Merge branch '3'

2024-10-22 08:05:56 +02:00 · 2017-06-28 14:35:21 +01:00 · 2017-06-28 14:35:21 +01:00 · 9816efc97f
commit 9816efc97f
parent b89aa98402 44e9484aa4
3 changed files with 33 additions and 9 deletions
--- a/code/Model/RedirectorPage.php
+++ b/code/Model/RedirectorPage.php
@ -138,12 +138,23 @@ class RedirectorPage extends Page
    {
        parent::onBeforeWrite();

-        // Prefix the URL with "http://" if no prefix is found
-        if ($this->ExternalURL
-            && !parse_url($this->ExternalURL, PHP_URL_SCHEME)
-            && !preg_match('#^//#', $this->ExternalURL)
-        ) {
+        if ($this->ExternalURL && substr($this->ExternalURL, 0, 2) !== '//') {
+            $urlParts = parse_url($this->ExternalURL);
+            if ($urlParts) {
+                if (empty($urlParts['scheme'])) {
+                    // no scheme, assume http
                    $this->ExternalURL = 'http://' . $this->ExternalURL;
+                } elseif (!in_array($urlParts['scheme'], array(
+                    'http',
+                    'https',
+                ))) {
+                    // we only allow http(s) urls
+                    $this->ExternalURL = '';
+                }
+            } else {
+                // malformed URL to reject
+                $this->ExternalURL = '';
+            }
        }
    }

--- a/code/Model/SiteTree.php
+++ b/code/Model/SiteTree.php
@ -777,7 +777,9 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
            /** @var SiteTree $child */
            $sort = 0;
            foreach ($children as $child) {
-                $childClone = $child->duplicateWithChildren();
+                $childClone = method_exists($child, 'duplicateWithChildren')
+                    ? $child->duplicateWithChildren()
+                    : $child->duplicate();
                $childClone->ParentID = $clone->ID;
                //retain sort order by manually setting sort values
                $childClone->Sort = ++$sort;
@ -1812,7 +1814,7 @@ class SiteTree extends DataObject implements PermissionProvider, i18nEntityProvi
                'New {pagetype}',
                array('pagetype' => $this->i18n_singular_name())
            )));
-        $helpText = (self::config()->nested_urls && $this->Children()->count())
+        $helpText = (self::config()->nested_urls && $this->numChildren())
            ? $this->fieldLabel('LinkChangeNote')
            : '';
        if (!Config::inst()->get('SilverStripe\\View\\Parsers\\URLSegmentFilter', 'default_allow_multibyte')) {
--- a/tests/model/RedirectorPageTest.php
+++ b/tests/model/RedirectorPageTest.php
@ -99,4 +99,15 @@ class RedirectorPageTest extends FunctionalTest

        RedirectorPageController::remove_extension('RedirectorPageTest_RedirectExtension');
    }
+
+    public function testNoJSLinksAllowed()
+    {
+        $page = new RedirectorPage();
+        $js = 'javascript:alert("hello world")';
+        $page->ExternalURL = $js;
+        $this->assertEquals($js, $page->ExternalURL);
+
+        $page->write();
+        $this->assertEmpty($page->ExternalURL);
+    }
 }