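--- a/PATH_NOT_IN_SOURCE
+++ b/PATH_NOT_IN_SOURCE
@@ -22,35 +22,39 @@ class SrcAttributeValidator implements AttributeValidatorInterface
 private $ allowedHosts ;
 
 /**
+ * SrcAttributeValidator constructor.
+ *
 * @param string[] $allowedHosts
 */
 public function __construct (array $ allowedHosts )
 {
 $ this ->allowedHosts = $ allowedHosts ;
 }
 
+ /**
+ * @inheritDoc
+ */
 public function validate (string $ tag , string $ attributeName , string $ value ): void
 {
 if ($ tag !== 'iframe ' || $ attributeName !== 'src ' ) {
 return ;
 }
 
 if (mb_strpos ($ value , 'http ' ) !== 0 ) {
+ //Relative link
 return ;
 }
+ // phpcs:ignore Magento2.Functions.DiscouragedFunction
 $ srcHost = parse_url ($ value , PHP_URL_HOST );
- if ($ srcHost && $ this ->allowedHosts ) {
- $ srcHostLength = mb_strlen ($ srcHost );
- $ allowed = false ;
- foreach ($ this ->allowedHosts as $ host ) {
- $ hostLength = mb_strlen ($ host );
- $ foundIndex = mb_strpos ($ srcHost , $ host );
- if ($ foundIndex !== false && ($ foundIndex + $ hostLength ) === $ srcHostLength ) {
- $ allowed = true ;
- break ;
- }
- }
- if ($ allowed ) {
+ if (!$ srcHost || !$ this ->allowedHosts ) {
+ //Either the link is invalid or we do not have the allowed list.
+ return ;
+ }
+ $ srcHostLength = mb_strlen ($ srcHost );
+ foreach ($ this ->allowedHosts as $ host ) {
+ $ hostLength = mb_strlen ($ host );
+ $ foundIndex = mb_strpos ($ srcHost , $ host );
+ if ($ foundIndex !== false && ($ foundIndex + $ hostLength ) === $ srcHostLength ) {
 return ;
 }
 }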
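Review bot: The suffix test on the new line `if ($foundIndex !== false && ($foundIndex + $hostLength) === $srcHostLength)` only establishes that `$srcHost` ends with an allowed entry, so a host such as `evil-example.com` (constructed example) satisfies an allow-list entry `example.com`; a label boundary is needed, e.g. `if ($foundIndex !== false && ($foundIndex + $hostLength) === $srcHostLength && ($foundIndex === 0 || mb_substr($srcHost, $foundIndex - 1, 1) === '.')) {`. The `//Relative link` comment added under the `mb_strpos($value, 'http') !== 0` guard also documents a gap: a protocol-relative value such as `//other.example/...` is not relative in a browser, yet it returns before `parse_url` runs and is never checked against the allow list, so a leading `//` should be treated as absolute as well. Host names are case-insensitive while this comparison is not, so lower-casing `$srcHost` and each allowed entry before comparing would avoid rejecting otherwise-allowed hosts. The remainder of validate (presumably the rejection path taken when no host matched) lies outside the hunk.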