authorBadlop <badlop@process-one.net>2009-02-21 12:30:23 +0300
committerBadlop <badlop@process-one.net>2009-02-21 12:30:23 +0300
commitad486073270eb4e214bcf9c690d7342ea180ab74 (patch)
tree48ce729879b9038800cdcef288b4e3f8aef68c1b
parentfea7eac245507b65423800983870144d5b493bac (diff)
Merge r1879 from trunk:
* src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by linkifying only a few known protocols (EJAB-850) SVN Revision: 1905
-rw-r--r--ChangeLog3
-rw-r--r--src/mod_muc/mod_muc_log.erl3
2 files changed, 5 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 9fa9fad22..b64bd1f6d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
2009-02-21 Badlop <badlop@process-one.net>
+ * src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by
+ linkifying only a few known protocols (EJAB-850)
+
* src/mod_roster.erl: When account is deleted, cancel presence
subscription for all roster items (EJAB-790)
* src/mod_roster_odbc.erl: Likewise
diff --git a/src/mod_muc/mod_muc_log.erl b/src/mod_muc/mod_muc_log.erl
index 75aee4d77..1ebff1b2d 100644
--- a/src/mod_muc/mod_muc_log.erl
+++ b/src/mod_muc/mod_muc_log.erl
@@ -701,7 +701,8 @@ htmlize2(S1, NoFollow) ->
S2 = element(2, regexp:gsub(S1, "\\&", "\\&amp;")),
S3 = element(2, regexp:gsub(S2, "<", "\\&lt;")),
S4 = element(2, regexp:gsub(S3, ">", "\\&gt;")),
- S5 = element(2, regexp:gsub(S4, "[-+.a-zA-Z0-9]+://[^] )\'\"}]+", link_regexp(NoFollow))),
+ S5 = element(2, regexp:gsub(S4, "(http|https|ftp|mailto|xmpp)://[^] )\'\"}]+",
+ link_regexp(NoFollow))),
%% Remove 'right-to-left override' unicode character 0x202e
element(2, regexp:gsub(S5, [226,128,174], "[RLO]")).
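Review bot: The `mailto` alternative in the new pattern on the `S5 =` line can never match a real mailto URI, because the pattern requires `://` after the scheme while mailto links are written `mailto:user@host`; either drop it from the group, e.g. `"(http|https|ftp|xmpp)://[^] )\'\"}]+"`, or handle `mailto:` with its own pattern. The allowlist is also matched case-sensitively, so `HTTP://...`, which the removed pattern linkified, is now left as plain text — a comment above the line stating that this narrowing is deliberate would help, such as `%% Linkify only an allowlist of schemes so that a user-chosen scheme is never turned into a link (EJAB-850)`. The parentheses also introduce a capture group; if `link_regexp/1` (outside the hunk) builds its replacement with a numbered back-reference rather than `&`, the group numbering has shifted — confirm against that function. The enclosing `htmlize2/2` starts above the hunk; only its signature is visible in the hunk header.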