[ticket/security/211] Only run make_clickable() on URL type profile fields

SECURITY-211
2025-07-31 22:10:45 +02:00 · 2017-07-23 10:40:30 +02:00
parent 882a3c3831
commit 2749bfe26c
2 changed files with 15 additions and 1 deletions
--- a/phpBB/phpbb/profilefields/type/type_string_common.php
+++ b/phpBB/phpbb/profilefields/type/type_string_common.php
@@ -108,7 +108,6 @@ abstract class type_string_common extends type_base
 			return null;
 		}

-		$field_value = make_clickable($field_value);
 		$field_value = censor_text($field_value);
 		$field_value = bbcode_nl2br($field_value);
 		return $field_value;
--- a/phpBB/phpbb/profilefields/type/type_url.php
+++ b/phpBB/phpbb/profilefields/type/type_url.php
@@ -71,4 +71,19 @@ class type_url extends type_string

 		return false;
 	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function get_profile_value($field_value, $field_data)
+	{
+		if (!preg_match('#^' . get_preg_expression('url_http') . '$#iu', $field_value))
+		{
+			return null;
+		}
+
+		$field_value = make_clickable($field_value);
+
+		return parent::get_profile_value($field_value, $field_data);
+	}
 }