Fixed xss on social buttons

2020-08-28 20:14:02 +03:00 · 2020-08-28 20:14:02 +03:00 · d240ceb345
commit d240ceb345
parent ca0d973a24
2 changed files with 9 additions and 2 deletions
--- a/bl-kernel/helpers/sanitize.class.php
+++ b/bl-kernel/helpers/sanitize.class.php
@ -30,6 +30,12 @@ class Sanitize {
 		return htmlspecialchars_decode($text, $flags);
 	}

+	// Remove javacript from links
+	public static function noJSLink($text)
+	{
+		return preg_replace("/javascript\s*:\s*/", "", $text);
+	}
+
 	public static function pathFile($path, $file=false)
 	{
 		if ($file!==false){
@ -81,4 +87,4 @@ class Sanitize {
 			return 0;
 	}

-}
+}
--- a/bl-kernel/site.class.php
+++ b/bl-kernel/site.class.php
@ -73,6 +73,7 @@ class Site extends dbJSON {
 		foreach ($this->dbFields as $field=>$value) {
 			if (isset($args[$field])) {
 				$finalValue = Sanitize::html($args[$field]);
+				$finalValue = Sanitize::noJSLink($args[$field]);
 				if ($finalValue==='false') { $finalValue = false; }
 				elseif ($finalValue==='true') { $finalValue = true; }
 				settype($finalValue, gettype($value));
@ -414,4 +415,4 @@ class Site extends dbJSON {
 		return json_decode($customFields, true);
 	}

-}
+}