diff options
author | zotlabs <mike@macgirvin.com> | 2017-12-05 16:33:24 -0800 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2017-12-05 16:33:24 -0800 |
commit | 8451ee20c913a76dd301375823bbda7364f18310 (patch) | |
tree | c7e202b7c4717d52c8861aa42dc859791e8e5569 | |
parent | d4acf4119226394b203d8bb52b75eec6d56d6631 (diff) | |
download | volse-hubzilla-8451ee20c913a76dd301375823bbda7364f18310.tar.gz volse-hubzilla-8451ee20c913a76dd301375823bbda7364f18310.tar.bz2 volse-hubzilla-8451ee20c913a76dd301375823bbda7364f18310.zip |
disallow backslashes in wiki and wiki-page names
-rw-r--r-- | Zotlabs/Lib/NativeWikiPage.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Wiki.php | 20 |
2 files changed, 18 insertions, 6 deletions
diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index 209a5ef3c..919c51276 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -68,6 +68,9 @@ class NativeWikiPage { return array('content' => null, 'message' => 'Error reading wiki', 'success' => false); } + // backslashes won't work well in the javascript functions + $name = str_replace('\\','',$name); + // create an empty activity $arr = []; @@ -351,6 +354,7 @@ class NativeWikiPage { // fetch the most recently saved revision. $item = self::load_page($arr); + if(! $item) { return array('message' => t('Page not found'), 'success' => false); } diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index 2d2d8e2b7..f0fb7b387 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -430,11 +430,15 @@ class Wiki extends \Zotlabs\Web\Controller { goaway('/' . argv(0) . '/' . $nick . '/'); } $wiki = array(); + + // backslashes won't work well in the javascript functions + $name = str_replace('\\','',$_POST['wikiName']); + // Generate new wiki info from input name $wiki['postVisible'] = ((intval($_POST['postVisible'])) ? 1 : 0); - $wiki['rawName'] = $_POST['wikiName']; - $wiki['htmlName'] = escape_tags($_POST['wikiName']); - $wiki['urlName'] = urlencode(urlencode($_POST['wikiName'])); + $wiki['rawName'] = $name; + $wiki['htmlName'] = escape_tags($name); + $wiki['urlName'] = urlencode(urlencode($name)); $wiki['mimeType'] = $_POST['mimeType']; $wiki['typelock'] = $_POST['typelock']; @@ -555,7 +559,11 @@ class Wiki extends \Zotlabs\Web\Controller { } $name = $_POST['pageName']; //Get new page name - if(urlencode(escape_tags($_POST['pageName'])) === '') { + + // backslashes won't work well in the javascript functions + $name = str_replace('\\','',$name); + + if(urlencode(escape_tags($name)) === '') { json_return_and_die(array('message' => 'Error creating page. Invalid name.', 'success' => false)); } $page = Zlib\NativeWikiPage::create_page($owner['channel_id'],$observer_hash, $name, $resource_id, $mimetype); @@ -626,7 +634,7 @@ class Wiki extends \Zotlabs\Web\Controller { logger('Wiki write permission denied. ' . EOL); json_return_and_die(array('success' => false)); } - + $saved = Zlib\NativeWikiPage::save_page(array('channel_id' => $owner['channel_id'], 'observer_hash' => $observer_hash, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName, 'content' => $content)); if($saved['success']) { @@ -758,7 +766,7 @@ class Wiki extends \Zotlabs\Web\Controller { if ((argc() === 4) && (argv(2) === 'rename') && (argv(3) === 'page')) { $resource_id = $_POST['resource_id']; $pageUrlName = $_POST['oldName']; - $pageNewName = $_POST['newName']; + $pageNewName = str_replace('\\','',$_POST['newName']); if ($pageUrlName === 'Home') { json_return_and_die(array('message' => 'Cannot rename Home','success' => false)); } |