Small fixes

sympa-community · Jan 13, 2023 · 020a74b · 020a74b
1 parent aa131c8
commit 020a74b
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/src/lib/Sympa/Config/Schema.pm b/src/lib/Sympa/Config/Schema.pm
@@ -1389,7 +1389,7 @@ our %pinfo = (
         gettext_id => 'Allowed external links in sanitized HTML',
         gettext_comment =>
             'When the HTML content of a message must be sanitized, links ("href" or "src" attributes) with the hosts listed in this parameter will not be scrubbed. If "*" character is included, it matches any subdomains. Single "*" allows any hosts.',
-        format     => '[-\w*]+(?:[.][-\w*]+)+',
+        format     => '(?:[^\@]+\@)?[-\w*]+(?:[.][-\w*]+)*(?:[:][\d*]+)?',
         split_char => ',',
         sample     => '*.example.org,www.example.com',
         not_before => '6.2.19b.2',

diff --git a/src/lib/Sympa/HTMLSanitizer.pm b/src/lib/Sympa/HTMLSanitizer.pm
@@ -176,7 +176,7 @@ sub validate_src_attribute {
         # Relative ref.
         ;
     } elsif (($uri->scheme // '') !~ /\Ahttps?\z/
-        or not length($uri->authority // '')) {
+        or not length($uri->host // '')) {
         return undef;
     } elsif ($uri->authority !~ $self->{_shsAllowedOriginRe}) {
         # Allow links with the same origin, i.e. URLs with the same host etc.

diff --git a/t/HTMLSanitizer.t b/t/HTMLSanitizer.t
@@ -54,10 +54,6 @@ is $sanitizer->sanitize_html(
     '<html><body><a href="../&hearts;"></a></body></html>'),
     '<html><body><a href="../%E2%99%A5"></a></body></html>',
     'not filter relative URI reference';
-is $sanitizer->sanitize_html(
-    '<html><body><a href="https://"></a></body></html>'),
-    '<html><body><a></a></body></html>',
-    'filter URI with empty host';
 is $sanitizer->sanitize_html(
     '<html><body><a href="https://web.example.org"></a></body></html>'),
     '<html><body><a href="https://web.example.org/"></a></body></html>',
@@ -67,6 +63,13 @@ is $sanitizer->sanitize_html(
     '<html><body><a></a></body></html>',
     'filter https URI with the other origin';
 
+$Conf::Conf{allowed_external_origin} = '*';
+$sanitizer = Sympa::HTMLSanitizer->new('*');
+is $sanitizer->sanitize_html(
+    '<html><body><a href="https://user:secret@:8443"></a></body></html>'),
+    '<html><body><a></a></body></html>',
+    'filter URI with empty host';
+
 done_testing();
 
 __END__