Wiki source for ArchiveLinkFormattingFix
The link formatting code had several security holes, and some incorrect regular expressions. The changes on this page fix these problems:
- external links are only allowed to use well-known schemes: ##http:##, ##https:## and ##ftp:##; this fixes all bugs where links have the form ##javascript:...##
- ##formatter/wakka.php## had its own link formatter for some links; this removes another avenue for bugs
This also adds two features I like:
- external links have their own CSS class, so you can style them differently
- external links are followed by a little mark (a small superscripted infinity sign) so you can easily tell which links go off-site.
**Enjoy!** --""MarkLentczner""
----
==== wakka.php ====
Change the function **Link** to
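%% function Link($tag, $method = "", $text = "", $track = 1) {
    // Turn $tag into a link. External targets (InterWiki, http/https/ftp,
    // mailto, bare host name) get class "ext" plus the $tail marker; a plain
    // WikiName becomes an internal link or a "missing page" marker; anything
    // else comes back as escaped text with no link at all.
    //   $method  page handler used for the internal href (e.g. "edit")
    //   $text    link label; defaults to $tag
    //   $track   non-zero to record internal links for back-link tracking
    if (!$text) $text = $tag;
    $text = htmlspecialchars($text);
    $url = '';
    if (preg_match("/^([A-Z][a-zA-Z]+):([^\\s\"<>&]+)$/", $tag, $matches))
    {
        // InterWiki:Tag. This branch runs before the scheme check below, so
        // any capitalised prefix ends up here; the scheme whitelist only
        // holds if GetInterWikiUrl yields an empty value for unknown names
        // (GetInterWikiUrl is not shown on this page - confirm).
        $url = $this->GetInterWikiUrl($matches[1], $matches[2]);
    }
    else if (preg_match("/^(http|https|ftp):\/\/([^\\s\"<>&]+)$/", $tag))
    {
        $url = $tag; // explicit scheme from the allowed list: a valid external URL
    }
    else if (preg_match("/^[^\\s\"<>&]+\@[^\\s\"<>&]+$/", $tag))
    {
        $url = "mailto:".$tag;
    }
    else if (preg_match("/^([-A-Za-z0-9_]+\\.)+[A-Za-z][-A-Za-z0-9_]+$/", $tag))
    {
        $url = "http://".$tag; // bare host name, e.g. www.example.org
    }
    else if (preg_match("/^[A-Za-z0-9]+$/", $tag))
    {
        // it's a Wakka link! (looser than IsWikiName: any run of letters/digits)
        if (!empty($_SESSION["linktracking"]) && $track) $this->TrackLinkTo($tag);
        return ($this->LoadPage($tag) ? "<a href=\"".$this->href($method, $tag)."\">".$text."</a>" : "<span class=\"missingpage\">".$text."</span><a href=\"".$this->href("edit", $tag)."\">?</a>");
    }
    $tail = "<span class=\"exttail\">∞</span>"; // set this to the empty string if you don't like it
    // Escape the URL as well: the patterns above already keep quotes, angle
    // brackets and '&' out of page-supplied targets, but the InterWiki URL is
    // built from config and may contain '&', which must be "&amp;" inside an
    // attribute.
    return $url ? "<a class=\"ext\" href=\"".htmlspecialchars($url)."\">$text</a>$tail" : $text;
}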
%%
Change the function **IsWikiName** to
%% function IsWikiName($text) {
    // Returns 1 when $text is a CamelCase WikiName: a capital, at least one
    // lowercase letter, then a capital or digit followed by any letters/digits;
    // 0 otherwise (preg_match's result is passed straight through).
    $wikiNamePattern = "/^[A-Z][a-z]+[A-Z0-9][A-Za-z0-9]*$/";
    return preg_match($wikiNamePattern, $text);
}
%%
While you're at it, fix the bug with link tracking in headers and footers (these links shouldn't count as back links to a page):
%% function Header() {
    // Render the configured header action; the trailing 0 switches link
    // tracking off so header links are not recorded as back links.
    $headerAction = $this->GetConfigValue("header_action");
    return $this->Action($headerAction, 0);
}
function Footer() {
    // Render the configured footer action; the trailing 0 switches link
    // tracking off so footer links are not recorded as back links.
    $footerAction = $this->GetConfigValue("footer_action");
    return $this->Action($footerAction, 0);
}
%%
----
==== formatters/wakka.php ====
Make this patch:
%%@@ -57,1 +57,1 @@
- return "<a href=\"$url\">$url</a>".$matches[2];
+ return $wakka->Link($url).$matches[2];
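Review bot: The trailing `$matches[2]` is still appended raw after the delegated link, exactly as on the removed line; from this one-line hunk it is not visible whether that capture is already-escaped text or a raw trailing character from the formatter's pattern, so confirm it is escaped where it is captured. Routing `$url` through `$wakka->Link($url)` does put it behind the scheme whitelist and the label escaping that `Link` performs, which is the point of the change. The enclosing function starts and ends outside the hunk.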
%%
----
==== css/wakka.css ====
Add these CSS classes, editing to suit your taste:
%%a.ext {
    /* off-site links, so they can be told apart from internal ones */
    color: #993333;
}
.exttail {
    /* the small marker after an external link, raised above the baseline */
    position: relative;
    bottom: .5ex;
    color: #999999;
}
%%
- external links are only allowed to use well-known schemes: ##http:##, ##https:## and ##ftp:##; this fixes all bugs where links have the form ##javascript:...##
- ##formatter/wakka.php## had its own link formatter for some links; this removes another avenue for bugs
This also adds two features I like:
- external links have their own CSS class, so you can style them differently
- external links are followed by a little mark (a small superscripted infinity sign) so you can easily tell which links go off-site.
**Enjoy!** --""MarkLentczner""
----
==== wakka.php ====
Change the function **Link** to
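%% function Link($tag, $method = "", $text = "", $track = 1) {
    // Turn $tag into a link. External targets (InterWiki, http/https/ftp,
    // mailto, bare host name) get class "ext" plus the $tail marker; a plain
    // WikiName becomes an internal link or a "missing page" marker; anything
    // else comes back as escaped text with no link at all.
    //   $method  page handler used for the internal href (e.g. "edit")
    //   $text    link label; defaults to $tag
    //   $track   non-zero to record internal links for back-link tracking
    if (!$text) $text = $tag;
    $text = htmlspecialchars($text);
    $url = '';
    if (preg_match("/^([A-Z][a-zA-Z]+):([^\\s\"<>&]+)$/", $tag, $matches))
    {
        // InterWiki:Tag. This branch runs before the scheme check below, so
        // any capitalised prefix ends up here; the scheme whitelist only
        // holds if GetInterWikiUrl yields an empty value for unknown names
        // (GetInterWikiUrl is not shown on this page - confirm).
        $url = $this->GetInterWikiUrl($matches[1], $matches[2]);
    }
    else if (preg_match("/^(http|https|ftp):\/\/([^\\s\"<>&]+)$/", $tag))
    {
        $url = $tag; // explicit scheme from the allowed list: a valid external URL
    }
    else if (preg_match("/^[^\\s\"<>&]+\@[^\\s\"<>&]+$/", $tag))
    {
        $url = "mailto:".$tag;
    }
    else if (preg_match("/^([-A-Za-z0-9_]+\\.)+[A-Za-z][-A-Za-z0-9_]+$/", $tag))
    {
        $url = "http://".$tag; // bare host name, e.g. www.example.org
    }
    else if (preg_match("/^[A-Za-z0-9]+$/", $tag))
    {
        // it's a Wakka link! (looser than IsWikiName: any run of letters/digits)
        if (!empty($_SESSION["linktracking"]) && $track) $this->TrackLinkTo($tag);
        return ($this->LoadPage($tag) ? "<a href=\"".$this->href($method, $tag)."\">".$text."</a>" : "<span class=\"missingpage\">".$text."</span><a href=\"".$this->href("edit", $tag)."\">?</a>");
    }
    $tail = "<span class=\"exttail\">∞</span>"; // set this to the empty string if you don't like it
    // Escape the URL as well: the patterns above already keep quotes, angle
    // brackets and '&' out of page-supplied targets, but the InterWiki URL is
    // built from config and may contain '&', which must be "&amp;" inside an
    // attribute.
    return $url ? "<a class=\"ext\" href=\"".htmlspecialchars($url)."\">$text</a>$tail" : $text;
}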
%%
Change the function **IsWikiName** to
%% function IsWikiName($text) {
    // Returns 1 when $text is a CamelCase WikiName: a capital, at least one
    // lowercase letter, then a capital or digit followed by any letters/digits;
    // 0 otherwise (preg_match's result is passed straight through).
    $wikiNamePattern = "/^[A-Z][a-z]+[A-Z0-9][A-Za-z0-9]*$/";
    return preg_match($wikiNamePattern, $text);
}
%%
While you're at it, fix the bug with link tracking in headers and footers (these links shouldn't count as back links to a page):
%% function Header() {
    // Render the configured header action; the trailing 0 switches link
    // tracking off so header links are not recorded as back links.
    $headerAction = $this->GetConfigValue("header_action");
    return $this->Action($headerAction, 0);
}
function Footer() {
    // Render the configured footer action; the trailing 0 switches link
    // tracking off so footer links are not recorded as back links.
    $footerAction = $this->GetConfigValue("footer_action");
    return $this->Action($footerAction, 0);
}
%%
----
==== formatters/wakka.php ====
Make this patch:
%%@@ -57,1 +57,1 @@
- return "<a href=\"$url\">$url</a>".$matches[2];
+ return $wakka->Link($url).$matches[2];
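Review bot: The trailing `$matches[2]` is still appended raw after the delegated link, exactly as on the removed line; from this one-line hunk it is not visible whether that capture is already-escaped text or a raw trailing character from the formatter's pattern, so confirm it is escaped where it is captured. Routing `$url` through `$wakka->Link($url)` does put it behind the scheme whitelist and the label escaping that `Link` performs, which is the point of the change. The enclosing function starts and ends outside the hunk.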
%%
----
==== css/wakka.css ====
Add these CSS classes, editing to suit your taste:
%%a.ext {
    /* off-site links, so they can be told apart from internal ones */
    color: #993333;
}
.exttail {
    /* the small marker after an external link, raised above the baseline */
    position: relative;
    bottom: .5ex;
    color: #999999;
}
%%