static function is_safe_url($url, $baseonly = false)
{
$cparams = JComponentHelper::getParams('com_flexicontent');
$allowed_redirecturls = $cparams->get('allowed_redirecturls', 'internal_base');
// Parameter does not exist YET
// prefix the URL if needed so that parse_url will work
$has_prefix = preg_match("#^http|^https|^ftp#i", $url);
$url = (!$has_prefix ? "http://" : "") . $url;
// Require baseonly internal url: (HOST only)
if ($baseonly || $allowed_redirecturls == 'internal_base') {
return flexicontent_html::get_basedomain($url) == flexicontent_html::get_basedomain(JURI::base());
} else {
// if ( $allowed_redirecturls == 'internal_full' )
return parse_url($url, PHP_URL_HOST) == parse_url(JURI::base(), PHP_URL_HOST);
}
// Allow any URL, (external too) this may be considered a vulnerability for unlogged/logged users, since
// users may be redirected to an offsite URL despite clicking an internal site URL received e.g. by an email
//else
// return true;
}
