From d80cc76ee7f3f1f347fc54cc300e5e38ba7d6e19 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 23 Mar 2021 14:52:04 +0100 Subject: Validate the website field input to be a valid URL Signed-off-by: Joas Schilling --- lib/private/Accounts/AccountManager.php | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'lib/private') diff --git a/lib/private/Accounts/AccountManager.php b/lib/private/Accounts/AccountManager.php index ea8f99e0216..eff025e511e 100644 --- a/lib/private/Accounts/AccountManager.php +++ b/lib/private/Accounts/AccountManager.php @@ -120,6 +120,25 @@ class AccountManager implements IAccountManager { throw new \InvalidArgumentException(self::PROPERTY_PHONE); } + /** + * + * @param string $input + * @return string + * @throws \InvalidArgumentException When the website did not have http(s) as protocol or the host name was empty + */ + protected function parseWebsite(string $input): string { + $parts = parse_url($input); + if (!isset($parts['scheme']) || ($parts['scheme'] !== 'https' && $parts['scheme'] !== 'http')) { + throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); + } + + if (!isset($parts['host']) || $parts['host'] === '') { + throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); + } + + return $input; + } + /** * update user record * @@ -155,6 +174,17 @@ class AccountManager implements IAccountManager { } } + if (isset($data[self::PROPERTY_WEBSITE]) && $data[self::PROPERTY_WEBSITE]['value'] !== '') { + try { + $data[self::PROPERTY_WEBSITE]['value'] = $this->parseWebsite($data[self::PROPERTY_WEBSITE]['value']); + } catch (\InvalidArgumentException $e) { + if ($throwOnData) { + throw $e; + } + $data[self::PROPERTY_WEBSITE]['value'] = ''; + } + } + $allowedScopes = [ self::SCOPE_PRIVATE, self::SCOPE_LOCAL, -- cgit v1.2.3
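Review bot: parseWebsite only checks that parse_url() finds an http/https scheme and a non-empty host and then returns `$input` untouched, so userinfo, path, query and fragment — and whatever odd characters parse_url tolerates — are stored verbatim; this is validation, not sanitisation, and whatever renders the website field still has to escape it for its output context. The scheme comparison is case-sensitive, so `HTTPS://example.com` is rejected because parse_url reports the scheme as written; `$scheme = strtolower($parts['scheme'] ?? '');` followed by `if (!in_array($scheme, ['http', 'https'], true)) {` would accept it (the `false` that parse_url returns for seriously malformed input is already handled, since `isset()` on a non-array is quietly false). A stricter syntactic check fits in one line before the return, `if (filter_var($input, FILTER_VALIDATE_URL) === false) { throw new \InvalidArgumentException(self::PROPERTY_WEBSITE); }`, with the caveat that FILTER_VALIDATE_URL rejects non-ASCII (IDN) hosts unless they are punycode-encoded first. The docblock opens with an empty ` *` line; a summary such as `Validate that the website field holds an absolute http(s) URL with a host; the input is returned unchanged, not normalised.` would state the contract.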
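Review bot: The guard `$data[self::PROPERTY_WEBSITE]['value'] !== ''` lets any non-string value (null, an int, an array from a crafted request body) through to `parseWebsite(string $input)`, which then raises a TypeError that `catch (\InvalidArgumentException $e)` does not handle, so a malformed value aborts the update instead of being rejected or blanked. Checking the shape first, `if (isset($data[self::PROPERTY_WEBSITE]['value']) && is_string($data[self::PROPERTY_WEBSITE]['value']) && $data[self::PROPERTY_WEBSITE]['value'] !== '') {`, keeps the failure inside the existing throw-or-blank handling and also avoids the warning when the `value` key is missing; how far `$data` is trusted depends on the callers, which are not visible here. Note that with `$throwOnData` false an invalid URL is silently replaced by `''`, presumably matching the phone handling above the hunk, but the caller cannot tell that from an empty submission, so a log line at the blanking point would help operators. updateUser's signature and the rest of its body lie outside the hunk.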