
Web: sanitize user URLs to prevent XSS attacks #5495

Merged: 1 commit from dpa_user_url into master, Jan 19, 2024

Conversation

davidpanderson (Contributor)

Add a function sanitize_user_url() to do this.
It accepts things like

google.com
http://google.com
https://google.com?blah=foo&x=y

but nothing else.
There doesn't seem to be a PHP function that works, and Stack Overflow didn't yield anything plausible.

When showing a user page,
show 'Invalid URL' if it's nonempty and doesn't pass this.

When a user edits their info, show an error page if they enter an invalid URL.

Fixes #5491

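The following PHP is an added illustration of the behaviour the PR describes; it is not the sanitize_user_url() function this PR adds to BOINC, and all function names in it are hypothetical. It shows an allow-list check that accepts the three listed forms (bare host, http://, https:// with a query) and nothing else, the user-page rule (render the literal text 'Invalid URL' when the stored value is non-empty and fails the check), and the edit-form rule (refuse to store an invalid value). The sample inputs at the bottom are constructed.

```php
<?php
// Added example, not the sanitize_user_url() introduced by this PR.
// Allow-list validation of a user-supplied homepage URL plus the two
// call sites the PR describes (user page display, edit-form check).
// All function names here are hypothetical.

// Returns the trimmed URL if it is acceptable, null otherwise.
// Accepted: a bare host ("google.com") or an http/https URL with an
// optional port, path and query. Everything else (other schemes,
// userinfo, whitespace, quotes, angle brackets, fragments) is rejected,
// which removes the characters an injected attribute or tag would need.
function validate_user_url_example(string $url): ?string {
    $url = trim($url);
    if ($url === '' || strlen($url) > 255) {
        return null;
    }
    // '#' is the PCRE delimiter so '/' and '~' inside the pattern need no escaping.
    $pattern = '#^(?:https?://)?'                          // optional scheme
             . '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?'           // first host label
             . '(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+'    // further labels (at least one dot)
             . '(?::[0-9]{1,5})?'                          // optional port
             . '(?:/[a-z0-9._~%/+-]*)?'                    // optional path
             . '(?:\?[a-z0-9._~%&=+-]*)?$#i';              // optional query
    return preg_match($pattern, $url) === 1 ? $url : null;
}

// User page: an empty value stays empty, an invalid value renders as the
// literal text 'Invalid URL', a valid one becomes an escaped link.
function user_url_display_example(string $url): string {
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    $clean = validate_user_url_example($url);
    if ($clean === null) {
        return 'Invalid URL';
    }
    // Prefix a scheme for the bare-host form so the browser does not
    // resolve it relative to the current page.
    $href = preg_match('#^https?://#i', $clean) === 1 ? $clean : 'http://' . $clean;
    // Escape on output as well: input validation and output escaping are
    // separate defenses and both are kept.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Edit form: true when the submitted value may be stored (empty is allowed).
// The caller shows its error page when this returns false.
function user_url_is_storable_example(string $url): bool {
    $url = trim($url);
    return $url === '' || validate_user_url_example($url) !== null;
}

// Constructed sample inputs: the three forms the PR accepts plus two
// that must be refused (a non-http scheme, and a quote inside the path).
$samples = [
    'google.com',
    'http://google.com',
    'https://google.com?blah=foo&x=y',
    'javascript:alert(1)',
    'http://example.com/"x',
];
foreach ($samples as $s) {
    printf("%-35s storable=%s  display=%s\n",
        $s,
        user_url_is_storable_example($s) ? 'yes' : 'no',
        user_url_display_example($s));
}
```

Run it with `php file.php`; the first three samples print as links and the last two print `storable=no` and `Invalid URL`. The regex requires at least one dot in the host and only the http/https scheme, so a bare scheme-style string such as the fourth sample never matches as a host.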
AenBleidd (Member)

@nilsjh, could you please check that this PR fixes the issues?
Thank you in advance.

nilsjh commented Jan 19, 2024

Thanks! When applied to our dev project, I get "Invalid URL" when trying both the XSS POF and other invalid URLs.

@AenBleidd AenBleidd merged commit de2a70d into master Jan 19, 2024
86 checks passed
@AenBleidd AenBleidd deleted the dpa_user_url branch January 19, 2024 14:02
Successfully merging this pull request may close these issues.

URL field not sanitized on edit_user_info_form.php