aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-12-05 16:33:24 -0800
committerzotlabs <mike@macgirvin.com>2017-12-05 16:33:24 -0800
commit8451ee20c913a76dd301375823bbda7364f18310 (patch)
treec7e202b7c4717d52c8861aa42dc859791e8e5569 /Zotlabs
parentd4acf4119226394b203d8bb52b75eec6d56d6631 (diff)
downloadvolse-hubzilla-8451ee20c913a76dd301375823bbda7364f18310.tar.gz
volse-hubzilla-8451ee20c913a76dd301375823bbda7364f18310.tar.bz2
volse-hubzilla-8451ee20c913a76dd301375823bbda7364f18310.zip
disallow backslashes in wiki and wiki-page names
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Lib/NativeWikiPage.php4
-rw-r--r--Zotlabs/Module/Wiki.php20
2 files changed, 18 insertions, 6 deletions
diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php
index 209a5ef3c..919c51276 100644
--- a/Zotlabs/Lib/NativeWikiPage.php
+++ b/Zotlabs/Lib/NativeWikiPage.php
@@ -68,6 +68,9 @@ class NativeWikiPage {
return array('content' => null, 'message' => 'Error reading wiki', 'success' => false);
}
+ // backslashes won't work well in the javascript functions
+ $name = str_replace('\\','',$name);
+
// create an empty activity
$arr = [];
@@ -351,6 +354,7 @@ class NativeWikiPage {
// fetch the most recently saved revision.
$item = self::load_page($arr);
+
if(! $item) {
return array('message' => t('Page not found'), 'success' => false);
}
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 2d2d8e2b7..f0fb7b387 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -430,11 +430,15 @@ class Wiki extends \Zotlabs\Web\Controller {
goaway('/' . argv(0) . '/' . $nick . '/');
}
$wiki = array();
+
+ // backslashes won't work well in the javascript functions
+ $name = str_replace('\\','',$_POST['wikiName']);
+
// Generate new wiki info from input name
$wiki['postVisible'] = ((intval($_POST['postVisible'])) ? 1 : 0);
- $wiki['rawName'] = $_POST['wikiName'];
- $wiki['htmlName'] = escape_tags($_POST['wikiName']);
- $wiki['urlName'] = urlencode(urlencode($_POST['wikiName']));
+ $wiki['rawName'] = $name;
+ $wiki['htmlName'] = escape_tags($name);
+ $wiki['urlName'] = urlencode(urlencode($name));
$wiki['mimeType'] = $_POST['mimeType'];
$wiki['typelock'] = $_POST['typelock'];
@@ -555,7 +559,11 @@ class Wiki extends \Zotlabs\Web\Controller {
}
$name = $_POST['pageName']; //Get new page name
- if(urlencode(escape_tags($_POST['pageName'])) === '') {
+
+ // backslashes won't work well in the javascript functions
+ $name = str_replace('\\','',$name);
+
+ if(urlencode(escape_tags($name)) === '') {
json_return_and_die(array('message' => 'Error creating page. Invalid name.', 'success' => false));
}
$page = Zlib\NativeWikiPage::create_page($owner['channel_id'],$observer_hash, $name, $resource_id, $mimetype);
@@ -626,7 +634,7 @@ class Wiki extends \Zotlabs\Web\Controller {
logger('Wiki write permission denied. ' . EOL);
json_return_and_die(array('success' => false));
}
-
+
$saved = Zlib\NativeWikiPage::save_page(array('channel_id' => $owner['channel_id'], 'observer_hash' => $observer_hash, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName, 'content' => $content));
if($saved['success']) {
@@ -758,7 +766,7 @@ class Wiki extends \Zotlabs\Web\Controller {
if ((argc() === 4) && (argv(2) === 'rename') && (argv(3) === 'page')) {
$resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['oldName'];
- $pageNewName = $_POST['newName'];
+ $pageNewName = str_replace('\\','',$_POST['newName']);
if ($pageUrlName === 'Home') {
json_return_and_die(array('message' => 'Cannot rename Home','success' => false));
}