From 442e395bfe590644d370b8af3fd15b6e552f3178 Mon Sep 17 00:00:00 2001
From: John Flatness
Date: Wed, 10 Feb 2021 13:32:57 -0500
Subject: [PATCH] Forbid javascript: URLs for url data type (#1688)

---
 application/src/DataType/Uri.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/application/src/DataType/Uri.php b/application/src/DataType/Uri.php
index 100608f93c..e69d9d51f6 100644
--- a/application/src/DataType/Uri.php
+++ b/application/src/DataType/Uri.php
@@ -25,13 +25,16 @@ public function form(PhpRenderer $view)
 
     public function isValid(array $valueObject)
     {
-        if (isset($valueObject['@id'])
-            && is_string($valueObject['@id'])
-            && '' !== trim($valueObject['@id'])
+        if (!isset($valueObject['@id'])
+            || !is_string($valueObject['@id'])
         ) {
-            return true;
+            return false;
         }
-        return false;
+
+        $trimmed = trim($valueObject['@id']);
+        $scheme = parse_url($trimmed, \PHP_URL_SCHEME);
+
+        return !('' === $trimmed || $scheme === 'javascript');
     }
 
     public function hydrate(array $valueObject, Value $value, AbstractEntityAdapter $adapter)
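Review bot: The scheme comparison on the new `return` line is case-sensitive, but `parse_url()` returns the scheme exactly as written and URL schemes are case-insensitive to consumers, so the check as written does not reject every spelling of the scheme it is meant to forbid; normalise before comparing, e.g. `$scheme = strtolower((string) parse_url($trimmed, \PHP_URL_SCHEME));`. The `(string)` cast also covers the case where `parse_url()` returns `false` for a seriously malformed value, which the current code silently treats as "no scheme" and accepts — if that is intended it deserves a comment such as `// parse_url() returns false on malformed input; such values are accepted here as scheme-less`. Since this is a single-entry denylist, it may be worth noting in a docblock on `isValid()` that the method only guarantees a non-empty string that is not a `javascript:` URL, so callers do not read it as a general URL-safety check. For readability the negated disjunction could be written as `return '' !== $trimmed && 'javascript' !== $scheme;`.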