From d86f980b597e2565154fefd8ee28c1da707bc19b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?=
Date: Sat, 8 Jan 2022 07:07:15 +0100
Subject: [PATCH] Url could contain Javascript that leeds to XSS #1159
---
 adm_program/system/classes/StringUtils.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/adm_program/system/classes/StringUtils.php b/adm_program/system/classes/StringUtils.php
index c0e259cf2a..eb0aee01f5 100644
--- a/adm_program/system/classes/StringUtils.php
+++ b/adm_program/system/classes/StringUtils.php
@@ -182,8 +182,8 @@ public static function strValidCharacters($string, $checkType)
 $validRegex = '=^[^/?*;:~<>|\"\\\\]+$=';
 break;
 case 'url':
-                //$validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
-                $validRegex = '/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i';
+                $validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
+                $validRegexValidUrl = '/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i';
 break;
 case 'phone':
 $validRegex = '/^[\d() \/+-]+$/i';
@@ -203,6 +203,11 @@ public static function strValidCharacters($string, $checkType)
 case 'email':
 return filter_var(trim($string), FILTER_VALIDATE_EMAIL) !== false;
 case 'url':
+ // url has a valid structure
+ if (!preg_match($validRegexValidUrl, $string)) {
+ return false;
+ }
+
 return filter_var(trim($string), FILTER_VALIDATE_URL) !== false;
 default:
 return true;
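Review bot: The restored whitelist on the `+ $validRegex = '/^[\wáàâ…]+$/i'` line lists multibyte letters inside a character class without the `u` modifier, so PCRE matches them byte by byte and the class accepts any UTF-8 sequence assembled from those bytes rather than only the listed letters; `$` without the `D` modifier also matches before a trailing newline. Adding `uD` (`/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/iuD`) fixes both, with the caveat that in PHP the `u` modifier also makes `\w` Unicode-aware, so confirm that widening to all letters is acceptable before relying on the explicit list. `$validRegexValidUrl` is assigned only inside this `case 'url':` and read in a later switch on the same `$checkType`, which holds today; a `$validRegexValidUrl = '';` before the switch would keep it defined if the two switches ever diverge. strValidCharacters's body continues outside this hunk on both sides.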
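Review bot: The new structural check on the `+ if (!preg_match($validRegexValidUrl, $string))` line is not anchored — the pattern starts with `\b` and has no `^`/`$` — so it only requires that a `https?://`, `ftp://` or `www.` substring appears somewhere in the value, and the FILTER_VALIDATE_URL call that follows accepts any scheme that parses with a host, which I would expect to let a value such as `javascript://www.example.com/%0Aalert(1)` through even though the commit's stated aim is to block script-bearing URLs. Anchoring the pattern to the whole trimmed value and explicitly allow-listing the scheme closes that gap; note also that preg_match runs on `$string` while filter_var runs on `trim($string)`, so both should use the same trimmed value once the pattern is anchored. The pattern below is the existing `$validRegexValidUrl` with `\b` replaced by `^` and `$` appended; `$validRegexValidUrl` is assigned in the first switch, outside this hunk, and strValidCharacters's body extends beyond the hunk on both sides.
```php
case 'url':
    // Anchor the structural check so the whole (trimmed) value must be a URL,
    // not merely contain one: a \b-only pattern also matches "javascript://www.x/%0A...".
    $url = trim($string);
    if (!preg_match('/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]$/i', $url)) {
        return false;
    }
    // FILTER_VALIDATE_URL does not restrict the scheme; allow only the ones the pattern intends.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (is_string($scheme) && !in_array(strtolower($scheme), ['http', 'https', 'ftp'], true)) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
```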