author | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 12:57:42 +0100 |
---|---|---|
committer | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 15:34:24 +0100 |
commit | 8c19ab8f9f47a522ad2b929495f3b5821efd2f34 (patch) | |
tree | 11b60be2ec18f48734665495353bc44424981d70 | |
parent | 30ae198b898a987e0d934a0e049cc6811f500475 (diff) | |
Add helper to escape URLs.
The escaping makes the URL safe for display and for use in HTML element
attributes (such as href="..." etc), but does not guarantee that the URL
itself is valid after conversion. This should be good enough for
mitigating XSS issues caused by injecting html or javascript into a URL.
Also probably good enough for _most_ normal URLs, but there may be
devils hidden in the details somewhere.
-rw-r--r-- | include/text.php | 12 | ||||
-rw-r--r-- | tests/unit/AntiXSSTest.php | 20 |
2 files changed, 32 insertions, 0 deletions
diff --git a/include/text.php b/include/text.php
index 9a2ca1af4..0c806d009 100644
--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,18 @@ function escape_tags($string) {
 return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
 }
+/**
+ * Escape URL's so they're safe for use in HTML and in HTML element attributes.
+ */
+function escape_url($input) {
+ if (empty($input)) {
+ return EMPTY_STR;
+ }
+
+ // This is a bit crude but seems to do the trick for now. It makes no
+ // guarantees that the URL is valid for use after escaping.
+ return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
+}
 function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {
diff --git a/tests/unit/AntiXSSTest.php b/tests/unit/AntiXSSTest.php
index b45042a1e..09642726f 100644
--- a/tests/unit/AntiXSSTest.php
+++ b/tests/unit/AntiXSSTest.php
@@ -24,6 +24,26 @@ class AntiXSSTest extends TestCase {
 $this->assertEquals("&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;", $escapedString);
 }
+ /**
+ * @dataProvider urlTestProvider
+ */
+ public function testEscapeURL($url, $expected) : void {
+ $this->assertEquals($expected, escape_url($url));
+ }
+
+ public function urlTestProvider() : array {
+ return [
+ [
+ "https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>",
+ "https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>"
+ ],
+ [
+ "settings/calendar/?f=&rpath=https://example.com'+accesskey=x+onclick=alert(/boom/);a='",
+ "settings/calendar/?f=&rpath=https://example.com'+accesskey=x+onclick=alert(/boom/);a='"
+ ],
+ ];
+ }
+
 /**
 *xmlify and unxmlify
 */
|
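Review bot: The `return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);` line neutralises quotes and angle brackets but leaves the scheme untouched, so a `javascript:` or `data:` value passed through `escape_url` is still executable once it lands in `href` or `src`; the docblock's promise that the result is "safe for use in HTML element attributes" will read to callers as if scheme validation were included. I would reword the docblock to ` * Escape a URL for output as HTML text or inside an HTML attribute value. Only HTML escaping is performed: the scheme is not checked, so an untrusted URL must still be scheme-allowlisted (http/https/...) before it is emitted in href/src.` Unlike `escape_tags` directly above, the call omits the charset argument; passing it explicitly, `return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES, 'UTF-8');`, keeps the two helpers consistent and independent of `default_charset`. Note also that without `ENT_SUBSTITUTE`, input that is not valid UTF-8 makes `htmlspecialchars` return an empty string silently, which is fail-closed but indistinguishable from the `EMPTY_STR` early return; that behaviour is worth stating in the comment so a caller does not treat an empty result as a missing URL.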
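Review bot: As rendered on this page, both expected values in `urlTestProvider` read byte-for-byte identical to their inputs, which could only pass if `escape_url` returned its argument unchanged; this is most likely the page decoding the entities in the fixture, but confirm that the committed expectations hold the encoded form, which with `ENT_HTML5 | ENT_QUOTES` is `&amp;` for `&`, `&apos;` for `'`, and `&lt;`/`&gt;` for the tag brackets. A third provider entry such as `["javascript:alert(1)", "javascript:alert(1)"]` would make explicit that the helper passes a dangerous scheme through unchanged, so nobody reading the tests mistakes attribute escaping for URL validation. The enclosing class `AntiXSSTest` starts before this hunk.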