(Retrofit from trunk) N.466 HTML links with href="ftp://..." or "file://...". The filtering implemented by default (DOM Sanitization) now takes the configuration parameter url_validation_pattern into account. Thus aligning the behavior between HTML attributes and AttributeURL, and the automatic wiki formatting. By default, iTop allows the protocols http/https/ftp. To allow the 'file' protocol, edit the config file and change url_validation_pattern accordingly.

SVN:2.3[4456]
2026-03-05 00:54:12 +01:00 · 2016-10-10 16:03:32 +00:00
parent 64ef7fbc08
commit 3992425a27
1 changed files with 10 additions and 2 deletions
--- a/core/htmlsanitizer.class.inc.php
+++ b/core/htmlsanitizer.class.inc.php
@@ -187,14 +187,22 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 	);
 	
 	protected static $aAttrsWhiteList = array(
-		'href' => '/^(http:|https:)/i',
 		'src' => '/^(http:|https:|data:)/i',
 	);
 	
 	protected static $aStylesWhiteList = array(
 		'background-color', 'color', 'float', 'font', 'font-style', 'font-size', 'font-family', 'padding', 'margin', 'border', 'cellpadding', 'cellspacing', 'bordercolor', 'border-collapse', 'width', 'height',
 	);
-	
+
+	public function __construct()
+	{
+		if (!array_key_exists('href', self::$aAttrsWhiteList))
+		{
+			$sPattern = '/'.str_replace('/', '\/', utils::GetConfig()->Get('url_validation_pattern')).'/i';
+			self::$aAttrsWhiteList['href'] = $sPattern;
+		}
+	}
+
 	public function DoSanitize($sHTML)
 	{
 		$this->oDoc = new DOMDocument();