diff -ur phpBB2.orig/includes/bbcode.php phpBB2/includes/bbcode.php
--- phpBB2.orig/includes/bbcode.php 2006-06-09 16:29:41.000000000 +0200
+++ phpBB2/includes/bbcode.php 2006-07-03 13:26:27.000000000 +0200
@@ -194,13 +194,17 @@
$patterns = array();
$replacements = array();
+ // These are the URL schemas we trust to be safe. This is to prevent
+ // cross side scripting with javascript:, chrome: etc urls.
+ $allowed_urlschemas = '(?:http|https|ftp|news|nntp|telnet|gopher|mailto)';
+
// [img]image_url_here[/img] code..
// This one gets first-passed..
- $patterns[] = "#\[img:$uid\]([^?](?:[^\[]+|\[(?!url))*?)\[/img:$uid\]#i";
+ $patterns[] = "#\[img:$uid\]($allowed_urlschemas://[^ \"\n\r\t<]*?)\[/img:$uid\]#si";
$replacements[] = $bbcode_tpl['img'];
// matches a [url]xxxx://www.phpbb.com[/url] code..
- $patterns[] = "#\[url\]([\w]+?://([\w\#$%&~/.\-;:=,?@\]+]+|\[(?!url=))*?)\[/url\]#is";
+ $patterns[] = "#\[url\]($allowed_urlschemas://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
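Review bot: The `mailto` entry in `$allowed_urlschemas` is dead in every pattern that uses the list, because the `[img]` and `[url]` patterns here (and the `[url=...]` pattern in the second hunk) all append `://` right after the alternation, while `mailto:` URLs carry no `//`; either drop it or annotate the list, e.g. `// Only scheme:// forms are matched below; mailto: (no //) never matches here.` The `[img]` capture class `[^ \"\n\r\t<]*?` excludes the double quote, `<` and whitespace but not the single quote, so it is only safe as long as `$bbcode_tpl['img']` (not visible in this hunk) quotes the `src` attribute with double quotes; a comment at the pattern such as `// relies on the img template using double-quoted attributes` would keep a later template edit from silently reopening attribute breakout. The scheme check itself is sound: the alternation is anchored directly after the opening tag and the `i` modifier covers case variants. Minor wording in the new comment: "cross side scripting" should read "cross-site scripting".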
@@ -208,7 +212,7 @@
$replacements[] = $bbcode_tpl['url2'];
// [url=xxxx://www.phpbb.com]phpBB[/url] code..
- $patterns[] = "#\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
+ $patterns[] = "#\[url=($allowed_urlschemas://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).