From b52b15965611fc865058c0331b55e4e9bccabd2e Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 14 Jun 2011 19:50:29 +0200
Subject: only allow configured URL schemes in external links

This fixes a problem where JavaScript could be introduced through specially crafted RSS feeds on a lower level than the commit from yesterday (1ca2719c7488662ebd7964c0d026e0890f923ee9)

This also fixes a problem where JavaScript links could be introduced by specifying it as an RSS URL: the resulting error message displays a link to the broken feed URL. This patch makes sure there's no working link for unknown protocols.
---
 inc/parser/xhtml.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1af3a1ce1..22dc58963 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -648,6 +648,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 $name = $this->_getLinkTitle($name, $url, $isImage);
 
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
 if ( !$isImage ) {
 $class='urlextern';
 } else {
-- 
cgit v1.2.3