aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorhubzilla <git@macgirvin.com>2016-06-13 08:16:26 +1000
committerGitHub <noreply@github.com>2016-06-13 08:16:26 +1000
commit290a14d29e82fa33ec53d55a400b556e48e10b09 (patch)
tree27461e9de07590454f63ff7d9398e3f6361b692c
parent0cada39c8afe1858a8e710ada8dfc66f4cb8f1bf (diff)
parente109abbef7fed77898da7adb9d43e686dc96c29a (diff)
downloadvolse-hubzilla-290a14d29e82fa33ec53d55a400b556e48e10b09.tar.gz
volse-hubzilla-290a14d29e82fa33ec53d55a400b556e48e10b09.tar.bz2
volse-hubzilla-290a14d29e82fa33ec53d55a400b556e48e10b09.zip
Merge pull request #414 from anaqreon/1.8RC
Add filter to wiki content to prevent JavaScript code injection
-rw-r--r--Zotlabs/Module/Wiki.php18
-rw-r--r--include/wiki.php2
2 files changed, 4 insertions, 16 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index fbf751ddf..1e6446904 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller {
if((argc() > 2) && (argv(2) === 'preview')) {
$content = $_POST['content'];
require_once('library/markdown.php');
- $html = Markdown($content);
+ $html = purify_html(Markdown($content));
json_return_and_die(array('html' => $html, 'success' => true));
}
@@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller {
// more detail permissions framework
if (local_channel() !== intval($channel['channel_id'])) {
goaway('/'.argv(0).'/'.$nick.'/');
- } else {
- /*
- $channel = get_channel_by_nick($nick);
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- notice(t('Permission denied.') . EOL);
- goaway('/'.argv(0).'/'.argv(1).'/');
- }
- */
- }
+ }
$wiki = array();
// Generate new wiki info from input name
$wiki['rawName'] = $_POST['wikiName'];
@@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller {
$resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['name'];
$pageHtmlName = escape_tags($_POST['name']);
- $content = escape_tags($_POST['content']); //Get new content
+ $content = $_POST['content']; //Get new content
$commitMsg = $_POST['commitMsg'];
if ($commitMsg === '') {
$commitMsg = 'Updated ' . $pageHtmlName;
diff --git a/include/wiki.php b/include/wiki.php
index f0785d549..4aa3fc1b4 100644
--- a/include/wiki.php
+++ b/include/wiki.php
@@ -279,7 +279,7 @@ function wiki_page_history($arr) {
function wiki_save_page($arr) {
$pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : '');
- $content = ((array_key_exists('content',$arr)) ? $arr['content'] : '');
+ $content = ((array_key_exists('content',$arr)) ? purify_html($arr['content']) : '');
$resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : '');
$w = wiki_get_wiki($resource_id);
if (!$w['path']) {