authorJoas Schilling <coding@schilljs.com>2021-03-23 14:52:04 +0100
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>2021-04-26 11:58:56 +0000
commit2c1218826d2de8cea0ef698a133bd1b903d669ee (patch)
tree3e6dc8b8fdde3d3562228ac825407050623f98ab /lib
parent49d3fdf0c1d53259ac25c33271f8456a6db42183 (diff)
downloadnextcloud-server-2c1218826d2de8cea0ef698a133bd1b903d669ee.tar.gz
nextcloud-server-2c1218826d2de8cea0ef698a133bd1b903d669ee.zip
Validate the website field input to be a valid URL
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/private/Accounts/AccountManager.php30
1 files changed, 30 insertions, 0 deletions
diff --git a/lib/private/Accounts/AccountManager.php b/lib/private/Accounts/AccountManager.php
index ea8f99e0216..eff025e511e 100644
--- a/lib/private/Accounts/AccountManager.php
+++ b/lib/private/Accounts/AccountManager.php
@@ -121,6 +121,25 @@ class AccountManager implements IAccountManager {
}
/**
+ *
+ * @param string $input
+ * @return string
+ * @throws \InvalidArgumentException When the website did not have http(s) as protocol or the host name was empty
+ */
+ protected function parseWebsite(string $input): string {
+ $parts = parse_url($input);
+ if (!isset($parts['scheme']) || ($parts['scheme'] !== 'https' && $parts['scheme'] !== 'http')) {
+ throw new \InvalidArgumentException(self::PROPERTY_WEBSITE);
+ }
+
+ if (!isset($parts['host']) || $parts['host'] === '') {
+ throw new \InvalidArgumentException(self::PROPERTY_WEBSITE);
+ }
+
+ return $input;
+ }
+
+ /**
* update user record
*
* @param IUser $user
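Review bot: parseWebsite() returns `$input` unchanged, so the stored value is whatever raw string `parse_url()` was willing to split, and `parse_url()` is a lenient parser rather than a validator. A value with embedded whitespace or control characters, or with userinfo before the host, still yields an http(s) scheme and a non-empty host and is accepted as is. If the website value is later rendered as a link or passed to other systems (not visible in this hunk), a stricter gate before the return would help, for example `if (filter_var($input, FILTER_VALIDATE_URL) === false) { throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); }`. The scheme comparison is also case-sensitive, so `HTTPS://example.com` is rejected; comparing `strtolower($parts['scheme'])` would avoid that. The docblock's summary line is empty and could read `Validate that the website is an absolute http(s) URL with a non-empty host`.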
@@ -155,6 +174,17 @@ class AccountManager implements IAccountManager {
}
}
+ if (isset($data[self::PROPERTY_WEBSITE]) && $data[self::PROPERTY_WEBSITE]['value'] !== '') {
+ try {
+ $data[self::PROPERTY_WEBSITE]['value'] = $this->parseWebsite($data[self::PROPERTY_WEBSITE]['value']);
+ } catch (\InvalidArgumentException $e) {
+ if ($throwOnData) {
+ throw $e;
+ }
+ $data[self::PROPERTY_WEBSITE]['value'] = '';
+ }
+ }
+
$allowedScopes = [
self::SCOPE_PRIVATE,
self::SCOPE_LOCAL,
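Review bot: The added guard checks `isset($data[self::PROPERTY_WEBSITE])` but then reads `['value']` and passes it to `parseWebsite(string $input)` without confirming that the key exists and holds a string. The shape of `$data` is set outside this hunk, but if a caller can supply null or an array there, the call raises a TypeError rather than the `\InvalidArgumentException` this block catches, so the `$throwOnData` handling is skipped. Testing `isset($data[self::PROPERTY_WEBSITE]['value'])` in the condition and adding `if (!is_string($data[self::PROPERTY_WEBSITE]['value'])) { throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); }` as the first statement inside the `try` would route that case through the same path. When `$throwOnData` is false the rejected value is silently replaced by `''`; a log entry at that point would make dropped input traceable. The enclosing method begins and ends outside this hunk.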