From e92369543959772adcdab4f36c837faa27490346 Mon Sep 17 00:00:00 2001
From: Thorsten Rinne
Date: Wed, 30 Aug 2023 18:54:21 +0200
Subject: [PATCH] fix: only URLs should be allowed
---
 phpmyfaq/admin/ajax.config_list.php | 4 ++--
 phpmyfaq/admin/configuration.php | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/phpmyfaq/admin/ajax.config_list.php b/phpmyfaq/admin/ajax.config_list.php
index b675ca1b73..a936ef18e9 100755
--- a/phpmyfaq/admin/ajax.config_list.php
+++ b/phpmyfaq/admin/ajax.config_list.php
@@ -86,8 +86,8 @@ function renderInputForm($key, $type)
 $type = 'url';
 break;
 default:
- $type = 'text';
- break;
+ $type = 'text';
+ break;
 }
 printf(
diff --git a/phpmyfaq/admin/configuration.php b/phpmyfaq/admin/configuration.php
index 8e5867b6c6..974f607542 100644
--- a/phpmyfaq/admin/configuration.php
+++ b/phpmyfaq/admin/configuration.php
@@ -58,6 +58,13 @@
 unset($editData['edit']['main.currentVersion']); // don't update the version number
 }
+ if (
+ isset($editData['edit']['main.referenceURL']) &&
+ is_null(Filter::filterVar($editData['edit']['main.referenceURL'], FILTER_VALIDATE_URL))
+ ) {
+ unset($editData['edit']['main.referenceURL']);
+ }
+
 foreach ($editData['edit'] as $key => $value) {
 // Remove forbidden characters
 $newConfigValues[$key] = str_replace($forbiddenValues, '', $value);
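Review bot: The new guard on `main.referenceURL` in configuration.php relies on `FILTER_VALIDATE_URL` alone, which accepts any syntactically valid scheme, so the stored value can still be something other than an http(s) address. If this setting is later written into links or used to build absolute URLs (not visible here), extend the condition with a scheme allow-list such as `!in_array(strtolower((string) parse_url($url, PHP_URL_SCHEME)), ['http', 'https'], true)`, where `$url` stands for the submitted value, and keep escaping the value at output, since validation is not encoding. The `is_null()` test assumes `Filter::filterVar()` returns null on failure, whereas native `filter_var()` returns false; that helper is outside the hunk and worth confirming. A rejected value is dropped silently, so a log entry or an admin-facing message would make refused input visible. The surrounding save block starts and ends outside the hunk.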