don't allow tags in app source

3 files changed, 3 insertions, 3 deletions

diff --git a/addon/facebook/facebook.php b/addon/facebook/facebook.php
index 4265ce801..e9290b10e 100644
--- a/addon/facebook/facebook.php
+++ b/addon/facebook/facebook.php
@@ -821,7 +821,7 @@ function fb_consume_stream($uid,$j,$wall = false) {
 				$datarray['owner-avatar'] = $self[0]['thumb'];
 			}
 			if(isset($entry->application) && isset($entry->application->name) && strlen($entry->application->name))
-				$datarray['app'] = $entry->application->name;
+				$datarray['app'] = strip_tags($entry->application->name);
 			else
 				$datarray['app'] = 'facebook';
 			$datarray['author-name'] = $from->name;
diff --git a/include/items.php b/include/items.php
index 5bcdaef99..3901927fc 100644
--- a/include/items.php
+++ b/include/items.php
@@ -338,7 +338,7 @@ function get_atom_elements($feed,$item) {
 
 	$apps = $item->get_item_tags(NAMESPACE_STATUSNET,'notice_info');
 	if($apps && $apps[0]['attribs']['']['source']) {
-		$res['app'] = $apps[0]['attribs']['']['source'];
+		$res['app'] = strip_tags(unxmlify($apps[0]['attribs']['']['source']));
 		if($res['app'] === 'web')
 			$res['app'] = 'OStatus';
 	}		   
diff --git a/mod/item.php b/mod/item.php
index 9d7b954a8..22eba7b3f 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -61,7 +61,7 @@ function item_post(&$a) {
 
 	$profile_uid = ((x($_POST,'profile_uid')) ? intval($_POST['profile_uid']) : 0);
 	$post_id     = ((x($_POST['post_id']))    ? intval($_POST['post_id'])     : 0);
-	$app         = ((x($_POST['source']))     ? notags($_POST['source'])      : '');
+	$app         = ((x($_POST['source']))     ? strip_tags($_POST['source'])  : '');
 
 	if(! can_write_wall($a,$profile_uid)) {
 		notice( t('Permission denied.') . EOL) ;