From: Daniel Friesen Date: Mon, 13 May 2013 02:41:13 +0000 (-0700) Subject: Whitelist a bunch of url protocols. X-Git-Tag: 1.31.0-rc.0~19694^2 X-Git-Url: http://git.cyclocoop.org/%7D%7Cconcat%7B?a=commitdiff_plain;h=a89d623302b5027dbb2d06941a22372948757685;p=lhc%2Fweb%2Fwiklou.git Whitelist a bunch of url protocols. Our url whitelisting is just to reject unsafe protocols like javascript:. We have no reason to reject a bunch of urls to open standardized schemes. Whitelist a bunch of them: ftps, ssh, sftp, xmpp, sip, sips, tel, sms, bitcoin, magnet, urn, and geo. Change-Id: I941190203ee1442d912d46144584bf2e7733f32c --- diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index ad12bf9cd1..569a2b9650 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -16,6 +16,8 @@ production. Special:UserLogin/signup is activated. * $wgVectorUseIconWatch is now enabled by default. * $wgCascadingRestrictionLevels was added. +* ftps, ssh, sftp, xmpp, sip, sips, tel, sms, bitcoin, magnet, urn, and geo + have been whitelisted inside of $wgUrlProtocols. === New features in 1.22 === * (bug 44525) mediawiki.jqueryMsg can now parse (whitelisted) HTML elements and attributes. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 46ca7edbae..bcc4ae4525 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php 
@@ -3377,17 +3377,29 @@ $wgUrlProtocols = array( 'http://', 'https://', 'ftp://', + 'ftps://', // If we allow ftp:// we should allow the secure version. + 'ssh://', + 'sftp://', // SFTP > FTP 'irc://', 'ircs://', // @bug 28503 + 'xmpp:', // Another open communication protocol + 'sip:', + 'sips:', 'gopher://', 'telnet://', // Well if we're going to support the above.. -ævar 'nntp://', // @bug 3808 RFC 1738 'worldwind://', 'mailto:', + 'tel:', // If we can make emails linkable, why not phone numbers? + 'sms:', // Likewise this is standardized too 'news:', 'svn://', 'git://', 'mms://', + 'bitcoin:', // Even registerProtocolHandler whitelists this along with mailto: + 'magnet:', // No reason to reject torrents over magnet: when they're allowed over http:// + 'urn:', // Allow URNs to be used in Microdata/RDFa s + 'geo:', // geo: urls define locations, they're useful in Microdata/RDFa and when mentioning coordinates. '//', // for protocol-relative URLs );
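Review bot: The added RELEASE-NOTES-1.22 bullet (the two lines after the $wgCascadingRestrictionLevels entry) lists the twelve schemes but does not tell an administrator what changes on upgrade. Because this alters the default value of $wgUrlProtocols, suggest extending the bullet to say that these schemes are now accepted by default and that a site wanting the previous, narrower set has to override $wgUrlProtocols in its own configuration.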
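Review bot: In the $wgUrlProtocols hunk of includes/DefaultSettings.php, the safety criterion from the commit message (the list exists to reject unsafe schemes like javascript:) is not recorded in the code. The inline comments justify entries by analogy ("If we can make emails linkable, why not phone numbers?", "SFTP > FTP"), and 'ssh://', 'sip:' and 'sips:' have no comment at all. Suggest a short comment at the array stating that criterion, so later additions are reviewed against it rather than against "it is standardized". The visible diff also touches only RELEASE-NOTES-1.22 and DefaultSettings.php; a test asserting that each of the twelve new schemes is accepted and that javascript: is still rejected would guard the whitelist against regressions.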