From 3992425a272fc62c4972faf53763da1ca010f669 Mon Sep 17 00:00:00 2001
From: Romain Quetiez
Date: Mon, 10 Oct 2016 16:03:32 +0000
Subject: [PATCH] (Retrofit from trunk) N.466 HTML links with href="ftp://..." or "file://...". The filtering implemented by default (DOM Sanitization) now takes the configuration parameter url_validation_pattern into account. Thus aligning the behavior between HTML attributes and AttributeURL, and the automatic wiki formatting. By default, iTop allows the protocols http/https/ftp. To allow the 'file' protocol, edit the config file and change url_validation_pattern accordingly. SVN:2.3[4456]
---
 core/htmlsanitizer.class.inc.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/core/htmlsanitizer.class.inc.php b/core/htmlsanitizer.class.inc.php
index 99c6f9b28..180d4f10a 100644
--- a/core/htmlsanitizer.class.inc.php
+++ b/core/htmlsanitizer.class.inc.php
@@ -187,14 +187,22 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 		);
 	protected static $aAttrsWhiteList = array(
-		'href' => '/^(http:|https:)/i',
 		'src' => '/^(http:|https:|data:)/i',
 	);
 	protected static $aStylesWhiteList = array(
 		'background-color', 'color', 'float', 'font', 'font-style', 'font-size', 'font-family', 'padding', 'margin', 'border', 'cellpadding', 'cellspacing', 'bordercolor', 'border-collapse', 'width', 'height',
 	);
-	
+
+	public function __construct()
+	{
+		if (!array_key_exists('href', self::$aAttrsWhiteList))
+		{
+			$sPattern = '/'.str_replace('/', '\/', utils::GetConfig()->Get('url_validation_pattern')).'/i';
+			self::$aAttrsWhiteList['href'] = $sPattern;
+		}
+	}
+
 	public function DoSanitize($sHTML)
 	{
 		$this->oDoc = new DOMDocument();
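Review bot: The href pattern built in `__construct` drops the `^` anchor that the removed `'/^(http:|https:)/i'` entry had, so unless `url_validation_pattern` itself starts with `^` (unlikely, since the commit says the same setting drives wiki auto-linking, which searches for URLs inside free text) the whitelist only requires that an allowed URL appear somewhere in the attribute value, and an empty setting yields `//i`, which matches any string. If the whitelist is applied with `preg_match` (that code is outside this hunk), both cases would admit schemes the previous prefix check rejected, which is the exact thing an href allow-list exists to prevent. Anchor the configured fragment and fall back to the old prefix check when the setting is blank: `$sConfigured = trim((string)utils::GetConfig()->Get('url_validation_pattern'));` followed by `$sPattern = ($sConfigured === '') ? '/^(http:|https:)/i' : '/^(?:'.str_replace('/', '\/', $sConfigured).')/i';`. Separately, `str_replace('/', '\/', ...)` turns an already-escaped `\/` in the setting into `\\/`, which ends the pattern at the delimiter; a one-time compile check of `$sPattern` in the constructor would make a malformed setting fail loudly at startup rather than silently on every href.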