authorDM42.Net (Matt Dent) <dentm42@dm42.net>2018-11-13 20:19:12 -0500
committerDM42.Net (Matt Dent) <dentm42@dm42.net>2018-11-13 20:19:12 -0500
commitce8073d25eeddd212276656cc2d5c1df9474223e (patch)
treeb83ae37bce8e92bb2b47b9a30b6ddcaf764d0537
parent35e66770be6ca93c9090cdab221e6c33a410a569 (diff)
parent31f4d9066b6bffcbe539f293bf814c418f1523cf (diff)
downloadvolse-hubzilla-ce8073d25eeddd212276656cc2d5c1df9474223e.tar.gz
volse-hubzilla-ce8073d25eeddd212276656cc2d5c1df9474223e.tar.bz2
volse-hubzilla-ce8073d25eeddd212276656cc2d5c1df9474223e.zip
Merge remote-tracking branch red/master into patch-20181113a. Add Mike's fix to search xss and Superblock fix.
-rw-r--r--Zotlabs/Lib/Enotify.php14
-rw-r--r--Zotlabs/Module/Search.php6
2 files changed, 15 insertions, 5 deletions
diff --git a/Zotlabs/Lib/Enotify.php b/Zotlabs/Lib/Enotify.php
index cfb0bd344..25c96d9cc 100644
--- a/Zotlabs/Lib/Enotify.php
+++ b/Zotlabs/Lib/Enotify.php
@@ -825,7 +825,7 @@ class Enotify {
// convert this logic into a json array just like the system notifications
- return array(
+ $x = array(
'notify_link' => $item['llink'],
'name' => $item['author']['xchan_name'],
'url' => $item['author']['xchan_url'],
@@ -835,9 +835,19 @@ class Enotify {
'b64mid' => ((in_array($item['verb'], [ACTIVITY_LIKE, ACTIVITY_DISLIKE])) ? 'b64.' . base64url_encode($item['thr_parent']) : 'b64.' . base64url_encode($item['mid'])),
'notify_id' => 'undefined',
'thread_top' => (($item['item_thread_top']) ? true : false),
- 'message' => strip_tags(bbcode($itemem_text))
+ 'message' => strip_tags(bbcode($itemem_text)),
+ // these are for the superblock addon
+ 'hash' => $item['author']['xchan_hash'],
+ 'uid' => local_channel(),
+ 'display' => true
);
+ call_hooks('enotify_format',$x);
+ if(! $x['display']) {
+ return [];
+ }
+
+ return $x;
}
}
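Review bot: The function can now return `[]` when a hook clears `display`, but the enclosing function begins before the hunk and its callers are not visible, so any caller that indexes the result directly (e.g. `$n['message']`) without an emptiness check would now emit notices or render a blank entry. The check after `call_hooks` also reads `$x['display']` directly, so an addon that unsets the key instead of setting it to false triggers an undefined-index notice; `if(empty($x['display']))` handles both. The new hook contract deserves a line above `call_hooks`, e.g. `// hook 'enotify_format': addons may alter $x or set $x['display'] = false to suppress this notification (the 'hash' and 'uid' keys exist for superblock)`.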
diff --git a/Zotlabs/Module/Search.php b/Zotlabs/Module/Search.php
index e520c671d..272bbdac1 100644
--- a/Zotlabs/Module/Search.php
+++ b/Zotlabs/Module/Search.php
@@ -6,7 +6,7 @@ class Search extends \Zotlabs\Web\Controller {
function init() {
if(x($_REQUEST,'search'))
- \App::$data['search'] = $_REQUEST['search'];
+ \App::$data['search'] = escape_tags($_REQUEST['search']);
}
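Review bot: `escape_tags()` is applied at input time here and again in the second hunk, so the encoded form is what every later consumer of `\App::$data['search']` and `$search` receives, presumably including whatever builds the database match outside these hunks; a term containing `<` or `&` would then be searched for in its entity-encoded form, and any template that escapes on output would double-encode it. The more robust shape is to keep the raw trimmed term for the query and apply HTML escaping only at the point where the value is emitted into markup. If input-time escaping is kept deliberately as the quick fix, a short comment such as `// escaped at input: the search term is echoed into the page further down` would stop a later cleanup from removing it. I cannot see how `escape_tags` is defined; this assumes it HTML-encodes its argument.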
@@ -46,12 +46,12 @@ class Search extends \Zotlabs\Web\Controller {
if(x(\App::$data,'search'))
$search = trim(\App::$data['search']);
else
- $search = ((x($_GET,'search')) ? trim(rawurldecode($_GET['search'])) : '');
+ $search = ((x($_GET,'search')) ? trim(escape_tags(rawurldecode($_GET['search']))) : '');
$tag = false;
if(x($_GET,'tag')) {
$tag = true;
- $search = ((x($_GET,'tag')) ? trim(rawurldecode($_GET['tag'])) : '');
+ $search = ((x($_GET,'tag')) ? trim(escape_tags(rawurldecode($_GET['tag']))) : '');
}
$static = ((array_key_exists('static',$_REQUEST)) ? intval($_REQUEST['static']) : 0);