Commit 791f6251 authored by Steven Wittens's avatar Steven Wittens

#105031: Allow both upper and lower case for allowed protocols in XSS checks.

parent b6d1519b
......@@ -1493,8 +1493,9 @@ function filter_xss_bad_protocol($string, $decode = TRUE) {
if (preg_match('![/?#]!', $protocol)) {
break;
}
// Per RFC2616, section 3.2.3 (URI Comparison) scheme comparison must be case-insensitive.
// Check if this is a disallowed protocol.
if (!isset($allowed_protocols[$protocol])) {
if (!isset($allowed_protocols[strtolower($protocol)])) {
$string = substr($string, $colonpos + 1);
}
}
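Review bot: The lowercased lookup on the new `isset($allowed_protocols[strtolower($protocol)])` line is only correct if every key of `$allowed_protocols` is itself lowercase, and nothing in this hunk guarantees that; the array is built outside the hunk, so either normalize its keys where it is populated (`array_change_key_case($allowed_protocols, CASE_LOWER)`) or record the precondition next to the check, e.g. `// Keys of $allowed_protocols must be lowercase; only the scheme under test is folded here.` Note also that `strtolower()` in PHP of this era honours the process locale, so under a locale such as tr_TR an uppercase `I` does not fold to `i`, and an allowed scheme written as `FILE` or `IRC` would miss the lookup and be stripped — fail-safe, but worth a comment or an ASCII-only fold so the behaviour does not depend on setlocale(). The enclosing function filter_xss_bad_protocol begins before and continues after this hunk, so where the scheme is extracted and whether entity-decoded or whitespace-padded schemes reach this point cannot be confirmed from the hunk.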