Page MenuHomePhabricator

Use $wgUrlProtocols API protocol whitelist
Closed, ResolvedPublic

Description

Patch using $wgUrlProtocols in the API

formatHTML() uses a protocol whitelist to avoid protocol injections (such as javascript:, see r17105).
However, this list is arbitrary. It should be detecting the same protocols accepted into the wiki ie. $wgUrlProtocols


Version: 1.14.x
Severity: enhancement

Attached:

Details

Reference
bz15392

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:20 PM
bzimport set Reference to bz15392.

Bryan.TongMinh wrote:

Why was ://.*? replaced by .*? in preg_replace?

Because $wgUrlProtocols already contains the :// for the which need it (it also has protocols, such as mailto: which don't have slashes, i think supporting them is also ok).

Bryan.TongMinh wrote:

Patch committed in r40278.