author | Badlop <badlop@process-one.net> | 2009-02-21 12:30:23 +0300 |
committer | Badlop <badlop@process-one.net> | 2009-02-21 12:30:23 +0300 |
commit | ad486073270eb4e214bcf9c690d7342ea180ab74 (patch) | |
tree | 48ce729879b9038800cdcef288b4e3f8aef68c1b | |
parent | fea7eac245507b65423800983870144d5b493bac (diff) |
Merge r1879 from trunk:
* src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by
linkifying only a few known protocols (EJAB-850)
SVN Revision: 1905
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | src/mod_muc/mod_muc_log.erl | 3 |
2 files changed, 5 insertions, 1 deletions
@@ -1,5 +1,8 @@
 2009-02-21 Badlop <badlop@process-one.net>
+ * src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by
+ linkifying only a few known protocols (EJAB-850)
+ * src/mod_roster.erl: When account is deleted, cancel presence subscription for all roster items (EJAB-790) * src/mod_roster_odbc.erl: Likewise
diff --git a/src/mod_muc/mod_muc_log.erl b/src/mod_muc/mod_muc_log.erl
index 75aee4d77..1ebff1b2d 100644
--- a/src/mod_muc/mod_muc_log.erl
+++ b/src/mod_muc/mod_muc_log.erl
@@ -701,7 +701,8 @@ htmlize2(S1, NoFollow) ->
 S2 = element(2, regexp:gsub(S1, "\\&", "\\&")),
 S3 = element(2, regexp:gsub(S2, "<", "\\<")),
 S4 = element(2, regexp:gsub(S3, ">", "\\>")),
- S5 = element(2, regexp:gsub(S4, "[-+.a-zA-Z0-9]+://[^] )\'\"}]+", link_regexp(NoFollow))),
+ S5 = element(2, regexp:gsub(S4, "(http|https|ftp|mailto|xmpp)://[^] )\'\"}]+",
+ link_regexp(NoFollow))),
 %% Remove 'right-to-left override' unicode character 0x202e
 element(2, regexp:gsub(S5, [226,128,174], "[RLO]")). |
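Review bot: The `mailto` and `xmpp` alternatives in the new `S5` pattern can never match a real link, because those schemes are written `mailto:user@host` / `xmpp:user@host` with no `//`, so the whitelist promises two schemes it does not actually linkify; `"((http|https|ftp)://|(mailto|xmpp):)[^] )\'\"}]+"` would cover them while still excluding arbitrary schemes. The alternation is also case-sensitive whereas the removed `[-+.a-zA-Z0-9]+` class accepted `HTTP://` or `Https://`, so those links silently stop being linkified; if that is acceptable, a comment such as `%% Only linkify a fixed scheme whitelist so javascript:-style URIs never become hrefs (EJAB-850)` would record why the list is closed. The `"\\&"`/`"\\<"` replacement strings in the context lines look like `\\&amp;`/`\\&lt;` with entities decoded by the page renderer, so I have not treated them as a defect. htmlize2's head is outside the hunk and only visible in the `@@` context.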