From 39f85fd001bedf0e4dc3fb641936af48cc97df39 Mon Sep 17 00:00:00 2001
From: xiaomlove <1939737565@qq.com>
Date: Fri, 17 Oct 2025 22:00:39 +0700
Subject: [PATCH] format_comment() add filter_src()
---
include/constants.php | 2 +-
include/functions.php | 30 ++++++++++++++++++++++++++----
include/globalfunctions.php | 29 ++++++++++++++++++++++++++++-
3 files changed, 55 insertions(+), 6 deletions(-)
diff --git a/include/constants.php b/include/constants.php
index 47185bf5..93cf3442 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -1,6 +1,6 @@
");
}
function formatFlash($src, $width, $height) {
+ $src = filter_src($src);
+ if (empty($src)) {
+ return "";
+ }
if (!$width) {
$width = 500;
}
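Review bot: The new guard at the top of formatFlash (and the identical insertions in formatFlv, formatYoutube, formatVideo and formatAudio below) tests the filtered value with `empty($src)`, which is broader than filter_src's contract — filter_src signals rejection with an empty string, while `empty()` also matches `"0"` and `null` — so `if ($src === '') { return ''; }` states the intent precisely. The early return carries no comment, and a reader of these formatters cannot tell what is being rejected, so a one-line note such as `// filter_src() drops srcs that resolve to a site script outside the forums/details/offers allow-list` would help. As written in the globalfunctions.php hunk, filter_src applies its deny and allow patterns only when the URL path maps to an existing file under DOCUMENT_ROOT, so this guard covers direct references to on-disk scripts and not URLs served some other way; if that scope is intended it is worth stating in the same comment. formatFlash's body continues outside the hunk.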
@@ -253,6 +259,10 @@ function formatFlash($src, $width, $height) {
return addTempCode("");
}
function formatFlv($src, $width, $height) {
+ $src = filter_src($src);
+ if (empty($src)) {
+ return "";
+ }
if (!$width) {
$width = 320;
}
@@ -263,6 +273,10 @@ function formatFlv($src, $width, $height) {
}
function formatYoutube($src, $width = '', $height = ''): string
{
+ $src = filter_src($src);
+ if (empty($src)) {
+ return "";
+ }
if (!$width) {
$width = 560;
}
@@ -283,6 +297,10 @@ function formatYoutube($src, $width = '', $height = ''): string
}
function formatVideo($src, $width, $height) {
+ $src = filter_src($src);
+ if (empty($src)) {
+ return "";
+ }
if (!$width) {
$width = 560;
}
@@ -293,6 +311,10 @@ function formatVideo($src, $width, $height) {
}
function formatAudio($src) {
+ $src = filter_src($src);
+ if (empty($src)) {
+ return "";
+ }
return addTempCode("");
}
diff --git a/include/globalfunctions.php b/include/globalfunctions.php
index c0a0e89d..603b9f1d 100644
--- a/include/globalfunctions.php
+++ b/include/globalfunctions.php
@@ -1368,9 +1368,36 @@ function has_role_work_seeding($uid)
return $result;
}
+function filter_src($src)
+{
+ $path = parse_url($src, PHP_URL_PATH);
+ if (empty($path)) {
+ return $src;
+ }
+ $guessScriptFilename = sprintf("%s/%s", $_SERVER['DOCUMENT_ROOT'], trim($path, '/'));
+ if (!file_exists($guessScriptFilename)) {
+ return $src;
+ }
+ //log danger, deny directly
+ if (is_danger_url($src)) {
+ $msg = "[DANGER_URL]: $src";
+ do_log($msg, "alert");
+ write_log($msg, "mod");
+ return "";
+ }
+ //only allow these
+ $allowScriptPattern = "/(forums|details|offers)\.php/i";
+ $match = preg_match($allowScriptPattern, $src);
+ if ($match <= 0) {
+ do_log("[NOT_ALLOW_SRC]: $src");
+ return "";
+ }
+ return $src;
+}
+
function is_danger_url($url): bool
{
- $dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|take.*)\.php/i";
+ $dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|docleanup|freeleech|take.*)\.php/i";
$match = preg_match($dangerScriptsPattern, $url);
if ($match > 0) {
return true;