diff options
author | Brett Profitt <brett.profitt@gmail.com> | 2011-10-12 21:01:17 -0700 |
---|---|---|
committer | Brett Profitt <brett.profitt@gmail.com> | 2011-10-12 21:01:17 -0700 |
commit | ef119763b51119a10851a7a3fb1258c7116a96c0 (patch) | |
tree | e1e39edcc761796dfdc0c9b60574e87233c4de0c /engine/lib | |
parent | 56e424e6e629307583418f530e6c31e4011a761b (diff) | |
download | elgg-ef119763b51119a10851a7a3fb1258c7116a96c0.tar.gz elgg-ef119763b51119a10851a7a3fb1258c7116a96c0.tar.bz2 |
Fixes #3747. Using filter_var to check for any valid URI.
Diffstat (limited to 'engine/lib')
-rw-r--r-- | engine/lib/output.php | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php index 2c3e1a0ba..37ebbb4aa 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -243,13 +243,32 @@ function elgg_clean_vars(array $vars = array()) { * @return string The absolute url */ function elgg_normalize_url($url) { - // 'http://example.com', 'https://example.com', '//example.com' - // '#target', '?query=string' - if (preg_match("#^(\#|\?|(https?:)?//)#i", $url)) { + // see https://bugs.php.net/bug.php?id=51192 + // from the bookmarks save action. + $php_5_2_13_and_below = version_compare(PHP_VERSION, '5.2.14', '<'); + $php_5_3_0_to_5_3_2 = version_compare(PHP_VERSION, '5.3.0', '>=') && + version_compare(PHP_VERSION, '5.3.3', '<'); + + $validated = false; + if ($php_5_2_13_and_below || $php_5_3_0_to_5_3_2) { + $tmp_address = str_replace("-", "", $url); + $validated = filter_var($tmp_address, FILTER_VALIDATE_URL); + } else { + $validated = filter_var($url, FILTER_VALIDATE_URL); + } + + if ($validated) { + // all normal URLs including mailto: return $url; + } elseif (preg_match("#^(\#|\?|//)#i", $url)) { + // '//example.com' (Shortcut for protocol.) + // '?query=test', #target + return $url; + } elseif (stripos($url, 'javascript:') === 0) { // 'javascript:' + // Not covered in FILTER_VALIDATE_URL return $url; } elseif (preg_match("#^[^/]*\.php(\?.*)?$#i", $url)) { |