diff options
author | Mario <mario@mariovavti.com> | 2024-02-21 10:44:56 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2024-02-21 10:44:56 +0000 |
commit | 17e2877c91dfc889ab5edb62fc6e00dd7dcbba01 (patch) | |
tree | 27ec3a55fd853caec3877cadb1b80433b00a00b3 | |
parent | b7bc28c33356e95f4d45a7d5d2585e67ebd04648 (diff) | |
download | volse-hubzilla-17e2877c91dfc889ab5edb62fc6e00dd7dcbba01.tar.gz volse-hubzilla-17e2877c91dfc889ab5edb62fc6e00dd7dcbba01.tar.bz2 volse-hubzilla-17e2877c91dfc889ab5edb62fc6e00dd7dcbba01.zip |
make sure to decode html special chars before sending over the wire and
-rw-r--r-- | Zotlabs/Lib/Activity.php | 10 | ||||
-rw-r--r-- | Zotlabs/Module/Item.php | 5 | ||||
-rw-r--r-- | include/text.php | 7 |
3 files changed, 14 insertions, 8 deletions
diff --git a/Zotlabs/Lib/Activity.php b/Zotlabs/Lib/Activity.php index ab96423d7..4db116b5e 100644 --- a/Zotlabs/Lib/Activity.php +++ b/Zotlabs/Lib/Activity.php @@ -517,7 +517,7 @@ class Activity { } if ($i['title']) - $ret['name'] = $i['title']; + $ret['name'] = unescape_tags($i['title']); $ret['published'] = datetime_convert('UTC', 'UTC', $i['created'], ATOM_TIME); if ($i['created'] !== $i['edited']) @@ -564,11 +564,11 @@ class Activity { if ($i['mimetype'] === 'text/bbcode') { if ($i['title']) - $ret['name'] = bbcode($i['title'], ['cache' => true]); + $ret['name'] = unescape_tags($i['title']); if ($i['summary']) - $ret['summary'] = bbcode($i['summary'], ['cache' => true]); - $ret['content'] = bbcode($i['body'], ['cache' => true]); - $ret['source'] = ['content' => $i['body'], 'mediaType' => 'text/bbcode']; + $ret['summary'] = unescape_tags($i['summary']); + $ret['content'] = bbcode(unescape_tags($i['body']), ['cache' => true]); + $ret['source'] = ['content' => unescape_tags($i['body']), 'mediaType' => 'text/bbcode']; } $actor = self::encode_person($i['author'], false); diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php index 09e4904c1..574dffc69 100644 --- a/Zotlabs/Module/Item.php +++ b/Zotlabs/Module/Item.php @@ -679,7 +679,7 @@ class Item extends Controller { $verb = $orig_post['verb']; $app = $orig_post['app']; $title = escape_tags(trim($_REQUEST['title'])); - $summary = trim($_REQUEST['summary']); + $summary = escape_tags(trim($_REQUEST['summary'])); $body = trim($_REQUEST['body']); $item_flags = $orig_post['item_flags']; $item_origin = $orig_post['item_origin']; @@ -740,7 +740,7 @@ class Item extends Controller { $coord = ((isset($_REQUEST['coord'])) ? notags(trim($_REQUEST['coord'])) : ''); $verb = ((isset($_REQUEST['verb'])) ? notags(trim($_REQUEST['verb'])) : ''); $title = ((isset($_REQUEST['title'])) ? escape_tags(trim($_REQUEST['title'])) : ''); - $summary = ((isset($_REQUEST['summary'])) ? trim($_REQUEST['summary']) : ''); + $summary = ((isset($_REQUEST['summary'])) ? escape_tags(trim($_REQUEST['summary'])) : ''); $body = ((isset($_REQUEST['body'])) ? trim($_REQUEST['body']) : ''); $body .= ((isset($_REQUEST['attachment'])) ? trim($_REQUEST['attachment']) : ''); $postopts = ''; @@ -793,7 +793,6 @@ class Item extends Controller { && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false); if ($preview) { - $summary = z_input_filter($summary, $mimetype, $execflag); $body = z_input_filter($body, $mimetype, $execflag); } diff --git a/include/text.php b/include/text.php index 9d276642a..052c26594 100644 --- a/include/text.php +++ b/include/text.php @@ -114,6 +114,13 @@ function escape_tags($string) { return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false)); } +function unescape_tags($string) { + if (!$string) { + return EMPTY_STR; + } + return (htmlspecialchars_decode($string, ENT_COMPAT)); +} + /** * Escape URL's so they're safe for use in HTML and in HTML element attributes. */ |