kazhnuz/koblog
1
0
Fork 0
Code Issues 31 Pull requests Projects 3 Releases Packages Wiki Activity Actions

Recursively erase javascript URI scheme in noJSLink to avoid XSS

Browse source
This commit is contained in:
Alejandro Romero Herrera 2020-08-31 12:27:49 +03:00
parent d5be0c0cdb
commit e2226c01e7
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
bl-kernel/helpers/sanitize.class.php
View file

@ -30,10 +30,14 @@ class Sanitize {
return htmlspecialchars_decode($text, $flags); return htmlspecialchars_decode($text, $flags);
} }
// Remove javacript from links // Remove javascript from links
public static function noJSLink($text) public static function noJSLink($text)
{ {
return preg_replace("/javascript\s*:\s*/", "", $text); $text = trim($text);
while(strpos($text, 'javascript')===0){
$text = preg_replace("/javascript\s*:\s*/", "", $text);
}
return $text;
} }
public static function pathFile($path, $file=false) public static function pathFile($path, $file=false)