Merge r1879 from trunk:

author Badlop <badlop@process-one.net>

Sat, 21 Feb 2009 09:30:23 +0000 (09:30 +0000)

committer Badlop <badlop@process-one.net>

Sat, 21 Feb 2009 09:30:23 +0000 (09:30 +0000)
author Badlop <badlop@process-one.net>
Sat, 21 Feb 2009 09:30:23 +0000 (09:30 +0000)
committer Badlop <badlop@process-one.net>
Sat, 21 Feb 2009 09:30:23 +0000 (09:30 +0000)
diff --git a/ChangeLog b/ChangeLog

index 9fa9fad22cf4e142e0fac42a11e5d436a159cd01..b64bd1f6d6e50f755a318d7f65feb12a5bd6d582 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
  2009-02-21  Badlop  <badlop@process-one.net>
  
+       * src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by
+       linkifying only a few known protocols (EJAB-850)
+
         * src/mod_roster.erl: When account is deleted, cancel presence
         subscription for all roster items (EJAB-790)
         * src/mod_roster_odbc.erl: Likewise
diff --git a/src/mod_muc/mod_muc_log.erl b/src/mod_muc/mod_muc_log.erl

index 75aee4d7711efd74aeb264b27a2f7bf7d2ade265..1ebff1b2d0ffadd8e4c50589a553ea1df2c87d35 100644 (file)
--- a/src/mod_muc/mod_muc_log.erl
+++ b/src/mod_muc/mod_muc_log.erl
@@ -701,7 +701,8 @@ htmlize2(S1, NoFollow) ->
      S2 = element(2, regexp:gsub(S1, "\\&", "\\&amp;")),
      S3 = element(2, regexp:gsub(S2, "<", "\\&lt;")),
      S4 = element(2, regexp:gsub(S3, ">", "\\&gt;")),
-    S5 = element(2, regexp:gsub(S4, "[-+.a-zA-Z0-9]+://[^] )\'\"}]+", link_regexp(NoFollow))),
+    S5 = element(2, regexp:gsub(S4, "(http|https|ftp|mailto|xmpp)://[^] )\'\"}]+",
+                               link_regexp(NoFollow))),
      %% Remove 'right-to-left override' unicode character 0x202e
      element(2, regexp:gsub(S5, [226,128,174], "[RLO]")).
author	Badlop <badlop@process-one.net>
	Sat, 21 Feb 2009 09:30:23 +0000 (09:30 +0000)
committer	Badlop <badlop@process-one.net>
	Sat, 21 Feb 2009 09:30:23 +0000 (09:30 +0000)
ChangeLog		patch \| blob \| history
src/mod_muc/mod_muc_log.erl		patch \| blob \| history