authorzotlabs <mike@macgirvin.com>2017-01-26 15:16:41 -0800
committerzotlabs <mike@macgirvin.com>2017-01-26 15:16:41 -0800
commit22839e48d013abdc46b609cd50b45b3bce6626f9 (patch)
treeb36a061ac82ce7aa4d99871ec228f53c841631f4 /Zotlabs/Lib
parentf7f39cf6c00d914efb1f2624d7a885ac912512e9 (diff)
better handling of html special chars in wiki and wikipage names
Diffstat (limited to 'Zotlabs/Lib')
-rw-r--r--Zotlabs/Lib/NativeWiki.php27
-rw-r--r--Zotlabs/Lib/NativeWikiPage.php13
2 files changed, 18 insertions, 22 deletions
diff --git a/Zotlabs/Lib/NativeWiki.php b/Zotlabs/Lib/NativeWiki.php
index 1b7970c4e..ccb0ff150 100644
--- a/Zotlabs/Lib/NativeWiki.php
+++ b/Zotlabs/Lib/NativeWiki.php
@@ -10,7 +10,8 @@ class NativeWiki {
static public function listwikis($channel, $observer_hash) {
$sql_extra = item_permissions_sql($channel['channel_id'], $observer_hash);
- $wikis = q("SELECT * FROM item WHERE resource_type = '%s' AND mid = parent_mid AND uid = %d AND item_deleted = 0 $sql_extra",
+ $wikis = q("SELECT * FROM item
+ WHERE resource_type = '%s' AND mid = parent_mid AND uid = %d AND item_deleted = 0 $sql_extra",
dbesc(NWIKI_ITEM_RESOURCE_TYPE),
intval($channel['channel_id'])
);
@@ -18,8 +19,8 @@ class NativeWiki {
if($wikis) {
foreach($wikis as &$w) {
$w['rawName'] = get_iconfig($w, 'wiki', 'rawName');
- $w['htmlName'] = get_iconfig($w, 'wiki', 'htmlName');
- $w['urlName'] = get_iconfig($w, 'wiki', 'urlName');
+ $w['htmlName'] = escape_tags($w['rawName']);
+ $w['urlName'] = urlencode(urlencode($w['rawName']));
$w['mimeType'] = get_iconfig($w, 'wiki', 'mimeType');
$w['lock'] = (($w['item_private'] || $w['allow_cid'] || $w['allow_gid'] || $w['deny_cid'] || $w['deny_gid']) ? true : false);
}
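Review bot: `urlName` is built with a double `urlencode()` on the new line here, and again in the `get_wiki` hunk of this file and the page-list hunk of NativeWikiPage.php, while the `create_page` hunk in NativeWikiPage.php stores `'urlName' => urlencode($name)` with a single encoding, so the same name yields two different URL forms depending on which path produced it. Either the single-encoded form should become `urlencode(urlencode($name))` or the others should drop one level, and a comment on the chosen form would stop the next reader from "fixing" it, e.g. `// double-encoded: decoded once by the router before it reaches the template` — that reason is my guess at the intent, confirm it before writing it. The `foreach($wikis as &$w)` loop takes `$w` by reference; if there is no `unset($w)` after the loop (not visible in the hunk), a later assignment to `$w` would silently overwrite the last list entry.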
@@ -61,7 +62,7 @@ class NativeWiki {
$arr['author_xchan'] = $observer_hash;
$arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . urlencode($arr['mid']);
$arr['llink'] = $arr['plink'];
- $arr['title'] = $wiki['htmlName']; // name of new wiki;
+ $arr['title'] = $wiki['htmlName']; // name of new wiki;
$arr['allow_cid'] = $ac['allow_cid'];
$arr['allow_gid'] = $ac['allow_gid'];
$arr['deny_cid'] = $ac['deny_cid'];
@@ -78,17 +79,12 @@ class NativeWiki {
if(! set_iconfig($arr, 'wiki', 'rawName', $wiki['rawName'], true)) {
return array('item' => null, 'success' => false);
}
- if(! set_iconfig($arr, 'wiki', 'htmlName', $wiki['htmlName'], true)) {
- return array('item' => null, 'success' => false);
- }
- if(! set_iconfig($arr, 'wiki', 'urlName', $wiki['urlName'], true)) {
- return array('item' => null, 'success' => false);
- }
if(! set_iconfig($arr, 'wiki', 'mimeType', $wiki['mimeType'], true)) {
return array('item' => null, 'success' => false);
}
$post = item_store($arr);
+
$item_id = $post['item_id'];
if($item_id) {
@@ -151,15 +147,13 @@ class NativeWiki {
$w = $item[0]; // wiki item table record
// Get wiki metadata
$rawName = get_iconfig($w, 'wiki', 'rawName');
- $htmlName = get_iconfig($w, 'wiki', 'htmlName');
- $urlName = get_iconfig($w, 'wiki', 'urlName');
$mimeType = get_iconfig($w, 'wiki', 'mimeType');
return array(
'wiki' => $w,
'rawName' => $rawName,
- 'htmlName' => $htmlName,
- 'urlName' => $urlName,
+ 'htmlName' => escape_tags($rawName),
+ 'urlName' => urlencode(urlencode($rawName)),
'mimeType' => $mimeType
);
}
@@ -170,10 +164,11 @@ class NativeWiki {
$sql_extra = item_permissions_sql($uid);
- $item = q("SELECT id, resource_id FROM item WHERE resource_type = '%s' AND title = '%s' AND uid = %d
+ $item = q("SELECT item.id, resource_id FROM item left join iconfig on iconfig.iid = item.id
+ WHERE resource_type = '%s' AND iconfig.v = '%s' AND uid = %d
AND item_deleted = 0 $sql_extra limit 1",
dbesc(NWIKI_ITEM_RESOURCE_TYPE),
- dbesc(escape_tags(urldecode($urlName))),
+ dbesc(urldecode($urlName)),
intval($uid)
);
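Review bot: The rewritten lookup joins `iconfig` on `iid` only and filters on `iconfig.v = '%s'` with no constraint on which iconfig entry is matched, so any iconfig row of an item whose value equals the decoded name (the `mimeType` entry this commit keeps writing on the same item, for instance) satisfies the query, and `limit 1` then hides which row was hit. Restrict the match to the entry `create_wiki` stores in this same commit: `WHERE resource_type = '%s' AND iconfig.cat = 'wiki' AND iconfig.k = 'rawName' AND iconfig.v = '%s' AND uid = %d`. Dropping `escape_tags()` from the bound value is consistent with the name now being stored raw, so that part looks right. The function continues past the hunk, so how the result is used is not visible here.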
diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php
index 9fbab791b..1467a1cfb 100644
--- a/Zotlabs/Lib/NativeWikiPage.php
+++ b/Zotlabs/Lib/NativeWikiPage.php
@@ -32,8 +32,8 @@ class NativeWikiPage {
if(urldecode($title) !== 'Home') {
$pages[] = [
'resource_id' => $resource_id,
- 'title' => urldecode($title),
- 'url' => $title,
+ 'title' => escape_tags($title),
+ 'url' => urlencode(urlencode($title)),
'link_id' => 'id_' . substr($resource_id, 0, 10) . '_' . $page_item['id']
];
}
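Review bot: `urldecode($title) !== 'Home'` on the first context line still decodes the stored page title, but the `pagetitle` hunk further down in this file now stores the title without `urlencode()`, so the comparison and the new `'title' => escape_tags($title)` line treat the stored value differently: a raw title containing `+` or `%` would be altered by `urldecode` in the comparison only. If the stored form is now raw, compare it directly, `if($title !== 'Home') {`. Pages stored before this change keep the encoded form — that is inferred from the storage change, and the commit carries no migration for it, so such pages would list under their encoded names.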
@@ -59,7 +59,7 @@ class NativeWikiPage {
// We may wish to change this some day.
$arr['item_unpublished'] = 1;
- set_iconfig($arr,'nwikipage','pagetitle',urlencode(($name) ? $name : t('(No Title)')),true);
+ set_iconfig($arr,'nwikipage','pagetitle',(($name) ? $name : t('(No Title)')),true);
$p = post_activity_item($arr, false, false);
@@ -67,11 +67,11 @@ class NativeWikiPage {
$page = [
'rawName' => $name,
'htmlName' => escape_tags($name),
- 'urlName' => urlencode(escape_tags($name)),
- 'fileName' => urlencode(escape_tags($name)) . Zlib\NativeWikiPage::get_file_ext($w)
+ 'urlName' => urlencode($name),
+
];
- return array('page' => $page, 'item_id' => $p['item_id'], 'wiki' => $w, 'message' => '', 'success' => true);
+ return array('page' => $page, 'item_id' => $p['item_id'], 'item' => $p['activity'], 'wiki' => $w, 'message' => '', 'success' => true);
}
return [ 'success' => false, 'message' => t('Wiki page create failed.') ];
}
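Review bot: The `$page` array literal now ends with an empty line after `'urlName' => urlencode($name),` where the `'fileName'` entry was removed, leaving a trailing comma followed by a blank line before `];`; drop the blank line so the literal reads cleanly. The `'fileName'` key is gone from the returned page, so any caller that still reads `$page['fileName']` would now hit an undefined index — callers are not visible from here, so treat that as something to check. The added `'item' => $p['activity']` entry is undocumented; a short comment such as `// full stored item, so callers need not re-fetch it` (confirm the intent) would help.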
@@ -134,6 +134,7 @@ class NativeWikiPage {
$channel_id = ((array_key_exists('channel_id',$arr)) ? intval($arr['channel_id']) : 0);
$revision = ((array_key_exists('revision',$arr)) ? intval($arr['revision']) : (-1));
+
$w = Zlib\NativeWiki::get_wiki($channel_id, $observer_hash, $resource_id);
if (! $w['wiki']) {
return array('content' => null, 'message' => 'Error reading wiki', 'success' => false);