aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2013-09-02 01:38:17 -0700
committerfriendica <info@friendica.com>2013-09-02 01:38:17 -0700
commit8b7757e033c4483da24700722c186057bb431164 (patch)
treec331db3262084b08b47970c20f2d8657d6ebef81 /include
parenta35d440ff1fee806a8aa17a0297e1163db6a3ba5 (diff)
downloadvolse-hubzilla-8b7757e033c4483da24700722c186057bb431164.tar.gz
volse-hubzilla-8b7757e033c4483da24700722c186057bb431164.tar.bz2
volse-hubzilla-8b7757e033c4483da24700722c186057bb431164.zip
webpage content-type -- needs cleaning up and a security check once all the important bits are in place.
Diffstat (limited to 'include')
-rw-r--r--include/conversation.php8
-rwxr-xr-xinclude/items.php10
-rwxr-xr-xinclude/text.php60
3 files changed, 71 insertions, 7 deletions
diff --git a/include/conversation.php b/include/conversation.php
index 2157f8291..a357e1480 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -1009,9 +1009,16 @@ function status_editor($a,$x,$popup=false) {
$geotag = (($x['allow_location']) ? replace_macros(get_markup_template('jot_geotag.tpl'), array()) : '');
$plaintext = true;
+
if(feature_enabled(local_user(),'richtext'))
$plaintext = false;
+ if(intval($x['plaintext']))
+ $plaintext = true;
+
+ if(intval($x['mimeselect']))
+ $mimeselect = mimetype_select($x['profile_uid']);
+
$tpl = get_markup_template('jot-header.tpl');
$a->page['htmlhead'] .= replace_macros($tpl, array(
@@ -1079,6 +1086,7 @@ function status_editor($a,$x,$popup=false) {
'$emtitle' => t('Example: bob@example.com, mary@example.com'),
'$lockstate' => $x['lockstate'],
'$acl' => $x['acl'],
+ '$mimeselect' => $mimeselect,
'$showacl' => ((array_key_exists('showacl',$x)) ? $x['showacl'] : 'yes'),
'$bang' => $x['bang'],
'$profile_uid' => $x['profile_uid'],
diff --git a/include/items.php b/include/items.php
index 712c416de..66172ade3 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1397,14 +1397,10 @@ function item_store($arr,$allow_exec = false) {
$arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 );
$arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 );
- // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
- if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
- if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
- $arr['body'] = escape_tags($arr['body']);
- if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
- $arr['title'] = escape_tags($arr['title']);
- }
+ $arr['body'] = z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']);
+ $arr['title'] = escape_tags($arr['title']);
+
// only detect language if we have text content, and if the post is private but not yet
// obscured, make it so.
diff --git a/include/text.php b/include/text.php
index 99d5c9d78..606ef421c 100755
--- a/include/text.php
+++ b/include/text.php
@@ -81,6 +81,34 @@ function escape_tags($string) {
}
+function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
+
+ if($type === 'text/bbcode')
+ return escape_tags($s);
+ if($type === 'text/markdown')
+ return escape_tags($s);
+ if($type == 'text/plain')
+ return escape_tags($s);
+ $r = q("select account_id, account_roles from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
+ intval($channel_id)
+ );
+ if($r && ($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWEXEC)) {
+ if(local_user() && (get_account_id() == $r[0]['account_id'])) {
+ return $s;
+ }
+ }
+
+ if($type === 'text/html')
+ return purify_html($s);
+
+ return escape_tags($s);
+
+}
+
+
+
+
+
function purify_html($s) {
require_once('library/HTMLPurifier.auto.php');
require_once('include/html2bbcode.php');
@@ -1127,6 +1155,7 @@ function prepare_body(&$item,$attach = false) {
function prepare_text($text,$content_type = 'text/bbcode') {
+
switch($content_type) {
case 'text/plain':
@@ -1291,6 +1320,37 @@ function unamp($s) {
}
+function mimetype_select($channel_id, $current = 'text/bbcode') {
+
+ $x = array(
+ 'text/bbcode',
+ 'text/html',
+ 'text/markdown',
+ 'text/plain'
+ );
+
+ $r = q("select account_flags from account left join channel on account_id = channel_account_id where
+ channel_id = %d limit 1",
+ intval($channel_id)
+ );
+
+ if($r) {
+ if($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) {
+ $x[] = 'application/x-php';
+ }
+ }
+
+ $o = t('Page content type: ');
+ $o .= '<select name="mimetype" id="mimetype-select">';
+ foreach($x as $y) {
+ $select = (($y == $current) ? ' selected="selected" ' : '');
+ $o .= '<option name="' . $y . '"' . $select . '>' . $y . '</option>';
+ }
+ $o .= '</select>';
+
+ return $o;
+
+}