Filters::safeUrl() accepts tel: and sms: [Closes #203]

nette · Jan 14, 2020 · e5592f8 · e5592f8
1 parent c7ff038
commit e5592f8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -293,7 +293,7 @@ public static function getConvertor(string $source, string $dest): ?callable
 	public static function safeUrl($s): string
 	{
 		$s = (string) $s;
-		return preg_match('~^(?:(?:https?|ftp)://[^@]+(?:/.*)?|mailto:.+|[/?#].*|[^:]+)$~Di', $s) ? $s : '';
+		return preg_match('~^(?:(?:https?|ftp)://[^@]+(?:/.*)?|(?:mailto|tel|sms):.+|[/?#].*|[^:]+)$~Di', $s) ? $s : '';
 	}
 
 

diff --git a/tests/Latte/Safe.url.phpt b/tests/Latte/Safe.url.phpt
@@ -20,6 +20,8 @@ $params['url2'] = ' javascript:alert(1)';
 $params['url3'] = 'data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+';
 $params['url4'] = 'ok';
 $params['url5'] = '';
+$params['url6'] = 'tel:+420123456789';
+$params['url7'] = 'sms:+420123456789';
 
 
 Assert::match('
@@ -32,6 +34,8 @@ Assert::match('
 <a href=""></a>
 <a href=ok>ok</a>
 <a href=""></a>
+<a href="tel:+420123456789"></a>
+<a href="sms:+420123456789"></a>
 <a href="data:%a%;base64,b2s="></a>
 <a href="data:%a%;base64,b2s="></a>
 <a href=""></a>
@@ -46,6 +50,8 @@ Assert::match('
 <a href={$url3}></a>
 <a href={$url4}>ok</a>
 <a href={$url5}></a>
+<a href={$url6}></a>
+<a href={$url7}></a>
 <a href={$url4|dataStream}></a>
 <a href={$url4|dataStream|noCheck}></a>
 <a href={$url4|dataStream|checkURL}></a>