Merge pull request #5998 from 3liz/backport-5997-to-release_3_9

rldhont · web-flow · commit c73250458c53 · 2025-08-09T11:08:51.000+02:00
[Backport release_3_9] check URL when submitting AccessControlAllowOrigin in admin Form
diff --git a/lizmap/modules/admin/controllers/maps.classic.php b/lizmap/modules/admin/controllers/maps.classic.php
@@ -1,6 +1,7 @@
 <?php
 
 use Jelix\FileUtilities\Path;
+use Lizmap\Project\Repository;
 use Lizmap\Project\UnknownLizmapProjectException;
 use Lizmap\Request\Proxy;
 use LizmapAdmin\RepositoryRightsService;
@@ -488,7 +489,7 @@ public function saveSection()
                     $domain = 'https://'.$domain;
                 }
                 $urlParts = parse_url($domain);
-                if ($urlParts === false) {
+                if ($urlParts === false || !filter_var($domain, FILTER_VALIDATE_URL)) {
                     $form->setErrorOn('accessControlAllowOrigin', jLocale::get('admin~admin.form.admin_section.message.accessControlAllowOrigin.bad.domain'));
                     $ok = $okDomain = false;
 
@@ -530,7 +531,7 @@ public function saveSection()
 
         // Repository data
         $data = array();
-        foreach (lizmapRepository::getProperties() as $prop) {
+        foreach (Repository::getProperties() as $prop) {
             $data[$prop] = $form->getData($prop);
             // Check paths
             if ($prop == 'path') {
