From e149c9f97d5f6df0dd7e8a0f83446fbbf7cedd32 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Sat, 2 May 2020 19:42:34 +0200
Subject: [PATCH] Fix reflected XSS vulnerability
---
 chat.php | 8 ++++++--
 lang_de.php | 1 +
 lang_en.php | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/chat.php b/chat.php
index 79f468d..e57dd58 100644
--- a/chat.php
+++ b/chat.php
@@ -368,7 +368,7 @@ function print_start($class='', $ref=0, $url=''){
 function send_redirect($url){
 global $I;
- $url=htmlspecialchars_decode(rawurldecode($url));
+ $url=trim(htmlspecialchars_decode(rawurldecode($url)));
 preg_match('~^(.*)://~u', $url, $match);
 $url=preg_replace('~^(.*)://~u', '', $url);
 $escaped=htmlspecialchars($url);
@@ -380,7 +380,11 @@ function send_redirect($url){
 if(!isset($match[0])){
 $match[0]='';
 }
- echo "
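Review bot: The prefix captured by `preg_match('~^(.*)://~u', $url, $match)` is user-controlled text from the decoded URL, but only the remainder is escaped on the `$escaped=htmlspecialchars($url);` line, and the second hunk echoes `$match[0]$escaped` into the page, so as far as this patch shows the scheme prefix reaches the HTML unescaped — unless chat.php lines 375-379, which the patch omits, escape it. Escaping it once where the remainder is escaped closes that sink regardless of which branch prints it: `$match[0]=isset($match[0])?htmlspecialchars($match[0]):'';`. Note also that with the `u` modifier `preg_replace` returns null on malformed UTF-8 input, so `$url` can be null by the time `htmlspecialchars($url)` runs; a `(string)` cast or an explicit check would keep the output well-defined. send_redirect continues past this hunk.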

$I[nonhttp] $match[0]$escaped.

"; + if(preg_match('~^(javascript|blob|data):~', $url)){ + echo "

$I[dangerousnonhttp] $match[0]$escaped

"; + } else { + echo "

$I[nonhttp] $match[0]$escaped.

"; + } echo "

$I[httpredir] http://$escaped.

";
 }
 print_end();
diff --git a/lang_de.php b/lang_de.php
index 25b05db..3991c72 100644
--- a/lang_de.php
+++ b/lang_de.php
@@ -241,6 +241,7 @@ $T=[
 'YellowGreen' => 'Gelbgrün',
 'redirectto' => 'Leite weiter zu:',
 'nonhttp' => 'Nicht-http Adresse angefordert:',
+ 'dangerousnonhttp' => 'Nicht-http Adresse angefordert. Kopieren Sie diesen Link und fügen ihn ein, falls Sie wirklich sicher sind.:',
 'httpredir' => 'Wenn sie nicht funktioniert, probiere diese:',
 'actions' => 'Aktionen',
 'sesip' => 'IP-Adresse',
diff --git a/lang_en.php b/lang_en.php
index c0805e3..a0d8fa0 100644
--- a/lang_en.php
+++ b/lang_en.php
@@ -241,6 +241,7 @@ $I=[
 'YellowGreen' => 'Yellow green',
 'redirectto' => 'Redirecting to:',
 'nonhttp' => 'Non-http link requested:',
+ 'dangerousnonhttp' => 'Dangerous non-http link requested, copy paste this link if you are really sure:',
 'httpredir' => 'If it\'s not working, try this one:',
 'actions' => 'Actions',
 'sesip' => 'IP-Address',
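Review bot: The new check `preg_match('~^(javascript|blob|data):~', $url)` is case-sensitive and is applied to `$url` after the first hunk has already stripped any `(.*)://` prefix into `$match[0]`, so a scheme written in a different case, or one followed by `//`, is not caught and falls through to the ordinary `nonhttp` branch, which prints the same `$match[0]$escaped` text. Test the reassembled value with the `i` modifier instead: `if(preg_match('~^(javascript|blob|data):~i', $match[0].$url)){`. A denylist of three schemes is also fragile; if the chat only intends to forward a known set of schemes, an allowlist with everything else routed to the `dangerousnonhttp` branch is the more durable shape. The enclosing if/else and the end of send_redirect lie outside the hunk.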