Commit c5851d8f authored by Robert Lyon's avatar Robert Lyon Committed by Aaron Wells

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent fb3715c6
......@@ -1368,11 +1368,15 @@ function update_safe_iframe_regex() {
// in future we may need to be more clever. Admins who know
// what they're doing, and need something fancy, can always
// override this in config.php.
foreach ($prefixes as $r) {
foreach ($prefixes as $key => $r) {
if (!preg_match('/^[a-zA-Z0-9\/\._-]+$/', $r)) {
throw new SystemException('Invalid site passed to update_safe_iframe_regex');
}
if (substr($r, -1) == '/') {
$prefixes[$key] = substr($r, 0, -1) . '($|[/?#])';
}
}
// Allowed iframe URLs should be one of the partial URIs in iframe_source,
// prefaced by http:// or https:// or just // (which is a protocol-relative URL)
$iframeregexp = '%^(http:|https:|)//(' . str_replace('.', '\.', implode('|', $prefixes)) . ')%';
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment