From f88435fa4c4a866003587c4b4ef8e6333a3ed5cd Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Wed, 14 Aug 2019 21:40:51 -0400 Subject: [PATCH 1/2] Add support for protocol-less URLs in BBCode::convert --- src/Content/Text/BBCode.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php index 12497d665..cd40d717a 100644 --- a/src/Content/Text/BBCode.php +++ b/src/Content/Text/BBCode.php @@ -1753,7 +1753,7 @@ class BBCode extends BaseObject $text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $text); // sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails) - $allowed_src_protocols = ['http', 'redir', 'cid']; + $allowed_src_protocols = ['//', 'http', 'redir', 'cid']; $text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism', '<$1$2=""$4 data-original-src="$3" class="invalid-src" title="' . L10n::t('Invalid source protocol') . '">', $text); @@ -1763,6 +1763,7 @@ class BBCode extends BaseObject // Always allowed protocol even if config isn't set or not including it $allowed_link_protocols[] = 'http'; + $allowed_link_protocols[] = '//'; $allowed_link_protocols[] = 'redir/'; $regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism'; From 0f9520f520ab527c819213aedfcdfda7399a2f47 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Wed, 14 Aug 2019 21:42:00 -0400 Subject: [PATCH 2/2] Increase specificity of default allowed protocols --- src/Content/Text/BBCode.php | 12 +++++++++--- static/defaults.config.php | 4 ++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php index cd40d717a..c16041e22 100644 --- a/src/Content/Text/BBCode.php +++ b/src/Content/Text/BBCode.php 
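Review bot: The comment above `$allowed_src_protocols` still enumerates only http, redir and cid, so after adding `'//'` it no longer describes the list; suggest `// sanitizes src attributes (http(s), protocol-relative // and redir URLs for displaying in a web page, cid used for inline images in emails)`. A protocol-relative source has no scheme to resolve against in the email rendering that comment mentions, which seems worth stating as a caveat there — I cannot confirm from this hunk how the email output is produced. The same applies to the second hunk, where `// Always allowed protocol even if config isn't set or not including it` now covers several entries and could read `// Always allowed protocols, even if config isn't set or doesn't include them`. The enclosing method starts and ends outside both hunks.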
@@ -1753,19 +1753,25 @@ class BBCode extends BaseObject $text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $text); // sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails) - $allowed_src_protocols = ['//', 'http', 'redir', 'cid']; + $allowed_src_protocols = ['//', 'http://', 'https://', 'redir/', 'cid:']; + + array_walk($allowed_src_protocols, function(&$value) { $value = preg_quote($value, '#');}); + $text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism', '<$1$2=""$4 data-original-src="$3" class="invalid-src" title="' . L10n::t('Invalid source protocol') . '">', $text); // sanitize href attributes (only whitelisted protocols URLs) // default value for backward compatibility - $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', ['ftp', 'mailto', 'gopher', 'cid']); + $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', []); // Always allowed protocol even if config isn't set or not including it - $allowed_link_protocols[] = 'http'; $allowed_link_protocols[] = '//'; + $allowed_link_protocols[] = 'http://'; + $allowed_link_protocols[] = 'https://'; $allowed_link_protocols[] = 'redir/'; + array_walk($allowed_link_protocols, function(&$value) { $value = preg_quote($value, '#');}); + $regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism'; $text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 data-original-href="$3" class="invalid-href" title="' . L10n::t('Invalid link protocol') . '">', $text); diff --git a/static/defaults.config.php b/static/defaults.config.php index dcda564c2..0cfb15e84 100644 --- a/static/defaults.config.php +++ b/static/defaults.config.php 
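Review bot: `// default value for backward compatibility` above the `Config::get` call is stale now that the in-code default is `[]` and the shipped defaults live in static/defaults.config.php; suggest `// Site-configured extra protocols (defaults in static/defaults.config.php); matched as URL prefixes, so entries should include the scheme delimiter`. Sites that already persisted the old un-suffixed values (`'ftp'`, `'mailto'`, …) keep working, but only as loose prefixes — `'ftp'` also admits `ftps://`, presumably acceptable since the shipped defaults allow it, but worth stating so the specificity gained here is not silently lost on upgraded installs. The two identical `array_walk` closures could be one `array_map` call, e.g. `$allowed_link_protocols = array_map(function ($value) { return preg_quote($value, '#'); }, $allowed_link_protocols);`, which avoids the by-reference parameter. The regexes as written only inspect double-quoted attribute values; that predates this change, but the whitelist is only as good as that match, so a one-line comment stating the assumption would help the next reader. The enclosing method starts and ends outside the hunk.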
@@ -52,8 +52,8 @@ return [ ], 'system' => [ // allowed_link_protocols (Array) - // Allowed protocols in links URLs, add at your own risk. http is always allowed. - 'allowed_link_protocols' => ['ftp', 'ftps', 'mailto', 'cid', 'gopher'], + // Allowed protocols in links URLs, add at your own risk. http(s) is always allowed. + 'allowed_link_protocols' => ['ftp://', 'ftps://', 'mailto:', 'cid:', 'gopher://'], // always_show_preview (Boolean) // Only show small preview pictures.
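Review bot: The updated comment still does not say how these values are applied — BBCode.php in the same patch uses them as case-insensitive URL prefixes inside a regex, so an entry without its scheme delimiter matches more than intended; suggest `// Allowed protocols in links URLs, matched as URL prefixes, so include the delimiter (e.g. 'ftp://', 'mailto:'). Add at your own risk. http(s), protocol-relative // and redir/ are always allowed.` Existing site configs that still hold the previous un-suffixed values are not migrated by this change, which is worth a line here as well. The returned array continues outside this hunk.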