From d240ceb3453d298a5daf2c4a6ecdcd19d0bdabf7 Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera
Date: Fri, 28 Aug 2020 20:14:02 +0300
Subject: [PATCH] Fixed xss on social buttons

---
 bl-kernel/helpers/sanitize.class.php | 8 +++++++-
 bl-kernel/site.class.php | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/bl-kernel/helpers/sanitize.class.php b/bl-kernel/helpers/sanitize.class.php
index 327e5bd4..f46e5f61 100644
--- a/bl-kernel/helpers/sanitize.class.php
+++ b/bl-kernel/helpers/sanitize.class.php
@@ -30,6 +30,12 @@ class Sanitize {
 return htmlspecialchars_decode($text, $flags);
 }
 
+ // Remove javacript from links
+ public static function noJSLink($text)
+ {
+ return preg_replace("/javascript\s*:\s*/", "", $text);
+ }
+
 public static function pathFile($path, $file=false)
 {
 if ($file!==false){
@@ -81,4 +87,4 @@ class Sanitize {
 
 return 0;
 }
-}
\ No newline at end of file
+}
diff --git a/bl-kernel/site.class.php b/bl-kernel/site.class.php
index a42179f9..b0d90f64 100644
--- a/bl-kernel/site.class.php
+++ b/bl-kernel/site.class.php
@@ -73,6 +73,7 @@ class Site extends dbJSON {
 foreach ($this->dbFields as $field=>$value) {
 if (isset($args[$field])) {
 $finalValue = Sanitize::html($args[$field]);
+ $finalValue = Sanitize::noJSLink($args[$field]);
 if ($finalValue==='false') { $finalValue = false; }
 elseif ($finalValue==='true') { $finalValue = true; }
 settype($finalValue, gettype($value));
@@ -414,4 +415,4 @@ class Site extends dbJSON {
 
 return json_decode($customFields, true);
 }
-}
\ No newline at end of file
+}
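Review bot: `noJSLink` in the first hunk of sanitize.class.php is a case-sensitive, single-pass denylist — the pattern `"/javascript\s*:\s*/"` has no `i` modifier and `preg_replace` is not repeated until the input stops changing, so a stored link can still reach the browser carrying a `javascript:` scheme. A denylist on one spelling is the wrong tool for an `href`: validate the link's scheme against an allow-list via `parse_url` and drop anything that is neither relative nor `http`/`https`/`mailto`, as sketched below. Because the caller in site.class.php applies this helper to every field, a plain-text value such as a title containing a word followed by `:` would also parse as a scheme, so the allow-list check should run only on the fields known to hold URLs (presumably the social-link fields; their names are not visible in the hunk). The comment should also read `// Keep only links with an allow-listed scheme` rather than the misspelled `javacript`.
```php
	// Keep a link only if it is relative or uses an allow-listed scheme; anything else becomes ''
	public static function noJSLink($text)
	{
		// Drop ASCII control characters before parsing; browsers ignore them inside a scheme
		$candidate = preg_replace('/[\x00-\x1F\x7F]+/', '', $text);
		$scheme = parse_url($candidate, PHP_URL_SCHEME);
		if ($scheme === null || $scheme === false) {
			return $text; // no scheme: relative link or plain text, left to the HTML escaper
		}
		return in_array(strtolower($scheme), ['http', 'https', 'mailto'], true) ? $text : '';
	}
```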
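Review bot: The added line `$finalValue = Sanitize::noJSLink($args[$field]);` in site.class.php overwrites the result of `Sanitize::html($args[$field])` on the line above by re-reading the raw `$args[$field]`, so the value that gets stored is no longer HTML-escaped at all — the change removes the existing escaping instead of adding to it. Chain the two sanitizers: `$finalValue = Sanitize::noJSLink($finalValue);` (or `$finalValue = Sanitize::noJSLink(Sanitize::html($args[$field]));` on one line). This loop also runs for every entry in `$this->dbFields`, not only link fields; if `noJSLink` is later tightened to a scheme allow-list, gate the call on the fields that hold URLs. The `foreach` and its enclosing method begin before the hunk and continue past it.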