From e5592f819efd654ae0e7b7a9b7ce4c6a7f1682ea Mon Sep 17 00:00:00 2001
From: David Grudl
Date: Tue, 14 Jan 2020 19:31:45 +0100
Subject: [PATCH] Filters::safeUrl() accepts tel: and sms: [Closes #203]
---
 src/Latte/Runtime/Filters.php | 2 +-
 tests/Latte/Safe.url.phpt | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
index 465ec5b0a..55fa36a0d 100644
--- a/src/Latte/Runtime/Filters.php
+++ b/src/Latte/Runtime/Filters.php
@@ -293,7 +293,7 @@ public static function getConvertor(string $source, string $dest): ?callable
 public static function safeUrl($s): string
 {
 $s = (string) $s;
- return preg_match('~^(?:(?:https?|ftp)://[^@]+(?:/.*)?|mailto:.+|[/?#].*|[^:]+)$~Di', $s) ? $s : '';
+ return preg_match('~^(?:(?:https?|ftp)://[^@]+(?:/.*)?|(?:mailto|tel|sms):.+|[/?#].*|[^:]+)$~Di', $s) ? $s : '';
 }
diff --git a/tests/Latte/Safe.url.phpt b/tests/Latte/Safe.url.phpt
index 8662defb7..fac08a388 100644
--- a/tests/Latte/Safe.url.phpt
+++ b/tests/Latte/Safe.url.phpt
@@ -20,6 +20,8 @@ $params['url2'] = ' javascript:alert(1)';
 $params['url3'] = 'data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+';
 $params['url4'] = 'ok';
 $params['url5'] = '';
+$params['url6'] = 'tel:+420123456789';
+$params['url7'] = 'sms:+420123456789';
 Assert::match('
@@ -32,6 +34,8 @@ Assert::match(' ok + +
@@ -46,6 +50,8 @@ Assert::match(' ok + +
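Review bot: The new `(?:mailto|tel|sms):.+` alternative in `safeUrl()` validates only the scheme, so any payload after `tel:` or `sms:` is accepted, including an `sms:` URI whose `?body=` part pre-fills message text. That matches how `mailto:` was already treated, but these schemes open a dialer or messaging app, so templates that render untrusted values now rely entirely on this allow-list. I would record the contract above the `return`, e.g. `// allow-list of schemes only; the part after mailto:/tel:/sms: is not validated`, and bring the method's docblock, which lies outside this hunk, in line with it. If stricter handling is wanted, the `tel`/`sms` remainder could be limited to phone-number characters instead of `.+`.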
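Review bot: The cases added in `tests/Latte/Safe.url.phpt` (`url6`, `url7`) exercise only accepted values, so nothing pins what the widened alternative still rejects. A bare scheme such as `$params['url8'] = 'tel:';` should render as an empty string because `.+` needs at least one character, and a look-alike scheme containing a colon should still be dropped by the `[^:]+` branch. The expected-output lines of the second and third hunks are not readable in this view, so the matching expectations would have to be added to both `Assert::match` blocks there.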