Merge "Introduce new hook UploadVerifyUpload to allow preventing file uploads"
[lhc/web/wiklou.git] / includes / upload / UploadBase.php
index 5d0bc13..6dcc948 100644 (file)
@@ -353,7 +353,7 @@ abstract class UploadBase {
 
                $error = '';
                if ( !Hooks::run( 'UploadVerification',
-                       [ $this->mDestName, $this->mTempPath, &$error ] )
+                       [ $this->mDestName, $this->mTempPath, &$error ], '1.28' )
                ) {
                        return [ 'status' => self::HOOK_ABORTED, 'error' => $error ];
                }
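Review bot: The `'1.28'` argument added to the `Hooks::run( 'UploadVerification', … )` call marks the hook as deprecated, but nothing at the call site says what replaces it or that the call has to stay. Handlers on this hook can veto an upload (the `HOOK_ABORTED` return just below), so dropping the call before extensions have migrated would silently remove those checks. I would add a comment above the call such as `# Deprecated since 1.28, use UploadVerifyUpload instead; keep calling this until handlers have migrated.` The replacement hook name is taken from the commit title, so confirm it before committing the comment. The enclosing method starts and ends outside the hunk.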
@@ -1426,7 +1426,10 @@ abstract class UploadBase {
                                return [ 'uploaded-event-handler-on-svg', $attrib, $value ];
                        }
 
-                       # href with non-local target (don't allow http://, javascript:, etc)
+                       # Do not allow relative links, or unsafe url schemas.
+                       # For <a> tags, only data:, http: and https: and same-document
+                       # fragment links are allowed. For all other tags, only data:
+                       # and fragment are allowed.
                        if ( $stripped == 'href'
                                && strpos( $value, 'data:' ) !== 0
                                && strpos( $value, '#' ) !== 0
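Review bot: The new comment above the `href` check says `data:` is allowed on every tag, but it does not say where the content type of a `data:` target is restricted. A `data:` URI can carry a script-bearing document such as an embedded SVG or HTML page, so a reader relying on this comment alone could conclude such targets are unconditionally safe. If a later check limits the allowed media types, point to it here, e.g. `# data: targets are further restricted below.`; if there is none, that is worth a follow-up. Separately, "unsafe url schemas" should read "unsafe URL schemes". The condition continues past the end of the hunk, so the `http:`/`https:` part of the comment cannot be checked against the code from here.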