From b26d2251363939150ddc0386e967c6e9a37c08df Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Fri, 25 Sep 2020 11:36:04 -0400
Subject: [PATCH] Restrict character class for charset capture in Util\ParseUrl
- Address https://github.com/friendica/friendica/issues/9252#issuecomment-698742359
---
 src/Util/ParseUrl.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Util/ParseUrl.php b/src/Util/ParseUrl.php
index ce2a0ea966..1596e015be 100644
--- a/src/Util/ParseUrl.php
+++ b/src/Util/ParseUrl.php
@@ -204,7 +204,7 @@ class ParseUrl
 $charset = '';
 // Look for a charset, first in headers
 // Expected form: Content-Type: text/html; charset=ISO-8859-4
- if (preg_match('/charset=(.+?)\s/', $header, $matches)) {
+ if (preg_match('/charset=([a-z0-9-_.\/]+)/i', $header, $matches)) {
 $charset = trim(trim(trim(array_pop($matches)), ';,'));
 }
@@ -212,14 +212,18 @@ class ParseUrl
 // Expected forms:
 // - 
 // - 
+ // - 
+ // - 
 // We escape
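Review bot: The new header pattern in the first hunk no longer matches a quoted parameter value such as `charset="utf-8"`, which HTTP allows, because the character right after `=` must now belong to the allow-list class; for such responses the header charset is silently skipped. I would accept an optional quote and move the hyphen to the end of the class so it is unambiguously literal instead of relying on how PCRE treats `-` after the `0-9` range: `if (preg_match('/charset="?([a-z0-9_.\/-]+)/i', $header, $matches)) {`. With the allow-list in place the capture can no longer contain whitespace, `;` or `,`, so the nested `trim()` calls on the next line are dead code and `$charset = $matches[1];` says the same thing. Restricting the value is the right direction for data taken from a remote server's response, but the pattern is still unanchored, so the first `charset=` anywhere in `$header` wins rather than the one on the Content-Type line. The enclosing method starts and ends outside the hunk, so how `$charset` is consumed afterwards is not visible here.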