function fp_strip_dangerous_protocols
Search API
| 6.x misc.inc | fp_strip_dangerous_protocols($uri) |
| 4.x misc.inc | fp_strip_dangerous_protocols($uri) |
| 5.x misc.inc | fp_strip_dangerous_protocols($uri) |
1 call to fp_strip_dangerous_protocols()
- filter_xss_bad_protocol in includes/
misc.inc
File
- includes/
misc.inc, line 1232 - This file contains misc functions for FlightPath
Code
function fp_strip_dangerous_protocols($uri) {
static $allowed_protocols;
if (!isset($allowed_protocols)) {
$allowed_protocols = array_flip(array('ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp', 'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal'));
}
// Iteratively remove any invalid protocol found.
do {
$before = $uri;
$colonpos = strpos($uri, ':');
if ($colonpos > 0) {
// We found a colon, possibly a protocol. Verify.
$protocol = substr($uri, 0, $colonpos);
// If a colon is preceded by a slash, question mark or hash, it cannot
// possibly be part of the URL scheme. This must be a relative URL, which
// inherits the (safe) protocol of the base document.
if (preg_match('![/?#]!', $protocol)) {
break;
}
// Check if this is a disallowed protocol. Per RFC2616, section 3.2.3
// (URI Comparison) scheme comparison must be case-insensitive.
if (!isset($allowed_protocols [strtolower($protocol)])) {
$uri = substr($uri, $colonpos + 1);
}
}
} while ($before != $uri);
return $uri;
}