
Commit 87194b5

fixed unescaped urls
1 parent 9d364f6 commit 87194b5


1 file changed

+22
-11
lines changed


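--- a/demo/index.php
+++ b/demo/index.php
@@ -4,22 +4,33 @@
 
 include '../src/autoloader.php';
 
-function get($name, $default = '')
+function getUrl()
 {
-if (!isset($_GET[$name])) {
-return $default;
+if (!isset($_GET['url'])) {
+return '';
 }
 
-if ($name === 'url' && !filter_var($_GET['url'], FILTER_VALIDATE_URL)) {
+$url = $_GET['url'];
+
+//fix for unescaped urls
+foreach ($_GET as $name => $value) {
+if ($name === 'url') {
+continue;
+}
+
+$url .= "&{$name}={$value}";
+}
+
+if (!filter_var($url, FILTER_VALIDATE_URL)) {
 return 'http://doNotTryToXSS.invalid';
 }
 
-return $_GET[$name];
+return $url;
 }
 
-function getEscaped($name, $default = '')
+function getEscapedUrl()
 {
-return htmlspecialchars(get($name, $default), ENT_QUOTES, 'UTF-8');
+return htmlspecialchars(getUrl(), ENT_QUOTES, 'UTF-8');
 }
 
 function printAny($text)
@@ -146,7 +157,7 @@ function printCode($code, $asHtml = true)
 <fieldset class="main">
 <label>
 <span>Url to test:</span>
-<input type="url" name="url" autofocus placeholder="http://" value="<?php echo getEscaped('url'); ?>">
+<input type="url" name="url" autofocus placeholder="http://" value="<?php echo getEscapedUrl(); ?>">
 </label>
 </fieldset>
 
@@ -155,17 +166,17 @@ function printCode($code, $asHtml = true)
 &nbsp;&nbsp;&nbsp;
 <a href="https://github.com/oscarotero/Embed/">Get the source code from Github</a>
 &nbsp;&nbsp; - &nbsp;&nbsp;
-<a href="javascript:(function(){window.open('http://oscarotero.com/embed2/demo/index.php?url='+encodeURIComponent(document.location))})();">or the bookmarklet</a>
+<a href="javascript:(function(){window.open('http://oscarotero.com/embed2/demo/index.php?url='+document.location)})();">or the bookmarklet</a>
 </fieldset>
 </form>
 
-<?php if (get('url')): ?>
+<?php if (getUrl()): ?>
 <section>
 <h1>Result:</h1>
 
 <?php
 try {
-$info = Embed\Embed::create(get('url'));
+$info = Embed\Embed::create(getUrl());
 } catch (Exception $exception) {
 echo '<p>'.$exception->getMessage().'</p>';
 echo '</section>';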
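Review bot: The rebuilt query string in getUrl() (first hunk, line `$url .= "&{$name}={$value}";`) concatenates keys and values that PHP has already percent-decoded, so a value that originally contained `%26`, `%23` or `%20` is re-emitted as a literal `&`, `#` or space and the reconstructed URL no longer means what the client sent; FILTER_VALIDATE_URL then either rejects it or accepts a URL with different parameters than the original. `$_GET` values can also be arrays (`a[]=1`), which interpolate as the string `Array` with a notice, and PHP rewrites `.` and spaces in incoming keys to `_`, so the reassembly is lossy even for well-formed input. Re-encoding each pair — `if ($name === 'url' || !is_string($value)) { continue; }` followed by `$url .= '&' . rawurlencode($name) . '=' . rawurlencode($value);` — closes the first two gaps, but the key normalisation cannot be undone server-side. The underlying cause is the third hunk dropping `encodeURIComponent(document.location)` from the bookmarklet; keeping the client-side encoding makes the server-side reconstruction unnecessary.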
