Merge pull request #3 from alromh87/master

Fixed xss on social buttons

bl-kernel/helpers/sanitize.class.php

@@ -30,6 +30,16 @@ class Sanitize {
 		return htmlspecialchars_decode($text, $flags);
 	}
 
+	// Remove javascript from links
+	public static function noJSLink($text)
+	{
+		$text = preg_replace("/\s+/", "", $text);
+		while(strpos($text, 'javascript:')===0){
+			$text = preg_replace("/javascript\s*:\s*/", "", $text);
+		}
+		return $text;
+	}
+
 	public static function pathFile($path, $file=false)
 	{
 		if ($file!==false){
@@ -81,4 +91,4 @@ class Sanitize {
 			return 0;
 	}
 
-}
+}

bl-kernel/site.class.php

@@ -49,6 +49,18 @@ class Site extends dbJSON {
 		'markdownParser'=>	true,
 		'customFields'=>	'{}'
 	);
+	private $linkKeys = array(
+		'twitter',
+		'facebook',
+		'codepen',
+		'instagram',
+		'github',
+		'gitlab',
+		'linkedin',
+		'mastodon',
+		'dribbble',
+		'vk'
+	);
 
 	function __construct()
 	{
@@ -73,6 +85,12 @@ class Site extends dbJSON {
 		foreach ($this->dbFields as $field=>$value) {
 			if (isset($args[$field])) {
 				$finalValue = Sanitize::html($args[$field]);
+				$finalValue = Sanitize::noJSLink($finalValue);
+				if (in_array($field,$this->linkKeys)){
+					if (!filter_var($finalValue, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED)) {
+						$finalValue = "";
+					}
+				}
 				if ($finalValue==='false') { $finalValue = false; }
 				elseif ($finalValue==='true') { $finalValue = true; }
 				settype($finalValue, gettype($value));
@@ -414,4 +432,4 @@ class Site extends dbJSON {
 		return json_decode($customFields, true);
 	}
 
-}
+}