From 0ff0568b945aa307ee2269172c5073cd2586565b Mon Sep 17 00:00:00 2001
From: Carlos Garcia Gomez
Date: Thu, 19 May 2022 10:35:23 +0200
Subject: [PATCH] =?UTF-8?q?Improved=20valid=20url=20check=20to=20avoid=20j?=
 =?UTF-8?q?avascript=20with=20capital=20letters=20------=20Mejorada=20la?=
 =?UTF-8?q?=20comprobaci=C3=B3n=20de=20url=20v=C3=A1lida=20para=20evitar?=
 =?UTF-8?q?=20javascript=20con=20may=C3=BAsculas?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Core/Base/Utils.php | 2 +-
 Test/Core/Model/AgenciaTransporteTest.php | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Core/Base/Utils.php b/Core/Base/Utils.php
index 69d0f1a97e..7aadd5c4b9 100644
--- a/Core/Base/Utils.php
+++ b/Core/Base/Utils.php
@@ -138,7 +138,7 @@ public static function intval(?string $str): ?int
 public static function isValidUrl(string $url): bool
 {
 // si la url está vacío o comienza por javascript: entonces no es una url válida
- if (empty($url) || strpos($url, 'javascript:') === 0) {
+ if (empty($url) || stripos($url, 'javascript:') === 0) {
 return false;
 }
 
diff --git a/Test/Core/Model/AgenciaTransporteTest.php b/Test/Core/Model/AgenciaTransporteTest.php
index bd7b5e9ab1..2ab1647905 100644
--- a/Test/Core/Model/AgenciaTransporteTest.php
+++ b/Test/Core/Model/AgenciaTransporteTest.php
@@ -60,9 +60,13 @@ public function testBadWeb()
 $agency->web = 'javascript:alert(origin)';
 $this->assertFalse($agency->save(), 'agency-can-save-bad-web');
 
- // otra url peligrosa
+ // javascript con forma de url
 $agency->web = 'javascript://example.com//%0aalert(document.domain);//';
 $this->assertFalse($agency->save(), 'agency-can-save-bad-web-2');
+
+ // javascript con mayúsculas
+ $agency->web = 'jAvAsCriPt://sadas.com/%0aalert(11);//';
+ $this->assertFalse($agency->save(), 'agency-can-save-bad-web-3');
 }
 
 public function testGoodWeb()
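Review bot: `stripos($url, 'javascript:') === 0` on the added line is still a prefix match anchored at offset 0 of the raw string, so leading whitespace before the scheme is not covered, and no scheme other than javascript: is considered at all. The minimal tightening is to normalise before matching, `if (empty($url) || stripos(ltrim($url), 'javascript:') === 0) {`; the more robust shape is to read `parse_url($url, PHP_URL_SCHEME)`, lowercase it, and accept only an allowlist of expected schemes rather than denying one, with a comment stating which schemes the field is meant to hold. `empty($url)` also rejects the literal string `'0'`, which `$url === ''` would not; probably harmless for a URL field but worth making explicit. The remainder of isValidUrl, including any validation that follows this guard, is outside the hunk, so I cannot tell whether a later check already handles these cases.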
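Review bot: The new case on the added lines exercises the mixed-case path only through `$agency->save()`, so a failure could originate in any other validation the model runs; a direct assertion on the helper that changed, `$this->assertFalse(Utils::isValidUrl('jAvAsCriPt://sadas.com/%0aalert(11);//'));`, would pin the regression to its cause. Because the guard is a prefix match, a companion case with leading whitespace before the scheme would document whether that variant is expected to be rejected too. The comments in this method are Spanish while the assertion messages are English; either is fine, but one language per file reads more consistently. testBadWeb begins before the hunk.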