Merge pull request #8328 from annando/clean-uri

Clean the profile URL when follow
Tobias Diekershoff 2020-02-22 17:31:21 +01:00 committed by GitHub
commit 357c0072bd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 2 deletions


@ -41,7 +41,7 @@ function follow_post(App $a)
} }
$uid = local_user(); $uid = local_user();
$url = Strings::escapeTags(trim($_REQUEST['url'])); $url = Probe::cleanURI($_REQUEST['url']);
$return_path = 'follow?url=' . urlencode($url); $return_path = 'follow?url=' . urlencode($url);
// Makes the connection request for friendica contacts easier // Makes the connection request for friendica contacts easier
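Review bot: The new `$url` assignment passes `$_REQUEST['url']` straight into `Probe::cleanURI(string $URI)`, so a request where `url` is missing now raises a TypeError where the old `trim()` call yielded an empty string; an array value (`url[]=x`) ends the same way. Guard at the call site, e.g. `$url = Probe::cleanURI(is_string($_REQUEST['url'] ?? null) ? $_REQUEST['url'] : '');`; the `$_POST['dfrn_url']` call in the RemoteFollow section has the same problem. The line also drops the `Strings::escapeTags()` call, so if `$url` is written into HTML or a notice later in `follow_post` (the body continues outside the hunk), it needs context-appropriate escaping at that point.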


@ -54,7 +54,7 @@ class RemoteFollow extends BaseModule
return; return;
} }
$url = trim($_POST['dfrn_url']); $url = Probe::cleanURI($_POST['dfrn_url']);
if (!strlen($url)) { if (!strlen($url)) {
notice(DI::l10n()->t("Invalid locator")); notice(DI::l10n()->t("Invalid locator"));
return; return;


@ -47,6 +47,31 @@ class Probe
private static $baseurl; private static $baseurl;
private static $istimeout; private static $istimeout;
/**
* Remove stuff from an URI that doesn't belong there
*
* @param string $URI
* @return string Cleaned URI
*/
public static function cleanURI(string $URI)
{
// At first remove leading and trailing junk
$URI = trim($URI, "@#?:/ \t\n\r\0\x0B");
$parts = parse_url($URI);
if (empty($parts['scheme'])) {
return $URI;
}
// Remove the URL fragment, since these shouldn't be part of any profile URL
unset($parts['fragment']);
$URI = Network::unparseURL($parts);
return $URI;
}
/** /**
* Rearrange the array so that it always has the same order * Rearrange the array so that it always has the same order
* *
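Review bot: `cleanURI()` normalises but does not validate, and neither the docblock nor the signature says so: input without a scheme is returned after trimming only, and any scheme that `parse_url()` recognises is handed on to `Network::unparseURL()`. Both callers in this commit feed it raw request data, so the docblock should state the contract, e.g. `Normalises a profile URI (trims surrounding junk, drops the fragment); does not validate scheme or host, callers must still do that.` The signature should also declare its return type: `public static function cleanURI(string $URI): string`. A short comment that `parse_url()` returns `false` for seriously malformed input, and that the `empty($parts['scheme'])` check then returns the trimmed string unchanged, would make that fallback explicit.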