Commit 64356c94 authored by Aaron Wells's avatar Aaron Wells Committed by Gerrit Code Review

Fix "Invalid array key 'url'" warnings

Bug 1409545: Also cleaning up this old & messy function

Change-Id: I9c338aa35208148811bdfe77aee4938f23d8313f
parent 247c10a2
......@@ -459,66 +459,54 @@ class PluginBlocktypeExternalfeed extends SystemBlocktype {
* actual logo associated with the feed)
*/
private static function make_feed_image_tag($image) {
$result = '';
if ($image['url']) {
$image['url'] = sanitize_url($image['url']);
}
if (!$image['url']) {
return '';
}
if (is_string($image)) {
if (is_https() and stripos($image, 'http://') !== false) {
// HTTPS sites should not display HTTP images
return '';
// Depending on whether they're using RSS or ATOM, the image may
// be an array of properties about the feed image, or it may be
// just the URL of the image.
if (is_array($image)) {
if (isset($image['url'])) {
$imageurl = $image['url'];
}
else {
$imageurl = '';
}
return '<img src="' . hsc($image) . '">';
}
if ($image['link']) {
$image['link'] = sanitize_url($image['link']);
}
if (!empty($image['link'])) {
$result .= '<a href="' . $image['link'] . '">';
else {
$imageurl = $image;
$image = array(
'url' => $imageurl
);
}
$url = $image['url'];
// Try and fix URLs that aren't absolute. The standards all say URLs
// are supposed to be absolute in RSS feeds, yet still some people
// can't even get the basics right...
if (substr($url, 0, 1) == '/' && !empty($image['link'])) {
$url = $image['link'] . $image['url'];
// Make sure it's a valid URL.
$imageurl = sanitize_url($imageurl);
if (!$imageurl) {
return '';
}
if (is_https() and stripos($url, 'http://') !== false) {
// HTTPS sites should not display HTTP images
return '';
// If we're in HTTPS, make sure the image URL is not HTTP
if (is_https()) {
$imageurl = preg_replace('#^http://#', 'https://', $imageurl);
}
$result .= '<img src="' . hsc($url) . '"';
// Required by the specification, but we can't count on it...
$result = "<img src=\"{$imageurl}\"";
// The specification says there should be a title, but it's not always present.
if (!empty($image['title'])) {
$result .= ' alt="' . hsc($image['title']) . '"';
$result .= ' alt="' . htmlentities($image['title']) . '"';
}
if (!empty($image['width']) || !empty($image['height'])) {
$result .= ' style="';
if (!empty($image['width'])) {
$result .= 'width: ' . hsc($image['width']) . 'px;"';
}
if (!empty($image['height'])) {
$result .= 'height: ' . hsc($image['height']) . 'px;"';
// There may be height & weight attributes
foreach (array('height', 'width') as $attribute) {
if (isset($image[$attribute]) && ((int) $image[$attribute])) {
$result .= " {$attribute}=\"" . (int) $image[$attribute] . '"';
}
$result .= '"';
}
$result .= " />";
$result .= '>';
// A "link" tag indicates that the image should be a clickable link to another URL
if (!empty($image['link'])) {
$result .= '</a>';
$link = sanitize_url($image['link']);
if ($link) {
$result = "<a href=\"{$link}\">{$result}</a>";
}
}
return $result;
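Review bot: The rewritten `make_feed_image_tag` interpolates `$imageurl` and `$link` into the `src` and `href` attributes without HTML-escaping, whereas the removed code passed the image URL through `hsc()`. Both values originate in a remote feed, and this hunk does not show whether `sanitize_url()` rejects every quote or angle bracket, so escaping belongs at the point of output: `$result = '<img src="' . hsc($imageurl) . '"';` and `$result = '<a href="' . hsc($link) . '">' . $result . '</a>';`. The `alt` value also moves from `hsc()` to `htmlentities()`, whose default flags and charset depend on the PHP version; keeping `hsc()` would stay consistent with the escaping helper used elsewhere in this function. The comment "height & weight" should read "height & width".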
......
......@@ -4151,7 +4151,13 @@ function sanitize_url($url) {
return '';
}
}
if (!in_array($parsedurl['scheme'], array('https', 'http', 'ftp', 'mailto'))) {
// Make sure the URL starts with a valid protocol (or "//", indicating that it's protocol-relative)
if (
!(
in_array($parsedurl['scheme'], array('https', 'http', 'ftp', 'mailto'))
|| preg_match('#^//[a-zA-Z0-9]#', $url) === 1
)
) {
return '';
}
if (!filter_var($url, FILTER_VALIDATE_URL)) {
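Review bot: The new condition still reads `$parsedurl['scheme']` without a guard. If `$parsedurl` comes from `parse_url()` (presumably, the assignment is above the hunk), a protocol-relative URL such as `//host/path` has no `scheme` key, so the case this commit adds can itself raise an undefined-key warning. A guarded and strict form would be `(isset($parsedurl['scheme']) && in_array($parsedurl['scheme'], array('https', 'http', 'ftp', 'mailto'), true))`. The `filter_var($url, FILTER_VALIDATE_URL)` check on the following line also appears to require a scheme, so a `//` URL accepted here may still be rejected there. The rest of `sanitize_url` lies outside the hunk, so both points need confirming against the full function.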
......