Project

General

Profile

Actions
Copy link

Feature proposal #5279

closed

Remove webaddress schema stripping

Added by krileon over 9 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
krileon
Target version:
CB 2.1
Start date:
14 May 2015
Due date:
% Done:

100%

Estimated time:

Description

Currently web address field strip the schema and force all URLs to HTTP. This isn't valid depending on the destination and there isn't really any reason to strop the schema to begin with.

https://www.joomlapolis.com/forum/153-professional-member-support/229720-web-address-field-type-undesired-behaviour

This should be done during the fieldtype refactoring.

Actions
Copy link
 #1

Updated by beat over 9 years ago

Schemes should be restricted to valid ones.

http and https are sure valid ones.

javascript:...
file:... (e.g. could be misused for / etc / pass)

are very dangerous ones and should not be allowed.

A positive restrictive list for http and https is sure ok, rest I don't see any real application.

Actions
Copy link
 #2

Updated by krileon almost 8 years ago

Right, only support for HTTP and HTTPS should be allowed.

Actions
Copy link
 #3

Updated by krileon almost 8 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

Implemented in MR !1190

Only http and https schemes allowed. ALL others will be stripped. This is now more secure than previously as previously we only stripped mailto:, http://, and https://. If no scheme is supplied it falls back to http://.

Actions
Copy link
 #4

Updated by krileon almost 8 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF