diff options
author | Andrew Manning <tamanning@zoho.com> | 2016-06-12 07:17:23 -0400 |
---|---|---|
committer | Andrew Manning <tamanning@zoho.com> | 2016-06-12 07:17:23 -0400 |
commit | e109abbef7fed77898da7adb9d43e686dc96c29a (patch) | |
tree | 27461e9de07590454f63ff7d9398e3f6361b692c /Zotlabs/Module | |
parent | 0cada39c8afe1858a8e710ada8dfc66f4cb8f1bf (diff) | |
download | volse-hubzilla-e109abbef7fed77898da7adb9d43e686dc96c29a.tar.gz volse-hubzilla-e109abbef7fed77898da7adb9d43e686dc96c29a.tar.bz2 volse-hubzilla-e109abbef7fed77898da7adb9d43e686dc96c29a.zip |
Apply purify_html to page content before preview and save to prevent JavaScript code injection.
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r-- | Zotlabs/Module/Wiki.php | 18 |
1 files changed, 3 insertions, 15 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index fbf751ddf..1e6446904 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller { if((argc() > 2) && (argv(2) === 'preview')) { $content = $_POST['content']; require_once('library/markdown.php'); - $html = Markdown($content); + $html = purify_html(Markdown($content)); json_return_and_die(array('html' => $html, 'success' => true)); } @@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller { // more detail permissions framework if (local_channel() !== intval($channel['channel_id'])) { goaway('/'.argv(0).'/'.$nick.'/'); - } else { - /* - $channel = get_channel_by_nick($nick); - // Figure out who the page owner is. - $perms = get_all_perms(intval($channel['channel_id']), $observer_hash); - // TODO: Create a new permission setting for wiki analogous to webpages. Until - // then, use webpage permissions - if (!$perms['write_pages']) { - notice(t('Permission denied.') . EOL); - goaway('/'.argv(0).'/'.argv(1).'/'); - } - */ - } + } $wiki = array(); // Generate new wiki info from input name $wiki['rawName'] = $_POST['wikiName']; @@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller { $resource_id = $_POST['resource_id']; $pageUrlName = $_POST['name']; $pageHtmlName = escape_tags($_POST['name']); - $content = escape_tags($_POST['content']); //Get new content + $content = $_POST['content']; //Get new content $commitMsg = $_POST['commitMsg']; if ($commitMsg === '') { $commitMsg = 'Updated ' . $pageHtmlName; |