author | friendica <info@friendica.com> | 2013-05-22 18:22:41 -0700 |
committer | friendica <info@friendica.com> | 2013-05-22 18:22:41 -0700 |
commit | aa1eb2d89e7e4011ed43fdb391e6ced695a9521f (patch) | |
tree | 2d45ab19258541d2b771d0ee645b583a0c64630b | |
parent | 75e4d446ef8d84ba1e07612b9a8a8ec839defb41 (diff) | |
add basic input filtering to the simple activity posting
-rwxr-xr-x | boot.php | 15 | ||||
-rwxr-xr-x | include/items.php | 20 | ||||
-rw-r--r-- | version.inc | 2 |
3 files changed, 29 insertions, 8 deletions
@@ -590,6 +590,13 @@ class App { startup(); + set_include_path( + 'include' . PATH_SEPARATOR + . 'library' . PATH_SEPARATOR + . 'library/phpsec' . PATH_SEPARATOR + . 'library/langdet' . PATH_SEPARATOR + . '.' ); + $this->scheme = 'http'; if(x($_SERVER,'HTTPS') && $_SERVER['HTTPS']) @@ -612,13 +619,7 @@ class App { $this->path = $path; } - set_include_path( - "include/$this->hostname" . PATH_SEPARATOR - . 'include' . PATH_SEPARATOR - . 'library' . PATH_SEPARATOR - . 'library/phpsec' . PATH_SEPARATOR - . 'library/langdet' . PATH_SEPARATOR - . '.' ); + set_include_path("include/$this->hostname" . PATH_SEPARATOR . get_include_path()); if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'],0,2) === "q=") { $this->query_string = substr($_SERVER['QUERY_STRING'],2); diff --git a/include/items.php b/include/items.php index dc2d6b11b..37a6d5fed 100755 --- a/include/items.php +++ b/include/items.php @@ -113,6 +113,12 @@ function post_activity_item($arr) { return $ret; } + if(array_key_exists('content_type',$arr) && $arr['content_type'] == 'text/html') + $arr['body'] = purify_html($arr['body']); + else + $arr['body'] = escape_tags($arr['body']); + + $arr['mid'] = ((x($arr,'mid')) ? $arr['mid'] : item_message_id()); $arr['parent_mid'] = ((x($arr,'parent_mid')) ? $arr['parent_mid'] : $arr['mid']); $arr['thr_parent'] = ((x($arr,'thr_parent')) ? $arr['thr_parent'] : $arr['mid']); @@ -160,6 +166,20 @@ function post_activity_item($arr) { } +function purify_html($s) { + require_once('library/HTMLPurifier.auto.php'); + require_once('include/html2bbcode.php'); + +// FIXME this function has html output, not bbcode - so safely purify these +// $s = html2bb_video($s); +// $s = oembed_html2bbcode($s); + + $config = HTMLPurifier_Config::createDefault(); + $config->set('Cache.DefinitionImpl', null); + + $purifier = new HTMLPurifier($config); + return $purifier->purify($s); +} function get_public_feed($channel,$params) { 
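Review bot: The new `set_include_path("include/$this->hostname" . PATH_SEPARATOR . get_include_path());` puts a hostname-derived directory at the front of the include path without validating it; if `$this->hostname` is taken from the request (its assignment sits between the two hunks and is not visible here), a value containing `..` or a `:` — which is PATH_SEPARATOR on POSIX — would steer where every relative `require_once` in the application, including the new `library/HTMLPurifier.auto.php` load in items.php, resolves first. Consider guarding the call with a character whitelist such as `if(preg_match('/^[A-Za-z0-9.\-]+$/', $this->hostname))`, or resolving the entry with `realpath()` and checking it stays under `include/`, before prepending it. The enclosing App constructor starts and ends outside the hunk.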
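Review bot: The new filter sanitises only `$arr['body']`; any other free-text field a caller can put in `$arr` (a `title`, for instance, if this entry point accepts one — not visible in the hunk) still reaches storage untouched, so the same `purify_html`/`escape_tags` treatment should be applied to each such field, or the accepted keys documented at the top of the function. The test `$arr['content_type'] == 'text/html'` is a loose comparison and reads better as `===`; any other value, including a parameterised `text/html; charset=...`, falls through to `escape_tags`, which fails safe but silently changes how the content renders, so a comment stating that intent would help: `// anything not declared as text/html is treated as plain text and tag-escaped`. post_activity_item starts and ends outside the hunk.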
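Review bot: `purify_html` has no docblock, and `require_once('include/html2bbcode.php')` is loaded only for the two calls that are commented out under the FIXME, so the require is dead weight until that is resolved; drop it, or move it next to the calls when they are re-enabled. Disabling the definition cache with `$config->set('Cache.DefinitionImpl', null)` makes HTMLPurifier rebuild its HTML/CSS/URI definitions on every call, which is costly on a posting path; pointing `Cache.SerializerPath` at a writable directory would keep the cache without the default-path permission problem the null setting presumably works around. A header such as `/** Sanitise untrusted HTML through HTMLPurifier's default whitelist; output is HTML, not bbcode. */` would state the contract the FIXME alludes to.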
diff --git a/version.inc b/version.inc index 6f17f8169..68d7bf797 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2013-05-21.320 +2013-05-22.321 |