authorFriendika <info@friendika.com>2011-02-16 17:32:15 -0800
committerFriendika <info@friendika.com>2011-02-16 17:32:15 -0800
commit527e050ecc1037973595fd5de12682cfa9e19d64 (patch)
tree3f7f40a0a149e098855fd736cf25a5c6af0e3d9d
parent9f1f9da89bb98d768b7a41b388e9c5c0d28ec946 (diff)
sanitise all incoming URLs - also stop them from getting mangled by SimplePie
-rw-r--r--boot.php7
-rw-r--r--images/remote-link.gifbin0 -> 357 bytes
-rw-r--r--include/items.php4
-rw-r--r--mod/follow.php38
-rw-r--r--simplepie/simplepie.inc1
5 files changed, 32 insertions, 18 deletions
diff --git a/boot.php b/boot.php
index dcf5b1c1a..322a4e307 100644
--- a/boot.php
+++ b/boot.php
@@ -2453,7 +2453,12 @@ if(! function_exists('get_plink')) {
function get_plink($item) {
$a = get_app();
$plink = (((x($item,'plink')) && (! $item['private'])) ? '<div class="wall-item-links-wrapper"><a href="'
- . $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/link-icon.gif" alt="' . t('link to source') . '" /></a></div>' : '');
+ . $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/remote-link.gif" alt="' . t('link to source') . '" /></a></div>' : '');
return $plink;
}}
+if(! function_exists('unamp')) {
+function unamp($s) {
+ return str_replace('&amp;', '&', $s);
+}}
+
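Review bot: The new `unamp()` only reverses `&amp;` and is a decoder, not a sanitiser, despite the commit title; a value that was entity-encoded twice (`&amp;amp;`) comes out still encoded, and `&lt;`, `&quot;` or numeric references pass through untouched. If the intent is to undo attribute escaping of hrefs, `html_entity_decode($s, ENT_QUOTES)` (or the project's own `unxmlify()`, which the follow.php side of this commit uses) would be the more complete choice. Separately, the retouched line in get_plink still writes `$item['plink']` straight into an href attribute with no escaping, so a plink containing a double quote or a `javascript:` scheme would break out of the attribute unless it was validated when stored — I cannot see that from here. A docblock on `unamp()` stating that it is a single-level `&amp;` decode would help callers avoid treating it as sanitisation.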
diff --git a/images/remote-link.gif b/images/remote-link.gif
new file mode 100644
index 000000000..008397fe8
--- /dev/null
+++ b/images/remote-link.gif
Binary files differ
diff --git a/include/items.php b/include/items.php
index 153debd7d..0951adbae 100644
--- a/include/items.php
+++ b/include/items.php
@@ -350,7 +350,7 @@ function get_atom_elements($feed,$item) {
'[youtube]$1[/youtube]', $res['body']);
$res['body'] = oembed_html2bbcode($res['body']);
-
+
$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null);
@@ -363,7 +363,7 @@ function get_atom_elements($feed,$item) {
$res['body'] = html2bbcode($res['body']);
}
-
+
$allow = $item->get_item_tags(NAMESPACE_DFRN,'comment-allow');
if($allow && $allow[0]['data'] == 1)
$res['last-child'] = 1;
diff --git a/mod/follow.php b/mod/follow.php
index eaee7d5ac..763ffb1b0 100644
--- a/mod/follow.php
+++ b/mod/follow.php
@@ -19,15 +19,15 @@ function follow_post(&$a) {
if(count($links)) {
foreach($links as $link) {
if($link['@attributes']['rel'] === NAMESPACE_DFRN)
- $dfrn = $link['@attributes']['href'];
+ $dfrn = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === 'salmon')
- $notify = $link['@attributes']['href'];
+ $notify = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === NAMESPACE_FEED)
- $poll = $link['@attributes']['href'];
+ $poll = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard')
- $hcard = $link['@attributes']['href'];
+ $hcard = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
- $profile = $link['@attributes']['href'];
+ $profile = unamp($link['@attributes']['href']);
}
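Review bot: The hrefs taken from the discovery links at these lines are decoded with `unamp()` but never validated, so whatever scheme or host the remote document supplies becomes `$dfrn`, `$notify` and `$poll` as-is; since these are presumably URLs the server will later contact on the user's behalf, a scheme check such as `if(! in_array(parse_url($link['@attributes']['href'], PHP_URL_SCHEME), array('http','https'))) continue;` at the top of the loop body would be cheap insurance. Also, `unamp()` handles only `&amp;`; if these attributes come from an XML/XRD document, `unxmlify()` (used further down in this same file) would decode the remaining entities as well. follow_post starts above this hunk.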
@@ -43,10 +43,10 @@ function follow_post(&$a) {
if(strpos($link['@attributes']['href'],'@') === false) {
if(isset($profile)) {
if($link['@attributes']['href'] !== $profile)
- $alias = $link['@attributes']['href'];
+ $alias = unamp($link['@attributes']['href']);
}
else
- $profile = $link['@attributes']['href'];
+ $profile = unamp($link['@attributes']['href']);
}
}
}
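Review bot: The comparison on the `if($link['@attributes']['href'] !== $profile)` line still uses the raw, entity-encoded href while `$profile` has already been passed through `unamp()`, so a profile link whose query string contains `&amp;` will never compare equal and will be re-assigned as `$alias`. Compare the decoded value instead: `if(unamp($link['@attributes']['href']) !== $profile)`. The `strpos(...,'@')` test a few lines up is unaffected, since `@` is not normally entity-encoded. follow_post continues outside this hunk.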
@@ -103,7 +103,7 @@ function follow_post(&$a) {
$ret = scrape_feed($url);
if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) {
- $poll = ((x($ret,'feed_atom')) ? $ret['feed_atom'] : $ret['feed_rss']);
+ $poll = ((x($ret,'feed_atom')) ? unamp($ret['feed_atom']) : unamp($ret['feed_rss']));
$vcard = array();
require_once('simplepie/simplepie.inc');
$feed = new SimplePie();
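Review bot: `$poll` is taken from whatever scrape_feed() found in the remote page and is then handed to SimplePie, and the only treatment it gets is `unamp()`, which undoes `&amp;` encoding and nothing else. Before constructing the feed it would be worth rejecting anything that is not an absolute http(s) URL, e.g. `if(! preg_match('#^https?://#i', $poll))` followed by the same notice-and-goaway bail-out the "enough information" check uses later, so that a file:// or relative link found in a scraped page cannot reach the fetcher. The ternary could also be simplified to `$poll = unamp(x($ret,'feed_atom') ? $ret['feed_atom'] : $ret['feed_rss']);`. The call that actually fetches the feed is outside this hunk.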
@@ -116,27 +116,31 @@ function follow_post(&$a) {
$vcard['photo'] = $feed->get_image_url();
$author = $feed->get_author();
if($author) {
- $vcard['fn'] = trim($author->get_name());
- $vcard['nick'] = strtolower($vcard['fn']);
+ $vcard['fn'] = unxmlify(trim($author->get_name()));
+ $vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));
if(strpos($vcard['nick'],' '))
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
- $email = $author->get_email();
+ $email = unxmlify($author->get_email());
}
else {
$item = $feed->get_item(0);
if($item) {
$author = $item->get_author();
if($author) {
- $vcard['fn'] = trim($author->get_name());
- $vcard['nick'] = strtolower($vcard['fn']);
+ $vcard['fn'] = trim(unxmlify($author->get_name()));
+ if(! $vcard['fn'])
+ $vcard['fn'] = trim(unxmlify($author->get_email()));
+ if(strpos($vcard['fn'],'@') !== false)
+ $vcard['fn'] = substr($vcard['fn'],0,strpos($vcard['fn'],'@'));
+ $vcard['nick'] = strtolower(unxmlify($vcard['fn']));
if(strpos($vcard['nick'],' '))
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
- $email = $author->get_email();
+ $email = unxmlify($author->get_email());
}
if(! $vcard['photo']) {
$rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail');
if($rawmedia && $rawmedia[0]['attribs']['']['url'])
- $vcard['photo'] = $rawmedia[0]['attribs']['']['url'];
+ $vcard['photo'] = unxmlify($rawmedia[0]['attribs']['']['url']);
}
}
}
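Review bot: `$vcard['fn']` is already decoded with `unxmlify()` on the line above each `nick` assignment, so the second `unxmlify()` inside `strtolower(notags(unxmlify($vcard['fn'])))` and `strtolower(unxmlify($vcard['fn']))` decodes the value twice; a name that legitimately contains `&amp;lt;` would come out as `<`, which is exactly the double-decoding that lets markup slip past a single escaping pass. Use the decoded name as-is and make the two branches identical: `$vcard['nick'] = strtolower(notags($vcard['fn']));`. The branches also differ in `unxmlify(trim(...))` versus `trim(unxmlify(...))`; the latter is the safer order since decoding may itself produce leading or trailing whitespace. `$email` is decoded but, as far as this hunk shows, never validated; if it is stored or displayed, `filter_var($email, FILTER_VALIDATE_EMAIL)` would be an appropriate gate.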
@@ -150,6 +154,9 @@ function follow_post(&$a) {
logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true));
+ $vcard['fn'] = notags($vcard['fn']);
+ $vcard['nick'] = notags($vcard['nick']);
+
// do we have enough information?
if(! ((x($vcard['fn'])) && ($poll) && ($profile))) {
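Review bot: `notags()` is applied here to `fn` and `nick`, but `$vcard['photo']`, `$poll`, `$notify` and `$profile` reach the "enough information" check with no scheme or format validation at all — only entity decoding earlier in the function. If `$vcard['photo']` is later emitted in an `<img src>` or fetched server-side (not visible here), a `javascript:` or `data:` value would pass straight through; a check such as `if($vcard['photo'] && ! preg_match('#^https?://#i', $vcard['photo'])) $vcard['photo'] = '';` next to these two lines would close that. follow_post continues outside this hunk.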
@@ -157,6 +164,7 @@ function follow_post(&$a) {
goaway($_SESSION['return_url']);
}
+
if(! $notify) {
notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL);
}
diff --git a/simplepie/simplepie.inc b/simplepie/simplepie.inc
index 185e17bcc..c3ba02b7d 100644
--- a/simplepie/simplepie.inc
+++ b/simplepie/simplepie.inc
@@ -9226,6 +9226,7 @@ class SimplePie_Misc
function absolutize_url($relative, $base)
{
+return $relative;
$iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative);
return $iri->get_iri();
}
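Review bot: The inserted `return $relative;` makes the two lines after it unreachable and disables relative-URL resolution for every SimplePie consumer in the codebase, not only the follow path, so a feed that uses relative links (`<link href="/entry/1">`) will now yield relative strings wherever absolutize_url() is used. If the goal is only to stop SimplePie re-normalising URLs that are already absolute, a narrower patch is to return early only when `$relative` already carries a scheme, e.g. `if(preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)) return $relative;`, and leave the absolutize path intact for genuinely relative references. Either way the dead lines should be removed or the change explained in a comment, since this is a local modification to a vendored library that a future SimplePie upgrade will silently revert.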