From 8c19ab8f9f47a522ad2b929495f3b5821efd2f34 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Sun, 20 Mar 2022 12:57:42 +0100
Subject: Add helper to escape URLs.

The escaping makes the URL safe for display and for use in HTML element
attributes (such as href="..." etc), but does not guarantee that the URL
itself is valid after conversion. This should be good enough for
mitigating XSS issues caused by injecting html or javascript into a URL.
Also probably good enough for _most_ normal URLs, but there may be
devils hidden in the details somewhere.
---
 include/text.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'include/text.php')

diff --git a/include/text.php b/include/text.php
index 9a2ca1af4..0c806d009 100644
--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,18 @@ function escape_tags($string) {
 	return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
 }
 
+/**
+ * Escape URL's so they're safe for use in HTML and in HTML element attributes.
+ */
+function escape_url($input) {
+  if (empty($input)) {
+    return EMPTY_STR;
+  }
+
+  // This is a bit crude but seems to do the trick for now. It makes no
+  // guarantees that the URL is valid for use after escaping.
+  return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
+}
 
 function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {
 
-- 
cgit v1.2.3