Commit c5851d8f authored by Robert Lyon, committed by Aaron Wells

Allow prefixes that end in / to try ? and # as well



Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
parent fb3715c6
...@@ -1368,11 +1368,15 @@ function update_safe_iframe_regex() { ...@@ -1368,11 +1368,15 @@ function update_safe_iframe_regex() {
// in future we may need to be more clever. Admins who know // in future we may need to be more clever. Admins who know
// what they're doing, and need something fancy, can always // what they're doing, and need something fancy, can always
// override this in config.php. // override this in config.php.
foreach ($prefixes as $r) { foreach ($prefixes as $key => $r) {
if (!preg_match('/^[a-zA-Z0-9\/\._-]+$/', $r)) { if (!preg_match('/^[a-zA-Z0-9\/\._-]+$/', $r)) {
throw new SystemException('Invalid site passed to update_safe_iframe_regex'); throw new SystemException('Invalid site passed to update_safe_iframe_regex');
} }
if (substr($r, -1) == '/') {
$prefixes[$key] = substr($r, 0, -1) . '($|[/?#])';
}
} }
// Allowed iframe URLs should be one of the partial URIs in iframe_source, // Allowed iframe URLs should be one of the partial URIs in iframe_source,
// prefaced by http:// or https:// or just // (which is a protocol-relative URL) // prefaced by http:// or https:// or just // (which is a protocol-relative URL)
$iframeregexp = '%^(http:|https:|)//(' . str_replace('.', '\.', implode('|', $prefixes)) . ')%'; $iframeregexp = '%^(http:|https:|)//(' . str_replace('.', '\.', implode('|', $prefixes)) . ')%';
......
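Review bot: The boundary group is only appended inside the `if (substr($r, -1) == '/')` branch, so a prefix saved without a trailing slash still goes into `$iframeregexp` as a bare string prefix with nothing required after it, and a host-only entry will match any longer hostname that merely starts with the same characters. Consider stripping an optional trailing slash and appending `($|[/?#])` to every prefix rather than only to those ending in `/`, or rejecting host-only entries that lack the slash. Two smaller points on the same branch: there is no comment saying why end of string, `/`, `?` and `#` are the accepted terminators, and the group can be non-capturing, `(?:$|[/?#])`, since nothing in the visible code reads the capture.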