
Switch from strpos search from <script> tags to parse_url & filter_var approach

Open mclare opened this issue 3 years ago • 2 comments

This PR is related to issue #30

Many browsers will accept JavaScript inline in certain properties of tags. This approach strips all tags from the path; afterwards, filter_var is used to verify that the URL src is valid and that the host and path components are valid. There may still be vectors, but this closes many of them.

This approach does require an absolute URL; it will not work with relative paths. I think that's a small use case, but it'll take a lot more processing to work with absolute and relative URLs.

filter_var was introduced into PHP7

mclare avatar Jun 15 '22 02:06 mclare
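As an added illustration of the check this PR describes (example code, not the PR's or feed2js's own), the weak substring test next to a parse_url/filter_var validator. The function names are mine, and restricting the scheme to http/https is an assumption about what feed2js expects, not something the PR states.

```php
<?php
// Added example, not the feed2js PR's code. Function names and the
// http/https allowlist are assumptions made for this illustration.
declare(strict_types=1);

/** The check the PR replaces: only catches a literal "<script" substring. */
function legacy_has_script_tag(string $src): bool
{
    return stripos($src, '<script') !== false;
}

/**
 * Hardened check: strip tags, then require an absolute, well-formed URL
 * with a scheme, host and path. Returns the cleaned URL or null on reject.
 */
function validate_feed_url(string $src): ?string
{
    // The PR strips markup from the value before validating it.
    $clean = strip_tags(trim($src));

    // FILTER_VALIDATE_URL rejects malformed and relative URLs outright;
    // FILTER_FLAG_PATH_REQUIRED also rejects a bare "https://host".
    if (filter_var($clean, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED) === false) {
        return null;
    }

    // parse_url gives the components so each one can be checked explicitly.
    $parts = parse_url($clean);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }

    // Assumption: feed2js only ever fetches http/https feeds, so every other
    // scheme is refused rather than passed through to the fetcher.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    return $clean;
}

// Constructed sample inputs for a quick self-check.
$samples = [
    'https://example.com/rss.xml',        // accepted
    '/rss.xml',                           // rejected: relative, as the PR notes
    'https://example.com',                // rejected: no path component
    'https://example.com/feed<b>x</b>',   // tags stripped first, then validated
];
foreach ($samples as $s) {
    printf("%-36s legacy=%s hardened=%s\n", $s,
        legacy_has_script_tag($s) ? 'flag' : 'pass',
        validate_feed_url($s) ?? 'reject');
}
```

The last sample shows the behaviour the PR relies on: strip_tags removes the markup before filter_var sees the value, whereas the legacy substring test passes it untouched.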

Confirming @cogdog you're okay with me merging this?

bateller avatar Jun 17 '22 18:06 bateller

Oh yes, Matt knows what he's doing. Can you send me an email? My ftp creds no longer work.

cogdog avatar Jun 17 '22 19:06 cogdog

Late to the github pull but finally done.

cogdog avatar Jan 31 '23 18:01 cogdog