From 43b61590e51980965c8c9731d79e0b1479e8feb6 Mon Sep 17 00:00:00 2001
From: diosmosis <diosmosis@users.noreply.github.com>
Date: Mon, 10 Dec 2018 11:29:46 -0800
Subject: Introduce whitelist test for link protocols. (#13798)

* Introduce whitelist test for link protocols.

* Two more url fixes.

* Add whole_url escape filter to do url trustworthiness check.

* Use whole_url in conjunction w/ html_attr, since twig will automatically apply html if not done.

* Use existing safelink filter.

* Regex tweak.
---
 plugins/Events/templates/_actionEvent.twig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins/Events')

diff --git a/plugins/Events/templates/_actionEvent.twig b/plugins/Events/templates/_actionEvent.twig
index d360a0410c..9b2588aa2c 100644
--- a/plugins/Events/templates/_actionEvent.twig
+++ b/plugins/Events/templates/_actionEvent.twig
@@ -15,7 +15,7 @@
                 action.url|trim|lower starts with 'data:' %}
                     {{ action.url }}
                 {% else %}
-                    <a href="{{ action.url }}" rel="noreferrer noopener" target="_blank" class="truncated-text-line">
+                    <a href="{{ action.url|safelink|e('html_attr') }}" rel="noreferrer noopener" target="_blank" class="truncated-text-line">
                         {{ action.url|replace({'http://': '', 'https://': ''}) }}
                     </a>
                 {% endif %}
-- 
cgit v1.2.3