diff options
author | Friendika <info@friendika.com> | 2011-02-01 17:50:49 -0800 |
---|---|---|
committer | Friendika <info@friendika.com> | 2011-02-01 17:50:49 -0800 |
commit | bafae56b39d018dd2ef778399fd753302e0ab8c3 (patch) | |
tree | 21ab3f3c914f2187e2f577bc5ee414c985448e4e /include | |
parent | 968e8bb9c4a1183483e487a1c1ac557fa9c21ad0 (diff) | |
download | volse-hubzilla-bafae56b39d018dd2ef778399fd753302e0ab8c3.tar.gz volse-hubzilla-bafae56b39d018dd2ef778399fd753302e0ab8c3.tar.bz2 volse-hubzilla-bafae56b39d018dd2ef778399fd753302e0ab8c3.zip |
make sure content is unaltered
Diffstat (limited to 'include')
-rw-r--r-- | include/items.php | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/include/items.php b/include/items.php index d06cc30cd..d091e4c03 100644 --- a/include/items.php +++ b/include/items.php @@ -388,7 +388,8 @@ function get_atom_elements($feed,$item) { $have_real_body = true; $res['body'] = $rawenv[0]['data']; $res['body'] = str_replace(array(' ',"\t","\r","\n"), array('','','',''),$res['body']); - $res['body'] = base64url_decode($res['body']); + // make sure nobody is trying to sneak some html tags by us + $res['body'] = notags(base64url_decode($res['body'])); $res['realbody'] = true; } @@ -407,27 +408,29 @@ function get_atom_elements($feed,$item) { // html. - if((! $have_real_body) || (strpos($res['body'],'<')) || (strpos($res['body'],'>'))) { + if(! $have_real_body) { + if((strpos($res['body'],'<')) || (strpos($res['body'],'>'))) { - $res['body'] = preg_replace('#<object[^>]+>.+?' . 'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s', - '[youtube]$1[/youtube]', $res['body']); + $res['body'] = preg_replace('#<object[^>]+>.+?' . 'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s', + '[youtube]$1[/youtube]', $res['body']); - $res['body'] = oembed_html2bbcode($res['body']); + $res['body'] = oembed_html2bbcode($res['body']); - $config = HTMLPurifier_Config::createDefault(); - $config->set('Cache.DefinitionImpl', null); + $config = HTMLPurifier_Config::createDefault(); + $config->set('Cache.DefinitionImpl', null); - // we shouldn't need a whitelist, because the bbcode converter - // will strip out any unsupported tags. - // $config->set('HTML.Allowed', 'p,b,a[href],i'); + // we shouldn't need a whitelist, because the bbcode converter + // will strip out any unsupported tags. + // $config->set('HTML.Allowed', 'p,b,a[href],i'); - $purifier = new HTMLPurifier($config); - $res['body'] = $purifier->purify($res['body']); + $purifier = new HTMLPurifier($config); + $res['body'] = $purifier->purify($res['body']); - $res['body'] = html2bbcode($res['body']); + $res['body'] = html2bbcode($res['body']); + } + else + $res['body'] = escape_tags($res['body']); } - else - $res['body'] = escape_tags($res['body']); $allow = $item->get_item_tags(NAMESPACE_DFRN,'comment-allow'); |