From d99a96ef4979e9c5840f7a7534f8c327434e5cb9 Mon Sep 17 00:00:00 2001
From: Matthew Exon
Date: Mon, 30 Jan 2017 00:55:38 +0000
Subject: [PATCH 1/3] Global is an integer, do not set it to an empty string
---
 include/bbcode.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/bbcode.php b/include/bbcode.php
index 74dde2fdf4..ab928bf12f 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1164,7 +1164,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
 $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
 // sanitizes src attributes (only relative redir URIs or http URLs)
- $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+ $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir|cid)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
 // sanitize href attributes (only whitelisted protocols URLs)
 // default value for backward compatibility
From ce10a9aa7f97424caa3f2db5d5fd54a2da850ca3 Mon Sep 17 00:00:00 2001
From: Matthew Exon
Date: Mon, 30 Jan 2017 15:48:12 +0000
Subject: [PATCH 2/3] Break out list of acceptable protocols in "src" attribute into separate variable similar to "href" attributes
---
 include/bbcode.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/bbcode.php b/include/bbcode.php
index ab928bf12f..0f1a705faa 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
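Review bot: The `cid` alternative added to `(?!http|redir|cid)` on the `+` line is a prefix test, not a scheme test: any value beginning with those letters passes, so `cid` admits `cid:` but equally a relative path such as `cidfoo/x.png`, just as `http` has always admitted `https`. No dangerous scheme (`javascript:`, `data:`, `vbscript:`) starts with one of those prefixes, so this is not exploitable as written, but the context comment one line above still says "only relative redir URIs or http URLs" and now understates the whitelist. I would either tighten the alternatives to what is meant — `(?!https?://|redir/|cid:)` if `redir` is always the relative `redir/` path, which I cannot confirm from this hunk — or at least make the semantics explicit: `// sanitizes src attributes: prefix whitelist - http(s) and relative redir URIs for web display, cid: for inline e-mail images`. The commit subject ("Global is an integer…") does not appear to describe this hunk, and bbcode()'s body continues outside it on both sides.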
@@ -1163,8 +1163,10 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
 // fix any escaped ampersands that may have been converted into links
 $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
- // sanitizes src attributes (only relative redir URIs or http URLs)
- $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir|cid)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+ // sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
+ $allowed_src_protocols = array('http', 'redir', 'cid');
+ $Text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
+ '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
 // sanitize href attributes (only whitelisted protocols URLs)
 // default value for backward compatibility
From 96aadb23f8beb2b0ae453d9f4ba6bf9fc86ba1cd Mon Sep 17 00:00:00 2001
From: Matthew Exon
Date: Tue, 31 Jan 2017 03:44:32 +0000
Subject: [PATCH 3/3] Change $allowed_src_protocols to static
---
 include/bbcode.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/bbcode.php b/include/bbcode.php
index 0f1a705faa..489ef8b2e3 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
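Review bot: The `implode('|', $allowed_src_protocols)` on the third `+` line is spliced into the pattern verbatim, so the whitelist is now a regex fragment rather than a list of literals: the three current entries are harmless, but a future entry containing `|`, `.`, `)` or `#` (the pattern delimiter) would silently widen or break the lookahead. Quote each entry before joining, e.g. `'(?!' . implode('|', array_map(function ($p) { return preg_quote($p, '#'); }, $allowed_src_protocols)) . ')'`, and say in the new comment that these are prefixes rather than exact schemes — `http` already matches `https`, and `cid` matches any value that merely starts with those letters. The new comment and variable name call them "protocols" while `redir`, as the removed comment said, is a relative URI, so `$allowed_src_prefixes` would describe the list more honestly. bbcode() continues outside the hunk on both sides.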
@@ -1164,7 +1164,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
 $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
 // sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
- $allowed_src_protocols = array('http', 'redir', 'cid');
+ static $allowed_src_protocols = array('http', 'redir', 'cid');
 $Text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
 '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);