Possible XSS scenario when posting Bookmarks

This commit is contained in:
Mikael Nordfeldth 2014-10-25 14:56:38 +02:00
parent 048af5ac73
commit 39b5e08d44


@ -134,6 +134,10 @@ class Bookmark extends Managed_DataObject
static function saveNew($profile, $title, $url, $rawtags, $description,
$options=null)
{
if (!common_valid_http_url($url)) {
throw new ClientException(_m('Only web bookmarks can be posted (HTTP or HTTPS).'));
}
$nb = self::getByURL($profile, $url);
if (!empty($nb)) {