Added sanitize_url function to strip out unsupported URI Schemas schema:// if not on the allow list it will show unsupport://URL

This commit is contained in:
johnnyq
2025-06-09 20:28:10 -04:00
parent 680dbb04ce
commit d79a17adb0
6 changed files with 54 additions and 35 deletions

View File

@@ -1652,3 +1652,22 @@ function display_folder_options($parent_folder_id, $client_id, $folder_location
display_folder_options($folder_id, $client_id, $folder_location, $indent + 1);
}
}
function sanitize_url($url) {
$allowed = ['http', 'https', 'file', 'ftp', 'ftps', 'sftp', 'dav', 'webdav', 'caldav', 'carddav', 'ssh', 'telnet', 'smb', 'rdp', 'vnc', 'rustdesk', 'anydesk', 'connectwise', 'splashtop', 'sip', 'sips', 'ldap', 'ldaps'];
$parts = parse_url($url);
if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), $allowed)) {
// Remove the scheme and colon
$pos = strpos($url, ':');
$without_scheme = $url;
if ($pos !== false) {
$without_scheme = substr($url, $pos + 1); // This keeps slashes (e.g. //pizza.com)
}
// Prepend 'unsupported://' (strip any leading slashes from $without_scheme to avoid triple slashes)
$unsupported = 'unsupported://' . ltrim($without_scheme, '/');
return htmlspecialchars($unsupported, ENT_QUOTES, 'UTF-8');
}
// Safe schemes: return escaped original URL
return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}