
N.466 HTML links with href="ftp://..." or "file://...". The filtering implemented by default (DOM Sanitization) now takes the configuration parameter url_validation_pattern into account. This aligns the behavior of HTML attributes with that of AttributeURL and the automatic wiki formatting. By default, iTop allows the protocols http/https/ftp. To allow the 'file' protocol, edit the config file and change url_validation_pattern accordingly.

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@4455 a333f486-631f-4898-b8df-5754b55c2be0
romainq 8 years ago
parent
commit
56229ee784
1 changed files with 10 additions and 2 deletions
  1. 10 2
      core/htmlsanitizer.class.inc.php

+ 10 - 2
core/htmlsanitizer.class.inc.php

@@ -187,14 +187,22 @@ class HTMLDOMSanitizer extends HTMLSanitizer
 	);
 	
 	protected static $aAttrsWhiteList = array(
-		'href' => '/^(http:|https:)/i',
 		'src' => '/^(http:|https:|data:)/i',
 	);
 	
 	protected static $aStylesWhiteList = array(
 		'background-color', 'color', 'float', 'font', 'font-style', 'font-size', 'font-family', 'padding', 'margin', 'border', 'cellpadding', 'cellspacing', 'bordercolor', 'border-collapse', 'width', 'height',
 	);
-	
+
+	public function __construct()
+	{
+		if (!array_key_exists('href', self::$aAttrsWhiteList))
+		{
+			$sPattern = '/'.str_replace('/', '\/', utils::GetConfig()->Get('url_validation_pattern')).'/i';
+			self::$aAttrsWhiteList['href'] = $sPattern;
+		}
+	}
+
 	public function DoSanitize($sHTML)
 	{
 		$this->oDoc = new DOMDocument();
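Review bot: The pattern built on the `$sPattern` line drops the `^` anchor that the removed `'/^(http:|https:)/i'` entry had, so unless `url_validation_pattern` itself begins with `^` the href check becomes a substring match and a value that merely contains a matching URL somewhere after an unrelated scheme would be accepted; anchor it explicitly, `$sPattern = '/^(?:'.str_replace('/', '\/', utils::GetConfig()->Get('url_validation_pattern')).')/i';`. The `str_replace` escaping also turns an already-escaped `\/` in the configured pattern into `\\/`, which closes the regex early and makes `preg_match` fail, so a comment stating that the config value must be an unescaped PCRE body, or a `preg_last_error()` check after the first match, would help whoever edits the config. `__construct` does not call `parent::__construct()`; whether `HTMLSanitizer` defines one is not visible here. The enclosing class header is outside the hunk, and `DoSanitize` continues past its end.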