From 470f534768f47e3bb506ec3c66a9ddecc9a41cf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?=
Date: Mon, 6 Dec 2021 18:21:41 +0100
Subject: [PATCH] Cross-site Scripting (XSS) when redirect an url
---
 adm_program/system/bootstrap/function.php | 11 +++++++++--
 adm_program/system/classes/StringUtils.php | 3 ++-
 adm_program/system/redirect.php | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/adm_program/system/bootstrap/function.php b/adm_program/system/bootstrap/function.php
index ac8c48e22..4804052ba 100644
--- a/adm_program/system/bootstrap/function.php
+++ b/adm_program/system/bootstrap/function.php
@@ -301,7 +301,7 @@ function admFuncProcessableImageSize()
 * @param array $array The array with the element that should be checked
 * @param string $variableName Name of the array element that should be checked
 * @param string $datatype The datatype like **string**, **numeric**, **int**, **float**, **bool**, **boolean**, **html**,
- * **date**, **file** or **folder** that is expected and which will be checked.
+ * **url**, **date**, **file** or **folder** that is expected and which will be checked.
 * Datatype **date** expects a date that has the Admidio default format from the
 * preferences or the english date format **Y-m-d**
 * @param array $options (optional) An array with the following possible entries:
@@ -387,7 +387,8 @@ function admFuncVariableIsValid(array $array, $variableName, $datatype, array $o
 switch ($datatype) {
- case 'file':
+ case 'file': // fallthrough
+ case 'folder':
 try {
 if ($value !== '')
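Review bot: The docblock now lists **url** among the accepted datatypes but, unlike **date**, never says what that check guarantees, and from the new `case 'url'` added elsewhere in this patch it is only a prefix-and-character-set check delegated to StringUtils::strValidCharacters. A maintainer reading "which will be checked" will assume a fully validated URL. Add a sentence after the **date** explanation, e.g. `* Datatype **url** only checks for an http(s)/ftp or www. prefix and URL-safe characters; it does not verify the host and does not make the value safe for HTML output`. The signature and body of admFuncVariableIsValid lie outside this hunk.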
@@ -461,6 +462,12 @@ function admFuncVariableIsValid(array $array, $variableName, $datatype, array $o
 // check html string vor invalid tags and scripts
 $value = Htmlawed::filter(stripslashes($value), array('safe' => 1));
 break;
+
+ case 'url':
+ if (!StringUtils::strValidCharacters($value, 'url')) {
+ $errorMessage = $gL10n->get('SYS_INVALID_PAGE_VIEW');
+ }
+ break;
 }
 // wurde kein Fehler entdeckt, dann den Inhalt der Variablen zurueckgeben
diff --git a/adm_program/system/classes/StringUtils.php b/adm_program/system/classes/StringUtils.php
index 9dd0b2795..c0e259cf2 100644
--- a/adm_program/system/classes/StringUtils.php
+++ b/adm_program/system/classes/StringUtils.php
@@ -182,7 +182,8 @@ public static function strValidCharacters($string, $checkType)
 $validRegex = '=^[^/?*;:~<>|\"\\\\]+$=';
 break;
 case 'url':
- $validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
+ //$validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
+ $validRegex = '/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i';
 break;
 case 'phone':
 $validRegex = '/^[\d() \/+-]+$/i';
diff --git a/adm_program/system/redirect.php b/adm_program/system/redirect.php
index cda0a97de..ffe30f28a 100644
--- a/adm_program/system/redirect.php
+++ b/adm_program/system/redirect.php
@@ -19,7 +19,7 @@ require_once(__DIR__ . '/common.php');
 // Initialize and check the parameters
-$getUrl = admFuncVariableIsValid($_GET, 'url', 'string', array('requireValue' => true));
+$getUrl = admFuncVariableIsValid($_GET, 'url', 'url', array('requireValue' => true));
 if (filter_var($getUrl, FILTER_VALIDATE_URL) === false) {
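Review bot: The new `case 'url'` delegates entirely to StringUtils::strValidCharacters, which with the pattern introduced in this patch accepts `ftp://` and scheme-less `www.` values and only demands that such a prefix appear somewhere in the string; nothing here restricts the scheme, checks the host, or encodes the value, so a caller that prints the "validated" URL into HTML still has to run it through htmlspecialchars(). Given that the datatype is being introduced to fix an XSS, the case should state its contract so nobody treats it as an output-safe value, e.g. `// character/prefix whitelist only: callers must still validate scheme and host (filter_var) and escape on output`. admFuncVariableIsValid starts and ends outside this hunk, so what happens to $errorMessage afterwards (abort vs. empty return) is not visible here.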
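Review bot: The replacement `url` pattern has no `^`/`$` anchors, unlike the pattern it replaces and every other `$validRegex` visible in this switch, so if strValidCharacters applies it with preg_match it merely requires a URL-looking fragment somewhere in the input: a value like `"><script>...</script> http://a` contains `http://a` and would be reported as valid, which is exactly the class of input the commit title says it wants to reject. Anchor it (the leading `\b` is then redundant) and delete the commented-out old pattern instead of keeping it: `$validRegex = '/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]$/i';`. Be aware the new character class also drops the non-ASCII letters, `$`, parentheses and the space the old pattern allowed, so previously accepted IDN or unencoded URLs now fail; if that tightening is intended it deserves a one-line comment. The rest of strValidCharacters lies outside the hunk, so how $validRegex is applied is inferred from the anchored sibling patterns.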