Sanitize text fields

This commit is contained in:
Julian Prieber 2024-02-05 19:03:49 +01:00
parent debb028a7d
commit cc6a1195b3
2 changed files with 23 additions and 2 deletions


@ -139,3 +139,15 @@ function footer($key)
} }
return $title; return $title;
} }
function strip_tags_except_allowed_protocols($str) {
preg_match_all('/<a[^>]+>(.*?)<\/a>/i', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $val) {
if (!preg_match('/href=["\'](http:|https:|mailto:|tel:)[^"\']*["\']/', $val[0])) {
$str = str_replace($val[0], $val[1], $str);
}
}
return $str;
}
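Review bot: The scheme check in `if (!preg_match('/href=["\'](http:|https:|mailto:|tel:)[^"\']*["\']/', $val[0]))` is run against `$val[0]`, the whole `<a …>…</a>` match including the link text, so an anchor such as `<a href="javascript:alert(1)">href="https://x" click</a>` is kept because the allowed pattern is found in the text, and a tag carrying two href attributes (`href="javascript:…" href="https://…"`) is kept while the browser honours the first one. The outer pattern `/<a[^>]+>(.*?)<\/a>/i` has no `s` modifier, so an anchor whose text contains a newline never matches and is returned untouched, as is any `<a …>` without a closing tag, which a browser still renders. I would rewrite the function with preg_replace_callback, judging only the first href inside the opening tag's attribute string and returning the link text when it fails, as below; that also drops the `str_replace($val[0], …)` which rewrites every identical substring rather than the match it examined. Even with that, this function only vets the href: `strip_tags` leaves every other attribute in place, so `onmouseover=` or `style=` on `<a>`, `<p>` or any other allowed tag still reaches the stored text and needs an attribute allow-list or a real HTML sanitizer on top.
```php
function strip_tags_except_allowed_protocols($str) {
    // `s`: link text may span lines; `i`: also matches </A> and HREF=.
    return preg_replace_callback('/<a\b([^>]*)>(.*?)<\/a>/is', function ($m) {
        // Judge only the first href in the opening tag: that is the one browsers use.
        if (preg_match('/(?<![\w-])href\s*=\s*["\']([^"\']*)["\']/i', $m[1], $href)
            && preg_match('/^\s*(https?:|mailto:|tel:)/i', $href[1])) {
            return $m[0];
        }
        return $m[2]; // disallowed or missing href: drop the tag, keep its text
    }, $str);
}
```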


@ -264,9 +264,13 @@ class UserController extends Controller
'button_id' => "42", 'button_id' => "42",
]); ]);
}elseif($linkType->typename == "text"){ }elseif($linkType->typename == "text"){
$sanitizedText = $request->text;
$sanitizedText = strip_tags($sanitizedText, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
$sanitizedText = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $sanitizedText);
$sanitizedText = strip_tags_except_allowed_protocols($sanitizedText);
$OrigLink->update([ $OrigLink->update([
'button_id' => "93", 'button_id' => "93",
'title' => $request->text, 'title' => $sanitizedText,
]); ]);
}elseif($linkType->typename == "email"){ }elseif($linkType->typename == "email"){
$LinkURL = "mailto:".$LinkURL; $LinkURL = "mailto:".$LinkURL;
@ -387,8 +391,12 @@ class UserController extends Controller
}elseif($linkType->typename == "heading"){ }elseif($linkType->typename == "heading"){
$links->button_id = "42"; $links->button_id = "42";
}elseif($linkType->typename == "text"){ }elseif($linkType->typename == "text"){
$sanitizedText = $request->text;
$sanitizedText = strip_tags($sanitizedText, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
$sanitizedText = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $sanitizedText);
$sanitizedText = strip_tags_except_allowed_protocols($sanitizedText);
$links->button_id = "93"; $links->button_id = "93";
$links->title = $request->text; $links->title = $sanitizedText;
}elseif($linkType->typename == "email"){ }elseif($linkType->typename == "email"){
$links->link = "mailto:".$links->link; $links->link = "mailto:".$links->link;
$links->button_id = $button?->id; $links->button_id = $button?->id;
@ -789,6 +797,7 @@ class UserController extends Controller
$pageName = $request->littlelink_name; $pageName = $request->littlelink_name;
$pageDescription = strip_tags($request->pageDescription, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>'); $pageDescription = strip_tags($request->pageDescription, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
$pageDescription = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $pageDescription); $pageDescription = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $pageDescription);
$pageDescription = strip_tags_except_allowed_protocols($pageDescription);
$name = $request->name; $name = $request->name;
$checkmark = $request->checkmark; $checkmark = $request->checkmark;
$sharebtn = $request->sharebtn; $sharebtn = $request->sharebtn;
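Review bot: On the line `$sanitizedText = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $sanitizedText);` a user-supplied `rel=` attribute survives inside `$1` and precedes the appended one, and browsers honour the first occurrence of an attribute, so the `noopener noreferrer nofollow` intent can be overridden by the submitted markup; either remove any existing `rel` first or emit the forced value ahead of the captured attributes, `"<a rel=\"noopener noreferrer nofollow\" $1>"`. The same four-line pipeline is pasted into both `text` branches and again for `$pageDescription`, and the copies already differ slightly, so a single helper beside `strip_tags_except_allowed_protocols`, e.g. `function sanitize_rich_text($html)`, called from all three places would keep the allow-list in one spot. Note that `strip_tags` with an allow-list filters only tag names: event-handler and `style` attributes on `<p>`, `<strong>` or an accepted `<a href="https://…">` are still stored in `title`, so whether this is safe depends on how the title is rendered, which is outside these hunks. `$request->text` may also be null, which `strip_tags(null)` accepts only with a deprecation notice on PHP 8.1+; `(string) $request->text` avoids that.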