aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFriendika <info@friendika.com>2011-06-23 15:58:43 -0700
committerFriendika <info@friendika.com>2011-06-23 15:58:43 -0700
commit5633430a19624423ddd98655518d8a765f081230 (patch)
treebf954c96cfb9de5a99bc5a4a8f0b08782be788a2
parent0e809b930173e284bf4abaa958616b4d3aa9ed07 (diff)
downloadvolse-hubzilla-5633430a19624423ddd98655518d8a765f081230.tar.gz
volse-hubzilla-5633430a19624423ddd98655518d8a765f081230.tar.bz2
volse-hubzilla-5633430a19624423ddd98655518d8a765f081230.zip
don't allow tags in app source
-rw-r--r--addon/facebook/facebook.php2
-rw-r--r--include/items.php2
-rw-r--r--mod/item.php2
3 files changed, 3 insertions, 3 deletions
diff --git a/addon/facebook/facebook.php b/addon/facebook/facebook.php
index 4265ce801..e9290b10e 100644
--- a/addon/facebook/facebook.php
+++ b/addon/facebook/facebook.php
@@ -821,7 +821,7 @@ function fb_consume_stream($uid,$j,$wall = false) {
$datarray['owner-avatar'] = $self[0]['thumb'];
}
if(isset($entry->application) && isset($entry->application->name) && strlen($entry->application->name))
- $datarray['app'] = $entry->application->name;
+ $datarray['app'] = strip_tags($entry->application->name);
else
$datarray['app'] = 'facebook';
$datarray['author-name'] = $from->name;
diff --git a/include/items.php b/include/items.php
index 5bcdaef99..3901927fc 100644
--- a/include/items.php
+++ b/include/items.php
@@ -338,7 +338,7 @@ function get_atom_elements($feed,$item) {
$apps = $item->get_item_tags(NAMESPACE_STATUSNET,'notice_info');
if($apps && $apps[0]['attribs']['']['source']) {
- $res['app'] = $apps[0]['attribs']['']['source'];
+ $res['app'] = strip_tags(unxmlify($apps[0]['attribs']['']['source']));
if($res['app'] === 'web')
$res['app'] = 'OStatus';
}
diff --git a/mod/item.php b/mod/item.php
index 9d7b954a8..22eba7b3f 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -61,7 +61,7 @@ function item_post(&$a) {
$profile_uid = ((x($_POST,'profile_uid')) ? intval($_POST['profile_uid']) : 0);
$post_id = ((x($_POST['post_id'])) ? intval($_POST['post_id']) : 0);
- $app = ((x($_POST['source'])) ? notags($_POST['source']) : '');
+ $app = ((x($_POST['source'])) ? strip_tags($_POST['source']) : '');
if(! can_write_wall($a,$profile_uid)) {
notice( t('Permission denied.') . EOL) ;