diff options
author | friendica <info@friendica.com> | 2013-09-02 01:38:17 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-09-02 01:38:17 -0700 |
commit | 8b7757e033c4483da24700722c186057bb431164 (patch) | |
tree | c331db3262084b08b47970c20f2d8657d6ebef81 /include | |
parent | a35d440ff1fee806a8aa17a0297e1163db6a3ba5 (diff) | |
download | volse-hubzilla-8b7757e033c4483da24700722c186057bb431164.tar.gz volse-hubzilla-8b7757e033c4483da24700722c186057bb431164.tar.bz2 volse-hubzilla-8b7757e033c4483da24700722c186057bb431164.zip |
webpage content-type -- needs cleaning up and a security check once all the important bits are in place.
Diffstat (limited to 'include')
-rw-r--r-- | include/conversation.php | 8 | ||||
-rwxr-xr-x | include/items.php | 10 | ||||
-rwxr-xr-x | include/text.php | 60 |
3 files changed, 71 insertions, 7 deletions
diff --git a/include/conversation.php b/include/conversation.php index 2157f8291..a357e1480 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -1009,9 +1009,16 @@ function status_editor($a,$x,$popup=false) { $geotag = (($x['allow_location']) ? replace_macros(get_markup_template('jot_geotag.tpl'), array()) : ''); $plaintext = true; + if(feature_enabled(local_user(),'richtext')) $plaintext = false; + if(intval($x['plaintext'])) + $plaintext = true; + + if(intval($x['mimeselect'])) + $mimeselect = mimetype_select($x['profile_uid']); + $tpl = get_markup_template('jot-header.tpl'); $a->page['htmlhead'] .= replace_macros($tpl, array( @@ -1079,6 +1086,7 @@ function status_editor($a,$x,$popup=false) { '$emtitle' => t('Example: bob@example.com, mary@example.com'), '$lockstate' => $x['lockstate'], '$acl' => $x['acl'], + '$mimeselect' => $mimeselect, '$showacl' => ((array_key_exists('showacl',$x)) ? $x['showacl'] : 'yes'), '$bang' => $x['bang'], '$profile_uid' => $x['profile_uid'], diff --git a/include/items.php b/include/items.php index 712c416de..66172ade3 100755 --- a/include/items.php +++ b/include/items.php @@ -1397,14 +1397,10 @@ function item_store($arr,$allow_exec = false) { $arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 ); $arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 ); - // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring - if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') { - if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) - $arr['body'] = escape_tags($arr['body']); - if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false)) - $arr['title'] = escape_tags($arr['title']); - } + $arr['body'] = z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']); + $arr['title'] = escape_tags($arr['title']); + // only detect language if we have text content, and if the post is private but not yet // obscured, make it so. diff --git a/include/text.php b/include/text.php index 99d5c9d78..606ef421c 100755 --- a/include/text.php +++ b/include/text.php @@ -81,6 +81,34 @@ function escape_tags($string) { } +function z_input_filter($channel_id,$s,$type = 'text/bbcode') { + + if($type === 'text/bbcode') + return escape_tags($s); + if($type === 'text/markdown') + return escape_tags($s); + if($type == 'text/plain') + return escape_tags($s); + $r = q("select account_id, account_roles from account left join channel on channel_account_id = account_id where channel_id = %d limit 1", + intval($channel_id) + ); + if($r && ($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWEXEC)) { + if(local_user() && (get_account_id() == $r[0]['account_id'])) { + return $s; + } + } + + if($type === 'text/html') + return purify_html($s); + + return escape_tags($s); + +} + + + + + function purify_html($s) { require_once('library/HTMLPurifier.auto.php'); require_once('include/html2bbcode.php'); @@ -1127,6 +1155,7 @@ function prepare_body(&$item,$attach = false) { function prepare_text($text,$content_type = 'text/bbcode') { + switch($content_type) { case 'text/plain': @@ -1291,6 +1320,37 @@ function unamp($s) { } +function mimetype_select($channel_id, $current = 'text/bbcode') { + + $x = array( + 'text/bbcode', + 'text/html', + 'text/markdown', + 'text/plain' + ); + + $r = q("select account_flags from account left join channel on account_id = channel_account_id where + channel_id = %d limit 1", + intval($channel_id) + ); + + if($r) { + if($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) { + $x[] = 'application/x-php'; + } + } + + $o = t('Page content type: '); + $o .= '<select name="mimetype" id="mimetype-select">'; + foreach($x as $y) { + $select = (($y == $current) ? ' selected="selected" ' : ''); + $o .= '<option name="' . $y . '"' . $select . '>' . $y . '</option>'; + } + $o .= '</select>'; + + return $o; + +} |