From 61ee9c9d747842d45af2ed0b5862236a3c28579b Mon Sep 17 00:00:00 2001
From: Carlos Garcia Gomez
Date: Mon, 16 May 2022 18:48:49 +0200
Subject: [PATCH] =?UTF-8?q?Improved=20url=20checks=20on=20AgenciaTransport?=
 =?UTF-8?q?e=20model=20to=20prevent=20XSS=20attacks=20with=20javascript=20?=
 =?UTF-8?q?urls.=20------=20Mejorada=20la=20comprobaci=C3=B3n=20de=20urls?=
 =?UTF-8?q?=20en=20el=20modelo=20de=20agencia=20de=20transporte=20para=20e?=
 =?UTF-8?q?vitar=20ataques=20XSS=20mediante=20urls=20de=20tipo=20javascrip?=
 =?UTF-8?q?t.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Core/Base/Utils.php | 10 ++++++++++
 Core/Model/AgenciaTransporte.php | 2 +-
 Test/Core/Model/AgenciaTransporteTest.php | 4 ++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/Core/Base/Utils.php b/Core/Base/Utils.php
index 9de3dc6553..69d0f1a97e 100644
--- a/Core/Base/Utils.php
+++ b/Core/Base/Utils.php
@@ -135,6 +135,16 @@ public static function intval(?string $str): ?int
 return $str === null ? null : (int)$str;
 }
 
+ public static function isValidUrl(string $url): bool
+ {
+ // si la url está vacío o comienza por javascript: entonces no es una url válida
+ if (empty($url) || strpos($url, 'javascript:') === 0) {
+ return false;
+ }
+
+ return filter_var($url, FILTER_VALIDATE_URL) !== false;
+ }
+
 /**
 * This function converts:
 * < to <
diff --git a/Core/Model/AgenciaTransporte.php b/Core/Model/AgenciaTransporte.php
index 2fbb3f9a1b..f3df5f138b 100644
--- a/Core/Model/AgenciaTransporte.php
+++ b/Core/Model/AgenciaTransporte.php
@@ -93,7 +93,7 @@ public function test(): bool
 $this->web = $utils->noHtml($this->web);
 
 // check if the web is a valid url
- if (!empty($this->web) && !filter_var($this->web, FILTER_VALIDATE_URL)) {
+ if (!empty($this->web) && false === self::toolBox()::utils()::isValidUrl($this->web)) {
 self::toolBox()::i18nLog()->error('invalid-web');
 return false;
 }
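Review bot: The scheme test on the new `strpos($url, 'javascript:') === 0` line is case-sensitive, so a scheme that differs only in letter case is not caught by it, while FILTER_VALIDATE_URL accepts any scheme once a host part is present (presumably why the second test case was needed at all). Since the field holds a web address, a stricter and simpler rule is to allow only the schemes the application expects: `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` followed by `if (!in_array($scheme, ['http', 'https'], true)) { return false; }` before the `filter_var` call; this also makes the `empty()` guard unnecessary, because an empty string yields no scheme. The added case in AgenciaTransporteTest.php exercises only the lowercase spelling, so it would not detect this gap. The method also lacks a docblock while its neighbours have one; `/** Returns true when $url is an absolute http(s) URL accepted by FILTER_VALIDATE_URL. */` plus an English version of the Spanish line comment would match the rest of the file.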
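Review bot: The replacement line reaches the helper through `self::toolBox()::utils()::isValidUrl($this->web)` although a `$utils` instance is already in scope two lines above (`$utils->noHtml(...)`), so `$utils::isValidUrl($this->web)` would be shorter and keep both checks visibly on the same object. The `false === ...` comparison is also a Yoda form the surrounding code does not use; `!$utils::isValidUrl($this->web)` reads like the line it replaces. The enclosing `test()` method starts and ends outside the hunk.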
diff --git a/Test/Core/Model/AgenciaTransporteTest.php b/Test/Core/Model/AgenciaTransporteTest.php
index 0afbb36c87..bd7b5e9ab1 100644
--- a/Test/Core/Model/AgenciaTransporteTest.php
+++ b/Test/Core/Model/AgenciaTransporteTest.php
@@ -59,6 +59,10 @@ public function testBadWeb()
 $agency->nombre = 'Test Agency';
 $agency->web = 'javascript:alert(origin)';
 $this->assertFalse($agency->save(), 'agency-can-save-bad-web');
+
+ // otra url peligrosa
+ $agency->web = 'javascript://example.com//%0aalert(document.domain);//';
+ $this->assertFalse($agency->save(), 'agency-can-save-bad-web-2');
 }
 
 public function testGoodWeb()