From b1e7edd761edf997a08e4b013395ca09b64bb6ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9nD?= <nuxsmin@users.noreply.github.com>
Date: Thu, 16 Jun 2022 08:32:21 +0200
Subject: [PATCH] fix: Return safe url for accounts. (#1839)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Rubén D <nuxsmin@syspass.org>
---
 .../material-blue/views/account/account.inc   | 30 +++++++++++++++----
 .../views/account/search-rows.inc             | 30 +++++++++++++++++--
 lib/SP/Html/Html.php                          | 25 ++++++++++++----
 lib/SP/Services/Account/AccountSearchItem.php | 22 +++++++++-----
 lib/SP/Services/Install/Installer.php         | 14 ++++-----
 5 files changed, 95 insertions(+), 26 deletions(-)

diff --git a/app/modules/web/themes/material-blue/views/account/account.inc b/app/modules/web/themes/material-blue/views/account/account.inc
index 5ec50390..2462bf38 100644
--- a/app/modules/web/themes/material-blue/views/account/account.inc
+++ b/app/modules/web/themes/material-blue/views/account/account.inc
@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var callable       $_getvar
  * @var ThemeIcons     $icons
@@ -253,11 +276,8 @@ $showCustomFields = count($_getvar('customFields', 0)) > 0;
                                 class="mdl-textfield__input mdl-color-text--indigo-400"
                                 rows="3" id="notes"
                                 name="notes"
-                                maxlength="5000" <?php echo $_getvar('readonly'); ?>>
-                            <?php echo $gotData
-                                ? htmlspecialchars($accountData->getNotes(), ENT_QUOTES)
-                                : ''; ?>
-                        </textarea>
+                                maxlength="5000" <?php echo $_getvar('readonly'); ?>><?php echo $gotData
+                                ? htmlspecialchars($accountData->getNotes(), ENT_QUOTES) : ''; ?></textarea>
                                 <label class="mdl-textfield__label"
                                        for="notes"><?php echo __('Notes about the account'); ?></label>
                             </div>
diff --git a/app/modules/web/themes/material-blue/views/account/search-rows.inc b/app/modules/web/themes/material-blue/views/account/search-rows.inc
index 8b36c978..b3ccbc9a 100644
--- a/app/modules/web/themes/material-blue/views/account/search-rows.inc
+++ b/app/modules/web/themes/material-blue/views/account/search-rows.inc
@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var ThemeIcons         $icons
  * @var callable           $_getvar
@@ -102,9 +125,12 @@ $favoriteRouteOff = $_getvar('favoriteRouteOff');
                         <div class="field-url field-text label-field">
                             <div class="field-name"><?php echo __('URL / IP'); ?></div>
                             <?php if ($accountSearchItem->isUrlIslink()): ?>
-                                <a href="<?php echo urlencode($accountSearchData->getUrl()); ?>"
+                                <a href="<?php echo $accountSearchItem->getSafeUrl(); ?>"
                                    target="_blank"
-                                   title="<?php printf(__('Open link to: %s'), htmlspecialchars($accountSearchData->getUrl(), ENT_QUOTES)); ?>">
+                                   title="<?php printf(
+                                       __('Open link to: %s'),
+                                       htmlspecialchars($accountSearchData->getUrl(), ENT_QUOTES)
+                                   ); ?>">
                                     <?php echo htmlspecialchars($accountSearchItem->getShortUrl(), ENT_QUOTES); ?>
                                 </a>
                             <?php else: ?>
diff --git a/lib/SP/Html/Html.php b/lib/SP/Html/Html.php
index 3c4ea017..6684bf80 100644
--- a/lib/SP/Html/Html.php
+++ b/lib/SP/Html/Html.php
@@ -1,10 +1,10 @@
 <?php
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -19,7 +19,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP\Html;
@@ -176,4 +176,19 @@ final class Html
         // Replace tags, then new lines, tabs and return chars, and then 2 or more spaces
         return trim(preg_replace(['/<[^>]*>/', '/[\n\t\r]+/', '/\s{2,}/'], ' ', $text));
     }
+
+    /**
+     * @param  string  $url
+     *
+     * @return string
+     */
+    public static function getSafeUrl(string $url): string
+    {
+        if (preg_match('#^((?:https?|ftp|ssh|rdp)://[\w._-]+/)(.*)#', $url, $urlParts)
+            && count($urlParts) === 3) {
+            return $urlParts[1].urlencode($urlParts[2]);
+        }
+
+        return urlencode($url);
+    }
 }
diff --git a/lib/SP/Services/Account/AccountSearchItem.php b/lib/SP/Services/Account/AccountSearchItem.php
index 674bd71e..ba1ce227 100644
--- a/lib/SP/Services/Account/AccountSearchItem.php
+++ b/lib/SP/Services/Account/AccountSearchItem.php
@@ -1,10 +1,10 @@
 <?php
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -19,7 +19,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP\Services\Account;
@@ -202,7 +202,7 @@ final class AccountSearchItem
      */
     public function getShortUrl()
     {
-        return Html::truncate($this->accountSearchVData->getUrl(), $this->textMaxLength);
+        return Html::truncate($this->getSafeUrl(), $this->textMaxLength);
     }
 
     /**
@@ -210,7 +210,15 @@ final class AccountSearchItem
      */
     public function isUrlIslink()
     {
-        return preg_match('#^\w+://#i', $this->accountSearchVData->getUrl());
+        return preg_match('#^\w+://#', $this->accountSearchVData->getUrl());
+    }
+
+    /**
+     * @return string
+     */
+    public function getSafeUrl()
+    {
+        return Html::getSafeUrl($this->accountSearchVData->getUrl());
     }
 
     /**
diff --git a/lib/SP/Services/Install/Installer.php b/lib/SP/Services/Install/Installer.php
index e413dd5e..bf3ab4e2 100644
--- a/lib/SP/Services/Install/Installer.php
+++ b/lib/SP/Services/Install/Installer.php
@@ -1,11 +1,11 @@
 <?php
 
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -20,7 +20,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP\Services\Install;
@@ -60,9 +60,9 @@ final class Installer extends Service
     /**
      * sysPass' version and build number
      */
-    const VERSION = [3, 2, 5];
+    const VERSION      = [3, 2, 6];
     const VERSION_TEXT = '3.2';
-    const BUILD = 22060401;
+    const BUILD        = 22061601;
 
     /**
      * @var DatabaseSetupInterface