Introduce whitelist test for link protocols. (#13798)

* Introduce whitelist test for link protocols. * Two more url fixes. * Add whole_url escape filter to do url trustworthiness check. * Use whole_url in conjunction w/ html_attr, since twig will automatically apply html if not done. * Use existing safelink filter. * Regex tweak.
author: diosmosis <diosmosis@users.noreply.github.com> 2018-12-10 22:29:46 +0300
committer: GitHub <noreply@github.com> 2018-12-10 22:29:46 +0300
commit: 43b61590e51980965c8c9731d79e0b1479e8feb6 (patch)
tree: 4fa7af2b7fbf7dd635af1bab02be31f0653d2acc /plugins/Events
parent: 4d61d27f1a5faa4470a6831fa077733e3b8a208d (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins/Events/templates/_actionEvent.twig b/plugins/Events/templates/_actionEvent.twig
index d360a0410c..9b2588aa2c 100644
--- a/plugins/Events/templates/_actionEvent.twig
+++ b/plugins/Events/templates/_actionEvent.twig
@@ -15,7 +15,7 @@
                 action.url|trim|lower starts with 'data:' %}
                     {{ action.url }}
                 {% else %}
-                    <a href="{{ action.url }}" rel="noreferrer noopener" target="_blank" class="truncated-text-line">
+                    <a href="{{ action.url|safelink|e('html_attr') }}" rel="noreferrer noopener" target="_blank" class="truncated-text-line">
                         {{ action.url|replace({'http://': '', 'https://': ''}) }}
                     </a>
                 {% endif %}
author	diosmosis <diosmosis@users.noreply.github.com>	2018-12-10 22:29:46 +0300
committer	GitHub <noreply@github.com>	2018-12-10 22:29:46 +0300
commit	43b61590e51980965c8c9731d79e0b1479e8feb6 (patch)
tree	4fa7af2b7fbf7dd635af1bab02be31f0653d2acc /plugins/Events
parent	4d61d27f1a5faa4470a6831fa077733e3b8a208d (diff)