
commit 1e0007805a8d092c0838a9a3cbef2b09d1c25a05
parent fd27fe91ca8bd25e9aa30d255731bc1b5a615734
Author: markseu <mark2011@mayberg.se>
Date:   Wed, 20 Apr 2022 14:40:51 +0200

Refactored code, spring cleanup

Diffstat:
Msystem/extensions/core.php | 32++++++++++++++++++++------------
Msystem/extensions/update-current.ini | 4++--
2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/system/extensions/core.php b/system/extensions/core.php
@@ -2,7 +2,7 @@
 // Core extension, https://github.com/datenstrom/yellow-extensions/tree/master/source/core
 class YellowCore {
- const VERSION = "0.8.70";
+ const VERSION = "0.8.71";
 const RELEASE = "0.8.19";
 public $page; // current page
 public $content; // content files
@@ -2165,16 +2165,15 @@ class YellowLookup {
 // Return media location from file path
 public function findMediaLocationFromFile($fileName) {
 $location = "";
- $regex = "/\.(css|gif|ico|js|jpg|png|svg|woff|woff2)$/";
 $extensionDirectoryLength = strlenu($this->yellow->system->get("coreExtensionDirectory"));
 $themeDirectoryLength = strlenu($this->yellow->system->get("coreThemeDirectory"));
 $mediaDirectoryLength = strlenu($this->yellow->system->get("coreMediaDirectory"));
 if (substru($fileName, 0, $extensionDirectoryLength)==$this->yellow->system->get("coreExtensionDirectory")) {
- if ($this->isFileLocation($fileName) && preg_match($regex, $fileName)) {
+ if ($this->yellow->toolbox->isSafeFile($fileName)) {
 $location = $this->yellow->system->get("coreExtensionLocation").substru($fileName, $extensionDirectoryLength);
 }
 } elseif (substru($fileName, 0, $themeDirectoryLength)==$this->yellow->system->get("coreThemeDirectory")) {
- if ($this->isFileLocation($fileName) && preg_match($regex, $fileName)) {
+ if ($this->yellow->toolbox->isSafeFile($fileName)) {
 $location = $this->yellow->system->get("coreThemeLocation").substru($fileName, $themeDirectoryLength);
 }
 } elseif (substru($fileName, 0, $mediaDirectoryLength)==$this->yellow->system->get("coreMediaDirectory")) {
@@ -2186,16 +2185,15 @@ class YellowLookup {
 // Return file path from media location
 public function findFileFromMediaLocation($location) {
 $fileName = "";
- $regex = "/\.(css|gif|ico|js|jpg|png|svg|woff|woff2)$/";
 $extensionLocationLength = strlenu($this->yellow->system->get("coreExtensionLocation"));
 $themeLocationLength = strlenu($this->yellow->system->get("coreThemeLocation"));
 $mediaLocationLength = strlenu($this->yellow->system->get("coreMediaLocation"));
 if (substru($location, 0, $extensionLocationLength)==$this->yellow->system->get("coreExtensionLocation")) {
- if ($this->isFileLocation($location) && preg_match($regex, $location)) {
+ if ($this->yellow->toolbox->isSafeFile($location)) {
 $fileName = $this->yellow->system->get("coreExtensionDirectory").substru($location, $extensionLocationLength);
 }
 } elseif (substru($location, 0, $themeLocationLength)==$this->yellow->system->get("coreThemeLocation")) {
- if ($this->isFileLocation($location) && preg_match($regex, $location)) {
+ if ($this->yellow->toolbox->isSafeFile($location)) {
 $fileName = $this->yellow->system->get("coreThemeDirectory").substru($location, $themeLocationLength);
 }
 } elseif (substru($location, 0, $mediaLocationLength)==$this->yellow->system->get("coreMediaLocation")) {
@@ -2219,7 +2217,7 @@ class YellowLookup {
 return $fileNames;
 }
- // Return media directory from a well-known system setting
+ // Return media directory from a system setting
 public function findMediaDirectory($key) {
 return substru($key, -8, 8)=="Location" ? $this->findFileFromMediaLocation($this->yellow->system->get($key)) : "";
 }
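Review bot: The new `isSafeFile($location)` gate in findFileFromMediaLocation inspects only the suffix of the location, while the remainder of the location is still appended verbatim to `coreExtensionDirectory` / `coreThemeDirectory` on the line below it, so a `..` segment in `$location` would resolve outside those directories if a caller ever passes a request path that was not normalised first. I cannot tell from this diff whether normalisation elsewhere strips `/../` (the hunk at 2312 only shows `/./` being collapsed), so treat this as defence in depth rather than a confirmed hole. Dropping `isFileLocation` here looks fine, presumably because a value that ends in one of the allow-listed extensions cannot also end in `/` — confirm that is all it checked. A one-line guard on both branches fails closed for traversal: `if ($this->yellow->toolbox->isSafeFile($location) && !preg_match("#(^|/)\.\.(/|$)#", $location)) {`.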
@@ -2312,7 +2310,7 @@ class YellowLookup {
 $location = str_replace("/./", "/", $location);
 $location = str_replace(":", $this->yellow->toolbox->getLocationArgumentsSeparator(), $location);
 } else {
- if ($filterStrict && !preg_match("/^(http|https|ftp|mailto|tel):/", $location)) $location = "error-xss-filter";
+ if ($filterStrict && !$this->yellow->toolbox->isSafeUrl($location)) $location = "error-xss-filter";
 }
 return $location;
 }
@@ -2322,7 +2320,7 @@ class YellowLookup {
 if (!preg_match("/^\w+:/", $location)) {
 $url = "$scheme://$address$base$location";
 } else {
- if ($filterStrict && !preg_match("/^(http|https|ftp|mailto|tel):/", $location)) $location = "error-xss-filter";
+ if ($filterStrict && !$this->yellow->toolbox->isSafeUrl($location)) $location = "error-xss-filter";
 $url = $location;
 }
 return $url;
@@ -3459,11 +3457,11 @@ class YellowToolbox {
 }
 if ($filterStrict) {
 $href = isset($elementAttributes["href"]) ? $elementAttributes["href"] : "";
- if (preg_match("/^\w+:/", $href) && !preg_match("/^(http|https|ftp|mailto|tel):/", $href)) {
+ if (preg_match("/^\w+:/", $href) && !$this->isSafeUrl($href)) {
 $elementAttributes["href"] = "error-xss-filter";
 }
 $href = isset($elementAttributes["xlink:href"]) ? $elementAttributes["xlink:href"] : "";
- if (preg_match("/^\w+:/", $href) && !preg_match("/^(http|https|ftp|mailto|tel):/", $href)) {
+ if (preg_match("/^\w+:/", $href) && !$this->isSafeUrl($href)) {
 $elementAttributes["xlink:href"] = "error-xss-filter";
 }
 }
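Review bot: In the `href` / `xlink:href` filter (the hunk at 3457), the scheme allow-list is only consulted when `preg_match("/^\w+:/", $href)` matches, so a value such as `"java\tscript:alert(1)"` or `" javascript:alert(1)"` never reaches `isSafeUrl` and is passed through unchanged; browsers strip ASCII tab/newline and leading whitespace before parsing a URL, so such a value still resolves to a `javascript:` URL. The commit only moves the existing regex into a helper, but since it rewrites exactly these two lines it is the natural place to close that gap, and the same `^\w+:` gate in the normalizeUrl hunk at 2320 is harmless by comparison because its fallback prefixes the site origin. Gating on any colon that appears before the first `/`, `?` or `#` keeps relative paths untouched and sends everything else through the allow-list, which then fails closed to `error-xss-filter`: `if (preg_match("/^[^\/?#]*:/", $href) && !$this->isSafeUrl($href)) {` on both the `href` and the `xlink:href` line. The enclosing function starts and ends outside this hunk.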
@@ -3523,6 +3521,16 @@ class YellowToolbox {
 $time = intval((microtime(true)-$time) * 1000);
 }
+ // Check if file is a well-known file type
+ public function isSafeFile($fileName) {
+ return preg_match("/\.(css|gif|ico|js|jpg|png|svg|woff|woff2)$/", $fileName);
+ }
+
+ // Check if URL is a well-known URL scheme
+ public function isSafeUrl($url) {
+ return preg_match("/^(http|https|ftp|mailto|tel):/", $url);
+ }
+
 // Check if there are location arguments in current HTTP request
 public function isLocationArguments($location = "") {
 if (empty($location)) $location = $this->getServer("LOCATION").$this->getServer("LOCATION_ARGUMENTS");
diff --git a/system/extensions/update-current.ini b/system/extensions/update-current.ini
@@ -21,11 +21,11 @@ Tag: feature
 system/extensions/command.php: command.php, create, update
 Extension: Core
-Version: 0.8.70
+Version: 0.8.71
 Description: Core functionality of the website.
 DocumentationUrl: https://github.com/datenstrom/yellow-extensions/tree/master/source/core
 DownloadUrl: https://github.com/datenstrom/yellow-extensions/raw/master/zip/core.zip
-Published: 2022-04-19 19:43:28
+Published: 2022-04-20 14:36:27
 Developer: Datenstrom
 Tag: feature
 system/extensions/core.php: core.php, create, update
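Review bot: `isSafeUrl` matches the scheme case-sensitively, so `HTTPS://example.com` or `Mailto:` — valid, since URI schemes are case-insensitive per RFC 3986 §3.1 — are rewritten to `error-xss-filter` by the callers changed in this commit; `return preg_match("/^(https?|ftp|mailto|tel):/i", $url);` fixes that without admitting any new scheme. Separately, a bare `$` in PCRE also matches before a final newline, so `isSafeFile("logo.png\n")` returns 1; anchoring with `\z` (`"/\.(css|gif|ico|js|jpg|png|svg|woff|woff2)\z/"`) makes the suffix check exact. Both helpers hand back the `int|false` of `preg_match`, so a `(bool)` cast — or a `: bool` return type if the code base's minimum PHP version allows it — would state the contract callers actually rely on. The comments could also say what "well-known" means, e.g. `// Check if file has an allow-listed static-asset extension` and `// Check if URL uses an allow-listed scheme (rejects javascript:, data:, etc.)`.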