Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F15425486
D18873.id45264.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
1 KB
Referenced Files
None
Subscribers
None
D18873.id45264.diff
View Options
diff --git a/src/markup/__tests__/PhutilMarkupTestCase.php b/src/markup/__tests__/PhutilMarkupTestCase.php
--- a/src/markup/__tests__/PhutilMarkupTestCase.php
+++ b/src/markup/__tests__/PhutilMarkupTestCase.php
@@ -72,11 +72,20 @@
// These should get the implicit insertion.
'http://www.example.org/' => true,
- '///evil.com/' => true,
' http://www.example.org/' => true,
'ftp://filez.com' => true,
'mailto:santa@northpole.com' => true,
'tel:18005555555' => true,
+
+ // These are protocol-relative hrefs. Browers will treat a URI with
+ // a leading slash followed by any positive number of slashes and
+ // backslashes as a protocol-relative link.
+ '//evil.com/' => true,
+ '/\\evil.com/' => true,
+ '///evil.com/' => true,
+ '//\\evil.com/' => true,
+ '/\\/evil.com/' => true,
+ '/\\\\/evil.com' => true,
);
foreach ($map as $input => $expect) {
diff --git a/src/markup/render.php b/src/markup/render.php
--- a/src/markup/render.php
+++ b/src/markup/render.php
@@ -35,9 +35,14 @@
$is_anchor_href = ($href[0] == '#');
// Is this a link to a resource on the same domain? The second part of
- // this excludes "///evil.com/" protocol-relative hrefs.
- $is_domain_href = ($href[0] == '/') &&
- (!isset($href[1]) || $href[1] != '/');
+ // this excludes "//evil.com/" protocol-relative hrefs. The third part
+ // of this excludes "/\evil.com/" protocol-relative fantasy hrefs which
+ // are completely made up but which browsers all respect. Broadly,
+ // browsers will dutifuly treat "/" followed by ANY sequence of "/" and
+ // "\" as though it were "//".
+ $is_domain_href =
+ ($href[0] == '/') &&
+ (!isset($href[1]) || ($href[1] != '/' && $href[1] != '\\'));
// If the `rel` attribute is not specified, fill in `rel="noreferrer"`.
// Effectively, this serves to make the default behavior for offsite
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Mon, Mar 24, 4:48 AM (2 w, 6 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7707977
Default Alt Text
D18873.id45264.diff (1 KB)
Attached To
Mode
D18873: Expand detection of protocol-relative hrefs to cover "/\evil.com" and variants
Attached
Detach File
Event Timeline
Log In to Comment