2015-08-21, 07:12 AM
Hello,
I have found the following line in class_parser.php:
#\[url=([^\r\n\"<&\(\)]+?)\](.+?)\[/url\]#si
Now I have the question why it is disallowed here? I know, correct urls should match the previous regex (#\[url=([a-z]+?://)([^\r\n\"<]+?)\](.+?)\[/url\]#si), but still & is used very often in urls and if you forget http(s)://, your URL won't be matched.
My questions are:
- What is this regex for if all valid URLs should match the one above?
- What is the security problem with matching & in this regex?
Thanks in advance ...
Thomas
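
The matching behaviour described in the post, as an added example that is not part of the original post or of the forum software: the two quoted patterns are run with PHP's preg_match against constructed BBCode strings to show which inputs each one accepts. The names $patterns, $samples and which_patterns_match are hypothetical.

```php
<?php
// Added example: the two patterns are copied from the post above;
// everything else (names, inputs) is constructed for illustration.
$patterns = [
    // "previous regex" in the post: requires a scheme such as http://
    'scheme'   => '#\[url=([a-z]+?://)([^\r\n\"<]+?)\](.+?)\[/url\]#si',
    // the line the post asks about: no scheme required, but & ( ) excluded
    'fallback' => '#\[url=([^\r\n\"<&\(\)]+?)\](.+?)\[/url\]#si',
];

// Constructed sample inputs covering the cases the post mentions.
$samples = [
    '[url=http://example.com/?a=1&b=2]scheme, with &[/url]',
    '[url=example.com/?a=1&b=2]no scheme, with &[/url]',
    '[url=example.com/page]no scheme, no &[/url]',
    '[url=example.com/f(1)]no scheme, parentheses[/url]',
];

/**
 * Return the names of all patterns that match the given input.
 */
function which_patterns_match(array $patterns, string $input): array
{
    $hits = [];
    foreach ($patterns as $name => $regex) {
        if (preg_match($regex, $input) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Print one line per sample: the input and the patterns that accepted it.
foreach ($samples as $sample) {
    $hits = which_patterns_match($patterns, $sample);
    printf("%-55s => %s\n", $sample, $hits ? implode(', ', $hits) : 'no match');
}
```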