second try ... in fixing this XSS in sanitizing.lib.php

libraries/sanitizing.lib.php

@@ -40,31 +40,30 @@ function PMA_sanitize($message)
         '[br]'      => '<br />',
         '[/a]'      => '</a>',
     );
-    $sanitized_message = strtr($message, $replace_pairs);
+    $message = strtr($message, $replace_pairs);
-    $sanitized_message = preg_replace(
-        '/\[a@([^"@]*)@([^]"]*)\]/e',
-        '\'<a href="\' . PMA_sanitizeUri(\'$1\') . \'" target="\2">\'',
-        $sanitized_message);
 
-    return $sanitized_message;
+    $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
-}
 
-/**
+    if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
- * removes javascript
+        $valid_links = array(
- *
+            'http',  // default http:// links (and https://)
- * @uses    trim()
+            './Do',  // ./Documentation
- * @uses    strtolower()
+        );
- * @uses    substr()
- * @param   string  uri
- */
-function PMA_sanitizeUri($uri)
-{
-    $uri = trim($uri);
 
-    if (strtolower(substr($uri, 0, 10)) === 'javascript') {
+        foreach ($founds as $found) {
-        return '';
+            // only http... and ./Do... allowed
+            if (! in_array(substr($found[1], 0, 4), $valid_links)) {
+                return $message;
+            }
+            // a-z and _ allowed in target
+            if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
+                return $message;
+            }
+        }
+
+        $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
     }
 
-    return $uri;
+    return $message;
 }
 ?>