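/**
 * Decide whether a (redirect) URL points back at this site.
 *
 * Open-redirect guard: callers pass a URL taken from the request (e.g. a "return"
 * parameter) and must only redirect when this returns true.
 *
 * @param string $url       URL to check; when it carries no http/https/ftp scheme, "http://" is assumed
 * @param bool   $baseonly  true: compare only the base domain (any subdomain of the site's domain
 *                          is accepted), whatever the 'allowed_redirecturls' component parameter says
 *
 * @return bool  true if the URL's host matches the current site (JURI::base()); false otherwise,
 *               including whenever the URL cannot be parsed into an accepted scheme plus a non-empty host
 */
static function is_safe_url($url, $baseonly = false)
{
    $cparams = JComponentHelper::getParams('com_flexicontent');
    // Component parameter does not exist YET, so the default 'internal_base' is what is seen in practice
    $allowed_redirecturls = $cparams->get('allowed_redirecturls', 'internal_base');

    // Prefix the URL if it has no recognised scheme, so that parse_url() sees an absolute URL.
    // The "://" is required (not just the scheme word) so that e.g. "http:foo" is not taken as already prefixed.
    if (!preg_match('#^(https?|ftp)://#i', (string) $url)) {
        $url = 'http://' . $url;
    }

    $parts = parse_url($url);

    // Anything parse_url() rejects, or that lacks a scheme or a host, is never a safe redirect target;
    // fail closed here instead of passing an unparsable string on to the domain helpers below
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }

    // Only the schemes the prefix check recognises are accepted, whatever the host is
    if (!in_array(strtolower($parts['scheme']), array('http', 'https', 'ftp'), true)) {
        return false;
    }

    $site_base = JURI::base();

    // Hostnames are case-insensitive, so both sides are lowercased before the strict comparison
    if ($baseonly || $allowed_redirecturls === 'internal_base') {
        // Base-domain match (HOST only): any subdomain of the site's domain is accepted,
        // so this is weaker than the full-host match below
        $url_domain  = strtolower((string) flexicontent_html::get_basedomain($url));
        $site_domain = strtolower((string) flexicontent_html::get_basedomain($site_base));

        // Two empty strings must not compare as "same domain"
        return $site_domain !== '' && $url_domain === $site_domain;
    }

    // 'internal_full' (and any other value): the full host must equal the site's host.
    // There is deliberately no "allow any URL (external too)" mode: it would let users be sent to an
    // off-site URL from what looks like an internal link (e.g. one received by e-mail).
    $site_host = strtolower((string) parse_url($site_base, PHP_URL_HOST));

    return $site_host !== '' && strtolower($parts['host']) === $site_host;
}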