authorLukas Reschke <lukas@statuscode.ch>2013-05-04 14:47:10 +0400
committerLukas Reschke <lukas@statuscode.ch>2013-05-04 14:47:10 +0400
commitdf54cd5d47951098aa208a01d884d79aa5c0e333 (patch)
tree718bfb28df448912460c0947248487bc9bb9f16a
parentd38c7a1688b3e5cdca0e27effd9be493d1de3605 (diff)
parent8eef7919c1c65e16255f615b217f4ac8db2340af (diff)
Merge pull request #3198 from owncloud/check-url
Bookmarks: Check if url is valid
-rw-r--r--apps/bookmarks/ajax/addBookmark.php9
-rw-r--r--apps/bookmarks/ajax/editBookmark.php6
2 files changed, 14 insertions, 1 deletions
diff --git a/apps/bookmarks/ajax/addBookmark.php b/apps/bookmarks/ajax/addBookmark.php
index b4d0f33d721..187cfe48dbc 100644
--- a/apps/bookmarks/ajax/addBookmark.php
+++ b/apps/bookmarks/ajax/addBookmark.php
@@ -31,6 +31,13 @@ OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('bookmarks');
OCP\JSON::callCheck();
+// Check if it is a valid URL
+if (filter_var($_POST['url'], FILTER_VALIDATE_URL) === FALSE) {
+ OC_JSON::error();
+ exit();
+}
+
+
require_once(OC::$APPSROOT . '/apps/bookmarks/bookmarksHelper.php');
$id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']);
-OCP\JSON::success(array('data' => $id));
\ No newline at end of file
+OCP\JSON::success(array('data' => $id));
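Review bot: The new check on line 28 validates URL syntax only; `FILTER_VALIDATE_URL` accepts any scheme, so a non-web scheme such as `javascript:` or `data:` still passes and is stored as the bookmark, which matters if the stored value is later rendered as a link (not visible here, so hedged). The check also reads `$_POST['url']` without `isset`, emitting a notice when the parameter is absent even though the request is still rejected. A scheme allow-list together with a guarded read covers both: `$url = isset($_POST['url']) ? $_POST['url'] : '';` then `$scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));` and `if (filter_var($url, FILTER_VALIDATE_URL) === false || !in_array($scheme, array('http', 'https'), true)) {`. Minor style points: the error path calls `OC_JSON::error()` while the surrounding code uses the public `OCP\JSON` API, and `FALSE` is uppercase against the file's lowercase keywords. The same check is duplicated verbatim in the apps/bookmarks/ajax/editBookmark.php hunk, so the same changes apply there, ideally via a shared helper in bookmarksHelper.php so the two copies cannot drift.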
diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php
index 36258f70961..5521aab0ef1 100644
--- a/apps/bookmarks/ajax/editBookmark.php
+++ b/apps/bookmarks/ajax/editBookmark.php
@@ -31,6 +31,12 @@ OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('bookmarks');
OCP\JSON::callCheck();
+// Check if it is a valid URL
+if (filter_var($_POST['url'], FILTER_VALIDATE_URL) === FALSE) {
+ OC_JSON::error();
+ exit();
+}
+
$CONFIG_DBTYPE = OCP\Config::getSystemValue( "dbtype", "sqlite" );
if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
$_ut = "strftime('%s','now')";