From cc6272e84a80ffd92ab52e961efaa7aec15eabe0 Mon Sep 17 00:00:00 2001
From: Guillaume Lajarige
Date: Thu, 28 Dec 2017 15:34:24 +0000
Subject: [PATCH] =?UTF-8?q?N=C2=B01143=20Fix=20removed=20email=20links=20(?= =?UTF-8?q?mailto)=20in=20HTML=20attributes=20(CKEditor).?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SVN:trunk[5179]
---
 core/htmlsanitizer.class.inc.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/core/htmlsanitizer.class.inc.php b/core/htmlsanitizer.class.inc.php
index f159e7398..c6829fb50 100644
--- a/core/htmlsanitizer.class.inc.php
+++ b/core/htmlsanitizer.class.inc.php
@@ -212,9 +212,17 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 public function __construct()
 {
+ // Building href validation pattern from url and email validation patterns as the patterns are not used the same way in HTML content than in standard attributes value.
+ // eg. "foo@bar.com" vs "mailto:foo@bar.com?subject=Title&body=Hello%20world"
 if (!array_key_exists('href', self::$aAttrsWhiteList))
 {
- $sPattern = '/'.str_replace('/', '\/', utils::GetConfig()->Get('url_validation_pattern')).'/i';
+ // Regular urls
+ $sUrlPattern = utils::GetConfig()->Get('url_validation_pattern');
+ // Mailto urls
+ $sMailtoPattern = '(mailto:(' . utils::GetConfig()->Get('email_validation_pattern') . ')(?:\?(?:subject|body)=([a-zA-Z0-9+\$_.-]*)(?:&(?:subject|body)=([a-zA-Z0-9+\$_.-]*))?)?)';
+
+ $sPattern = $sUrlPattern . '|' . $sMailtoPattern;
+ $sPattern = '/'.str_replace('/', '\/', $sPattern).'/i';
 self::$aAttrsWhiteList['href'] = $sPattern;
 }
 }
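Review bot: The query-string character class on the new `$sMailtoPattern` line, `[a-zA-Z0-9+\$_.-]*`, does not allow `%`, so the example the added comment gives two lines above, `mailto:foo@bar.com?subject=Title&body=Hello%20world`, would itself fail the href whitelist and that link would still be stripped; adding `%` to both classes, `([a-zA-Z0-9%+\$_.-]*)`, makes the pattern match its own documentation and ordinary URL-encoded subject or body text. Separately, `$sPattern = $sUrlPattern . '|' . $sMailtoPattern;` alternates the two branches with no wrapping group and no anchors, so any `^`/`$` inside `url_validation_pattern` binds to the first branch only and the mailto branch can match as a substring of a longer attribute value; if the whitelist entry is applied with a plain `preg_match` (that code is outside this hunk), anchoring the combined expression, `$sPattern = '^(?:' . $sUrlPattern . '|' . $sMailtoPattern . ')$';`, keeps the href check from accepting a value on the strength of a matching fragment rather than the whole value. Note also that `str_replace('/', '\/', $sPattern)` now runs over the email pattern too, so a configured pattern that already escapes its slashes is double-escaped, as was already the case for the url pattern.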