chriskonnertz / bbcode

A BBCode parser and converter written in PHP.
MIT License
40 stars 25 forks

XSS vulnerability in URL tags #25

Open Nisto opened 1 year ago

Nisto commented 1 year ago

I believe javascript: URLs ought to be filtered. URL tags currently allow embedding malicious inline scripts:

```php
<?php
// Composer autoload assumed for the ChrisKonnertz\BBCode namespace.
require 'vendor/autoload.php';

$bbcode = new ChrisKonnertz\BBCode\BBCode();

echo $bbcode->render("[url=javascript:alert('hacked')]malicious link[/url]");
```

ui0ppk commented 12 months ago

TBH I plan to make a pull to fix it.

ui0ppk commented 9 months ago

I'm a few months late on this, but if anyone cares to do it, just make it allow specific URLs or disallow them (like a whitelist or blacklist).
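The allowlist approach suggested above, as an added example that is not part of chriskonnertz/bbcode: a scheme check for the `[url=...]` attribute, applied to the raw BBCode before it is passed to `render()`. The function names, the allowed-scheme list and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not project code): scheme allowlist for [url=...] targets.
// Assumption: the raw BBCode string is available before it reaches render().

const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return true if $url is relative or uses an allowlisted scheme.
 * Leading whitespace/control characters are stripped first, since browsers
 * ignore them when reading a scheme, and the comparison is case-insensitive.
 */
function isAllowedLinkUrl(string $url): bool
{
    $clean = preg_replace('/^[\x00-\x20]+/', '', $url);
    // No "scheme:" prefix means a relative URL, which is accepted as-is.
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

/**
 * Rewrite [url=...] tags whose target fails the allowlist to a harmless
 * "#" target, leaving every other tag untouched.
 */
function filterUrlTags(string $bbcode): string
{
    return preg_replace_callback(
        '/\[url=([^\]]*)\]/i',
        function (array $m): string {
            return isAllowedLinkUrl($m[1]) ? $m[0] : '[url=#]';
        },
        $bbcode
    );
}

// Constructed inputs: the first two pass unchanged, the rest are rewritten.
$samples = [
    '[url=https://example.com/page]ok[/url]',
    '[url=/relative/path]ok[/url]',
    "[url=javascript:alert('hacked')]malicious link[/url]",
    '[url=JavaScript:alert(1)]mixed case[/url]',
    "[url=\tjavascript:alert(1)]leading tab[/url]",
];
foreach ($samples as $sample) {
    echo filterUrlTags($sample), PHP_EOL;
}
```

If the site also accepts the bare `[url]target[/url]` form, run `isAllowedLinkUrl()` over that tag's body as well, since the same scheme check applies there.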