
1 Dec 18, 2005 00:11

I'm afraid to ask anymore. Is my "invalid URL" as a result of attempting to post

<a href="mailto:someone@somewhere.com">blah</a>

a bug or feature of Phoenix?

(don't worry ... it's not an email address I mind having harvested ... quite the contrary) ... IF the intent is security ... see ... I'm [u]NOT[/u] shooting myself in the foot. ;)

And I already know that the "//" requirement in the url_validate function is (in part) killing it.

Hmmm ... me thinks it's a bug, since 'mailto' was included in the default allowed_uri_scheme. ;)

-stk :D

2 Feb 16, 2006 20:59

Is there a fix for this bug? This is the only thing I need to work before I release my project!!! agh ... can anyone help me get around the bug?

---------------------------

Nevermind, I just disabled the checker and activated the security checker. I guess it's still a bug to fix tho.

3 Feb 17, 2006 00:17

I don't know if it's a bug or a security feature either, but it sure did come in unhandy when I wanted to post an email ID that I didn't mind feeding to the spam-bots. Anyway I hacked it then unhacked it but still have the hack. Or at least I think I do. I have two files hacked, but only one has "_MAILTO" attached to the original file name. The other has "_TEST" which tells me it never developed a specific value.

BTW I'm dealing with the CVSd version of 1.6 so now you know it might be different for you. In conf/_formatting.php find and modify

	$allowed_attributes = array
	(
		'snippage' => stuffage,			// Strict
		'a' => A_attrs.' charset type href hreflang rel rev shape coords mailto',	// Strict


The change is the addition of "mailto" in the 'a' bit.

Next find and modify the other 'a' for the else allowed_attributes (which will be the transitional version I believe). Same thing: add a "mailto" to it.

Finally find and modify

$uri_attrs = array
(
	'snippage',
	'mailto'


Another mailto added eh?

I think that's it. The other file I tweaked is evocore/_htmlchecker.class.php but I'm pretty sure I didn't need to.

4 Feb 17, 2006 01:05

You really don't need to hack the core for this. The ability is already in the bbcode plugin (just commented out) ;)

¥

5 Feb 17, 2006 02:31

Yes, using the bbcode plugin is probably the cleanest way.

But I've just fixed validate_url() for it. Replace the existing one in /evocore/_misc.funcs.php with this one:


function validate_url( $url, & $allowed_uri_scheme )
{
	global $debug, $Debuglog;

	if( empty($url) )
	{ // Empty URL, no problem
		return false;
	}

	// minimum length: http://az.fr/
	// TODO: fails on "http://blogs" (without trailing slash)  fp>> yes, "blogs" is not a valid domain name, allowing this could cause all sorts of unexpected problems
	if( strlen($url) < 13 )
	{ // URL too short!
		$Debuglog->add( 'URL &laquo;'.$url.'&raquo; is too short!', 'error' );
		return T_('Invalid URL');
	}

	// Validate URL structure
	// NOTE: this causes the most problems with this function!
	// fp>> we should probably go back to a very laxist scheme here... :(
	// blueyed>> yes, seems so.
	/* Remaining problems with this one are:
	 *  - no spaces in URL allowed (must be written as %20)
	 *  - umlauts in domains/url
	 */
	if( ! preg_match('~^                # start
		(?:
			(?: ([a-z][a-z0-9+.\-]*):[0-9]*       # scheme
				//                                # authority absolute URLs only
			)|(mailto):
		)
		[a-z0-9]([a-z0-9\~+.\-_,:;/\\\\*=@]|(%\d+))* # Don t allow anything too funky like entities
		([?#][a-z0-9\~+.\-_,:;/\\\\%&=!?#*\ \[\]]*)?
		$~ix', $url, $matches) )
	{ // Cannot validate URL structure
		$Debuglog->add( 'URL &laquo;'.$url.'&raquo; does not match url pattern!', 'error' );
		return T_('Invalid URL');
	}

	$scheme = empty( $matches[1] ) ? strtolower($matches[2]) : strtolower($matches[1]);
	if( !in_array( $scheme, $allowed_uri_scheme ) )
	{ // Scheme not allowed
		$Debuglog->add( 'URL scheme &laquo;'.$scheme.'&raquo; not allowed!', 'error' );
		return T_('URI scheme not allowed');
	}

	// Search for blocked URLs:
	if( $block = antispam_check($url) )
	{
		if( $debug ) return 'Url refused. Debug info: blacklisted word: ['.$block.']';
		return T_('URL not allowed');
	}

	return false; // OK
}

watch out for line breaks..
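
To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread and not b2evolution's own code): a Python port of the posted validate_url() regex and scheme check. It compiles the pattern both without and with the "|(mailto):" branch, so the same inputs show why a mailto: link failed the "//" requirement before the fix and passes after it, and that it is the allowed_uri_scheme allow-list, not the regex, that rejects an unwanted scheme such as ftp. The default scheme list, the sample URLs and the omission of antispam_check() are assumptions of the example.

```python
import re

FLAGS = re.VERBOSE | re.IGNORECASE  # PCRE 'x' and 'i' flags

# scheme://...  : the only form the pre-fix validator accepted (absolute URLs with an authority part)
_WITH_AUTHORITY = r"""
    (?: (?P<scheme>[a-z][a-z0-9+.\-]*):[0-9]*   # scheme
        //                                       # authority, absolute URLs only
    )
"""
# the branch the fix adds: "mailto:" has no authority part, so it needs its own alternative
_MAILTO = r"| (?P<mailto>mailto):"

_REST = r"""
    [a-z0-9]([a-z0-9\~+.\-_,:;/\\*=@]|(%\d+))*    # nothing too funky like entities
    ([?#][a-z0-9\~+.\-_,:;/\\%&=!?#*\ \[\]]*)?     # optional query / fragment
    $
"""

PATTERN_BEFORE_FIX = re.compile("^(?:" + _WITH_AUTHORITY + ")" + _REST, FLAGS)
PATTERN_AFTER_FIX = re.compile("^(?:" + _WITH_AUTHORITY + _MAILTO + ")" + _REST, FLAGS)

# Assumption: a default allow-list that, as the thread says, already contains mailto.
DEFAULT_ALLOWED_SCHEMES = ("http", "https", "mailto")


def validate_url(url, allowed_uri_scheme=DEFAULT_ALLOWED_SCHEMES, pattern=PATTERN_AFTER_FIX):
    """Mirror of the posted validate_url(): returns None when the URL is acceptable,
    otherwise the message the caller would display. antispam_check() is left out
    because it needs the blog's blacklist."""
    if not url:
        return None                      # empty URL, no problem
    if len(url) < 13:                    # minimum length: http://az.fr/
        return "Invalid URL"
    m = pattern.match(url)
    if not m:                            # structure check (this is what broke mailto: before the fix)
        return "Invalid URL"
    groups = m.groupdict()               # .get() tolerates the pattern that has no 'mailto' group
    scheme = (groups.get("scheme") or groups.get("mailto")).lower()
    if scheme not in allowed_uri_scheme:  # the allow-list is the real guard against unwanted schemes
        return "URI scheme not allowed"
    return None                          # OK


if __name__ == "__main__":
    # constructed sample inputs
    samples = [
        "mailto:someone@somewhere.com",  # the link from the first post
        "http://example.com/page?x=1",
        "ftp://example.com/x",           # well-formed but not in the allow-list
        "javascript:alert(1)",           # fails the structure check (no '//', not mailto)
        "http://blogs",                  # the TODO in the original: shorter than 13 chars
    ]
    for u in samples:
        before = validate_url(u, pattern=PATTERN_BEFORE_FIX)
        after = validate_url(u)
        print(f"{u!r:34} before fix: {before!r:24} after fix: {after!r}")
```

Running the block prints one line per sample; the only input whose verdict changes between the two patterns is the mailto: link, which is exactly the symptom the thread describes.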

6 Nov 09, 2006 03:26

Hello Blueyed,

would that change work in 1.8, and can you tell me where the file is, if it's not in the same location as it was in 1.6?

That mailto thing worked in my 0.9 version, but not now!

thanks much,
Ross

7 Nov 09, 2006 20:05

It's probably fixed in 1.8.5, as released yesterday.

8 Nov 16, 2006 21:19

I still get an "invalid url" when I try to insert a hyperlinked email address into the blog description field. [url] and [email] bbcode tags fail yet I can insert a hyperlink to a web page in this field no problem. Any ideas? :idea:

(BTW, email addresses automatically hyperlink inside blog posts. This problem only appears to be with the notes.)

Thanks in advance.

9 Nov 16, 2006 21:24

Yes, can confirm it. It's fixed in the upcoming 1.9 though (just tested at the demo site).
