author | redmatrix <git@macgirvin.com> | 2016-06-26 22:26:45 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-06-26 22:26:45 -0700 |
commit | 8d298d5a068845856c9827c0d2ea3f02f1399d72 (patch) | |
tree | caf7b545d84fab3aeeaee2dea8e36726e96cfe51 | |
parent | 3035c792dcef91cd679034ee67eb2b28ed6f3d35 (diff) | |
download | volse-hubzilla-8d298d5a068845856c9827c0d2ea3f02f1399d72.tar.gz volse-hubzilla-8d298d5a068845856c9827c0d2ea3f02f1399d72.tar.bz2 volse-hubzilla-8d298d5a068845856c9827c0d2ea3f02f1399d72.zip |
fix for the rendering side of issue #412. We traditionally store all
"user generated" content with ENT_COMPAT encoding to reduce the attack
vector for JS CSS exploits. This may present compatibility issues sharing
wikis to platforms which do not provide such CSS protection. We can either
decide that wikis are inherently insecure and filter them on render (with
an associated performance penalty), or keep the existing method of filtering
on store. I'm not making that choice. I'm merely fixing the obvious rendering
issue in mono-platform viewing.
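The store-time ENT_COMPAT encoding the commit message describes, and the decode-order question it raises for the render side, as an added example that is not Hubzilla's code: it assumes two plausible storage orders (entity-encode then JSON-encode, or JSON-encode then entity-encode), models both render orders against each, and checks what the Markdown renderer would receive. All function names and the sample page text are constructed for this illustration.

```php
<?php
// Added example, not Hubzilla's code. It models the store-time ENT_COMPAT
// encoding the commit message describes, then shows that the render side
// only round-trips the stored text if htmlspecialchars_decode() and
// json_decode() are applied in the reverse of the order used at store time,
// and that a successful round-trip hands the renderer the original markup.
// All function names and the sample input are constructed for this example.

// Storage order A: entity-encode the user text, then JSON-encode it.
// ENT_COMPAT converts & < > and the double quote; the single quote is kept.
function store_encode_then_json(string $userText): string {
    return json_encode(htmlspecialchars($userText, ENT_COMPAT, 'UTF-8'));
}

// Storage order B: JSON-encode the user text, then entity-encode the JSON.
function store_json_then_encode(string $userText): string {
    return htmlspecialchars(json_encode($userText), ENT_COMPAT, 'UTF-8');
}

// Render order used in the patch: decode entities on the stored text, then
// json_decode the result. Returns null when json_decode does not yield a string.
function render_decode_then_json(string $stored): ?string {
    $json = htmlspecialchars_decode($stored, ENT_COMPAT);
    $value = json_decode($json);
    return is_string($value) ? $value : null;
}

// The opposite render order: json_decode the stored text first, then decode
// entities in the string it returns. Returns null when json_decode fails.
function render_json_then_decode(string $stored): ?string {
    $value = json_decode($stored);
    return is_string($value) ? htmlspecialchars_decode($value, ENT_COMPAT) : null;
}

// True if the text about to be handed to the Markdown renderer still has the
// tag- and attribute-opening characters encoded as entities.
function still_neutralised(string $renderInput): bool {
    return strpbrk($renderInput, '<>"') === false;
}

// Constructed sample page text: a double quote (the character ENT_COMPAT is
// there for) and a script tag a wiki author must not be able to inject.
$text = 'He said "hi" <script>alert(1)</script>';

$stored = [
    'encode-then-json' => store_encode_then_json($text),
    'json-then-encode' => store_json_then_encode($text),
];

// Each render order is tried against each storage order. A null result means
// json_decode() failed: the mismatched order either left the JSON wrapped in
// &quot; entities or broke the JSON string literal with bare double quotes.
foreach ($stored as $label => $blob) {
    printf("%-17s decode->json: %s\n", $label, var_export(render_decode_then_json($blob), true));
    printf("%-17s json->decode: %s\n", $label, var_export(render_json_then_decode($blob), true));
}

// Store-time protection versus what the renderer actually receives: the
// JSON-decoded string with its entities intact, and the same string after
// htmlspecialchars_decode() has put < > and " back.
$jsonOnly = json_decode($stored['encode-then-json']);
$roundTripped = render_json_then_decode($stored['encode-then-json']);
printf("entities intact before decode: %s\n", var_export(still_neutralised($jsonOnly), true));
printf("entities intact after decode:  %s\n", var_export(still_neutralised($roundTripped), true));
```

Run it with `php` on the command line. Each render order succeeds for exactly one storage order and returns null for the other, which is the check to make before adopting the patch's decode-then-json_decode order: it is only correct if the wiki content was JSON-encoded before it was entity-encoded on the way in. The successful round trip returns the original text with the `<script>` element restored, so `still_neutralised()` is true for the JSON-decoded string and false once entities are decoded; if the render side is going to decode, the render-time filter the commit message mentions has to run on the output after this point, because the store-time encoding no longer protects anything.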
-rw-r--r-- | Zotlabs/Module/Wiki.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index 6a8bdf0db..38b49effc 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -125,7 +125,7 @@ class Wiki extends \Zotlabs\Web\Controller { notice('Error retrieving page content' . EOL); goaway('/'.argv(0).'/'.argv(1).'/'.$wikiUrlName); } - $content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"'); + $content = ($p['content'] !== '' ? htmlspecialchars_decode($p['content'],ENT_COMPAT) : '"# New page\n"'); // Render the Markdown-formatted page content in HTML require_once('library/markdown.php'); $renderedContent = wiki_convert_links(Markdown(json_decode($content)),argv(0).'/'.argv(1).'/'.$wikiUrlName); |
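Review bot: in the changed line, `htmlspecialchars_decode($p['content'],ENT_COMPAT)` is applied to the stored JSON text and only then does `Markdown(json_decode($content))` parse it, so the fix is only correct if the content was JSON-encoded before it was entity-encoded at store time; if the stored order was the reverse (entities inside the JSON string literal), every stored `&quot;` becomes a bare double quote inside that literal, `json_decode()` returns null and `Markdown()` receives an empty page. Safer is to call `json_decode()` on the stored text first and apply `htmlspecialchars_decode()` to the string it returns, and in either case to check the result of `json_decode()` before passing it on, since the current line silently renders nothing on failure. Separately, the decoded text goes straight into `Markdown()` and `wiki_convert_links()` with no sanitising step visible in this hunk, so any tag or attribute the store-time ENT_COMPAT encoding neutralised is restored before rendering; the commit message accepts that as an open choice, but a comment at this line should say so, and if render-time filtering is the option taken, `$renderedContent` needs to pass through that filter before it is output.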