* src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by

linkifying only a few known protocols (EJAB-850)

SVN Revision: 1879

diff --git a/ChangeLog b/ChangeLog
index c801ece7f41a0eace49084614acfae5d3433b5ad..9e05d21252abfbf1ac38977a3b3c95189231b1d1 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2009-02-16  Badlop  <badlop@process-one.net>
 
+       * src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by
+       linkifying only a few known protocols (EJAB-850)
+
        * src/mod_muc/mod_muc.erl: Export function to create MUC
        room (thanks to Eric Cestari) (EJAB-729)
 

diff --git a/src/mod_muc/mod_muc_log.erl b/src/mod_muc/mod_muc_log.erl
index 6f75a750ee079ccc18d739a29483aacdb7d607e1..6ef07bc23533ccff92d4cca571d9cdd81c271c09 100644 (file)
--- a/src/mod_muc/mod_muc_log.erl
+++ b/src/mod_muc/mod_muc_log.erl
@@ -752,7 +752,8 @@ htmlize2(S1, NoFollow) ->
     S2 = element(2, regexp:gsub(S1, "\\&", "\\&")),
     S3 = element(2, regexp:gsub(S2, "<", "\\&lt;")),
     S4 = element(2, regexp:gsub(S3, ">", "\\&gt;")),
-    S5 = element(2, regexp:gsub(S4, "[-+.a-zA-Z0-9]+://[^] )\'\"}]+", link_regexp(NoFollow))),
+    S5 = element(2, regexp:gsub(S4, "(http|https|ftp|mailto|xmpp)://[^] )\'\"}]+",
+                               link_regexp(NoFollow))),
     %% Remove 'right-to-left override' unicode character 0x202e
     element(2, regexp:gsub(S5, [226,128,174], "[RLO]")).