author | Andrew Manning <tamanning@zoho.com> | 2016-06-12 07:17:23 -0400 |
---|---|---|
committer | Andrew Manning <tamanning@zoho.com> | 2016-06-12 07:17:23 -0400 |
commit | e109abbef7fed77898da7adb9d43e686dc96c29a (patch) | |
tree | 27461e9de07590454f63ff7d9398e3f6361b692c | |
parent | 0cada39c8afe1858a8e710ada8dfc66f4cb8f1bf (diff) | |
Apply purify_html to page content before preview and save to prevent JavaScript code injection.
-rw-r--r-- | Zotlabs/Module/Wiki.php | 18 | ||||
-rw-r--r-- | include/wiki.php | 2 |
2 files changed, 4 insertions, 16 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index fbf751ddf..1e6446904 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 if((argc() > 2) && (argv(2) === 'preview')) {
 $content = $_POST['content'];
 require_once('library/markdown.php');
-$html = Markdown($content);
+$html = purify_html(Markdown($content));
 json_return_and_die(array('html' => $html, 'success' => true));
 }
 
@@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 // more detail permissions framework
 if (local_channel() !== intval($channel['channel_id'])) {
 goaway('/'.argv(0).'/'.$nick.'/');
-} else {
-/*
-$channel = get_channel_by_nick($nick);
-// Figure out who the page owner is.
-$perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
-// TODO: Create a new permission setting for wiki analogous to webpages. Until
-// then, use webpage permissions
-if (!$perms['write_pages']) {
-notice(t('Permission denied.') . EOL);
-goaway('/'.argv(0).'/'.argv(1).'/');
-}
-*/
-}
+}
 $wiki = array();
 // Generate new wiki info from input name
 $wiki['rawName'] = $_POST['wikiName'];
@@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 $resource_id = $_POST['resource_id'];
 $pageUrlName = $_POST['name'];
 $pageHtmlName = escape_tags($_POST['name']);
-$content = escape_tags($_POST['content']); //Get new content
+$content = $_POST['content']; //Get new content
 $commitMsg = $_POST['commitMsg'];
 if ($commitMsg === '') {
 $commitMsg = 'Updated ' . $pageHtmlName;
diff --git a/include/wiki.php b/include/wiki.php
index f0785d549..4aa3fc1b4 100644
--- a/include/wiki.php
+++ b/include/wiki.php
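Review bot: Removing escape_tags() from the save path means `$content` holds the raw POST body from this line until wiki_save_page() sanitises it, so this handler now depends entirely on the callee; any other use of `$content` in the remainder of the method (which continues outside the hunk) would receive unfiltered input. Worth stating that contract at the assignment so the next maintainer does not add a consumer here: `$content = $_POST['content']; // raw markdown, untrusted; sanitised in wiki_save_page()`. Note also that `$commitMsg` on the following line is taken from POST with no filtering at all, which this commit leaves as before. The enclosing page-save branch begins and ends outside the hunk.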
@@ -279,7 +279,7 @@ function wiki_page_history($arr) {
 function wiki_save_page($arr) {
 $pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : '');
-$content = ((array_key_exists('content',$arr)) ? $arr['content'] : '');
+$content = ((array_key_exists('content',$arr)) ? purify_html($arr['content']) : '');
 $resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : '');
 $w = wiki_get_wiki($resource_id);
 if (!$w['path']) {
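Review bot: purify_html() is applied here to the markdown source, not to rendered HTML, so markdown that an HTML purifier treats as markup or stray entities — `>` blockquote prefixes, bare `<`/`&` in prose, literal HTML inside code blocks — is likely to be rewritten or stripped before it is committed, and the stored page will then differ from what the preview endpoint showed, since that path purifies `Markdown($content)` instead. Output filtering at render time is also the control that actually stops script injection, because stored source can be re-rendered later by a different or updated renderer. I would keep the source untouched here and run purify_html on the rendered output at display time, mirroring the preview hunk; if the save-time filter is kept deliberately, document the trade-off next to the assignment: `// purify_html runs on markdown source here; it can alter legitimate markdown (e.g. '>' quotes, '&') and must match the render path`. wiki_save_page continues beyond the hunk.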