[SECURITY] Disallow javascript & data scheme in URL link handler
[Packages/TYPO3.CMS.git] / typo3 / sysext / core / Classes / LinkHandling / UrlLinkHandler.php
1 <?php
2 namespace TYPO3\CMS\Core\LinkHandling;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
/**
 * Link handler for plain external URLs.
 *
 * No lookup takes place: the URL supplied by the caller is normalised by
 * addHttpSchemeAsFallback() and handed back.
 */
class UrlLinkHandler implements LinkHandlingInterface
{
    /**
     * Builds the string representation of the link.
     *
     * The result is not always the input: a URL without a scheme gets
     * "http://" prepended, and a "javascript:" or "data:" URL is replaced
     * by an empty string.
     *
     * @param array $parameters link parameters; the 'url' entry is read
     * @return string the normalised URL, possibly empty
     */
    public function asString(array $parameters): string
    {
        $rawUrl = $parameters['url'];

        return $this->addHttpSchemeAsFallback($rawUrl);
    }

    /**
     * Builds the handler data for a URL link.
     *
     * The same normalisation as in asString() is applied, so the returned
     * 'url' may carry an added "http://" prefix or be an empty string.
     *
     * @param array $data link data; the 'url' entry is read
     * @return array an array with the single key 'url'
     */
    public function resolveHandlerData(array $data): array
    {
        $normalisedUrl = $this->addHttpSchemeAsFallback($data['url']);

        return ['url' => $normalisedUrl];
    }

    /**
     * Prepends "http://" to scheme-less URLs (e.g. "www.typo3.org") and
     * rejects URLs that use the "javascript" or "data" scheme.
     *
     * A rejected URL is signalled only by the empty return value; no
     * exception is raised.
     *
     * @param string $url the URL
     * @return string the URL, the URL with "http://" prepended, or ''
     */
    protected function addHttpSchemeAsFallback(string $url): string
    {
        // Nothing to normalise. empty() also matches the string "0", which
        // is therefore returned as is.
        if (empty($url)) {
            return $url;
        }

        // parse_url() gives null when there is no scheme and false when the
        // URL cannot be parsed; both are handled as "no scheme", so such a
        // value always ends up behind an explicit "http://".
        $detectedScheme = parse_url($url, PHP_URL_SCHEME);
        if (empty($detectedScheme)) {
            return 'http://' . $url;
        }

        // Security check, case-insensitive: `javascript:` and `data:` are
        // denied as URL scheme. This is a deny-list, every other scheme is
        // returned unchanged, so code that renders the value still has to
        // encode it for its output context.
        $lowerCasedScheme = strtolower($detectedScheme);
        if ($lowerCasedScheme === 'javascript' || $lowerCasedScheme === 'data') {
            return '';
        }

        return $url;
    }
}