add $deliver flag to item_store() and item_store_update() [default true]. If false, do not send any notifications or process tag_deliver. This should avoid any network activity from happening as the result of a channel (actually item) import. Other minor fixes in the handling of the $allow_exec flag and further protecting CSS passed to widgets from rogue code and XSS.

2 files changed, 1 insertions, 7 deletions

diff --git a/mod/import_items.php b/mod/import_items.php
index 6b97939c9..f369ad780 100644
--- a/mod/import_items.php
+++ b/mod/import_items.php
@@ -86,14 +86,11 @@ function import_items_post(&$a) {
 
 	$channel = $a->get_channel();
 
-	$saved_notification_flags = notifications_off($channel['channel_id']);
 
 	if(array_key_exists('item',$data) && $data['item']) {
 		import_items($channel,$data['item']);
 	}
 
-	notifications_on($channel['channel_id'],$saved_notification_flags);
-
 	if(array_key_exists('item_id',$data) && $data['item_id']) {
 		import_item_ids($channel,$data['item_id']);
 	}
@@ -107,9 +104,6 @@ function import_items_post(&$a) {
 
 function import_items_content(&$a) {
 
-
-
-
 	if(! local_channel()) {
 		notice( t('Permission denied') . EOL);
 		return login();
diff --git a/mod/item.php b/mod/item.php
index b6d00e030..f100c9dfe 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -446,7 +446,7 @@ function item_post(&$a) {
 
 	$execflag = false;
 
-	if($mimetype === 'application/x-php') {
+	if($mimetype !== 'text/bbcode') {
 		$z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
 			intval($profile_uid)
 		);