authorMario <mario@mariovavti.com>2022-03-23 18:38:03 +0000
committerMario <mario@mariovavti.com>2022-03-23 18:38:03 +0000
commita41c7caa182117b2b7b820550cc20dff8be2c0f0 (patch)
tree19611241fd496b778c2f412ab9ebcc4fb34843bd /include
parentbddeab3ac11efaf786ddb2a6ce3f73d8c06790ab (diff)
parentb3ca31bce7ed0dd5777458005718ba96985cbdc2 (diff)
Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'
Security fixes. See merge request hubzilla/core!2017
Diffstat (limited to 'include')
-rw-r--r--include/network.php8
-rw-r--r--include/text.php12
2 files changed, 20 insertions, 0 deletions
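--- a/include/network.php
+++ b/include/network.php
@@ -559,6 +559,14 @@ function z_dns_check($h,$check_mx = 0) {
 return((@dns_get_record($h,$opts) || filter_var($h, FILTER_VALIDATE_IP)) ? true : false);
 }
+function is_local_url($url) {
+ if (str_starts_with($url, z_root()) || str_starts_with($url, '/')) {
+ return true;
+ }
+
+ return false;
+}
+
 /**
 * @brief Validates a given URL.
 *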
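Review bot: The second clause of the test in is_local_url(), `str_starts_with($url, '/')`, accepts protocol-relative values such as `//host/path`, which browsers resolve to another origin, so a redirect target guarded only by this function is still an open redirect; browsers also treat a leading `/\` the same way. The first clause has the same shape of problem if z_root() carries no trailing slash, because a plain prefix match then accepts any host whose name merely begins with the local one — worth confirming against z_root(). A tighter version adds `if (str_starts_with($url, '//') || str_starts_with($url, '/\\')) { return false; }` before the existing test and changes the first clause to `str_starts_with($url, z_root() . '/') || $url === z_root()`. The function also has no docblock; a one-liner `@brief Returns true when $url is same-origin (the site root or a root-relative path).` would match the style of the neighbouring functions.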
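--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,18 @@ function escape_tags($string) {
 return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
 }
+/**
+ * Escape URL's so they're safe for use in HTML and in HTML element attributes.
+ */
+function escape_url($input) {
+ if (empty($input)) {
+ return EMPTY_STR;
+ }
+
+ // This is a bit crude but seems to do the trick for now. It makes no
+ // guarantees that the URL is valid for use after escaping.
+ return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
+}
 function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {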
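Review bot: escape_url() only neutralises attribute-context breakouts; htmlspecialchars() leaves the scheme untouched, so a value with a `javascript:` scheme escapes cleanly and remains executable once emitted as an href, and the docblock should state that limit explicitly: `Does not validate the URL or its scheme; callers must still check that the value is an allowed http(s) URL before emitting it as a link target.` Two smaller points in the same body: `empty($input)` treats the string `'0'` as empty and returns EMPTY_STR for it, and htmlspecialchars() is called without ENT_SUBSTITUTE, so a URL containing an invalid UTF-8 sequence comes back as an empty string rather than an error — fail-safe, but silent. The default `double_encode` also re-encodes an already-escaped `&amp;` in a query string, whereas escape_tags() just above passes `false`; if callers may hand this function pre-escaped values, that difference is worth a sentence in the docblock.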