From 8d298d5a068845856c9827c0d2ea3f02f1399d72 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Sun, 26 Jun 2016 22:26:45 -0700
Subject: fix for the rendering side of issue #412. We traditionally store all
 "user generated" content with ENT_COMPAT encoding to reduce the attack vector
 for JS CSS exploits. This may present compatibility issues sharing wikis to
 platforms which do not provide such CSS protection. We can either decide that
 wikis are inherently insecure and filter them on render (with an associated
 performance penalty), or keep the existing method of filtering on store. I'm
 not making that choice. I'm merely fixing the obvious rendering issue in
 mono-platform viewing.

---
 Zotlabs/Module/Wiki.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 6a8bdf0db..38b49effc 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -125,7 +125,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 					notice('Error retrieving page content' . EOL);
 					goaway('/'.argv(0).'/'.argv(1).'/'.$wikiUrlName);
 				}
-				$content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"');
+				$content = ($p['content'] !== '' ? htmlspecialchars_decode($p['content'],ENT_COMPAT) : '"# New page\n"');
 				// Render the Markdown-formatted page content in HTML
 				require_once('library/markdown.php');	
 				$renderedContent = wiki_convert_links(Markdown(json_decode($content)),argv(0).'/'.argv(1).'/'.$wikiUrlName);
-- 
cgit v1.2.3