aboutsummaryrefslogtreecommitdiffstats
path: root/include/text.php
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2022-03-23 18:38:03 +0000
committerMario <mario@mariovavti.com>2022-03-23 18:38:03 +0000
commita41c7caa182117b2b7b820550cc20dff8be2c0f0 (patch)
tree19611241fd496b778c2f412ab9ebcc4fb34843bd /include/text.php
parentbddeab3ac11efaf786ddb2a6ce3f73d8c06790ab (diff)
parentb3ca31bce7ed0dd5777458005718ba96985cbdc2 (diff)
downloadvolse-hubzilla-a41c7caa182117b2b7b820550cc20dff8be2c0f0.tar.gz
volse-hubzilla-a41c7caa182117b2b7b820550cc20dff8be2c0f0.tar.bz2
volse-hubzilla-a41c7caa182117b2b7b820550cc20dff8be2c0f0.zip
Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'
Security fixes See merge request hubzilla/core!2017
Diffstat (limited to 'include/text.php')
-rw-r--r--include/text.php12
1 files changed, 12 insertions, 0 deletions
diff --git a/include/text.php b/include/text.php
index 9a2ca1af4..0c806d009 100644
--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,18 @@ function escape_tags($string) {
return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
}
+/**
+ * Escape URL's so they're safe for use in HTML and in HTML element attributes.
+ */
+function escape_url($input) {
+ if (empty($input)) {
+ return EMPTY_STR;
+ }
+
+ // This is a bit crude but seems to do the trick for now. It makes no
+ // guarantees that the URL is valid for use after escaping.
+ return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
+}
function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {