From 8c19ab8f9f47a522ad2b929495f3b5821efd2f34 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sun, 20 Mar 2022 12:57:42 +0100
Subject: Add helper to escape URLs.

The escaping makes the URL safe for display and for use in HTML element attributes (such as href="..." etc), but does not guarantee that the URL itself is valid after conversion. This should be good enough for mitigating XSS issues caused by injecting html or javascript into a URL. Also probably good enough for _most_ normal URLs, but there may be devils hidden in the details somewhere.
---
 include/text.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'include')

diff --git a/include/text.php b/include/text.php
index 9a2ca1af4..0c806d009 100644
--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,18 @@ function escape_tags($string) {
 	return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
 }
 
+/**
+ * Escape URL's so they're safe for use in HTML and in HTML element attributes.
+ */
+function escape_url($input) {
+	if (empty($input)) {
+		return EMPTY_STR;
+	}
+
+	// This is a bit crude but seems to do the trick for now. It makes no
+	// guarantees that the URL is valid for use after escaping.
+	return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES);
+}
 function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {
-- 
cgit v1.2.3

From b02f6a1dae3e3fae4af4b24e65256cdf653b2515 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sun, 20 Mar 2022 14:35:25 +0100
Subject: Add function is_local_url() to check if url is local.

---
 include/network.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'include')

diff --git a/include/network.php b/include/network.php
index fa408e602..a236a6f8e 100644
--- a/include/network.php
+++ b/include/network.php
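Review bot: The `htmlspecialchars()` call at the end of the new escape_url() passes neither ENT_SUBSTITUTE nor an explicit charset, so a URL containing an invalid UTF-8 byte sequence comes back as an empty string instead of an escaped one, and the charset depends on the runtime default rather than being pinned to 'UTF-8' the way escape_tags() just above pins it; suggested line: `return htmlspecialchars($input, ENT_HTML5 | ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The larger caveat belongs in the docblock: attribute escaping only prevents the value from breaking out of the attribute, and a `javascript:` or `data:` URL passes through this function unchanged and still executes when emitted in href, so the commit message's "injecting javascript into a URL" claim should not be read as covered. Proposed docblock addition: ` * Does not validate the scheme: a javascript: or data: URL survives escaping unchanged, so callers emitting href/src must check the scheme separately.` The `empty($input)` guard also maps the string "0" to EMPTY_STR (presumably a project constant defined elsewhere; not visible here), which is harmless for URLs but worth a one-word note in the docblock.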
@@ -559,6 +559,14 @@ function z_dns_check($h,$check_mx = 0) {
 	return((@dns_get_record($h,$opts) || filter_var($h, FILTER_VALIDATE_IP)) ? true : false);
 }
 
+function is_local_url($url) {
+	if (str_starts_with($url, z_root()) || str_starts_with($url, '/')) {
+		return true;
+	}
+
+	return false;
+}
+
 /**
  * @brief Validates a given URL.
  *
-- 
cgit v1.2.3
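Review bot: The prefix test `str_starts_with($url, z_root())` in the added is_local_url() accepts any string that merely begins with the site root, so with a root of `https://example.com` the URL `https://example.com.evil.net/x` is reported local, and the `str_starts_with($url, '/')` branch likewise accepts protocol-relative `//evil.net/x` (and `/\evil.net/x`, which browsers normalise to the same thing), both of which resolve to another origin. If the result gates redirect targets or fetches, as the name suggests but the hunk does not show, these are open-redirect/SSRF-shaped gaps: the root must be followed by `/`, `?`, `#` or end-of-string, and a leading `/` must not be followed by a second `/` or a `\`. `str_starts_with()` also requires PHP 8.0 or a polyfill, which I cannot confirm from this hunk. The rewrite below assumes z_root() returns the scheme+host base URL (trailing slash tolerated); like the original it is case-sensitive, so `HTTPS://Example.com/...` is still treated as remote.
```php
function is_local_url($url) {
	// A relative path is local, but "//host/..." and "/\host/..." are
	// protocol-relative and resolve to another origin in browsers.
	if (str_starts_with($url, '/')) {
		$second = $url[1] ?? '';
		return $second !== '/' && $second !== '\\';
	}

	$root = rtrim(z_root(), '/');
	if ($root === '' || !str_starts_with($url, $root)) {
		return false;
	}

	// The root must be followed by a delimiter, otherwise
	// "https://example.com.evil.net" would pass as local.
	$rest = substr($url, strlen($root));
	return $rest === '' || in_array($rest[0], ['/', '?', '#'], true);
}
```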