fix: Return safe url for accounts. (#1839)

Signed-off-by: Rubén D <nuxsmin@syspass.org>
RubénD
2022-06-16 08:32:21 +02:00
committed by GitHub
parent 3cebed36dc
commit b1e7edd761
5 changed files with 95 additions and 26 deletions


@@ -1,4 +1,27 @@
<?php
/*
* sysPass
*
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
*
* This file is part of sysPass.
*
* sysPass is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* sysPass is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @var callable $_getvar
* @var ThemeIcons $icons
@@ -253,11 +276,8 @@ $showCustomFields = count($_getvar('customFields', 0)) > 0;
class="mdl-textfield__input mdl-color-text--indigo-400"
rows="3" id="notes"
name="notes"
maxlength="5000" <?php echo $_getvar('readonly'); ?>>
<?php echo $gotData
? htmlspecialchars($accountData->getNotes(), ENT_QUOTES)
: ''; ?>
</textarea>
maxlength="5000" <?php echo $_getvar('readonly'); ?>><?php echo $gotData
? htmlspecialchars($accountData->getNotes(), ENT_QUOTES) : ''; ?></textarea>
<label class="mdl-textfield__label"
for="notes"><?php echo __('Notes about the account'); ?></label>
</div>


@@ -1,4 +1,27 @@
<?php
/*
* sysPass
*
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
*
* This file is part of sysPass.
*
* sysPass is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* sysPass is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @var ThemeIcons $icons
* @var callable $_getvar
@@ -102,9 +125,12 @@ $favoriteRouteOff = $_getvar('favoriteRouteOff');
<div class="field-url field-text label-field">
<div class="field-name"><?php echo __('URL / IP'); ?></div>
<?php if ($accountSearchItem->isUrlIslink()): ?>
<a href="<?php echo urlencode($accountSearchData->getUrl()); ?>"
<a href="<?php echo $accountSearchItem->getSafeUrl(); ?>"
target="_blank"
title="<?php printf(__('Open link to: %s'), htmlspecialchars($accountSearchData->getUrl(), ENT_QUOTES)); ?>">
title="<?php printf(
__('Open link to: %s'),
htmlspecialchars($accountSearchData->getUrl(), ENT_QUOTES)
); ?>">
<?php echo htmlspecialchars($accountSearchItem->getShortUrl(), ENT_QUOTES); ?>
</a>
<?php else: ?>
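Review bot: The new href echoes `$accountSearchItem->getSafeUrl()` without htmlspecialchars(), unlike the title attribute right below it, so attribute safety rests entirely on Html::getSafeUrl() never emitting `"`, `<` or `&` — true today only because its host part is restricted to `[\w._-]` and the remainder is urlencode'd. Escaping at the output boundary keeps that guarantee local to the template: `<a href="<?php echo htmlspecialchars($accountSearchItem->getSafeUrl(), ENT_QUOTES); ?>"`. Since the link opens a user-supplied URL with `target="_blank"`, adding `rel="noopener noreferrer"` also stops the opened page from reaching `window.opener`. The surrounding if/else block continues outside the hunk.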


@@ -1,10 +1,10 @@
<?php
/**
/*
* sysPass
*
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
*
* This file is part of sysPass.
*
@@ -19,7 +19,7 @@
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
*/
namespace SP\Html;
@@ -176,4 +176,19 @@ final class Html
// Replace tags, then new lines, tabs and return chars, and then 2 or more spaces
return trim(preg_replace(['/<[^>]*>/', '/[\n\t\r]+/', '/\s{2,}/'], ' ', $text));
}
/**
* @param string $url
*
* @return string
*/
public static function getSafeUrl(string $url): string
{
if (preg_match('#^((?:https?|ftp|ssh|rdp)://[\w._-]+/)(.*)#', $url, $urlParts)
&& count($urlParts) === 3) {
return $urlParts[1].urlencode($urlParts[2]);
}
return urlencode($url);
}
}
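Review bot: The new Html::getSafeUrl() breaks most real URLs: urlencode() also encodes `/`, `?`, `=` and `&`, so `https://host/a/b?x=1` comes back as `https://host/a%2Fb%3Fx%3D1`, and the pattern demands a trailing `/` after a host limited to `[\w._-]`, so `https://host` or `https://host:8443/` miss the match and are fully encoded into a harmless but dead relative path. The intent — allow-listed scheme, everything else neutralised — is right; encoding only the bytes that are not URL-legal keeps paths, ports, queries and fragments intact while still removing `"`, `<`, `>` and whitespace. The `count($urlParts) === 3` check is redundant, since a successful match with two capture groups always yields three entries. Templates should still pass the result through htmlspecialchars() for the attribute context.
```php
public static function getSafeUrl(string $url): string
{
    // Only allow-listed schemes pass through; anything else (javascript:, data:, ...)
    // is fully encoded below and therefore degrades to a harmless relative path.
    if (preg_match('#^(?:https?|ftp|ssh|rdp)://#', $url) === 1) {
        // Percent-encode every byte that is neither an RFC 3986 unreserved character
        // nor a delimiter a URL needs (so paths, ports, queries and fragments survive);
        // quotes, angle brackets and whitespace are still encoded away.
        return preg_replace_callback(
            '#[^A-Za-z0-9\-._~:/?\#\[\]@!$&*+,;=%]#',
            static function (array $match): string {
                return rawurlencode($match[0]);
            },
            $url
        ) ?? urlencode($url);
    }

    return urlencode($url);
}
```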


@@ -1,10 +1,10 @@
<?php
/**
/*
* sysPass
*
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
*
* This file is part of sysPass.
*
@@ -19,7 +19,7 @@
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
*/
namespace SP\Services\Account;
@@ -202,7 +202,7 @@ final class AccountSearchItem
*/
public function getShortUrl()
{
return Html::truncate($this->accountSearchVData->getUrl(), $this->textMaxLength);
return Html::truncate($this->getSafeUrl(), $this->textMaxLength);
}
/**
@@ -210,7 +210,15 @@ final class AccountSearchItem
*/
public function isUrlIslink()
{
return preg_match('#^\w+://#i', $this->accountSearchVData->getUrl());
return preg_match('#^\w+://#', $this->accountSearchVData->getUrl());
}
/**
* @return string
*/
public function getSafeUrl()
{
return Html::getSafeUrl($this->accountSearchVData->getUrl());
}
/**
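Review bot: The new `getSafeUrl()` is documented as returning string but declares no return type, while the `Html::getSafeUrl()` it delegates to is typed; `public function getSafeUrl(): string` would make the docblock redundant. Separately, getShortUrl() now truncates the percent-encoded form, so the visible link text shows `%2F`/`%3F` sequences and the cut can land inside a `%xx` triple; if its only consumer is the search template, which already applies htmlspecialchars() to the value, truncating the raw URL would read better — worth confirming against other callers. The enclosing class continues outside the hunk.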


@@ -1,11 +1,11 @@
<?php
/**
/*
* sysPass
*
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
* @author nuxsmin
* @link https://syspass.org
* @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
*
* This file is part of sysPass.
*
@@ -20,7 +20,7 @@
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
*/
namespace SP\Services\Install;
@@ -60,9 +60,9 @@ final class Installer extends Service
/**
* sysPass' version and build number
*/
const VERSION = [3, 2, 5];
const VERSION = [3, 2, 6];
const VERSION_TEXT = '3.2';
const BUILD = 22060401;
const BUILD = 22061601;
/**
* @var DatabaseSetupInterface