Disallow `href` attribute for `user` template plugin
authorMatthias Schmidt <gravatronics@live.com>
Sun, 6 Sep 2020 12:48:10 +0000 (14:48 +0200)
committerMatthias Schmidt <gravatronics@live.com>
Sun, 6 Sep 2020 12:48:10 +0000 (14:48 +0200)
wcfsetup/install/files/lib/system/template/plugin/UserFunctionTemplatePlugin.class.php

index 5b56dd2c52229ab6661038a6cf117656bd3603b0..0b856353927c8555760d3476fa5337fdadc3815c 100644 (file)
@@ -80,6 +80,10 @@ class UserFunctionTemplatePlugin implements IFunctionTemplatePlugin {
                        }
                }
                
+               if (isset($tagArgs['href'])) {
+                       throw new \InvalidArgumentException("'href' attribute is not allowed.");
+               }
+               
                $append = '';
                if (isset($tagArgs['append'])) {
                        $append = $tagArgs['append'];
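Review bot: The guard on the added `isset($tagArgs['href'])` line does not fire when the key is present with a `null` value, because `isset()` treats null as unset; a template that passes an empty variable as `href` would get past the check. `if (array_key_exists('href', $tagArgs)) {` rejects the attribute by name regardless of its value. How the remaining `$tagArgs` entries become attributes is outside the hunk, so whether a null `href` would actually be emitted cannot be confirmed from here, and the same goes for any normalisation of key case. The method body starts before and continues after the hunk.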