diff options
| author | Marc Alexander <admin@m-a-styles.de> | 2017-07-26 21:14:05 +0200 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2017-07-26 21:14:05 +0200 |
| commit | 0aba1faa0803af6013c9ac2071e87f117e9c4835 (patch) | |
| tree | f5d1e7aa2f0fc24c3a38f290a8997fc39bf3f768 /phpBB/develop | |
| parent | 91f9050a70d95a472daf9f6fa15187c195f05909 (diff) | |
| download | forums-0aba1faa0803af6013c9ac2071e87f117e9c4835.tar forums-0aba1faa0803af6013c9ac2071e87f117e9c4835.tar.gz forums-0aba1faa0803af6013c9ac2071e87f117e9c4835.tar.bz2 forums-0aba1faa0803af6013c9ac2071e87f117e9c4835.tar.xz forums-0aba1faa0803af6013c9ac2071e87f117e9c4835.zip | |
[ticket/security/211] Do not match javascript URIs with URL regexes
SECURITY-211
Diffstat (limited to 'phpBB/develop')
| -rw-r--r-- | phpBB/develop/regex_idn.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/phpBB/develop/regex_idn.php b/phpBB/develop/regex_idn.php index d871695c50..30373f8de3 100644 --- a/phpBB/develop/regex_idn.php +++ b/phpBB/develop/regex_idn.php @@ -120,7 +120,7 @@ do $pct_encoded = "%[\dA-F]{2}"; $unreserved = "$add_chars\pL0-9\-._~"; $sub_delims = ($inline) ? '!$&\'(*+,;=' : '!$&\'()*+,;='; - $scheme = ($inline) ? '[a-z][a-z\d+]*': '[a-z][a-z\d+\-.]*' ; // avoid automatic parsing of "word" in "last word.http://..." + $scheme = ($inline) ? '[a-z][a-z\d+]*(?<!javascript)': '[a-z][a-z\d+\-.]*(?<!javascript)' ; // avoid automatic parsing of "word" in "last word.http://..." $pchar = "(?:[^$remove_chars]*[$unreserved$sub_delims:@|]+|$pct_encoded)"; // rfc: no "|" $reg_name = "(?:[^$remove_chars]*[$unreserved$sub_delims:@|]+|$pct_encoded)+"; // rfc: * instead of + and no "|" and no "@" and no ":" (included instead of userinfo) |