author | zotlabs <mike@macgirvin.com> | 2017-01-26 15:16:41 -0800 |
committer | zotlabs <mike@macgirvin.com> | 2017-01-26 15:16:41 -0800 |
commit | 22839e48d013abdc46b609cd50b45b3bce6626f9 (patch) | |
tree | b36a061ac82ce7aa4d99871ec228f53c841631f4 /Zotlabs | |
parent | f7f39cf6c00d914efb1f2624d7a885ac912512e9 (diff) | |
download | volse-hubzilla-22839e48d013abdc46b609cd50b45b3bce6626f9.tar.gz volse-hubzilla-22839e48d013abdc46b609cd50b45b3bce6626f9.tar.bz2 volse-hubzilla-22839e48d013abdc46b609cd50b45b3bce6626f9.zip |
better handling of html special chars in wiki and wikipage names
Diffstat (limited to 'Zotlabs')
-rw-r--r-- | Zotlabs/Lib/NativeWiki.php | 27 | ||||
-rw-r--r-- | Zotlabs/Lib/NativeWikiPage.php | 13 | ||||
-rw-r--r-- | Zotlabs/Module/Wiki.php | 19 |
3 files changed, 28 insertions, 31 deletions
diff --git a/Zotlabs/Lib/NativeWiki.php b/Zotlabs/Lib/NativeWiki.php
index 1b7970c4e..ccb0ff150 100644
--- a/Zotlabs/Lib/NativeWiki.php
+++ b/Zotlabs/Lib/NativeWiki.php
@@ -10,7 +10,8 @@ class NativeWiki {
 static public function listwikis($channel, $observer_hash) {
 $sql_extra = item_permissions_sql($channel['channel_id'], $observer_hash);
- $wikis = q("SELECT * FROM item WHERE resource_type = '%s' AND mid = parent_mid AND uid = %d AND item_deleted = 0 $sql_extra",
+ $wikis = q("SELECT * FROM item
+ WHERE resource_type = '%s' AND mid = parent_mid AND uid = %d AND item_deleted = 0 $sql_extra",
 dbesc(NWIKI_ITEM_RESOURCE_TYPE),
 intval($channel['channel_id'])
 );
@@ -18,8 +19,8 @@ class NativeWiki {
 if($wikis) {
 foreach($wikis as &$w) {
 $w['rawName'] = get_iconfig($w, 'wiki', 'rawName');
- $w['htmlName'] = get_iconfig($w, 'wiki', 'htmlName');
- $w['urlName'] = get_iconfig($w, 'wiki', 'urlName');
+ $w['htmlName'] = escape_tags($w['rawName']);
+ $w['urlName'] = urlencode(urlencode($w['rawName']));
 $w['mimeType'] = get_iconfig($w, 'wiki', 'mimeType');
 $w['lock'] = (($w['item_private'] || $w['allow_cid'] || $w['allow_gid'] || $w['deny_cid'] || $w['deny_gid']) ? true : false);
 }
@@ -61,7 +62,7 @@ class NativeWiki {
 $arr['author_xchan'] = $observer_hash;
 $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . urlencode($arr['mid']);
 $arr['llink'] = $arr['plink'];
- $arr['title'] = $wiki['htmlName']; // name of new wiki;
+ $arr['title'] = $wiki['htmlName']; // name of new wiki;
 $arr['allow_cid'] = $ac['allow_cid'];
 $arr['allow_gid'] = $ac['allow_gid'];
 $arr['deny_cid'] = $ac['deny_cid'];
@@ -78,17 +79,12 @@ class NativeWiki {
 if(! set_iconfig($arr, 'wiki', 'rawName', $wiki['rawName'], true)) {
 return array('item' => null, 'success' => false);
 }
- if(! set_iconfig($arr, 'wiki', 'htmlName', $wiki['htmlName'], true)) {
- return array('item' => null, 'success' => false);
- }
- if(! set_iconfig($arr, 'wiki', 'urlName', $wiki['urlName'], true)) {
- return array('item' => null, 'success' => false);
- }
 if(! set_iconfig($arr, 'wiki', 'mimeType', $wiki['mimeType'], true)) {
 return array('item' => null, 'success' => false);
 }
 $post = item_store($arr);
+
 $item_id = $post['item_id'];
 if($item_id) {
@@ -151,15 +147,13 @@ class NativeWiki {
 $w = $item[0]; // wiki item table record
 // Get wiki metadata
 $rawName = get_iconfig($w, 'wiki', 'rawName');
- $htmlName = get_iconfig($w, 'wiki', 'htmlName');
- $urlName = get_iconfig($w, 'wiki', 'urlName');
 $mimeType = get_iconfig($w, 'wiki', 'mimeType');
 return array(
 'wiki' => $w,
 'rawName' => $rawName,
- 'htmlName' => $htmlName,
- 'urlName' => $urlName,
+ 'htmlName' => escape_tags($rawName),
+ 'urlName' => urlencode(urlencode($rawName)),
 'mimeType' => $mimeType
 );
 }
@@ -170,10 +164,11 @@ class NativeWiki {
 $sql_extra = item_permissions_sql($uid);
- $item = q("SELECT id, resource_id FROM item WHERE resource_type = '%s' AND title = '%s' AND uid = %d
+ $item = q("SELECT item.id, resource_id FROM item left join iconfig on iconfig.iid = item.id
+ WHERE resource_type = '%s' AND iconfig.v = '%s' AND uid = %d
 AND item_deleted = 0 $sql_extra limit 1",
 dbesc(NWIKI_ITEM_RESOURCE_TYPE),
- dbesc(escape_tags(urldecode($urlName))),
+ dbesc(urldecode($urlName)),
 intval($uid)
 );
diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php
index 9fbab791b..1467a1cfb 100644
--- a/Zotlabs/Lib/NativeWikiPage.php
+++ b/Zotlabs/Lib/NativeWikiPage.php
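Review bot: The rewritten lookup in the `@@ -170` hunk joins iconfig but filters only on `iconfig.v = '%s'`, not on the iconfig category and key columns, so any iconfig row attached to a wiki item whose value equals the decoded name matches — including the `mimeType` entry that set_iconfig writes in the `@@ -78` hunk — and a wiki can be resolved by a value that is not its name, or the wrong wiki returned when two values collide. Restricting the match to the rawName entry closes that: `WHERE resource_type = '%s' AND iconfig.cat = 'wiki' AND iconfig.k = 'rawName' AND iconfig.v = '%s' AND uid = %d`. The enclosing function (presumably exists_by_name, which the Wiki.php hunk calls with this argument) begins and ends outside the hunk, and `resource_id` and `uid` stay unqualified after the join, which is worth confirming is unambiguous against the iconfig schema. A short comment above the query saying that `$urlName` arrives URL-encoded and is compared against the raw stored name would also help the next reader, since the old code compared an escaped form against `title`.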
@@ -32,8 +32,8 @@ class NativeWikiPage {
 if(urldecode($title) !== 'Home') {
 $pages[] = [
 'resource_id' => $resource_id,
- 'title' => urldecode($title),
- 'url' => $title,
+ 'title' => escape_tags($title),
+ 'url' => urlencode(urlencode($title)),
 'link_id' => 'id_' . substr($resource_id, 0, 10) . '_' . $page_item['id']
 ];
 }
@@ -59,7 +59,7 @@ class NativeWikiPage {
 // We may wish to change this some day.
 $arr['item_unpublished'] = 1;
- set_iconfig($arr,'nwikipage','pagetitle',urlencode(($name) ? $name : t('(No Title)')),true);
+ set_iconfig($arr,'nwikipage','pagetitle',(($name) ? $name : t('(No Title)')),true);
 $p = post_activity_item($arr, false, false);
@@ -67,11 +67,11 @@ class NativeWikiPage {
 $page = [
 'rawName' => $name,
 'htmlName' => escape_tags($name),
- 'urlName' => urlencode(escape_tags($name)),
- 'fileName' => urlencode(escape_tags($name)) . Zlib\NativeWikiPage::get_file_ext($w)
+ 'urlName' => urlencode($name),
+
 ];
- return array('page' => $page, 'item_id' => $p['item_id'], 'wiki' => $w, 'message' => '', 'success' => true);
+ return array('page' => $page, 'item_id' => $p['item_id'], 'item' => $p['activity'], 'wiki' => $w, 'message' => '', 'success' => true);
 }
 return [ 'success' => false, 'message' => t('Wiki page create failed.') ];
 }
@@ -134,6 +134,7 @@ class NativeWikiPage {
 $channel_id = ((array_key_exists('channel_id',$arr)) ? intval($arr['channel_id']) : 0);
 $revision = ((array_key_exists('revision',$arr)) ? intval($arr['revision']) : (-1));
+
 $w = Zlib\NativeWiki::get_wiki($channel_id, $observer_hash, $resource_id);
 if (! $w['wiki']) {
 return array('content' => null, 'message' => 'Error reading wiki', 'success' => false);
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 2ba4df209..5397deebe 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
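Review bot: In the `@@ -67` hunk the created page's `urlName` is single-encoded (`urlencode($name)`) while every wiki `urlName` in this commit is double-encoded, and the `@@ -367` hunk in Wiki.php concatenates the two into one redirect, so the page segment sits one encoding level below the wiki segment and a Home-page name containing reserved characters would be resolved wrongly; it works now only because the name is plain. Make it `'urlName' => urlencode(urlencode($name)),` or encode the page segment at the redirect site, and drop the stray blank `+` line left inside the array literal where `fileName` was removed. The `@@ -32` hunk still tests `urldecode($title) !== 'Home'` although after the `@@ -59` hunk the stored pagetitle is no longer urlencoded, so a title containing `+` or `%` is compared after an unintended decode; comparing `$title` directly looks right, unless pre-existing pages still carry encoded titles — worth confirming.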
@@ -189,8 +189,8 @@ class Wiki extends \Zotlabs\Web\Controller {
 // GET /wiki/channel/wiki/page
 // Fetch the wiki info and determine observer permissions
- $wikiUrlName = urlencode(argv(2));
- $pageUrlName = urlencode(argv(3));
+ $wikiUrlName = urldecode(argv(2));
+ $pageUrlName = urldecode(argv(3));
 $w = Zlib\NativeWiki::exists_by_name($owner['channel_id'], $wikiUrlName);
@@ -345,11 +345,11 @@ class Wiki extends \Zotlabs\Web\Controller {
 }
 $wiki = array();
 // Generate new wiki info from input name
- $wiki['postVisible'] = ((intval($_POST['postVisible']) === 0) ? 0 : 1);
- $wiki['rawName'] = $_POST['wikiName'];
- $wiki['htmlName'] = escape_tags($_POST['wikiName']);
- $wiki['urlName'] = urlencode($_POST['wikiName']);
- $wiki['mimeType'] = $_POST['mimeType'];
+ $wiki['postVisible'] = ((intval($_POST['postVisible'])) ? 1 : 0);
+ $wiki['rawName'] = $_POST['wikiName'];
+ $wiki['htmlName'] = escape_tags($_POST['wikiName']);
+ $wiki['urlName'] = urlencode(urlencode($_POST['wikiName']));
+ $wiki['mimeType'] = $_POST['mimeType'];
 if($wiki['urlName'] === '') {
 notice( t('Error creating wiki. Invalid name.') . EOL);
@@ -367,6 +367,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 notice( t('Wiki created, but error creating Home page.'));
 goaway(z_root() . '/wiki/' . $nick . '/' . $wiki['urlName']);
 }
+ Zlib\NativeWiki::sync_a_wiki_item($owner['channel_id'],$homePage['item_id'],$r['item']['resource_id']);
 goaway(z_root() . '/wiki/' . $nick . '/' . $wiki['urlName'] . '/' . $homePage['page']['urlName']);
 } else {
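Review bot: The only validation in the `@@ -345` hunk is `if($wiki['urlName'] === '')`, evaluated after the double urlencode, so a name consisting of whitespace passes (`urlencode(' ')` is `+`) and a missing `wikiName` stores a null rawName through set_iconfig; check the raw value first with `$wiki['rawName'] = trim((string)($_POST['wikiName'] ?? ''));` and `if($wiki['rawName'] === '') {`, then derive htmlName and urlName from `$wiki['rawName']` rather than reading `$_POST` three times. `$_POST['mimeType']` is still stored as-is on the re-indented line (it goes into iconfig per the NativeWiki.php `@@ -78` hunk); an `in_array($wiki['mimeType'], [/* the module's supported types */], true)` check would bound it to the formats the renderer understands. In the `@@ -189` hunk argv(2) is urldecoded here and decoded once more inside exists_by_name per the NativeWiki.php hunk; if the router already decodes the path segment that is a third pass, and a name containing a literal `%` would not be found — worth confirming where argv() takes its input from.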
@@ -427,10 +428,10 @@ class Wiki extends \Zotlabs\Web\Controller {
 if($commit['success']) {
 Zlib\NativeWiki::sync_a_wiki_item($owner['channel_id'],$commit['item_id'],$resource_id);
- json_return_and_die(array('url' => '/' . argv(0) . '/' . argv(1) . '/' . $page['wiki']['urlName'] . '/' . $page['page']['urlName'], 'success' => true));
+ json_return_and_die(array('url' => '/' . argv(0) . '/' . argv(1) . '/' . urlencode($page['wiki']['urlName']) . '/' . urlencode($page['page']['urlName']), 'success' => true));
 }
 else {
- json_return_and_die(array('message' => 'Error making git commit','url' => '/' . argv(0) . '/' . argv(1) . '/' . $page['wiki']['urlName'] . '/' . urlencode($page['page']['urlName']),'success' => false));
+ json_return_and_die(array('message' => 'Error making git commit','url' => '/' . argv(0) . '/' . argv(1) . '/' . urlencode($page['wiki']['urlName']) . '/' . urlencode($page['page']['urlName']),'success' => false));
 }
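Review bot: Wrapping `$page['wiki']['urlName']` in `urlencode()` on both new lines encodes it a third time if `$page['wiki']` comes from NativeWiki::get_wiki, which in this commit already returns `urlName` as `urlencode(urlencode($rawName))`, while the page name from the NativeWikiPage.php create path is single-encoded and so ends up double — the two segments of the returned URL would be at different encoding depths. Where `$page` is built is outside this hunk, so this needs confirming; if it holds, either drop the outer `urlencode()` on the wiki segment or, better, return raw names from the library and encode each segment exactly once here. The same URL is assembled twice in this hunk; a single local such as `$url = '/' . argv(0) . '/' . argv(1) . '/' . urlencode($page['wiki']['urlName']) . '/' . urlencode($page['page']['urlName']);` with a one-line comment stating which encoding level the client expects would keep the two branches from drifting apart again.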