Diffstat (limited to 'include')
-rw-r--r--include/attach.php4
-rw-r--r--include/channel.php4
-rw-r--r--include/connections.php4
-rw-r--r--include/markdown.php42
-rw-r--r--include/nav.php8
-rw-r--r--include/network.php16
-rw-r--r--include/permissions.php17
-rwxr-xr-xinclude/plugin.php29
-rw-r--r--include/text.php4
-rw-r--r--include/zot.php6
10 files changed, 90 insertions, 44 deletions
diff --git a/include/attach.php b/include/attach.php
index 2a9badaac..202412263 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -2325,6 +2325,7 @@ function attach_move($channel_id, $resource_id, $new_folder_hash) {
return false;
$newdirname = $n[0]['filename'];
+ $newalbumname = $n[0]['display_path'];
$newstorepath = dbunescbin($n[0]['content']) . '/' . $resource_id;
}
else {
@@ -2332,6 +2333,7 @@ function attach_move($channel_id, $resource_id, $new_folder_hash) {
// root directory
$newdirname = EMPTY_STR;
+ $newalbumname = EMPTY_STR;
$newstorepath = 'store/' . $c['channel_address'] . '/' . $resource_id;
}
@@ -2419,7 +2421,7 @@ function attach_move($channel_id, $resource_id, $new_folder_hash) {
if($r[0]['is_photo']) {
$t = q("update photo set album = '%s', filename = '%s', os_path = '%s', display_path = '%s'
where resource_id = '%s' and uid = %d",
- dbesc($newdirname),
+ dbesc($newalbumname),
dbesc($filename),
dbesc($x['os_path']),
dbesc($x['path']),
diff --git a/include/channel.php b/include/channel.php
index d26056171..d7c5a2511 100644
--- a/include/channel.php
+++ b/include/channel.php
@@ -1710,9 +1710,9 @@ function zid_init() {
// try to avoid recursion - but send them home to do a proper magic auth
$query = App::$query_string;
$query = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$query);
- $dest = '/' . urlencode($query);
+ $dest = '/' . $query;
if($r && ($r[0]['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) {
- goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&dest=' . z_root() . $dest);
+ goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&bdest=' . bin2hex(z_root() . $dest));
}
else
logger('No hubloc found.');
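Review bot: The `bdest` value built in the goaway() call is the hex of z_root() plus the request's raw query string, so bin2hex() only makes the nested URL safe to carry and does not constrain where the redirect ends up. The /magic handler that decodes it is not part of this diff, so confirm there that a failed hex2bin() is rejected and that the decoded destination is checked before redirecting. A one-line comment above the call would make that contract visible, e.g. `// bdest is hex-encoded for transport only; the /magic handler must validate it after decoding`. zid_init() starts and ends outside this hunk.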
diff --git a/include/connections.php b/include/connections.php
index 20f7c24ff..129bcdc8d 100644
--- a/include/connections.php
+++ b/include/connections.php
@@ -120,7 +120,7 @@ function vcard_from_xchan($xchan, $observer = null, $mode = '') {
App::$profile_uid = $xchan['channel_id'];
$url = (($observer)
- ? z_root() . '/magic?f=&owa=1&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']
+ ? z_root() . '/magic?f=&owa=1&bdest=' . bin2hex($xchan['xchan_url']) . '&addr=' . $xchan['xchan_addr']
: $xchan['xchan_url']
);
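Review bot: In the new `$url` expression only the destination is encoded; `$xchan['xchan_addr']` is still concatenated raw into the query string after `&addr=`. A value containing `&`, `#` or `+` would cut or alter the parameter, and xchan fields presumably originate from remote sites. Suggest `'&addr=' . urlencode($xchan['xchan_addr'])`. The same applies to `$myaddr` in magiclink_url() and to `$item['author_xchan']` after `&hash=` in theme_attachments(), both in include/text.php. vcard_from_xchan() extends beyond this hunk.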
@@ -380,7 +380,7 @@ function contact_remove($channel_id, $abook_id) {
);
if($r) {
foreach($r as $rr) {
- $x = q("select uid from term where otype = %d and oid = %d ttype = %d limit 1",
+ $x = q("select uid from term where otype = %d and oid = %d and ttype = %d limit 1",
intval(TERM_OBJ_POST),
intval($rr['id']),
intval(TERM_FILE)
diff --git a/include/markdown.php b/include/markdown.php
index de9862801..058b79909 100644
--- a/include/markdown.php
+++ b/include/markdown.php
@@ -74,8 +74,11 @@ function markdown_to_bb($s, $use_zrl = false, $options = []) {
// Convert everything that looks like a link to a link
if($use_zrl) {
- $s = str_replace(['[img', '/img]'], ['[zmg', '/zmg]'], $s);
- $s = preg_replace("/([^\]\=\{]|^)(https?\:\/\/)([a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]+)/ismu", '$1[zrl=$2$3]$2$3[/zrl]',$s);
+ if (strpos($s,'[/img]') !== false) {
+ $s = preg_replace_callback("/\[img\](.*?)\[\/img\]/ism", 'use_zrl_cb_img', $s);
+ $s = preg_replace_callback("/\[img\=([0-9]*)x([0-9]*)\](.*?)\[\/img\]/ism", 'use_zrl_cb_img_x', $s);
+ }
+ $s = preg_replace_callback("/([^\]\=\{]|^)(https?\:\/\/)([a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]+)/ismu", 'use_zrl_cb_link',$s);
}
else {
$s = preg_replace("/([^\]\=\{]|^)(https?\:\/\/)([a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]+)/ismu", '$1[url=$2$3]$2$3[/url]',$s);
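Review bot: The guard `strpos($s,'[/img]') !== false` is case-sensitive, but both patterns inside it carry the `i` modifier, so text that closes with `[/IMG]` skips the zmg conversion the regexes would otherwise perform. Use `if (stripos($s, '[/img]') !== false) {` or drop the guard. Note also that the removed str_replace rewrote every `[img`, whereas the new code handles only `[img]` and `[img=WxH]`; any other form now stays as `[img`. markdown_to_bb() continues outside this hunk.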
@@ -96,6 +99,41 @@ function markdown_to_bb($s, $use_zrl = false, $options = []) {
return $s;
}
+function use_zrl_cb_link($match) {
+ $res = '';
+ $is_zid = is_matrix_url(trim($match[0]));
+
+ if($is_zid)
+ $res = $match[1] . '[zrl=' . $match[2] . $match[3] . ']' . $match[2] . $match[3] . '[/zrl]';
+ else
+ $res = $match[1] . '[url=' . $match[2] . $match[3] . ']' . $match[2] . $match[3] . '[/url]';
+
+ return $res;
+}
+
+function use_zrl_cb_img($match) {
+ $res = '';
+ $is_zid = is_matrix_url(trim($match[1]));
+
+ if($is_zid)
+ $res = '[zmg]' . $match[1] . '[/zmg]';
+ else
+ $res = $match[0];
+
+ return $res;
+}
+
+function use_zrl_cb_img_x($match) {
+ $res = '';
+ $is_zid = is_matrix_url(trim($match[3]));
+
+ if($is_zid)
+ $res = '[zmg=' . $match[1] . 'x' . $match[2] . ']' . $match[3] . '[/zmg]';
+ else
+ $res = $match[0];
+
+ return $res;
+}
/**
* @brief
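Review bot: use_zrl_cb_link() passes `trim($match[0])` to is_matrix_url(), but `$match[0]` includes the leading character captured by group 1, and trim() removes it only when it is whitespace. For a URL preceded by a character such as `(`, the check receives `(https://…`, which presumably fails to resolve and downgrades the link to `[url]`. Pass the URL alone: `$is_zid = is_matrix_url($match[2] . $match[3]);`. The three callbacks also lack the docblocks used elsewhere in this file; a short one each, stating the `$match` groups expected and the bbcode returned, would help.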
diff --git a/include/nav.php b/include/nav.php
index 41358c93e..56fe9b901 100644
--- a/include/nav.php
+++ b/include/nav.php
@@ -105,12 +105,12 @@ function nav($template = 'default') {
$nav['logout'] = ['logout',t('Logout'), "", t('End this session'),'logout_nav_btn'];
// user menu
- $nav['usermenu'][] = ['profile/' . $channel['channel_address'], t('View Profile'), ((\App::$nav_sel['name'] == 'Profile') ? 'active' : ''), t('Your profile page'),'profile_nav_btn'];
+ $nav['usermenu'][] = ['profile/' . $channel['channel_address'], t('View Profile'), ((\App::$nav_sel['raw_name'] == 'Profile') ? 'active' : ''), t('Your profile page'),'profile_nav_btn'];
if(feature_enabled(local_channel(),'multi_profiles'))
- $nav['usermenu'][] = ['profiles', t('Edit Profiles'), ((\App::$nav_sel['name'] == 'Profiles') ? 'active' : '') , t('Manage/Edit profiles'),'profiles_nav_btn'];
+ $nav['usermenu'][] = ['profiles', t('Edit Profiles'), ((\App::$nav_sel['raw_name'] == 'Profiles') ? 'active' : '') , t('Manage/Edit profiles'),'profiles_nav_btn'];
else
- $nav['usermenu'][] = ['profiles/' . $prof[0]['id'], t('Edit Profile'), ((\App::$nav_sel['name'] == 'Profiles') ? 'active' : ''), t('Edit your profile'),'profiles_nav_btn'];
+ $nav['usermenu'][] = ['profiles/' . $prof[0]['id'], t('Edit Profile'), ((\App::$nav_sel['raw_name'] == 'Profiles') ? 'active' : ''), t('Edit your profile'),'profiles_nav_btn'];
}
else {
@@ -175,7 +175,7 @@ function nav($template = 'default') {
$search_form_action = 'network';
break;
case 'channel':
- $search_form_action = 'channel';
+ $search_form_action = 'channel/' . App::$profile['channel_address'];
break;
default:
$search_form_action = 'search';
diff --git a/include/network.php b/include/network.php
index 91a39a6cb..6961bf0ba 100644
--- a/include/network.php
+++ b/include/network.php
@@ -1923,23 +1923,23 @@ function scrape_vcard($url) {
$level2 = $item->getElementsByTagName('*');
foreach($level2 as $x) {
if(attribute_contains($x->getAttribute('id'),'pod_location'))
- $ret['pod_location'] = $x->textContent;
+ $ret['pod_location'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'fn'))
- $ret['fn'] = $x->textContent;
+ $ret['fn'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'uid'))
- $ret['uid'] = $x->textContent;
+ $ret['uid'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'nickname'))
- $ret['nick'] = $x->textContent;
+ $ret['nick'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'searchable'))
- $ret['searchable'] = $x->textContent;
+ $ret['searchable'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'key'))
$ret['public_key'] = $x->textContent;
if(attribute_contains($x->getAttribute('class'),'given_name'))
- $ret['given_name'] = $x->textContent;
+ $ret['given_name'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'family_name'))
- $ret['family_name'] = $x->textContent;
+ $ret['family_name'] = escape_tags($x->textContent);
if(attribute_contains($x->getAttribute('class'),'url'))
- $ret['url'] = $x->textContent;
+ $ret['url'] = escape_tags($x->textContent);
if((attribute_contains($x->getAttribute('class'),'photo'))
|| (attribute_contains($x->getAttribute('class'),'avatar'))) {
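Review bot: `$ret['public_key']` is the one text field in this run still assigned from `$x->textContent` without escape_tags(). If that is deliberate because the key must stay byte-exact, say so in a comment such as `// key is kept raw; it is never rendered as HTML`; otherwise it is an oversight. For `$ret['url']`, tag escaping does not restrict the scheme, so consumers that emit it as a link should still check that it is http(s). scrape_vcard() starts and ends outside this hunk, and the photo/avatar branch is cut off here.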
diff --git a/include/permissions.php b/include/permissions.php
index 185d37b6a..115d96eca 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -16,11 +16,14 @@ require_once('include/security.php');
*
* @param int $uid The channel_id associated with the resource owner
* @param string $observer_xchan The xchan_hash representing the observer
- * @param bool $internal_use (default true)
+ * @param bool $check_siteblock (default true)
+ * if false, bypass check for "Block Public" on the site
+ * @param bool $default_ignored (default true)
+ * if false, lie and pretend the ignored person has permissions you are ignoring (used in channel discovery)
*
* @returns array of all permissions, key is permission name, value is true or false
*/
-function get_all_perms($uid, $observer_xchan, $internal_use = true) {
+function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_ignored = true) {
$api = App::get_oauth_key();
if($api)
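Review bot: The third positional parameter of get_all_perms() changes meaning here: `false` used to switch off the ignored-connection override (`$internal_use`) and now switches off the site-wide Block Public check (`$check_siteblock`). Any caller that still passes a bare `false` as the third argument silently changes behaviour, and since the diffstat is limited to include/, callers elsewhere in the tree are not visible and should be audited. Keeping the old flag in position three and appending the new one, `function get_all_perms($uid, $observer_xchan, $default_ignored = true, $check_siteblock = true)`, would avoid the silent swap. The docblock for perm_is_allowed() also writes `boolean` where this one writes `bool`.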
@@ -111,7 +114,7 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
$blocked_anon_perms = \Zotlabs\Access\Permissions::BlockedAnonPerms();
- if(($x) && ($internal_use) && in_array($perm_name,$blocked_anon_perms) && intval($x[0]['abook_ignored'])) {
+ if(($x) && ($default_ignored) && in_array($perm_name,$blocked_anon_perms) && intval($x[0]['abook_ignored'])) {
$ret[$perm_name] = false;
continue;
}
@@ -119,7 +122,7 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
// system is blocked to anybody who is not authenticated
- if((! $observer_xchan) && intval(get_config('system', 'block_public'))) {
+ if(($check_siteblock) && (! $observer_xchan) && intval(get_config('system', 'block_public'))) {
$ret[$perm_name] = false;
continue;
}
@@ -251,9 +254,11 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
* @param int $uid The channel_id associated with the resource owner
* @param string $observer_xchan The xchan_hash representing the observer
* @param string $permission
+ * @param boolean $check_siteblock (default true)
+ * if false bypass check for "Block Public" at the site level
* @return bool true if permission is allowed for observer on channel
*/
-function perm_is_allowed($uid, $observer_xchan, $permission) {
+function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = true) {
$api = App::get_oauth_key();
if($api)
@@ -326,7 +331,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission) {
// system is blocked to anybody who is not authenticated
- if((! $observer_xchan) && intval(get_config('system', 'block_public')))
+ if(($check_siteblock) && (! $observer_xchan) && intval(get_config('system', 'block_public')))
return false;
// Check if this $uid is actually the $observer_xchan
diff --git a/include/plugin.php b/include/plugin.php
index 734c20d79..13652c620 100755
--- a/include/plugin.php
+++ b/include/plugin.php
@@ -14,17 +14,17 @@
* @param bool $uninstall uninstall plugin
*/
function handleerrors_plugin($plugin,$notice,$log,$uninstall=false){
- logger("Addons: [" . $plugin . "] Error: ".$log, LOGGER_ERROR);
- if ($notice != '') {
- notice("[" . $plugin . "] Error: ".$notice, LOGGER_ERROR);
- }
+ logger("Addons: [" . $plugin . "] Error: ".$log, LOGGER_ERROR);
+ if ($notice != '') {
+ notice("[" . $plugin . "] Error: ".$notice, LOGGER_ERROR);
+ }
- if ($uninstall) {
- $idx = array_search($plugin, \App::$plugins);
- unset(\App::$plugins[$idx]);
- uninstall_plugin($plugin);
- set_config("system","addon", implode(", ",\App::$plugins));
- }
+ if ($uninstall) {
+ $idx = array_search($plugin, \App::$plugins);
+ unset(\App::$plugins[$idx]);
+ uninstall_plugin($plugin);
+ set_config("system","addon", implode(", ",\App::$plugins));
+ }
}
/**
@@ -206,19 +206,19 @@ function reload_plugins() {
if(function_exists($pl . '_unload')) {
$func = $pl . '_unload';
try {
- $func();
+ $func();
} catch (Exception $e) {
handleerrors_plugin($plugin,"","UNLOAD FAILED (uninstalling) : ".$e->getMessage(),true);
- continue;
+ continue;
}
}
if(function_exists($pl . '_load')) {
$func = $pl . '_load';
try {
- $func();
+ $func();
} catch (Exception $e) {
handleerrors_plugin($plugin,"","LOAD FAILED (uninstalling): ".$e->getMessage(),true);
- continue;
+ continue;
}
}
q("UPDATE addon SET tstamp = %d WHERE id = %d",
@@ -431,6 +431,7 @@ function insert_hook($hook, $fn, $version = 0, $priority = 0) {
*/
function call_hooks($name, &$data = null) {
$a = 0;
+
if((is_array(App::$hooks)) && (array_key_exists($name, App::$hooks))) {
foreach(App::$hooks[$name] as $hook) {
$origfn = $hook[1];
diff --git a/include/text.php b/include/text.php
index 122605443..e894c5ce5 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1018,7 +1018,7 @@ function chanlink_cid($d) {
function magiclink_url($observer,$myaddr,$url) {
return (($observer)
- ? z_root() . '/magic?f=&owa=1&dest=' . $url . '&addr=' . $myaddr
+ ? z_root() . '/magic?f=&owa=1&bdest=' . bin2hex($url) . '&addr=' . $myaddr
: $url
);
}
@@ -1454,7 +1454,7 @@ function theme_attachments(&$item) {
if(is_foreigner($item['author_xchan']))
$url = $r['href'];
else
- $url = z_root() . '/magic?f=&owa=1&hash=' . $item['author_xchan'] . '&dest=' . $r['href'] . '/' . $r['revision'];
+ $url = z_root() . '/magic?f=&owa=1&hash=' . $item['author_xchan'] . '&bdest=' . bin2hex($r['href'] . '/' . $r['revision']);
//$s .= '<a href="' . $url . '" title="' . $title . '" class="attachlink" >' . $icon . '</a>';
$attaches[] = array('label' => $label, 'url' => $url, 'icon' => $icon, 'title' => $title);
diff --git a/include/zot.php b/include/zot.php
index 5c74947d6..5c79dd4fa 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -491,7 +491,7 @@ function zot_refresh($them, $channel = null, $force = false) {
$profile_assign = get_pconfig($channel['channel_id'],'system','profile_assign','');
// Keep original perms to check if we need to notify them
- $previous_perms = get_all_perms($channel['channel_id'],$x['hash']);
+ $previous_perms = get_all_perms($channel['channel_id'],$x['hash'],false);
$r = q("select * from abook where abook_xchan = '%s' and abook_channel = %d and abook_self = 0 limit 1",
dbesc($x['hash']),
@@ -560,7 +560,7 @@ function zot_refresh($them, $channel = null, $force = false) {
if($y) {
logger("New introduction received for {$channel['channel_name']}");
- $new_perms = get_all_perms($channel['channel_id'],$x['hash']);
+ $new_perms = get_all_perms($channel['channel_id'],$x['hash'],false);
// Send a clone sync packet and a permissions update if permissions have changed
@@ -4419,7 +4419,7 @@ function zotinfo($arr) {
if(! $ret['follow_url'])
$ret['follow_url'] = z_root() . '/follow?f=&url=%s';
- $permissions = get_all_perms($e['channel_id'],$ztarget_hash,false);
+ $permissions = get_all_perms($e['channel_id'],$ztarget_hash,false,false);
if($ztarget_hash) {
$permissions['connected'] = false;