author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2021-04-26 13:56:01 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-04-26 13:56:01 +0200 |
commit | aa651fd629534e96432492c1a74e979b28222ce2 (patch) | |
tree | 63191b834673e30a9544ed589a2afba02ef54299 /lib/private | |
parent | e1a3000cbed2e0bfa29e53b8bbcb858604540da2 (diff) | |
parent | d80cc76ee7f3f1f347fc54cc300e5e38ba7d6e19 (diff) | |
Merge pull request #26259 from nextcloud/feature/noid/validate-website-to-be-valid
Validate the website field input to be a valid URL
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/Accounts/AccountManager.php | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/lib/private/Accounts/AccountManager.php b/lib/private/Accounts/AccountManager.php
index d5df6557c8f..53792c70d27 100644
--- a/lib/private/Accounts/AccountManager.php
+++ b/lib/private/Accounts/AccountManager.php
@@ -121,6 +121,25 @@ class AccountManager implements IAccountManager {
 }
 /**
+ *
+ * @param string $input
+ * @return string
+ * @throws \InvalidArgumentException When the website did not have http(s) as protocol or the host name was empty
+ */
+ protected function parseWebsite(string $input): string {
+ $parts = parse_url($input);
+ if (!isset($parts['scheme']) || ($parts['scheme'] !== 'https' && $parts['scheme'] !== 'http')) {
+ throw new \InvalidArgumentException(self::PROPERTY_WEBSITE);
+ }
+
+ if (!isset($parts['host']) || $parts['host'] === '') {
+ throw new \InvalidArgumentException(self::PROPERTY_WEBSITE);
+ }
+
+ return $input;
+ }
+
+ /**
 * update user record
 *
 * @param IUser $user
@@ -158,6 +177,17 @@ class AccountManager implements IAccountManager {
 }
 }
+ if (isset($data[self::PROPERTY_WEBSITE]) && $data[self::PROPERTY_WEBSITE]['value'] !== '') {
+ try {
+ $data[self::PROPERTY_WEBSITE]['value'] = $this->parseWebsite($data[self::PROPERTY_WEBSITE]['value']);
+ } catch (\InvalidArgumentException $e) {
+ if ($throwOnData) {
+ throw $e;
+ }
+ $data[self::PROPERTY_WEBSITE]['value'] = '';
+ }
+ }
+
 $allowedScopes = [
 self::SCOPE_PRIVATE,
 self::SCOPE_LOCAL, |
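Review bot: `parseWebsite()` returns the raw `$input` after checking only that `parse_url()` produced an http(s) scheme and a non-empty host, so everything else the parser tolerates is stored unchanged. `parse_url()` is documented as a splitter rather than a validator: a value with userinfo in front of the host, or with embedded whitespace or control characters, still yields a `scheme` and `host` and passes. Consider rejecting those explicitly, e.g. `if (isset($parts['user']) || preg_match('/[\x00-\x20\x7f]/', $input)) { throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); }`, and keep context-appropriate escaping wherever the value is rendered as a link. The scheme comparison is also case-sensitive, so `HTTPS://…` is refused; comparing `strtolower($parts['scheme'])` avoids that. The docblock opens with an empty line and would read better with a summary such as `Validate that the website value is an http(s) URL with a host`.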
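Review bot: The added block reads `$data[self::PROPERTY_WEBSITE]['value']` without checking that the key exists or holds a string, and `parseWebsite()` declares a `string` parameter, so a missing or non-string value would surface as a `\TypeError` that `catch (\InvalidArgumentException $e)` does not handle. This assumes callers can supply such a shape, which the hunk does not show. A guard at the top of the `try`, `if (!is_string($data[self::PROPERTY_WEBSITE]['value'] ?? null)) { throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); }`, keeps that case on the existing invalid-input path. When `$throwOnData` is false the rejected value is replaced with `''` without any trace; if a logger is available in this class, a debug-level entry would help explain why a profile field was cleared. The enclosing method starts and ends outside the hunk.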