Merge r1879 from trunk:

* src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by linkifying only a few known protocols (EJAB-850) SVN Revision: 1905
2009-02-21 09:30:23 +00:00 · 2009-02-21 09:30:23 +00:00 · ad48607327
parent fea7eac245
commit ad48607327
2 changed files with 5 additions and 1 deletions
--- a/3
+++ b/3
@ -1,5 +1,8 @@
 2009-02-21  Badlop  <badlop@process-one.net>

+ 	* src/mod_muc/mod_muc_log.erl: Prevent XSS in MUC logs by
+ 	linkifying only a few known protocols (EJAB-850)
+
 	* src/mod_roster.erl: When account is deleted, cancel presence
 	subscription for all roster items (EJAB-790)
 	* src/mod_roster_odbc.erl: Likewise
--- a/src/mod_muc/mod_muc_log.erl
+++ b/src/mod_muc/mod_muc_log.erl
@ -701,7 +701,8 @@ htmlize2(S1, NoFollow) ->
    S2 = element(2, regexp:gsub(S1, "\\&", "\\&amp;")),
    S3 = element(2, regexp:gsub(S2, "<", "\\&lt;")),
    S4 = element(2, regexp:gsub(S3, ">", "\\&gt;")),
-    S5 = element(2, regexp:gsub(S4, "[-+.a-zA-Z0-9]+://[^] )\'\"}]+", link_regexp(NoFollow))),
+    S5 = element(2, regexp:gsub(S4, "(http|https|ftp|mailto|xmpp)://[^] )\'\"}]+",
+				link_regexp(NoFollow))),
    %% Remove 'right-to-left override' unicode character 0x202e
    element(2, regexp:gsub(S5, [226,128,174], "[RLO]")).