Fixes #3747. Using filter_var to check for any valid URI.

1 files changed, 22 insertions, 3 deletions

diff --git a/engine/lib/output.php b/engine/lib/output.php
index 2c3e1a0ba..37ebbb4aa 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -243,13 +243,32 @@ function elgg_clean_vars(array $vars = array()) {
  * @return string The absolute url
  */
 function elgg_normalize_url($url) {
-	// 'http://example.com', 'https://example.com', '//example.com'
-	// '#target', '?query=string'
-	if (preg_match("#^(\#|\?|(https?:)?//)#i", $url)) {
+	// see https://bugs.php.net/bug.php?id=51192
+	// from the bookmarks save action.
+	$php_5_2_13_and_below = version_compare(PHP_VERSION, '5.2.14', '<');
+	$php_5_3_0_to_5_3_2 = version_compare(PHP_VERSION, '5.3.0', '>=') &&
+			version_compare(PHP_VERSION, '5.3.3', '<');
+
+	$validated = false;
+	if ($php_5_2_13_and_below || $php_5_3_0_to_5_3_2) {
+		$tmp_address = str_replace("-", "", $url);
+		$validated = filter_var($tmp_address, FILTER_VALIDATE_URL);
+	} else {
+		$validated = filter_var($url, FILTER_VALIDATE_URL);
+	}
+
+	if ($validated) {
+		// all normal URLs including mailto:
 		return $url;
 
+	} elseif (preg_match("#^(\#|\?|//)#i", $url)) {
+		// '//example.com' (Shortcut for protocol.)
+		// '?query=test', #target
+		return $url;
+	
 	} elseif (stripos($url, 'javascript:') === 0) {
 		// 'javascript:'
+		// Not covered in FILTER_VALIDATE_URL
 		return $url;
 
 	} elseif (preg_match("#^[^/]*\.php(\?.*)?$#i", $url)) {