author | Mario <mario@mariovavti.com> | 2018-10-08 21:20:17 +0200 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2018-10-08 21:20:17 +0200 |
commit | 37b94bf5fa71835fe50af6f862e124e24b5db4b4 (patch) | |
tree | 012afad21875e324bd43051c843fef371c3ddd9d | |
parent | a00a849952eec8f7d7d480f8663446dc1fb7238c (diff) | |
parent | 709665846e66f093109730691b31d9e094d02088 (diff) | |
download | volse-hubzilla-37b94bf5fa71835fe50af6f862e124e24b5db4b4.tar.gz volse-hubzilla-37b94bf5fa71835fe50af6f862e124e24b5db4b4.tar.bz2 volse-hubzilla-37b94bf5fa71835fe50af6f862e124e24b5db4b4.zip |
Merge branch 'fix-wiki-escaping' into 'dev'
Fix wiki escaping (Regression tests needed)
See merge request hubzilla/core!1321
-rw-r--r-- | Zotlabs/Lib/NativeWiki.php | 37 | ||||
-rw-r--r-- | Zotlabs/Lib/NativeWikiPage.php | 13 | ||||
-rw-r--r-- | Zotlabs/Module/Wiki.php | 70 | ||||
-rw-r--r-- | Zotlabs/Widget/Wiki_pages.php | 8 | ||||
-rw-r--r-- | view/tpl/wiki.tpl | 3 | ||||
-rw-r--r-- | view/tpl/wiki_page_not_found.tpl | 2 |
6 files changed, 92 insertions, 41 deletions
diff --git a/Zotlabs/Lib/NativeWiki.php b/Zotlabs/Lib/NativeWiki.php index 6f916216e..65f40748c 100644 --- a/Zotlabs/Lib/NativeWiki.php +++ b/Zotlabs/Lib/NativeWiki.php @@ -26,7 +26,8 @@ class NativeWiki { $w['rawName'] = get_iconfig($w, 'wiki', 'rawName'); $w['htmlName'] = escape_tags($w['rawName']); - $w['urlName'] = urlencode(urlencode($w['rawName'])); + //$w['urlName'] = urlencode(urlencode($w['rawName'])); + $w['urlName'] = self::name_encode($w['rawName']); $w['mimeType'] = get_iconfig($w, 'wiki', 'mimeType'); $w['typelock'] = get_iconfig($w, 'wiki', 'typelock'); $w['lockstate'] = (($w['allow_cid'] || $w['allow_gid'] || $w['deny_cid'] || $w['deny_gid']) ? 'lock' : 'unlock'); @@ -233,7 +234,8 @@ class NativeWiki { 'wiki' => $w, 'rawName' => $rawName, 'htmlName' => escape_tags($rawName), - 'urlName' => urlencode(urlencode($rawName)), + //'urlName' => urlencode(urlencode($rawName)), + 'urlName' => self::name_encode($rawName), 'mimeType' => $mimeType, 'typelock' => $typelock ); @@ -249,7 +251,8 @@ class NativeWiki { WHERE resource_type = '%s' AND iconfig.v = '%s' AND uid = %d AND item_deleted = 0 $sql_extra limit 1", dbesc(NWIKI_ITEM_RESOURCE_TYPE), - dbesc(urldecode($urlName)), + //dbesc(urldecode($urlName)), + dbesc($urlName), intval($uid) ); 
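Review bot: exists_by_name() now matches its `$urlName` argument verbatim against `iconfig.v` (the `dbesc(urldecode($urlName))` → `dbesc($urlName)` change in the last hunk), so every caller is now responsible for decoding the URL segment first, but nothing in the method says so and the parameter is still named `$urlName`. Add a docblock above the method such as `/** @param string $urlName raw (already decoded) wiki name; callers must run self::name_decode() on URL segments before calling */`, or rename the parameter to `$rawName` so the contract is visible at the call sites. The method signature and the start of the query are outside the hunk.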
@@ -286,4 +289,32 @@ class NativeWiki { return array('read' => true, 'write' => $write, 'success' => true); } } + + public static function name_encode ($string) { + + $string = html_entity_decode($string); + $encoding = mb_internal_encoding(); + mb_internal_encoding("UTF-8"); + $ret = mb_ereg_replace_callback ('[^A-Za-z0-9\-\_\.\~]',function ($char) { + $charhex = unpack('H*',$char[0]); + $ret = '('.$charhex[1].')'; + return $ret; + } + ,$string); + mb_internal_encoding($encoding); + return $ret; + } + + public static function name_decode ($string) { + + $encoding = mb_internal_encoding(); + mb_internal_encoding("UTF-8"); + $ret = mb_ereg_replace_callback ('(\(([0-9a-f]+)\))',function ($chars) { + return pack('H*',$chars[2]); + } + ,$string); + mb_internal_encoding($encoding); + return $ret; + } + } diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index d4875bbaf..ebdcb4740 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -44,7 +44,8 @@ class NativeWikiPage { $pages[] = [ 'resource_id' => $resource_id, 'title' => escape_tags($title), - 'url' => str_replace('%2F','/',urlencode(str_replace('%2F','/',urlencode($title)))), + //'url' => str_replace('%2F','/',urlencode(str_replace('%2F','/',urlencode($title)))), + 'url' => Zlib\NativeWiki::name_encode($title), 'link_id' => 'id_' . substr($resource_id, 0, 10) . '_' . $page_item['id'] ]; } @@ -98,7 +99,8 @@ class NativeWikiPage { $page = [ 'rawName' => $name, 'htmlName' => escape_tags($name), - 'urlName' => urlencode($name), + //'urlName' => urlencode($name), + 'urlName' => Zlib\NativeWiki::name_encode($name) ]; @@ -154,7 +156,8 @@ class NativeWikiPage { $page = [ 'rawName' => $pageNewName, 'htmlName' => escape_tags($pageNewName), - 'urlName' => urlencode(escape_tags($pageNewName)) + //'urlName' => urlencode(escape_tags($pageNewName)) + Zlib\NativeWiki::name_encode($pageNewName) ]; return [ 'success' => true, 'page' => $page ]; 
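Review bot: name_decode() turns any `(hex)` run back into raw bytes with `pack('H*', ...)` and returns the result unchecked, so a crafted URL segment can yield bytes that name_encode() would never have produced — odd-length runs, `(00)` NUL bytes, or sequences that are not valid UTF-8 — and those bytes then reach the database lookups and templates as the wiki or page name. Reject anything that cannot be a valid name, e.g. `if(! mb_check_encoding($ret, 'UTF-8')) return '';` before the final `return $ret;`, and consider re-encoding the result and comparing it with the input as an exact round-trip check. Both new methods also lack a docblock; a one-line `/** Encode a wiki/page name as a URL segment: every byte outside [A-Za-z0-9._~-] becomes its hex value in parentheses */` and its counterpart on name_decode() would make the scheme clear to callers. Note that name_encode() starts with html_entity_decode(), so callers that wrap the argument in escape_tags() (as convert_links() does later in this commit) gain nothing from it.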
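Review bot: The replacement line in the last hunk of NativeWikiPage.php drops the `'urlName' =>` key, so `Zlib\NativeWiki::name_encode($pageNewName)` is stored under numeric index 0 and `$page['urlName']` is no longer set in the `$page` array returned with `'success' => true`. The line should read `'urlName' => Zlib\NativeWiki::name_encode($pageNewName)`. The function that builds this array starts outside the hunk.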
@@ -365,7 +368,6 @@ class NativeWikiPage { unset($item['id']); unset($item['author']); - $item['parent'] = 0; $item['body'] = $content; $item['author_xchan'] = $observer_hash; @@ -527,7 +529,8 @@ class NativeWikiPage { $pages = $pageURLs = array(); foreach ($match[1] as $m) { // TODO: Why do we need to double urlencode for this to work? - $pageURLs[] = urlencode(urlencode(escape_tags($m))); + //$pageURLs[] = urlencode(urlencode(escape_tags($m))); + $pageURLs[] = Zlib\NativeWiki::name_encode(escape_tags($m)); $pages[] = $m; } $idx = 0; diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index 6be39214e..ead7eea6a 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -237,7 +237,8 @@ class Wiki extends Controller { // /wiki/channel/wiki -> No page was specified, so redirect to Home.md - $wikiUrlName = urlencode(argv(2)); + //$wikiUrlName = urlencode(argv(2)); + $wikiUrlName = NativeWiki::name_encode(argv(2)); goaway(z_root() . '/' . argv(0) . '/' . argv(1) . '/' . $wikiUrlName . '/Home'); case 4: @@ -246,7 +247,8 @@ class Wiki extends Controller { // GET /wiki/channel/wiki/page // Fetch the wiki info and determine observer permissions - $wikiUrlName = urldecode(argv(2)); + //$wikiUrlName = urldecode(argv(2)); + $wikiUrlName = NativeWiki::name_decode(argv(2)); $page_name = ''; $ignore_language = false; @@ -262,8 +264,9 @@ class Wiki extends Controller { $page_name .= argv($x); } - $pageUrlName = urldecode($page_name); - $langPageUrlName = urldecode(\App::$language . '/' . $page_name); + //$pageUrlName = urldecode($page_name); + $pageUrlName = NativeWiki::name_decode($page_name); + $langPageUrlName = \App::$language . '/' . $pageUrlName; $w = NativeWiki::exists_by_name($owner['channel_id'], $wikiUrlName); 
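Review bot: Dropping `$item['parent'] = 0;` in the page-save hunk is a behaviour change unrelated to escaping, and the commit message does not mention it; whatever `$item['parent']` carries over from the loaded item is now what gets written back. If this is deliberate (for instance because the page item must stay threaded under its wiki item), a one-line comment such as `// do not reset parent: the page item stays attached to its wiki item` would stop the next maintainer from re-adding the line. The enclosing function starts and ends outside the hunk.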
@@ -289,8 +292,10 @@ class Wiki extends Controller { $wiki_editor = true; } - $wikiheaderName = urldecode($wikiUrlName); - $wikiheaderPage = urldecode($pageUrlName); + //$wikiheaderName = urldecode($wikiUrlName); + $wikiheaderName = $wikiUrlName; + //$wikiheaderPage = urldecode($pageUrlName); + $wikiheaderPage = $pageUrlName; $renamePage = (($wikiheaderPage === 'Home') ? '' : t('Rename page')); $sharePage = t('Share'); @@ -315,7 +320,7 @@ class Wiki extends Controller { //json_return_and_die(array('pages' => $page_list_html, 'message' => '', 'success' => true)); notice( t('Error retrieving page content') . EOL); //goaway(z_root() . '/' . argv(0) . '/' . argv(1) ); - $renderedContent = NativeWikiPage::convert_links($html, argv(0) . '/' . argv(1) . '/' . $wikiUrlName); + $renderedContent = NativeWikiPage::convert_links($html, argv(0) . '/' . argv(1) . '/' . NativeWiki::name_encode($wikiUrlName)); $showPageControls = $wiki_editor; } else { 
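Review bot: `$wikiheaderName` and `$wikiheaderPage` are now the name_decode()d URL segments handed straight to the template, and nothing in the hunk passes them through escape_tags(); since name_decode() will emit `<` and `>` from `(3c)`/`(3e)`, these values are attacker-controlled markup unless the template layer escapes them, which is not visible here. Given the commit is about escaping, `$wikiheaderName = escape_tags($wikiUrlName);` and `$wikiheaderPage = escape_tags($pageUrlName);` is the cheap safe default. The previous code had the same gap via urldecode(), so this is a pre-existing weakness rather than a regression. The switch case these lines belong to starts outside the hunk.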
@@ -329,21 +334,25 @@ class Wiki extends Controller { // Render the Markdown-formatted page content in HTML if($mimeType == 'text/bbcode') { - $renderedContent = NativeWikiPage::convert_links(zidify_links(smilies(bbcode($content))), argv(0) . '/' . argv(1) . '/' . $wikiUrlName); + $renderedContent = NativeWikiPage::convert_links($content,argv(0) . '/' . argv(1) . '/' . NativeWiki::name_encode($wikiUrlName)); + $renderedContent = zidify_links(smilies(bbcode($renderedContent))); + //$renderedContent = NativeWikiPage::convert_links(zidify_links(smilies(bbcode($content))), argv(0) . '/' . argv(1) . '/' . $wikiUrlName); } elseif($mimeType === 'text/plain') { $renderedContent = str_replace(["\n",' ',"\t"],[EOL,' ',' '],htmlentities($content,ENT_COMPAT,'UTF-8',false)); } elseif($mimeType === 'text/markdown') { $content = MarkdownSoap::unescape($content); - $html = NativeWikiPage::generate_toc(zidify_text(MarkdownExtra::defaultTransform(NativeWikiPage::bbcode($content)))); - $renderedContent = NativeWikiPage::convert_links($html, argv(0) . '/' . argv(1) . '/' . $wikiUrlName); + //$html = NativeWikiPage::generate_toc(zidify_text(MarkdownExtra::defaultTransform(NativeWikiPage::bbcode($content)))); + //$renderedContent = NativeWikiPage::convert_links($html, argv(0) . '/' . argv(1) . '/' . $wikiUrlName); + $html = NativeWikiPage::convert_links($content, argv(0) . '/' . argv(1) . '/' . NativeWiki::name_encode($wikiUrlName)); + $renderedContent = NativeWikiPage::generate_toc(zidify_text(MarkdownExtra::defaultTransform(NativeWikiPage::bbcode($html)))); } $showPageControls = $wiki_editor; } break; // default: // Strip the extraneous URL components -// goaway('/' . argv(0) . '/' . argv(1) . '/' . $wikiUrlName . '/' . $pageUrlName); +// goaway('/' . argv(0) . '/' . argv(1) . '/' . NativeWiki::name_encode($wikiUrlName) . '/' . $pageUrlName); } 
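Review bot: The hunk keeps every superseded line as commented-out code (`//$renderedContent = ...`, `//$html = ...`, and the edited `// goaway(...)` inside the already-dead `default:` branch), a pattern repeated across the whole commit; git history already preserves the old implementation, so the commented copies only add noise and will drift from the live code. Delete them rather than maintaining both versions. The reordering itself — convert_links() now runs on the source text before bbcode()/MarkdownExtra instead of on the rendered HTML — is not explained anywhere; a one-line comment such as `// resolve wiki links in the source so the renderer's own escaping applies to the generated markup` (if that is indeed the reason) would help.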
@@ -360,13 +369,14 @@ class Wiki extends Controller { $currenttype = $types[$mimeType]; $placeholder = t('Short description of your changes (optional)'); - + + $zrl = urlencode( z_root() . '/wiki/' . argv(1) . '/' . NativeWiki::name_encode($wikiUrlName) . '/' . NativeWiki::name_encode($pageUrlName) ); $o .= replace_macros(get_markup_template('wiki.tpl'),array( '$wikiheaderName' => $wikiheaderName, '$wikiheaderPage' => $wikiheaderPage, '$renamePage' => $renamePage, '$sharePage' => $sharePage, - '$shareLink' => urlencode('#^[zrl=' . z_root() . '/wiki/' . argv(1) . '/' . $wikiUrlName . '/' . $pageUrlName . ']' . '[ ' . $owner['channel_name'] . ' ] ' . $wikiheaderName . ' - ' . $wikiheaderPage . '[/zrl]'), + '$shareLink' => '#^[zrl=' . $zrl . ']' . '[ ' . $owner['channel_name'] . ' ] ' . $wikiheaderName . ' - ' . $wikiheaderPage . '[/zrl]', '$showPageControls' => $showPageControls, '$editOrSourceLabel' => (($showPageControls) ? t('Edit') : t('Source')), '$tools_label' => 'Page Tools', @@ -429,16 +439,17 @@ class Wiki extends Controller { $mimeType = $_POST['mimetype']; if($mimeType === 'text/bbcode') { - $html = NativeWikiPage::convert_links(zidify_links(smilies(bbcode($content))),$wikiURL); + $linkconverted = NativeWikiPage::convert_links($content,$wikiURL); + $html = zidify_links(smilies(bbcode($linkconverted))); } elseif($mimeType === 'text/markdown') { - $bb = NativeWikiPage::bbcode($content); + $linkconverted = NativeWikiPage::convert_links($content,$wikiURL); + $bb = NativeWikiPage::bbcode($linkconverted); $x = new MarkdownSoap($bb); $md = $x->clean(); $md = MarkdownSoap::unescape($md); $html = MarkdownExtra::defaultTransform($md); $html = NativeWikiPage::generate_toc(zidify_text($html)); - $html = NativeWikiPage::convert_links($html,$wikiURL); } elseif($mimeType === 'text/plain') { $html = str_replace(["\n",' ',"\t"],[EOL,' ',' '],htmlentities($content,ENT_COMPAT,'UTF-8',false)); 
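Review bot: The rebuilt `$shareLink` only urlencode()s the URL inside `[zrl=...]`, while the channel name, `$wikiheaderName` and `$wikiheaderPage` are now embedded raw; previously the whole bbcode snippet was urlencoded as one unit. If wiki.tpl still appends `$shareLink` to a query string, a wiki or page name containing `&`, `#` or `+` now truncates or corrupts the share link, and `z_root()` ends up as `https%3A%2F%2F...` inside the zrl tag, which the receiving end may not decode. Either keep a single `urlencode()` around the whole snippet as before, or build the snippet as plain text and escape it exactly once at the point where it enters the URL. How the template consumes `$shareLink` is not visible here, so please confirm which form it expects.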
@@ -465,7 +476,8 @@ class Wiki extends Controller { $wiki['postVisible'] = ((intval($_POST['postVisible'])) ? 1 : 0); $wiki['rawName'] = $name; $wiki['htmlName'] = escape_tags($name); - $wiki['urlName'] = urlencode(urlencode($name)); + //$wiki['urlName'] = urlencode(urlencode($name)); + $wiki['urlName'] = NativeWiki::name_encode($name); $wiki['mimeType'] = $_POST['mimeType']; $wiki['typelock'] = $_POST['typelock']; @@ -491,10 +503,10 @@ class Wiki extends Controller { $homePage = NativeWikiPage::create_page($owner['channel_id'],$observer_hash,'Home', $r['item']['resource_id'], $wiki['mimeType']); if(! $homePage['success']) { notice( t('Wiki created, but error creating Home page.')); - goaway(z_root() . '/wiki/' . $nick . '/' . $wiki['urlName']); + goaway(z_root() . '/wiki/' . $nick . '/' . NativeWiki::name_encode($wiki['urlName'])); } NativeWiki::sync_a_wiki_item($owner['channel_id'],$homePage['item_id'],$r['item']['resource_id']); - goaway(z_root() . '/wiki/' . $nick . '/' . $wiki['urlName'] . '/' . $homePage['page']['urlName']); + goaway(z_root() . '/wiki/' . $nick . '/' . NativeWiki::name_encode($wiki['urlName']) . '/' . NativeWiki::name_encode($homePage['page']['urlName'])); } else { notice( t('Error creating wiki')); @@ -514,7 +526,8 @@ class Wiki extends Controller { $arr = []; - $arr['urlName'] = urlencode(urlencode($_POST['origRawName'])); + //$arr['urlName'] = urlencode(urlencode($_POST['origRawName'])); + $arr['urlName'] = NativeWiki::name_encode($_POST['origRawName']); if($_POST['updateRawName']) $arr['updateRawName'] = $_POST['updateRawName']; @@ -525,7 +538,7 @@ class Wiki extends Controller { return; //not reached } - $wiki = NativeWiki::exists_by_name($owner['channel_id'], urldecode($arr['urlName'])); + $wiki = NativeWiki::exists_by_name($owner['channel_id'], $arr['urlName']); if($wiki['resource_id']) { 
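Review bot: Both goaway() calls in the wiki-creation hunk re-encode values that are already encoded: `$wiki['urlName']` was set to `NativeWiki::name_encode($name)` in the hunk just above, and `$homePage['page']['urlName']` is produced by create_page(), which also applies name_encode() in this commit. Encoding twice turns a space into `(28)20(29)`, which name_decode() unpacks to the literal `(20)`, so after creating a wiki whose name contains any character outside `[A-Za-z0-9._~-]` the redirect lands on a wiki that does not exist. Use the stored values directly: `goaway(z_root() . '/wiki/' . $nick . '/' . $wiki['urlName']);` and `goaway(z_root() . '/wiki/' . $nick . '/' . $wiki['urlName'] . '/' . $homePage['page']['urlName']);`.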
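Review bot: In the last hunk, `exists_by_name()` is now called with `$arr['urlName']`, which the hunk above sets to `NativeWiki::name_encode($_POST['origRawName'])`, yet exists_by_name() now compares its argument verbatim against `iconfig.v` (per the NativeWiki.php change in this commit); assuming that row holds the raw name, as the `rawName` handling in NativeWiki.php suggests, the lookup only succeeds for names made entirely of `[A-Za-z0-9._~-]`, so editing a wiki whose name has a space or a non-ASCII character will not find it. Pass the raw name instead, e.g. `$wiki = NativeWiki::exists_by_name($owner['channel_id'], $_POST['origRawName']);`, after whatever validation the surrounding code applies. The handler this belongs to starts outside the hunk.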
@@ -585,12 +598,12 @@ class Wiki extends Controller { json_return_and_die(array('success' => false)); } - $name = $_POST['pageName']; //Get new page name + $name = isset($_POST['pageName']) ? $_POST['pageName'] : $_POST['missingPageName']; //Get new page name // backslashes won't work well in the javascript functions $name = str_replace('\\','',$name); - if(urlencode(escape_tags($name)) === '') { + if(NativeWiki::name_encode(escape_tags($name)) === '') { json_return_and_die(array('message' => 'Error creating page. Invalid name (' . print_r($_POST,true) . ').', 'success' => false)); } @@ -607,10 +620,11 @@ class Wiki extends Controller { if($commit['success']) { NativeWiki::sync_a_wiki_item($owner['channel_id'],$commit['item_id'],$resource_id); - json_return_and_die(array('url' => '/' . argv(0) . '/' . argv(1) . '/' . urlencode($page['wiki']['urlName']) . '/' . urlencode($page['page']['urlName']), 'success' => true)); + //json_return_and_die(array('url' => '/' . argv(0) . '/' . argv(1) . '/' . urlencode($page['wiki']['urlName']) . '/' . urlencode($page['page']['urlName']), 'success' => true)); + json_return_and_die(array('url' => '/' . argv(0) . '/' . argv(1) . '/' . $page['wiki']['urlName'] . '/' . $page['page']['urlName'], 'success' => true)); } else { - json_return_and_die(array('message' => 'Error making git commit','url' => '/' . argv(0) . '/' . argv(1) . '/' . urlencode($page['wiki']['urlName']) . '/' . urlencode($page['page']['urlName']),'success' => false)); + json_return_and_die(array('message' => 'Error making git commit','url' => '/' . argv(0) . '/' . argv(1) . '/' . NativeWiki::name_encode($page['wiki']['urlName']) . '/' . NativeWiki::name_encode($page['page']['urlName']),'success' => false)); } 
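Review bot: `$_POST['missingPageName']` is read without an isset() guard, so a request that carries neither `pageName` nor `missingPageName` raises an undefined-index notice before the empty-name check below runs, and the error response then dumps the whole `$_POST` array back to the client via print_r(). A single line fixes the first part: `$name = isset($_POST['pageName']) ? $_POST['pageName'] : (isset($_POST['missingPageName']) ? $_POST['missingPageName'] : '');`. The print_r() echo predates this commit but is worth reducing to the offending name while this line is being touched. The handler starts outside the hunk.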
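Review bot: The success and failure branches of the create-page response disagree on encoding: the success branch returns `$page['wiki']['urlName']` and `$page['page']['urlName']` as-is, while the failure branch wraps the same values in `NativeWiki::name_encode()` again. Since `$page['page']['urlName']` is already name_encode()d by create_page() in this commit, the failure URL is double-encoded and will not resolve to the page. Make the failure branch match the success branch: `'url' => '/' . argv(0) . '/' . argv(1) . '/' . $page['wiki']['urlName'] . '/' . $page['page']['urlName']`.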
@@ -677,7 +691,7 @@ class Wiki extends Controller { if($commit['success']) { NativeWiki::sync_a_wiki_item($owner['channel_id'],$commit['item_id'],$resource_id); - json_return_and_die(array('message' => 'Wiki git repo commit made', 'success' => true)); + json_return_and_die(array('message' => 'Wiki git repo commit made', 'success' => true , 'content' => $content)); } else { json_return_and_die(array('message' => 'Error making git commit','success' => false)); @@ -798,7 +812,7 @@ class Wiki extends Controller { if ($pageUrlName === 'Home') { json_return_and_die(array('message' => 'Cannot rename Home','success' => false)); } - if(urlencode(escape_tags($pageNewName)) === '') { + if(NativeWiki::encode_name(escape_tags($pageNewName)) === '') { json_return_and_die(array('message' => 'Error renaming page. Invalid name.', 'success' => false)); } // Determine if observer has permission to rename pages @@ -814,7 +828,7 @@ class Wiki extends Controller { if($renamed['success']) { $commit = NativeWikiPage::commit(array( 'channel_id' => $owner['channel_id'], - 'commit_msg' => 'Renamed ' . urldecode($pageUrlName) . ' to ' . $renamed['page']['htmlName'], + 'commit_msg' => 'Renamed ' . NativeWiki::name_decode($pageUrlName) . ' to ' . $renamed['page']['htmlName'], 'resource_id' => $resource_id, 'observer_hash' => $observer_hash, 'pageUrlName' => $pageNewName diff --git a/Zotlabs/Widget/Wiki_pages.php b/Zotlabs/Widget/Wiki_pages.php index ecd2c9100..dee0a2229 100644 --- a/Zotlabs/Widget/Wiki_pages.php +++ b/Zotlabs/Widget/Wiki_pages.php @@ -2,6 +2,7 @@ namespace Zotlabs\Widget; +use Zotlabs\Lib\NativeWiki; class Wiki_pages { @@ -10,7 +11,7 @@ class Wiki_pages { return; $c = channelx_by_nick(argv(1)); - $w = \Zotlabs\Lib\NativeWiki::exists_by_name($c['channel_id'],urldecode(argv(2))); + $w = \Zotlabs\Lib\NativeWiki::exists_by_name($c['channel_id'],NativeWiki::name_decode(argv(2))); $arr = array( 'resource_id' => $w['resource_id'], 'channel_id' => $c['channel_id'], 
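Review bot: `NativeWiki::encode_name()` does not exist — the method added in NativeWiki.php is `name_encode()` — so every page-rename request in the second hunk of this line will die with a fatal "Call to undefined method" error before the permission check runs. Change the line to `if(NativeWiki::name_encode(escape_tags($pageNewName)) === '') {`. Note that name_encode() only returns an empty string for empty input, so the check is equivalent to `if($pageNewName === '')` (after escape_tags), which states the intent more plainly. The rename handler starts outside the hunk.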
@@ -21,8 +22,9 @@ class Wiki_pages { $can_create = perm_is_allowed(\App::$profile['uid'],get_observer_hash(),'write_wiki'); $can_delete = ((local_channel() && (local_channel() == \App::$profile['uid'])) ? true : false); - $pageName = addslashes(escape_tags(urldecode(argv(3)))); + $pageName = NativeWiki::name_decode(escape_tags(argv(3))); + $wikiname = $w['urlName']; return replace_macros(get_markup_template('wiki_page_not_found.tpl'), array( '$resource_id' => $arr['resource_id'], '$channel_address' => $arr['channel_address'], @@ -48,7 +50,7 @@ class Wiki_pages { if(! $arr['resource_id']) { $c = channelx_by_nick(argv(1)); - $w = \Zotlabs\Lib\NativeWiki::exists_by_name($c['channel_id'],urldecode(argv(2))); + $w = \Zotlabs\Lib\NativeWiki::exists_by_name($c['channel_id'],NativeWiki::name_decode(argv(2))); $arr = array( 'resource_id' => $w['resource_id'], 'channel_id' => $c['channel_id'], diff --git a/view/tpl/wiki.tpl b/view/tpl/wiki.tpl index 2aabc7b5f..0f6fad8e3 100644 --- a/view/tpl/wiki.tpl +++ b/view/tpl/wiki.tpl @@ -262,7 +262,8 @@ if (data.success) { window.saved = true; window.console.log('Page saved successfully.'); - window.wiki_page_content = currentContent; + //window.wiki_page_content = currentContent; + window.wiki_page_content = data.content; $('#id_commitMsg').val(''); // Clear the commit message box $('#save-page').addClass('disabled'); // Disable the save button {{if !$mimeType || $mimeType == 'text/markdown'}} diff --git a/view/tpl/wiki_page_not_found.tpl b/view/tpl/wiki_page_not_found.tpl index de98efdf8..bc8afeb53 100644 --- a/view/tpl/wiki_page_not_found.tpl +++ b/view/tpl/wiki_page_not_found.tpl 
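Review bot: escape_tags() is applied before name_decode() in `$pageName = NativeWiki::name_decode(escape_tags(argv(3)));`, so an encoded segment such as `(3c)script(3e)` passes escape_tags() untouched and is decoded into `<script>` afterwards, and `$pageName` then goes into the page-not-found form as the suggested page name. Reverse the order — `$pageName = escape_tags(NativeWiki::name_decode(argv(3)));` — so the escaping acts on the bytes that actually reach the template; whether field_input.tpl escapes its value is not visible here, so I would not rely on it. `$wikiname = $w['urlName'];` is introduced in this hunk but not used within it; if nothing below consumes it, drop it.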
@@ -1,7 +1,7 @@ <h3>Page does not exist</h3> <br /><br /><br /> {{if $canadd}} - <form id="new-page-form" action="wiki/{{$channel_address}}/create/page" method="post" > + <form id="new-page-form" action="/wiki/{{$channel_address}}/create/page" method="post" > <input type="hidden" name="resource_id" value="{{$resource_id}}"> {{include file="field_input.tpl" field=$pageName}} {{if $typelock}} |
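Review bot: The form action is now root-absolute (`/wiki/{{$channel_address}}/create/page`) while the PHP side of this same commit builds its redirects from z_root(); if a hub can be served from a sub-path, this form now posts to the wrong place. Using the template variable that exposes z_root() (Hubzilla templates commonly use `{{$baseurl}}`), i.e. `action="{{$baseurl}}/wiki/{{$channel_address}}/create/page"`, keeps the two consistent. The hunk does not show why the relative path failed, so please state the reason in the commit message.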