kazhnuz/koblog
1
0
Fork 0
Code Issues 31 Pull requests Projects 3 Releases Packages Wiki Activity Actions

Fixed xss on social buttons

Browse source
This commit is contained in:
Alejandro Romero Herrera 2020-08-28 20:14:02 +03:00
parent ca0d973a24
commit d240ceb345
2 changed files with 9 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
bl-kernel/helpers/sanitize.class.php
View file

@ -30,6 +30,12 @@ class Sanitize {
return htmlspecialchars_decode($text, $flags); return htmlspecialchars_decode($text, $flags);
} }
// Remove javacript from links
public static function noJSLink($text)
{
return preg_replace("/javascript\s*:\s*/", "", $text);
}
public static function pathFile($path, $file=false) public static function pathFile($path, $file=false)
{ {
if ($file!==false){ if ($file!==false){
@ -81,4 +87,4 @@ class Sanitize {
return 0; return 0;
} }
} }

3
bl-kernel/site.class.php
View file

@ -73,6 +73,7 @@ class Site extends dbJSON {
foreach ($this->dbFields as $field=>$value) { foreach ($this->dbFields as $field=>$value) {
if (isset($args[$field])) { if (isset($args[$field])) {
$finalValue = Sanitize::html($args[$field]); $finalValue = Sanitize::html($args[$field]);
$finalValue = Sanitize::noJSLink($args[$field]);
if ($finalValue==='false') { $finalValue = false; } if ($finalValue==='false') { $finalValue = false; }
elseif ($finalValue==='true') { $finalValue = true; } elseif ($finalValue==='true') { $finalValue = true; }
settype($finalValue, gettype($value)); settype($finalValue, gettype($value));
@ -414,4 +415,4 @@ class Site extends dbJSON {
return json_decode($customFields, true); return json_decode($customFields, true);
} }
} }