author | Thomas Willingham <founder@kakste.com> | 2013-08-14 20:44:17 +0100 |
committer | Thomas Willingham <founder@kakste.com> | 2013-08-14 20:44:17 +0100 |
commit | a0dfd44f9178796eaf55e4a2ab0194c12e7dfd21 (patch) | |
tree | 31a43380cbe93e28f27c69a7d676fe6bfafbb0f4 /include/text.php | |
parent | 94335f237fdadd93b86b271526c25c2a77de9c40 (diff) | |
parent | de4e4c5ebd1ab746432b21d122b5f0cfb70a9bdd (diff) | |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'include/text.php')
-rwxr-xr-x | include/text.php | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
 $s = Markdown($text);
 break;
 
+ // No security checking is done here at display time - so we need to verify
+ // that the author is allowed to use PHP before storing. We also cannot allow
+ // importation of PHP text bodies from other sites. Therefore this content
+ // type is only valid for web pages (and profile details).
+
+ // It may be possible to provide a PHP message body which is evaluated on the
+ // sender's site before sending it elsewhere. In that case we will have a
+ // different content-type here.
+
+ case 'application/x-php':
+ ob_start();
+ eval($text);
+ $s = ob_get_contents();
+ ob_end_clean();
+ break;
+
 case 'text/bbcode':
 case '':
 default:
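Review bot: The output buffer opened before `eval($text)` is never closed when the evaluated code fails, because `ob_end_clean()` only runs after `eval()` returns normally; on a parse error `eval()` returns false on the PHP of this era (later versions throw ParseError), and the caller is left one buffer level deep, silently swallowing everything it prints afterwards. Folding the two calls into `$s = ob_get_clean();` and checking the result of `eval()` before using `$s` keeps the buffer balanced on both paths. The comment block states that authorization is enforced at storage time rather than here, but nothing in this hunk ties the case to those storage paths: any caller that passes `'application/x-php'` as `$content_type` reaches `eval()` regardless of where the text originated, so naming the permitted callers in the comment, or asserting the origin at this case, would make the invariant local and a misrouted content type detectable instead of silent. prepare_text begins and ends outside the hunk.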