Skip to content
This repository has been archived by the owner on Nov 14, 2018. It is now read-only.

Add new site target option to External Site options #2221

Closed
wants to merge 9 commits into from
Closed

Add new site target option to External Site options #2221

wants to merge 9 commits into from

Conversation

pirate
Copy link

@pirate pirate commented Sep 9, 2017
edited
Loading

This PR adds a site_target option which lets users specify whether an External Site is framed by owncloud, replaces the current window, or opens in a separate window.

Picking up stale PR: #2216

Fixes:

  • prevents possible XSS by validating targets against allowed list

Adds:

Questions:
How can I import the value $targets defined in external/settings.php into external/ajax/setsites.php?
Is there some helper function like getAppConfig().getKey('targets') or getAppSettings('external')['targets']?

This was referenced Sep 9, 2017
Open
Closed
This was referenced Sep 9, 2017
Closed
Merged
@PVince81
Copy link
Contributor

@Peter-Prochaska can you review this ?

peterprochaska
peterprochaska suggested changes Sep 12, 2017
View reviewed changes
external/ajax/setsites.php
strip_tags($_POST['site_url'][$i]),
strip_tags($_POST['site_icon'][$i]),
strip_tags($_POST['site_target'][$i]),
));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think strip_tags is not enough here. Because you always can inject " onLoad="javascript:alert('XSS')" <- which tags should strip_tags remove?
Use htmlspecialchars or similar for escaping.

@pirate pirate closed this Oct 10, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@peterprochaska peterprochaska peterprochaska requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pirate @PVince81 @peterprochaska