From 39b5e08d44e22cd3ecd3bf3ba9011ba4944a9c4b Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Sat, 25 Oct 2014 14:56:38 +0200
Subject: [PATCH] Possible XSS scenario when posting Bookmarks

---
 plugins/Bookmark/classes/Bookmark.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/plugins/Bookmark/classes/Bookmark.php b/plugins/Bookmark/classes/Bookmark.php
index 65c767efdd..a99df87ee3 100644
--- a/plugins/Bookmark/classes/Bookmark.php
+++ b/plugins/Bookmark/classes/Bookmark.php
@@ -134,6 +134,10 @@ class Bookmark extends Managed_DataObject
     static function saveNew($profile, $title, $url, $rawtags, $description,
                             $options=null)
     {
+        if (!common_valid_http_url($url)) {
+            throw new ClientException(_m('Only web bookmarks can be posted (HTTP or HTTPS).'));
+        }
+
         $nb = self::getByURL($profile, $url);
 
         if (!empty($nb)) {
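Review bot: The new scheme check in saveNew() only protects bookmarks created from now on; rows stored before this commit are not re-validated, so the code that renders a bookmark's URL into an href (outside this hunk) should still refuse or escape non-HTTP(S) values rather than trusting the stored column. The guard itself carries no explanation of the threat it closes, which a later maintainer could easily "relax"; add above the `if`: `// Only http/https may be stored: other schemes (e.g. javascript:) would be rendered as clickable links.`. The semantics of common_valid_http_url() are not visible here, so it is worth confirming it rejects an empty string and scheme-relative or whitespace-padded input as well as non-HTTP schemes, and documenting the new failure mode on the method's docblock with `@throws ClientException if $url is not an HTTP(S) URL`. saveNew() begins before and continues past this hunk, so any later normalisation of $url there is not covered by this review.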