From 17e2877c91dfc889ab5edb62fc6e00dd7dcbba01 Mon Sep 17 00:00:00 2001
From: Mario
Date: Wed, 21 Feb 2024 10:44:56 +0000
Subject: make sure to decode html special chars before sending over the wire and

---
 Zotlabs/Lib/Activity.php | 10 +++++-----
 Zotlabs/Module/Item.php | 5 ++---
 include/text.php | 7 +++++++
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/Zotlabs/Lib/Activity.php b/Zotlabs/Lib/Activity.php
index ab96423d7..4db116b5e 100644
--- a/Zotlabs/Lib/Activity.php
+++ b/Zotlabs/Lib/Activity.php
@@ -517,7 +517,7 @@ class Activity {
 }
 
 if ($i['title'])
- $ret['name'] = $i['title'];
+ $ret['name'] = unescape_tags($i['title']);
 
 $ret['published'] = datetime_convert('UTC', 'UTC', $i['created'], ATOM_TIME);
 if ($i['created'] !== $i['edited'])
@@ -564,11 +564,11 @@ class Activity {
 
 if ($i['mimetype'] === 'text/bbcode') {
 if ($i['title'])
- $ret['name'] = bbcode($i['title'], ['cache' => true]);
+ $ret['name'] = unescape_tags($i['title']);
 if ($i['summary'])
- $ret['summary'] = bbcode($i['summary'], ['cache' => true]);
- $ret['content'] = bbcode($i['body'], ['cache' => true]);
- $ret['source'] = ['content' => $i['body'], 'mediaType' => 'text/bbcode'];
+ $ret['summary'] = unescape_tags($i['summary']);
+ $ret['content'] = bbcode(unescape_tags($i['body']), ['cache' => true]);
+ $ret['source'] = ['content' => unescape_tags($i['body']), 'mediaType' => 'text/bbcode'];
 }
 
 $actor = self::encode_person($i['author'], false);
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index 09e4904c1..574dffc69 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -679,7 +679,7 @@ class Item extends Controller {
 $verb = $orig_post['verb'];
 $app = $orig_post['app'];
 $title = escape_tags(trim($_REQUEST['title']));
- $summary = trim($_REQUEST['summary']);
+ $summary = escape_tags(trim($_REQUEST['summary']));
 $body = trim($_REQUEST['body']);
 $item_flags = $orig_post['item_flags'];
 $item_origin = $orig_post['item_origin'];
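Review bot: `$ret['summary'] = unescape_tags($i['summary'])` sends the decoded summary out as a bare string while `$ret['content']` on the next line still goes through `bbcode()`, so the two fields now take different pipelines: the Item.php hunks in this commit store the summary via `escape_tags()`, the decode restores exactly what the author typed, including any literal `<` or `>`, and a peer that treats `summary` as HTML will receive unrendered, unescaped text. Either keep `$ret['summary'] = bbcode(unescape_tags($i['summary']), ['cache' => true]);` so summary and content share the rendering path, or add a comment stating why summary is deliberately plain text. The same asymmetry is worth checking for `unescape_tags($i['body'])`: as far as the Item.php hunks show, `$body` is not passed through `escape_tags()` on input, so decoding it here would turn entities the author wrote literally (`&lt;` meant to display as `<`, `&amp;` inside a URL) into raw characters before `bbcode()` runs, unless the body is escaped somewhere outside this diff. The enclosing encode method starts and ends outside the hunk.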
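Review bot: `$summary = escape_tags(trim($_REQUEST['summary']));` reads `$_REQUEST['summary']` without the `isset()` guard that the corresponding line in the hunk at 740 has, so an edit request with no summary field raises an undefined-array-key warning on PHP 8 and hands null to `trim()`; the `$title` line above has the same pre-existing shape, but since this line is being touched, `$summary = escape_tags(trim($_REQUEST['summary'] ?? ''));` would close it. Worth a comment on the line as well: `escape_tags()` is `htmlspecialchars(..., ENT_COMPAT, 'UTF-8', false)` (visible in the include/text.php hunk), so with `double_encode` off a summary the author typed as `&amp;` is stored unchanged and comes back as `&` from `unescape_tags()` on output; the escape/decode pair is not a lossless round trip for text that already contains entities, and the same holds for the `$summary` line in the 740 hunk. The enclosing method starts and ends outside the hunk.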
@@ -740,7 +740,7 @@ class Item extends Controller {
 $coord = ((isset($_REQUEST['coord'])) ? notags(trim($_REQUEST['coord'])) : '');
 $verb = ((isset($_REQUEST['verb'])) ? notags(trim($_REQUEST['verb'])) : '');
 $title = ((isset($_REQUEST['title'])) ? escape_tags(trim($_REQUEST['title'])) : '');
- $summary = ((isset($_REQUEST['summary'])) ? trim($_REQUEST['summary']) : '');
+ $summary = ((isset($_REQUEST['summary'])) ? escape_tags(trim($_REQUEST['summary'])) : '');
 $body = ((isset($_REQUEST['body'])) ? trim($_REQUEST['body']) : '');
 $body .= ((isset($_REQUEST['attachment'])) ? trim($_REQUEST['attachment']) : '');
 $postopts = '';
@@ -793,7 +793,6 @@ class Item extends Controller {
 && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false);
 
 if ($preview) {
- $summary = z_input_filter($summary, $mimetype, $execflag);
 $body = z_input_filter($body, $mimetype, $execflag);
 }
 
diff --git a/include/text.php b/include/text.php
index 9d276642a..052c26594 100644
--- a/include/text.php
+++ b/include/text.php
@@ -114,6 +114,13 @@ function escape_tags($string) {
 return (htmlspecialchars($string, ENT_COMPAT, 'UTF-8', false));
 }
 
+function unescape_tags($string) {
+ if (!$string) {
+ return EMPTY_STR;
+ }
+ return (htmlspecialchars_decode($string, ENT_COMPAT));
+}
+
 /**
 * Escape URL's so they're safe for use in HTML and in HTML element attributes.
 */
-- 
cgit v1.2.3
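Review bot: Dropping `$summary = z_input_filter($summary, $mimetype, $execflag);` leaves the preview path without the mimetype-aware filter for the summary while `$body` on the next line still gets it; with `$summary` now pre-escaped by `escape_tags()` in the two earlier hunks that is consistent for text/bbcode, but for any other `$mimetype` the filter converts, the summary will be an entity-escaped string rather than converted text and the preview will diverge from how the body is handled. Whether the non-preview path still filters the summary is outside this hunk; if it does not, a one-line comment above `if ($preview) {` such as `// summary is entity-escaped on input (escape_tags) and is not run through z_input_filter` would save the next reader the search. The enclosing method starts and ends outside the hunk.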
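Review bot: `if (!$string)` in `unescape_tags()` is a truthiness test, so a title or summary that is literally `'0'` is returned as `EMPTY_STR` instead of being decoded; the only value the guard needs to catch is null (passing null to `htmlspecialchars_decode()` is deprecated on PHP 8.1), so `if ($string === null || $string === '') {` keeps that case without dropping `'0'`. The function also has no docblock although `escape_tags()` directly above is its inverse; I would add one stating that it reverses `escape_tags()` with the same `ENT_COMPAT` flags (so `&quot;` is decoded but single-quote entities are not), that it accepts null and returns `EMPTY_STR` for it, and that because `escape_tags()` passes `double_encode=false` the pair is not a lossless round trip for text that already contained entities. Native `?string` and `string` type declarations would be in order too, though the neighbouring `escape_tags()` is untyped as well.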