allow geo: uri and be more specific when checking uri schemes also remove zhttp which is not used anymore and ftp which is not supported by most browsers anymore

2026-06-21 00:52:33 -04:00 · 2025-06-17 09:29:27 +00:00
parent 37159937d7
commit 86ebef7e08
1 changed files with 6 additions and 2 deletions
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1813,9 +1813,13 @@ function bbcode($text, $options = []) {
 		$text = preg_replace("/\<(.*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism", '<$1$2=$3&$4>', $text);

 	// This is subtle - it's an XSS filter. It only accepts links with a protocol scheme and where
-	// the scheme begins with z (zhttp), h (http(s)), f (ftp(s)), m (mailto), t (tel) and named anchors.
+	// the scheme begins with http:, https:, mailto:, tel:, geo: and named anchors.

-	$text = preg_replace("/\<(.*?)(src|href)=\"[^zhfmt#](.*?)\>/ism", '<$1$2="">', $text);
+	$text = preg_replace(
+		'/(<[^>]*?\b(?:src|href)\s*=\s*([\'"])\s*)(?!https?:|geo:|mailto:|tel:|#)[^\'"]*?\2/iu',
+		'$1$2$2',
+		$text
+	);

 	$text = bb_replace_images($text, $saved_images);