aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authorBrett Profitt <brett.profitt@gmail.com>2011-10-12 21:01:17 -0700
committerBrett Profitt <brett.profitt@gmail.com>2011-10-12 21:01:17 -0700
commitef119763b51119a10851a7a3fb1258c7116a96c0 (patch)
treee1e39edcc761796dfdc0c9b60574e87233c4de0c /engine/lib
parent56e424e6e629307583418f530e6c31e4011a761b (diff)
downloadelgg-ef119763b51119a10851a7a3fb1258c7116a96c0.tar.gz
elgg-ef119763b51119a10851a7a3fb1258c7116a96c0.tar.bz2
Fixes #3747. Using filter_var to check for any valid URI.
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/output.php25
1 files changed, 22 insertions, 3 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 2c3e1a0ba..37ebbb4aa 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -243,13 +243,32 @@ function elgg_clean_vars(array $vars = array()) {
* @return string The absolute url
*/
function elgg_normalize_url($url) {
- // 'http://example.com', 'https://example.com', '//example.com'
- // '#target', '?query=string'
- if (preg_match("#^(\#|\?|(https?:)?//)#i", $url)) {
+ // see https://bugs.php.net/bug.php?id=51192
+ // from the bookmarks save action.
+ $php_5_2_13_and_below = version_compare(PHP_VERSION, '5.2.14', '<');
+ $php_5_3_0_to_5_3_2 = version_compare(PHP_VERSION, '5.3.0', '>=') &&
+ version_compare(PHP_VERSION, '5.3.3', '<');
+
+ $validated = false;
+ if ($php_5_2_13_and_below || $php_5_3_0_to_5_3_2) {
+ $tmp_address = str_replace("-", "", $url);
+ $validated = filter_var($tmp_address, FILTER_VALIDATE_URL);
+ } else {
+ $validated = filter_var($url, FILTER_VALIDATE_URL);
+ }
+
+ if ($validated) {
+ // all normal URLs including mailto:
return $url;
+ } elseif (preg_match("#^(\#|\?|//)#i", $url)) {
+ // '//example.com' (Shortcut for protocol.)
+ // '?query=test', #target
+ return $url;
+
} elseif (stripos($url, 'javascript:') === 0) {
// 'javascript:'
+ // Not covered in FILTER_VALIDATE_URL
return $url;
} elseif (preg_match("#^[^/]*\.php(\?.*)?$#i", $url)) {