Diffstat (limited to 'include')
-rw-r--r--include/bbcode.php55
-rw-r--r--include/conversation.php14
-rwxr-xr-xinclude/items.php27
-rw-r--r--include/menu.php5
-rwxr-xr-xinclude/text.php4
5 files changed, 98 insertions, 7 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index 2e2faddd6..bd2c7d11a 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -262,6 +262,56 @@ function rpost_callback($match) {
}
}
+function bb_sanitize_style($input) {
+ //whitelist property limits (0 = no limitation)
+ $w = array( // color properties
+ "color" => 0,
+ "background-color" => 0,
+ // box properties
+ "padding" => array("px"=>100, "%"=>0, "em"=>2, "ex"=>2, "mm"=>0, "cm"=>0, "in"=>0, "pt"=>0, "pc"=>0),
+ "margin" => array("px"=>100, "%"=>0, "em"=>2, "ex"=>2, "mm"=>0, "cm"=>0, "in"=>0, "pt"=>0, "pc"=>0),
+ "border" => array("px"=>100, "%"=>0, "em"=>2, "ex"=>2, "mm"=>0, "cm"=>0, "in"=>0, "pt"=>0, "pc"=>0),
+ "float" => 0,
+ "clear" => 0,
+ // text properties
+ "text-decoration" => 0,
+
+ );
+
+ $css_string = $input[1];
+ $a = explode(';',$css_string);
+ foreach($a as $parts){
+ list($k, $v) = explode(':', $parts);
+ $css[ trim($k) ] = trim($v);
+ }
+
+ // sanitize properties
+ $b = array_merge(array_diff_key($css, $w), array_diff_key($w, $css));
+ $css = array_diff_key($css, $b);
+
+ foreach($css as $key => $value) {
+ if($w[$key] != null) {
+ foreach($w[$key] as $limit_key => $limit_value) {
+ //sanitize values
+ if(strpos($value, $limit_key)) {
+ $value = preg_replace_callback(
+ "/(\S.*?)$limit_key/ism",
+ function($match) use($limit_value, $limit_key) {
+ if($match[1] > $limit_value) {
+ return $limit_value . $limit_key;
+ } else {
+ return $match[1] . $limit_key;
+ }
+ },
+ $value
+ );
+ }
+ }
+ }
+ $css_string_san .= $key . ":" . $value ."; ";
+ }
+ return "<span style=\"" . $css_string_san . "\">" . $input[2] . "</span>";
+}
// BBcode 2 HTML was written by WAY2WEB.net
// extended to work with Mistpark/Friendica/Red - Mike Macgirvin
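Review bot: Property values reach the `style="…"` attribute at L69 unvalidated and unescaped: the clamping loop at L48-L66 only touches whitelist entries that are arrays, so `color`, `background-color`, `float`, `clear` and `text-decoration` are appended verbatim at L67, and even clamped values keep whatever non-numeric text surrounds the unit. Whether a `"` or a `url(`/`expression(` token can survive to this point depends on escaping applied before bbcode() runs, which is not visible here, so the function itself should constrain each value and attribute-escape it, e.g. `if(! preg_match('/^[A-Za-z0-9#%.,\s-]+$/', $value)) continue;` before the append and `$css_string_san .= $key . ':' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '; ';` (add `()` to the class only if `rgb()` is wanted, and then reject `expression(` and `url(` explicitly). Two smaller defects: the inner loop never honours the "0 = no limitation" comment, so `padding: 5%` is rewritten to `padding:0%` (skip the clamp when `$limit_value` is 0), and `$css_string_san` plus the `list($k, $v)` on a trailing empty segment after the final `;` are used uninitialised.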
@@ -576,6 +626,11 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true) {
$Text = preg_replace("/\[zmg\=([0-9]*)x([0-9]*) float=right\](.*?)\[\/zmg\]/ism", '<img class="zrl" src="$3" style="width: $1px; float: right;" alt="' . t('Image/photo') . '" >', $Text);
}
+ // style (sanitized)
+ if (strpos($Text,'[/style]') !== false) {
+ $Text = preg_replace_callback("(\[style=(.*?)\](.*?)\[\/style\])ism", "bb_sanitize_style", $Text);
+ }
+
// crypt
if (strpos($Text,'[/crypt]') !== false) {
$x = random_string();
diff --git a/include/conversation.php b/include/conversation.php
index 633435871..77c7bac70 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -1488,6 +1488,19 @@ function profile_tabs($a, $is_owner=False, $nickname=Null){
'id' => 'files-tab',
);
}
+
+ require_once('include/chat.php');
+ $chats = chatroom_list($a->profile['profile_uid']);
+
+ $tabs[] = array(
+ 'label' => t('Chatrooms') . '(' . count($chats) . ')',
+ 'url' => $a->get_baseurl() . '/chat/' . $nickname,
+ 'sel' => ((argv(0) == 'chat') ? 'active' : ''),
+ 'title' => t('Chatrooms'),
+ 'id' => 'chat-tab',
+ );
+
+
if($is_owner) {
$tabs[] = array(
'label' => t('Events'),
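Review bot: `count($chats)` at L97 assumes chatroom_list() returns an array; if it returns false or null for a channel with no rooms (its return shape is not visible here), PHP 7.2+ warns and PHP 8 throws a TypeError while building the profile tabs, so guard it with `$n = is_array($chats) ? count($chats) : 0;` and use `$n` in the label. The tab is also added for every observer regardless of `$is_owner` or any feature flag, unlike the Webpages tab a few lines below, and the room count is shown to whoever views the profile; if chatroom_list() does not itself filter by observer permissions this discloses the number of rooms a viewer cannot enter, so consider gating the tab the same way the neighbouring tabs are. profile_tabs() begins before this hunk.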
@@ -1506,6 +1519,7 @@ function profile_tabs($a, $is_owner=False, $nickname=Null){
);
}
+
if($is_owner && feature_enabled($a->profile['profile_uid'],'webpages')) {
$tabs[] = array(
'label' => t('Webpages'),
diff --git a/include/items.php b/include/items.php
index 860d714d1..8b9cc8d04 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2107,6 +2107,15 @@ function send_status_notifications($post_id,$item) {
}
}
+ $link = get_app()->get_baseurl() . '/display/' . $item['mid'];
+
+ $r = q("select id from notify where link = '%s' and uid = %d limit 1",
+ dbesc($link),
+ intval($item['uid'])
+ );
+ if($r)
+ $notify = false;
+
if(! $notify)
return;
require_once('include/enotify.php');
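Review bot: The dedup query at L124 reuses `$r`, but the notification built a few lines later reads `$r[0]['channel_hash']` as the recipient (L136 in the next hunk), which the earlier `$r` evidently held; when no existing notify row is found, `$r` is now an empty result and `to_xchan` is undefined, unless `$r` is reassigned in the two lines not shown between the hunks. Store the lookup in a fresh variable: `$dup = q("select id from notify where link = '%s' and uid = %d limit 1", dbesc($link), intval($item['uid']));` and `if($dup) $notify = false;`. send_status_notifications() starts before this hunk.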
@@ -2115,7 +2124,7 @@ function send_status_notifications($post_id,$item) {
'from_xchan' => $item['author_xchan'],
'to_xchan' => $r[0]['channel_hash'],
'item' => $item,
- 'link' => get_app()->get_baseurl() . '/display/' . $item['mid'],
+ 'link' => $link,
'verb' => ACTIVITY_POST,
'otype' => 'item',
'parent' => $parent,
@@ -2172,14 +2181,20 @@ function tag_deliver($uid,$item_id) {
$terms = get_terms_oftype($item['term'],TERM_BOOKMARK);
- if($terms && (! $i[0]['item_restrict'])) {
+ if($terms && (! $item['item_restrict'])) {
logger('tag_deliver: found bookmark');
- if(perm_is_allowed($u[0]['channel_id'],$i[0]['author_xchan'],'bookmark') && ($i[0]['author_xchan'] != $u[0]['channel_hash'])) {
+ $bookmark_self = intval(get_pconfig($uid,'system','bookmark_self'));
+ if(perm_is_allowed($u[0]['channel_id'],$item['author_xchan'],'bookmark') && (($item['author_xchan'] != $u[0]['channel_hash']) || ($bookmark_self))) {
require_once('include/bookmarks.php');
require_once('include/Contact.php');
- $s = channelx_by_hash($i[0]['author_xchan']);
- foreach($terms as $t) {
- bookmark_add($u[0],$s[0],$t,$i[0]['item_private']);
+
+ $s = q("select * from xchan where xchan_hash = '%s' limit 1",
+ dbesc($item['author_xchan'])
+ );
+ if($s) {
+ foreach($terms as $t) {
+ bookmark_add($u[0],$s[0],$t,$item['item_private']);
+ }
}
}
}
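Review bot: The new `bookmark_self` switch at L149-L150 widens which posts may create bookmarks on this channel, but nothing in the hunk says what it means; a comment on L149 such as `// system.bookmark_self: also file bookmarks from posts the channel owner wrote (off unless set)` would tell the next reader why the self-check is bypassed. Note that perm_is_allowed() is still evaluated for the owner's own xchan in that case; confirm it grants 'bookmark' to self, otherwise the setting has no effect. tag_deliver() starts before this hunk.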
diff --git a/include/menu.php b/include/menu.php
index 105e4216b..813d7bcdb 100644
--- a/include/menu.php
+++ b/include/menu.php
@@ -1,6 +1,7 @@
<?php /** @file */
require_once('include/security.php');
+require_once('include/bbcode.php');
function menu_fetch($name,$uid,$observer_xchan) {
@@ -27,11 +28,13 @@ function menu_render($menu) {
if(! $menu)
return '';
- for($x = 0; $x < count($menu['items']); $x ++)
+ for($x = 0; $x < count($menu['items']); $x ++) {
if($menu['items'][$x]['mitem_flags'] & MENU_ITEM_ZID)
$menu['items'][$x]['mitem_link'] = zid($menu['items'][$x]['mitem_link']);
if($menu['items'][$x]['mitem_flags'] & MENU_ITEM_NEWWIN)
$menu['items'][$x]['newwin'] = '1';
+ $menu['items'][$x]['mitem_desc'] = bbcode($menu['items'][$x]['mitem_desc']);
+ }
return replace_macros(get_markup_template('usermenu.tpl'),array(
'$menu' => $menu['menu'],
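Review bot: Running `mitem_desc` through bbcode() at L185 turns the description into HTML, so the result is only safe if the stored value was tag-escaped when the menu item was saved and usermenu.tpl prints it raw rather than escaping it again; neither is visible here, so verify the menu editor's escaping path before relying on this, since a raw `<script>` in a stored description would now be rendered as-is. bbcode() is called with its defaults and its third parameter is named `$tryoembed` (L73), so if that performs remote oembed fetches, every render of the menu now does so for each link in a description; `bbcode($menu['items'][$x]['mitem_desc'], false, false)` avoids that on a per-page path. `count($menu['items'])` is also re-evaluated on every iteration and can be hoisted. menu_render() starts before this hunk.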
diff --git a/include/text.php b/include/text.php
index 266d8952b..2b334068f 100755
--- a/include/text.php
+++ b/include/text.php
@@ -565,6 +565,10 @@ function get_tags($s) {
$s = preg_replace('/\[code\](.*?)\[\/code\]/sm','',$s);
+ // ignore anything in [style= ]
+
+ $s = preg_replace('/\[style=(.*?)\]/sm','',$s);
+
// Match full names against @tags including the space between first and last
// We will look these up afterward to see if they are full names or not recognisable.