Skip to content
Snippets Groups Projects
Commit 782382bd authored by Jared Hancock's avatar Jared Hancock
Browse files

External URLs need to route through l.php 

This include URLs in embedded links as well as URLs for external images and
videos embedded via iframe elements.
parent 4fa8fa11
Branches
Tags
No related merge requests found
Hide whitespace changes
Inline Side-by-side
include/class.format.php
+ 66
20
View file @ 782382bd
......@@ -276,10 +276,6 @@ class Format {
function display($text, $inline_images=true) {
global $cfg;
//make urls clickable.
if($cfg && $cfg->clickableURLS() && $text)
$text=Format::clickableurls($text);
//Wrap long words...
#$text=preg_replace_callback('/\w{75,}/',
# create_function(
......@@ -297,6 +293,10 @@ class Format {
},
$text);
//make urls clickable.
if($cfg && $cfg->clickableURLS() && $text)
$text = Format::clickableurls($text);
if ($inline_images)
return self::viewableImages($text);
......@@ -316,23 +316,69 @@ class Format {
global $ost;
$token = $ost->getLinkToken();
//Not perfect but it works - please help improve it.
$text=preg_replace_callback('/(?<!"|>)(((f|ht)tp(s?):\/\/)[-a-zA-Z0-9@:%_\+.~#?&;\/\/=]+)/',
create_function('$matches',
sprintf('return "<a href=\"l.php?url=".urlencode($matches[1])."&auth=%s\" target=\"_blank\">".$matches[1]."</a>";',
$token)),
$text);
$text=preg_replace_callback("/(^|[ \\n\\r\\t])(www\.([a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)(\/[^\/ \\n\\r]*)*)/",
create_function('$matches',
sprintf('return "<a href=\"l.php?url=".urlencode("http://".$matches[2])."&auth=%s\" target=\"_blank\">".$matches[2]."</a>";',
$token)),
$text);
$text=preg_replace("/(^|[ \\n\\r\\t])([_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,4})/",
'\\1<a href="mailto:\\2" target="_blank">\\2</a>', $text);
return $text;
// Find all text between tags
$text = preg_replace_callback(':^[^<]+|>[^<]+:',
function($match) use ($token) {
// Scan for things that look like URLs
$links = preg_replace_callback(
'`(?<!>)(((f|ht)tp(s?)://|(?<!//)www\.)([a-zA-Z0-9_-]+(\.|/|$))+\S*)`',
function ($match) use ($token) {
if (in_array(substr($match[1], -1),
array(',','.','?','!',':',';'))) {
$match[7] = substr($match[1], -1);
$match[1] = substr($match[1], 0, strlen($match[1])-1);
}
return '<a href="l.php?url='.urlencode($match[1])
.sprintf('&auth=%s" target="_blank">', $token)
.$match[1].'</a>'.$match[7];
},
$match[0]);
// Now change email addresses to links with mailto: scheme
return preg_replace(
'/(\b[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,4})/',
'<a href="mailto:\\1" target="_blank">\\1</a>', $links);
},
$text);
// Now change @href and @src attributes to come back through our
// system as well
$config = array(
'hook_tag' => function($e, $a=0) use ($token) {
static $eE = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1,
'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'param'=>1);
if ($e == 'a' && $a) {
if (isset($a['href'])
&& strpos($a['href'], 'l.php?') === false)
$a['href'] = 'l.php?url='.urlencode($a['href'])
.'&amp;auth='.$token;
// ALL link targets open in a new tab
$a['target'] = '_blank';
}
// Images which are external are rewritten to <div
// data-src='url...'/>
elseif ($e == 'div' && $a && isset($a['data-src']))
$a['data-src'] = 'l.php?url='.urlencode($a['data-src'])
.'&amp;auth='.$token;
// URLs for videos need to route too
elseif ($e == 'iframe' && $a && isset($a['src']))
$a['src'] = 'l.php?url='.urlencode($a['src'])
.'&amp;auth='.$token;
$at = '';
if (is_array($a)) {
foreach ($a as $k=>$v)
$at .= " $k=\"$v\"";
return "<{$e}{$at}".(isset($eE[$e])?" /":"").">";
}
else {
return "</{$e}>";
}
},
'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; src: cid, http, https, data',
'elements' => '*+iframe',
'spec' => 'div=data-src,width,height',
);
return Format::html($text, $config);
}
function stripEmptyLines($string) {
......
l.php
+ 10
10
View file @ 782382bd
......@@ -15,14 +15,14 @@
**********************************************************************/
require 'secure.inc.php';
//Basic url validation + token check.
if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
exit('Invalid url');
# PHP < 5.4.7 will not handle a URL like //host.tld/path correctly
if (!($url=trim($_GET['url'])))
Http::response(422, 'Invalid URL');
$check = (strpos($url, '//') === 0) ? 'http:' . $url : $url;
if (!Validator::is_url($check) || !$ost->validateLinkToken($_GET['auth']))
Http::response(403, 'URL link not authorized');
else
Http::redirect($url);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="refresh" content="0;URL=<?php echo $url; ?>"/>
</head>
<body/>
</html>
scp/l.php
+ 10
10
View file @ 782382bd
......@@ -15,14 +15,14 @@
**********************************************************************/
require_once 'staff.inc.php';
//Basic url validation + token check.
if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
exit('Invalid url');
# PHP < 5.4.7 will not handle a URL like //host.tld/path correctly
if (!($url=trim($_GET['url'])))
Http::response(422, 'Invalid URL');
$check = (strpos($url, '//') === 0) ? 'http:' . $url : $url;
if (!Validator::is_url($check) || !$ost->validateLinkToken($_GET['auth']))
Http::response(403, 'URL link not authorized');
else
Http::redirect($url);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="refresh" content="0; URL=<?php echo $url; ?>"/>
</head>
<body/>
</html>
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment