Merge branch 'security-fixes-lfi-xss-open-redirect' into 'dev'

Security fixes

See merge request hubzilla/core!2017

2 files changed, 20 insertions, 0 deletions

diff --git a/include/network.php b/include/network.php
index fa408e602..a236a6f8e 100644
--- a/include/network.php
+++ b/include/network.php
@@ -559,6 +559,14 @@ function z_dns_check($h,$check_mx = 0) {
 	return((@dns_get_record($h,$opts) || filter_var($h, FILTER_VALIDATE_IP)) ? true : false);
 }
 
+function is_local_url($url) {
+  if (str_starts_with($url, z_root()) || str_starts_with($url, '/')) {
+    return true;
+  }
+
+  return false;
+}
+
 /**
  * @brief Validates a given URL.
  *
diff --git a/include/text.php b/include/text.php
index 9a2ca1af4..0c806d009 100644
--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,18 @@ function escape_tags($string) {
 	return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
 }
 
+/**
+ * Escape URL's so they're safe for use in HTML and in HTML element attributes.
+ */
+function escape_url($input) {
+  if (empty($input)) {
+    return EMPTY_STR;
+  }
+
+  // This is a bit crude but seems to do the trick for now. It makes no
+  // guarantees that the URL is valid for use after escaping.
+  return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
+}
 
 function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {