
Improved valid url check to avoid javascript with capital letters
------
Mejorada la comprobación de url válida para evitar javascript con mayúsculas
NeoRazorX committed May 19, 2022
1 parent 7882dbe commit 0ff0568
Showing 2 changed files with 6 additions and 2 deletions.
2 changes: 1 addition & 1 deletion Core/Base/Utils.php
Expand Up @@ -138,7 +138,7 @@ public static function intval(?string $str): ?int
public static function isValidUrl(string $url): bool
{
// si la url está vacío o comienza por javascript: entonces no es una url válida
if (empty($url) || strpos($url, 'javascript:') === 0) {
if (empty($url) || stripos($url, 'javascript:') === 0) {
return false;
}

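Review bot: The new `if` line still only denies a single scheme prefix at position 0, so isValidUrl remains a denylist and this commit closes one spelling of it rather than the class of problem; an allowlist on the parsed scheme is the robust fix. Before the existing check, `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` followed by `if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) { return false; }` rejects any non-HTTP scheme while leaving scheme-less input to the rest of the function, which continues below the hunk and is not visible here. If the validation further down already restricts the scheme, this point does not apply. Separately, `empty($url)` also treats the string `'0'` as empty; `$url === ''` is the precise emptiness test.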
6 changes: 5 additions & 1 deletion Test/Core/Model/AgenciaTransporteTest.php
Expand Up @@ -60,9 +60,13 @@ public function testBadWeb()
$agency->web = 'javascript:alert(origin)';
$this->assertFalse($agency->save(), 'agency-can-save-bad-web');

// otra url peligrosa
// javascript con forma de url
$agency->web = 'javascript://example.com//%0aalert(document.domain);//';
$this->assertFalse($agency->save(), 'agency-can-save-bad-web-2');

// javascript con mayúsculas
$agency->web = 'jAvAsCriPt://sadas.com/%0aalert(11);//';
$this->assertFalse($agency->save(), 'agency-can-save-bad-web-3');
}

public function testGoodWeb()
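Review bot: The new assertion tagged `agency-can-save-bad-web-3` only proves that `save()` returned false, not that the URL check is what rejected the value; if the agency failed validation for an unrelated reason (a required field left unset, for instance) the test would still pass. Pinning the behaviour directly, e.g. `$this->assertFalse(Utils::isValidUrl('jAvAsCriPt://sadas.com/%0aalert(11);//'), 'utils-accepts-mixed-case-javascript');`, would isolate the change made in Core/Base/Utils.php — assuming `Utils` is imported in this test file, which the hunk does not show. The three bad-web cases now repeat the same assign-and-assert pair; a `#[DataProvider]` yielding the URLs would make the next case a one-line addition. testBadWeb starts above the hunk.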
