From 291a1fff1f8db54a0d2c59faa689f23f3e35f4fe Mon Sep 17 00:00:00 2001
From: Ruslan Uzdenov <rxu@mail.ru>
Date: Mon, 15 Nov 2010 23:27:57 +0100
Subject: [PATCH] [ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode.

Fix XSS in Flash-BBcode by validating that the supplied argument is a URL.

PHPBB3-9903
---
 phpBB/includes/message_parser.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index 952b55cc8c..b2d0b6c566 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@@ -352,6 +352,15 @@ class bbcode_firstpass extends bbcode
 			return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
 		}
 
+		$in = str_replace(' ', '%20', $in);
+
+		// Make sure $in is a URL.
+		if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) &&
+			!preg_match('#^' . get_preg_expression('www_url') . '$#i', $in))
+		{
+			return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
+		}
+
 		// Apply the same size checks on flash files as on images
 		if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
 		{