Diffstat (limited to 'include/items.php')
-rwxr-xr-xinclude/items.php53
1 files changed, 30 insertions, 23 deletions
diff --git a/include/items.php b/include/items.php
index 10bdcb38f..66172ade3 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1361,6 +1361,17 @@ function item_store($arr,$allow_exec = false) {
return 0;
}
+ // If a page layout is provided, ensure it exists and belongs to us.
+
+ if(array_key_exists('layout_mid',$arr) && $arr['layout_mid']) {
+ $l = q("select item_restrict from item where mid = '%s' and uid = %d limit 1",
+ dbesc($arr['layout_mid']),
+ intval($arr['uid'])
+ );
+ if((! $l) || (! ($l[0]['item_restrict'] & ITEM_PDL)))
+ unset($arr['layout_mid']);
+ }
+
// Don't let anybody set these, either intentionally or accidentally
if(array_key_exists('id',$arr))
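Review bot: The new ownership check drops a rejected `layout_mid` silently, so an item that references a layout from another channel, or one that is not a PDL, is stored with no trace of the attempt. A log line in the `unset` branch would make this visible to an operator, for example `logger('item_store: layout_mid rejected for uid ' . intval($arr['uid']) . ': ' . $arr['layout_mid']);`, assuming the project's usual logging helper is in scope here. Adding it also means bracing the `if`, since the branch is currently a single unbraced statement. The body of item_store starts and ends outside this hunk.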
@@ -1386,14 +1397,10 @@ function item_store($arr,$allow_exec = false) {
$arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 );
$arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 );
- // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
- if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
- if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
- $arr['body'] = escape_tags($arr['body']);
- if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
- $arr['title'] = escape_tags($arr['title']);
- }
+ $arr['body'] = z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']);
+ $arr['title'] = escape_tags($arr['title']);
+
// only detect language if we have text content, and if the post is private but not yet
// obscured, make it so.
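Review bot: The body filter on the new `z_input_filter($arr['uid'],$arr['body'],$arr['mimetype'])` line is keyed on the storing channel's uid, not on the `$allow_exec` argument that item_store already receives. Whether `text/html` or `application/x-php` bodies get through therefore appears to depend on whose channel the item lands in, not on who authored it. z_input_filter() is not visible in this diff, so this is inferred. If it relaxes filtering for privileged channels, content from another author stored under such a uid would inherit that relaxation. At minimum the trust assumption should be documented above the call, e.g. `// NOTE: filtering is decided per $arr['uid']; callers storing third-party content must confirm z_input_filter still strips active markup`. The unconditional `escape_tags()` on the title is a clear improvement over the removed mimetype-dependent branch.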
@@ -2320,21 +2327,21 @@ function dfrn_deliver($owner,$contact,$atom, $dissolve = false) {
if(! $rino_enable)
$rino = 0;
- $ssl_val = intval(get_config('system','ssl_policy'));
- $ssl_policy = '';
-
- switch($ssl_val){
- case SSL_POLICY_FULL:
- $ssl_policy = 'full';
- break;
- case SSL_POLICY_SELFSIGN:
- $ssl_policy = 'self';
- break;
- case SSL_POLICY_NONE:
- default:
- $ssl_policy = 'none';
- break;
- }
+// $ssl_val = intval(get_config('system','ssl_policy'));
+// $ssl_policy = '';
+
+// switch($ssl_val){
+// case SSL_POLICY_FULL:
+// $ssl_policy = 'full';
+// break;
+// case SSL_POLICY_SELFSIGN:
+// $ssl_policy = 'self';
+// break;
+// case SSL_POLICY_NONE:
+// default:
+// $ssl_policy = 'none';
+// break;
+// }
$url = $contact['notify'] . '&dfrn_id=' . $idtosend . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . (($rino) ? '&rino=1' : '');
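Review bot: The `ssl_policy` lookup is commented out line by line at column 0 rather than deleted, and the same is done to `$postvars['ssl_policy']` in the next hunk of dfrn_deliver. Dead code like this ages badly, and nothing on the page says why the delivery request no longer carries the policy. Either delete both spans and rely on version control, or leave a single line that states the reason, such as `// ssl_policy is no longer sent with DFRN deliveries: <reason>`. If anything on the receiving side still reads that post variable, confirm it fails closed when the variable is absent.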
@@ -2423,7 +2430,7 @@ function dfrn_deliver($owner,$contact,$atom, $dissolve = false) {
$postvars['perm'] = 'r';
}
- $postvars['ssl_policy'] = $ssl_policy;
+// $postvars['ssl_policy'] = $ssl_policy;
if($page)
$postvars['page'] = $page;