diff options
| author | Mario <mario@mariovavti.com> | 2022-03-23 18:38:03 +0000 |
|---|---|---|
| committer | Mario <mario@mariovavti.com> | 2022-03-23 18:38:03 +0000 |
| commit | a41c7caa182117b2b7b820550cc20dff8be2c0f0 (patch) | |
| tree | 19611241fd496b778c2f412ab9ebcc4fb34843bd /include/text.php | |
| parent | bddeab3ac11efaf786ddb2a6ce3f73d8c06790ab (diff) | |
| parent | b3ca31bce7ed0dd5777458005718ba96985cbdc2 (diff) | |
| download | volse-hubzilla-a41c7caa182117b2b7b820550cc20dff8be2c0f0.tar.gz volse-hubzilla-a41c7caa182117b2b7b820550cc20dff8be2c0f0.tar.bz2 volse-hubzilla-a41c7caa182117b2b7b820550cc20dff8be2c0f0.zip | |
Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'
Security fixes
See merge request hubzilla/core!2017
Diffstat (limited to 'include/text.php')
| -rw-r--r-- | include/text.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/include/text.php b/include/text.php index 9a2ca1af4..0c806d009 100644 --- a/include/text.php +++ b/include/text.php @@ -114,6 +114,18 @@ function escape_tags($string) { return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false)); } +/** + * Escape URL's so they're safe for use in HTML and in HTML element attributes. + */ +function escape_url($input) { + if (empty($input)) { + return EMPTY_STR; + } + + // This is a bit crude but seems to do the trick for now. It makes no + // guarantees that the URL is valid for use after escaping. + return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES); +} function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) { |