Open aimeos opened 3 years ago
@darylldoyle Can you have a look at the PR because without it, Server-Side Request Forgery is possible.
Seems to be reasonable. I'll add some more test-cases covering the new behavior during the next few days - in case somebody else is faster, please don't hesitate... 😉
Is it possible to get some test cases added for this please?
If removeRemoteReferences(true) is used, the current code fails to remove attributes with namespaces (e.g. "xlink:href"), "http" and "ftps" URLs and all URLs not wrapped in url('...').
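The three cases listed in the description, written as a stand-alone check that could back the requested test cases. This is an added example, not code from the PR or from the library; the function name, the "remote" policy and the sample SVG are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XLINK = "{http://www.w3.org/1999/xlink}"
# Assumed policy: "scheme://..." (http, https, ftp, ftps, ...) or a
# protocol-relative "//host" is remote; fragment-only "#id" stays local.
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)
# Contents of a CSS url(...), with or without quotes.
CSS_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I)

# Constructed sample covering namespaced attributes, http/ftps schemes,
# bare URLs and url(...) wrappers, plus two local references.
SAMPLE_SVG = """
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://example.invalid/a.png"/>
  <image href="ftps://example.invalid/b.png"/>
  <rect fill="url(https://example.invalid/p.svg#g)"/>
  <rect style="fill: url('//example.invalid/q.svg#g')"/>
  <use xlink:href="#local"/>
  <rect fill="url(#grad)"/>
</svg>
"""


def _label(name):
    """Render '{ns}local' as 'xlink:local' for XLink, else just 'local'."""
    return name.replace(XLINK, "xlink:").rsplit("}", 1)[-1]


def find_remote_references(svg_text):
    """Return (element, attribute, url) for every remote reference found."""
    findings = []
    # The sample is trusted; parse real uploads with a hardened XML parser.
    for el in ET.fromstring(svg_text).iter():
        for name, value in el.attrib.items():
            # Check url(...) contents and the bare attribute value itself.
            candidates = [m.group(2) for m in CSS_URL.finditer(value)] + [value]
            for url in candidates:
                if REMOTE.match(url):
                    findings.append((_label(el.tag), _label(name), url.strip()))
    return findings


if __name__ == "__main__":
    for finding in find_remote_references(SAMPLE_SVG):
        print(finding)
```

Run against sanitizer output, an empty result means no remote reference of these kinds survived.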