Feature proposal #5279

closed

Remove webaddress schema stripping

Added by krileon over 9 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Start date: 14 May 2015
Due date:
% Done: 100%
Estimated time:
Description

Currently web address fields strip the schema and force all URLs to HTTP. This isn't valid depending on the destination and there isn't really any reason to strip the schema to begin with.

https://www.joomlapolis.com/forum/153-professional-member-support/229720-web-address-field-type-undesired-behaviour

This should be done during the fieldtype refactoring.

#1

Updated by beat over 9 years ago

Schemes should be restricted to valid ones.

http and https are sure valid ones.

javascript:...
file:... (e.g. could be misused for / etc / pass)

are very dangerous ones and should not be allowed.

A positive restrictive list for http and https is sure ok; for the rest I don't see any real application.

#2

Updated by krileon about 8 years ago

Right, only support for HTTP and HTTPS should be allowed.

#3

Updated by krileon about 8 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

Implemented in MR !1190

Only http and https schemes allowed. ALL others will be stripped. This is now more secure than previously as previously we only stripped mailto:, http://, and https://. If no scheme is supplied it falls back to http://.
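The rule described in the comment above (http and https kept, every other scheme stripped, `http://` as the fallback), sketched in PHP as an added example. It is not the code from MR !1190 or from Community Builder; the function name, the host:port heuristic and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: normalizeWebAddress() is a hypothetical name, not Community Builder's API.
function normalizeWebAddress(string $input): string
{
    // Browsers drop tab/CR/LF inside a URL and trim leading control characters
    // and spaces, so "java\tscript:" has to be read as "javascript:".
    $url = trim(str_replace(["\t", "\r", "\n"], '', $input), "\x00..\x20");

    // Allow list: http and https pass through, scheme lower-cased.
    if (preg_match('~^(https?):/*+(.+)$~i', $url, $m) === 1) {
        return strtolower($m[1]) . '://' . $m[2];
    }

    // Assumption: a scheme-less "host:port" is kept intact, since "example.com:"
    // would otherwise match the RFC 3986 scheme syntax below.
    $hostPort = '~^[^/:?#]+:\d{1,5}(?:[/?#]|$)~';
    $scheme   = '~^[a-z][a-z0-9+.\-]*:/*~i';

    // Strip any other leading scheme, repeatedly, so "a:b:rest" does not
    // leave "b:" at the front of the stored value.
    while (preg_match($hostPort, $url) !== 1 && preg_match($scheme, $url, $m) === 1) {
        $url = substr($url, strlen($m[0]));
    }

    // Fallback to http://; the fixed prefix means whatever remains is parsed
    // as host and path, never as a scheme.
    $url = ltrim($url, '/');
    return $url === '' ? '' : 'http://' . $url;
}

// Constructed sample inputs.
$samples = [
    'https://www.example.com/profile',
    'www.example.com',
    'example.com:8080/path',
    'HTTPS://Example.com',
    'ftp://files.example.com/pub',
    'mailto:user@example.com',
    " JaVa\tScRiPt:alert(1)",
    'file:///tmp/example.txt',
];
foreach ($samples as $sample) {
    printf("%-36s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), normalizeWebAddress($sample));
}
```

Every non-empty return value begins with `http://` or `https://`, which is the property to check wherever the stored value is later written into an `href`.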

#4

Updated by krileon about 8 years ago

  • Status changed from Resolved to Closed