Url could contain Javascript that leeds to XSS #1159

Admidio · Jan 8, 2022 · d86f980 · d86f980
1 parent 5720147
commit d86f980
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/adm_program/system/classes/StringUtils.php b/adm_program/system/classes/StringUtils.php
@@ -182,8 +182,8 @@ public static function strValidCharacters($string, $checkType)
                 $validRegex = '=^[^/?*;:~<>|\"\\\\]+$=';
                 break;
             case 'url':
-                //$validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
-                $validRegex = '/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i';
+                $validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
+                $validRegexValidUrl = '/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i';
                 break;
             case 'phone':
                 $validRegex = '/^[\d() \/+-]+$/i';
@@ -203,6 +203,11 @@ public static function strValidCharacters($string, $checkType)
             case 'email':
                 return filter_var(trim($string), FILTER_VALIDATE_EMAIL) !== false;
             case 'url':
+                // url has a valid structure
+                if (!preg_match($validRegexValidUrl, $string)) {
+                    return false;
+                }
+
                 return filter_var(trim($string), FILTER_VALIDATE_URL) !== false;
             default:
                 return true;