author | friendica <info@friendica.com> | 2013-08-11 16:56:06 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-08-11 16:56:06 -0700 |
commit | d7a9db10881b8d9de1b5f7e2a2dfae3df396fb45 (patch) | |
tree | 1687d18e67706b14acc31d38cfabcf39e5bbc501 /include/text.php | |
parent | 5aa508dba77ed69e1aa8810623e75d15ad15c2ad (diff) | |
Important bits needed to allow PHP executable content. These must be explicitly allowed - but only if the account has ACCOUNT_ROLE_ALLOWCODE and *only* for web pages and profile fields. This content cannot be transmitted to other sites.
Diffstat (limited to 'include/text.php')
-rwxr-xr-x | include/text.php | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
 $s = Markdown($text);
 break;
 
+ // No security checking is done here at display time - so we need to verify
+ // that the author is allowed to use PHP before storing. We also cannot allow
+ // importation of PHP text bodies from other sites. Therefore this content
+ // type is only valid for web pages (and profile details).
+
+ // It may be possible to provide a PHP message body which is evaluated on the
+ // sender's site before sending it elsewhere. In that case we will have a
+ // different content-type here.
+
+ case 'application/x-php':
+ ob_start();
+ eval($text);
+ $s = ob_get_contents();
+ ob_end_clean();
+ break;
+
 case 'text/bbcode':
 case '':
 default:
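Review bot: The new `application/x-php` case executes `eval($text)` for any caller that passes that content type, so the whole protection rests on every storage and import path rejecting the type for authors without ACCOUNT_ROLE_ALLOWCODE, exactly as the added comment says; prepare_text itself receives only `$text` and `$content_type` and has no way to distinguish a locally authorised page from anything else, which makes a single missed check elsewhere sufficient for code execution at render time. A cheaper fail-closed option is to keep the eval out of this generic dispatch and have only the web-page and profile-field render paths call a dedicated helper for this type, so that the branch is unreachable from item display and federated content by construction; at minimum the comment should name the enforcement points it relies on rather than stating that none exist here. Separately, if `$text` does not compile, PHP 5 `eval` returns false and execution continues with whatever was buffered, so `$s = ob_get_clean();` replacing the `ob_get_contents()`/`ob_end_clean()` pair is both shorter and guarantees the buffer is released on the normal path. prepare_text begins and ends outside this hunk.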