Diffstat (limited to 'include')
-rw-r--r-- | include/bbcode.php | 55 | ||||
-rw-r--r-- | include/conversation.php | 14 | ||||
-rwxr-xr-x | include/items.php | 27 | ||||
-rw-r--r-- | include/menu.php | 5 | ||||
-rwxr-xr-x | include/text.php | 4 |
5 files changed, 98 insertions, 7 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index 2e2faddd6..bd2c7d11a 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -262,6 +262,56 @@ function rpost_callback($match) {
 }
 }
 
+function bb_sanitize_style($input) {
+ //whitelist property limits (0 = no limitation)
+ $w = array( // color properties
+ "color" => 0,
+ "background-color" => 0,
+ // box properties
+ "padding" => array("px"=>100, "%"=>0, "em"=>2, "ex"=>2, "mm"=>0, "cm"=>0, "in"=>0, "pt"=>0, "pc"=>0),
+ "margin" => array("px"=>100, "%"=>0, "em"=>2, "ex"=>2, "mm"=>0, "cm"=>0, "in"=>0, "pt"=>0, "pc"=>0),
+ "border" => array("px"=>100, "%"=>0, "em"=>2, "ex"=>2, "mm"=>0, "cm"=>0, "in"=>0, "pt"=>0, "pc"=>0),
+ "float" => 0,
+ "clear" => 0,
+ // text properties
+ "text-decoration" => 0,
+
+ );
+
+ $css_string = $input[1];
+ $a = explode(';',$css_string);
+ foreach($a as $parts){
+ list($k, $v) = explode(':', $parts);
+ $css[ trim($k) ] = trim($v);
+ }
+
+ // sanitize properties
+ $b = array_merge(array_diff_key($css, $w), array_diff_key($w, $css));
+ $css = array_diff_key($css, $b);
+
+ foreach($css as $key => $value) {
+ if($w[$key] != null) {
+ foreach($w[$key] as $limit_key => $limit_value) {
+ //sanitize values
+ if(strpos($value, $limit_key)) {
+ $value = preg_replace_callback(
+ "/(\S.*?)$limit_key/ism",
+ function($match) use($limit_value, $limit_key) {
+ if($match[1] > $limit_value) {
+ return $limit_value . $limit_key;
+ } else {
+ return $match[1] . $limit_key;
+ }
+ },
+ $value
+ );
+ }
+ }
+ }
+ $css_string_san .= $key . ":" . $value ."; ";
+ }
+ return "<span style=\"" . $css_string_san . "\">" . $input[2] . "</span>";
+}
 // BBcode 2 HTML was written by WAY2WEB.net
 // extended to work with Mistpark/Friendica/Red - Mike Macgirvin
 
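Review bot: bb_sanitize_style() passes the value of every limit-0 property (`color`, `background-color`, `float`, `clear`, `text-decoration`) through unchanged and then concatenates `$css_string_san` straight into `style="..."`, so nothing stops a value from carrying a `"` that closes the attribute, or any other character the permitted properties never need. Validate each value against the small token alphabet those properties actually use before appending it, and escape the assembled attribute with htmlspecialchars() as a second layer; whether the caller already HTML-escapes the body before bbcode() runs is not visible from this hunk and should be confirmed. Two smaller points in the same loop: `list($k, $v) = explode(':', $parts)` raises a notice for a segment without a colon (a trailing `;` produces one), and `$css_string_san` is appended to before being initialised. `$limit_key` is interpolated into the pattern unquoted, which is fine while the keys are the literal units in `$w` but would need preg_quote() if the table ever becomes configurable.
```php
	$css_string_san = '';
	foreach($css as $key => $value) {
		// only the characters the whitelisted properties legitimately use; anything else drops the declaration
		if(! preg_match('/^[A-Za-z0-9#%.\- ]+$/', $value)) {
			continue;
		}
		// … unchanged: per-unit limit loop …
		$css_string_san .= $key . ":" . $value ."; ";
	}
	return '<span style="' . htmlspecialchars($css_string_san, ENT_QUOTES, 'UTF-8') . '">' . $input[2] . '</span>';
```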
@@ -576,6 +626,11 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true) {
 $Text = preg_replace("/\[zmg\=([0-9]*)x([0-9]*) float=right\](.*?)\[\/zmg\]/ism", '<img class="zrl" src="$3" style="width: $1px; float: right;" alt="' . t('Image/photo') . '" >', $Text);
 }
 
+ // style (sanitized)
+ if (strpos($Text,'[/style]') !== false) {
+ $Text = preg_replace_callback("(\[style=(.*?)\](.*?)\[\/style\])ism", "bb_sanitize_style", $Text);
+ }
+
 // crypt
 if (strpos($Text,'[/crypt]') !== false) {
 $x = random_string();
diff --git a/include/conversation.php b/include/conversation.php
index 633435871..77c7bac70 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -1488,6 +1488,19 @@ function profile_tabs($a, $is_owner=False, $nickname=Null){
 'id' => 'files-tab',
 );
 }
+
+ require_once('include/chat.php');
+ $chats = chatroom_list($a->profile['profile_uid']);
+
+ $tabs[] = array(
+ 'label' => t('Chatrooms') . '(' . count($chats) . ')',
+ 'url' => $a->get_baseurl() . '/chat/' . $nickname,
+ 'sel' => ((argv(0) == 'chat') ? 'active' : ''),
+ 'title' => t('Chatrooms'),
+ 'id' => 'chat-tab',
+ );
+
+
 if($is_owner) {
 $tabs[] = array(
 'label' => t('Events'),
@@ -1506,6 +1519,7 @@ function profile_tabs($a, $is_owner=False, $nickname=Null){
 );
 }
 
+
 if($is_owner && feature_enabled($a->profile['profile_uid'],'webpages')) {
 $tabs[] = array(
 'label' => t('Webpages'),
diff --git a/include/items.php b/include/items.php
index 860d714d1..8b9cc8d04 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2107,6 +2107,15 @@ function send_status_notifications($post_id,$item) {
 }
 }
 
+ $link = get_app()->get_baseurl() . '/display/' . $item['mid'];
+
+ $r = q("select id from notify where link = '%s' and uid = %d limit 1",
+ dbesc($link),
+ intval($item['uid'])
+ );
+ if($r)
+ $notify = false;
+
 if(! $notify)
 return;
 require_once('include/enotify.php');
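Review bot: `count($chats)` in the new Chatrooms tab assumes chatroom_list() always returns an array; chatroom_list() is not visible here, and if it hands back false or null when the channel has no rooms, count() emits a warning on PHP 7.2+ and throws a TypeError on PHP 8, breaking the whole tab bar for that profile. Guard the label, e.g. `'label' => t('Chatrooms') . ' (' . ((is_array($chats)) ? count($chats) : 0) . ')',`. profile_tabs() starts and ends outside the hunk.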
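Review bot: the new dedup lookup reuses `$r` (`$r = q("select id from notify ...")`), but the notify() argument array in the next hunk (new line 2124 onward) still reads `'to_xchan' => $r[0]['channel_hash']`; the only path that reaches that array is the one where this lookup returned nothing, so `$r` is empty there and to_xchan ends up unset, unless one of the two unseen lines between the hunks reassigns `$r`. Give the lookup its own variable: `$y = q("select id from notify where link = '%s' and uid = %d limit 1",` … `);` then `if($y)` / `$notify = false;`. Substituting `$link` for the literal in the next hunk is fine on its own. send_status_notifications() begins before this hunk.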
@@ -2115,7 +2124,7 @@ function send_status_notifications($post_id,$item) {
 'from_xchan' => $item['author_xchan'],
 'to_xchan' => $r[0]['channel_hash'],
 'item' => $item,
- 'link' => get_app()->get_baseurl() . '/display/' . $item['mid'],
+ 'link' => $link,
 'verb' => ACTIVITY_POST,
 'otype' => 'item',
 'parent' => $parent,
@@ -2172,14 +2181,20 @@ function tag_deliver($uid,$item_id) {
 
 $terms = get_terms_oftype($item['term'],TERM_BOOKMARK);
 
- if($terms && (! $i[0]['item_restrict'])) {
+ if($terms && (! $item['item_restrict'])) {
 logger('tag_deliver: found bookmark');
- if(perm_is_allowed($u[0]['channel_id'],$i[0]['author_xchan'],'bookmark') && ($i[0]['author_xchan'] != $u[0]['channel_hash'])) {
+ $bookmark_self = intval(get_pconfig($uid,'system','bookmark_self'));
+ if(perm_is_allowed($u[0]['channel_id'],$item['author_xchan'],'bookmark') && (($item['author_xchan'] != $u[0]['channel_hash']) || ($bookmark_self))) {
 require_once('include/bookmarks.php');
 require_once('include/Contact.php');
- $s = channelx_by_hash($i[0]['author_xchan']);
- foreach($terms as $t) {
- bookmark_add($u[0],$s[0],$t,$i[0]['item_private']);
+
+ $s = q("select * from xchan where xchan_hash = '%s' limit 1",
+ dbesc($item['author_xchan'])
+ );
+ if($s) {
+ foreach($terms as $t) {
+ bookmark_add($u[0],$s[0],$t,$item['item_private']);
+ }
 }
 }
 }
diff --git a/include/menu.php b/include/menu.php
index 105e4216b..813d7bcdb 100644
--- a/include/menu.php
+++ b/include/menu.php
@@ -1,6 +1,7 @@
 <?php /** @file */
 
 require_once('include/security.php');
+require_once('include/bbcode.php');
 
 function menu_fetch($name,$uid,$observer_xchan) {
 
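Review bot: the rewritten condition in tag_deliver() compares two channel hashes with `!=`; both operands are strings and PHP's loose comparison evaluates numeric-looking strings by value, so use the strict form: `(($item['author_xchan'] !== $u[0]['channel_hash']) || ($bookmark_self))`. `$bookmark_self` is also read from pconfig for every item that carries bookmark terms although it only matters when the author is the channel itself; moving the get_pconfig() call into that branch avoids the lookup in the common case. tag_deliver() starts outside the hunk.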
@@ -27,11 +28,13 @@ function menu_render($menu) {
 if(! $menu)
 return '';
 
- for($x = 0; $x < count($menu['items']); $x ++)
+ for($x = 0; $x < count($menu['items']); $x ++) {
 if($menu['items'][$x]['mitem_flags'] & MENU_ITEM_ZID)
 $menu['items'][$x]['mitem_link'] = zid($menu['items'][$x]['mitem_link']);
 if($menu['items'][$x]['mitem_flags'] & MENU_ITEM_NEWWIN)
 $menu['items'][$x]['newwin'] = '1';
+ $menu['items'][$x]['mitem_desc'] = bbcode($menu['items'][$x]['mitem_desc']);
+ }
 
 return replace_macros(get_markup_template('usermenu.tpl'),array(
 '$menu' => $menu['menu'],
diff --git a/include/text.php b/include/text.php
index 266d8952b..2b334068f 100755
--- a/include/text.php
+++ b/include/text.php
@@ -565,6 +565,10 @@ function get_tags($s) {
 
 $s = preg_replace('/\[code\](.*?)\[\/code\]/sm','',$s);
 
+ // ignore anything in [style= ]
+
+ $s = preg_replace('/\[style=(.*?)\]/sm','',$s);
+
 // Match full names against @tags including the space between first and last
 // We will look these up afterward to see if they are full names or not recognisable.
 
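Review bot: `bbcode($menu['items'][$x]['mitem_desc'])` turns each stored description into HTML at render time, so usermenu.tpl must now emit `mitem_desc` unescaped, and whatever protected the page before (escaping in the template, or at save time) is what now decides whether a description can inject markup; neither the template nor the save path is visible here, so confirm that mitem_desc is HTML-escaped before it is stored, since bbcode() does not escape its input. A one-line comment on the new line would help the next reader: `// mitem_desc is rendered as bbcode: the template must output it raw, so the save path must escape it`. menu_render() continues past the hunk.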
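Review bot: the comment `// ignore anything in [style= ]` does not say why the opening tag is stripped at this point; get_tags() collects tags from the text and a style value such as `#ff0000` would presumably otherwise be picked up as a hashtag, so state that: `// strip [style=...] so colour values like #ff0000 are not read as hashtags`. The `m` modifier does nothing for a pattern without anchors, and only the opening tag is removed while `[/style]` stays behind, which is harmless for tag matching but worth a word in the same comment. get_tags() starts before the hunk.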