
Enhance javascript URLs filtering
cedric-anne authored and trasher committed Jan 24, 2023
1 parent aec5c2d commit 5319b38
Showing 2 changed files with 10 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/Toolbox/URL.php
Expand Up @@ -54,7 +54,8 @@ final public static function sanitizeURL(?string $url): string

$url = trim($url);

if (preg_match('/^javascript:/i', $url)) {
$js_pattern = '/^' . implode('\s*', str_split('javascript:')) . '/i';
if (preg_match($js_pattern, $url)) {
return '';
}

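Review bot: The denylist at the new `$js_pattern` line only normalises what `trim()` plus `\s*` cover, while the WHATWG URL parser that browsers implement also strips leading C0 control characters and ASCII tab/newline anywhere in the input; `trim()` removes only space, `\t`, `\n`, `\r`, `\0` and `\v`, so other leading control bytes reach the match un-normalised and the anchor `^` no longer lines up with what a browser would see. The robust form is an allowlist — after dropping control characters, accept only a URL whose scheme is absent or one of `http`/`https` — rather than enumerating dangerous scheme spellings. The generated pattern also needs a why-comment, e.g. `// Browsers ignore tabs/newlines inside the scheme, so allow whitespace between every character of "javascript:".`, and since it is constant it could be written out once as a `private const` instead of rebuilt with `str_split`/`implode` on every call. `sanitizeURL` begins and ends outside this hunk, so I cannot see whether other schemes are handled elsewhere in the method.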
8 changes: 8 additions & 0 deletions tests/units/Glpi/Toolbox/URL.php
Expand Up @@ -53,6 +53,14 @@ protected function urlProvider(): iterable
'url' => 'javascript:alert(1);',
'expected' => '',
];
yield [
'url' => "java\nscript:alert(1);",
'expected' => '',
];
yield [
'url' => "j a v\t\ta\n s c \t ript :alert(1);",
'expected' => '',
];
yield [
'url' => 'jAvAscrIPt:alert(1);',
'expected' => '',
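Review bot: The new whitespace datasets only exercise rejection; there is no case showing that the `^` anchor still lets a legitimate URL through when `javascript:` appears later in it (an otherwise valid `https://` URL with `javascript:` in its path, asserting it is not blanked), nor one combining mixed case with embedded whitespace such as `"jAvA\tScRiPt:alert(1);"`, which is the path the `i` flag and `\s*` must handle together. If the runner reports dataset keys, naming the yielded datasets (`yield 'whitespace inside scheme' => [...]`) would make a failing variant identifiable in the output. `urlProvider` starts above this hunk and continues below it, so a positive case may already exist out of view.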
