From 96fdb88690fcb572b5bc4948a7df71b3c257a97d Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 23 Feb 2017 15:15:19 -0800 Subject: nativewiki: only apply markdown filter to markdown input --- Zotlabs/Lib/NativeWikiPage.php | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index cdb2a5134..af0286997 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -333,18 +333,26 @@ class NativeWikiPage { static public function save_page($arr) { - $pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : ''); - $content = ((array_key_exists('content',$arr)) ? purify_html(Zlib\NativeWikiPage::prepare_content($arr['content'])) : ''); - $resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : ''); + $pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : ''); + $content = ((array_key_exists('content',$arr)) ? $arr['content'] : ''); + $resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : ''); $observer_hash = ((array_key_exists('observer_hash',$arr)) ? $arr['observer_hash'] : ''); $channel_id = ((array_key_exists('channel_id',$arr)) ? $arr['channel_id'] : 0); - $revision = ((array_key_exists('revision',$arr)) ? $arr['revision'] : 0); + $revision = ((array_key_exists('revision',$arr)) ? $arr['revision'] : 0); $w = Zlib\NativeWiki::get_wiki($channel_id, $observer_hash, $resource_id); if (!$w['wiki']) { return array('message' => t('Error reading wiki'), 'success' => false); } + + $mimetype = $w['mimeType']; + if($mimetype === 'text/markdown') { + $content = purify_html(Zlib\NativeWikiPage::prepare_content($content)); + } + else { + $content = escape_tags($content); + } // fetch the most recently saved revision. -- cgit v1.2.3 From d7e24b24945a909f2bf2825200234db622a8e9fb Mon Sep 17 00:00:00 2001 
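Review bot: The filter choice in the new `$mimetype === 'text/markdown'` branch is keyed on the wiki's current mimeType, but nothing in the hunk records which filter the saved revision went through, so a later change of the wiki's mimeType would presumably render content that was stored via `escape_tags()` as markdown, or vice versa; persisting it on the revision, e.g. `$item['mimetype'] = $mimetype;` where the item row is assembled, would pin that. `$w['mimeType']` is also read without a key check, unlike the `$w['wiki']` guard just above it; an absent key yields null and falls through to the `escape_tags()` branch, which is the safe default but a silent one. save_page's body continues past the end of the hunk.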
From: zotlabs Date: Wed, 1 Mar 2017 20:05:52 -0800 Subject: make system.expire_delivery_reports default setting consistent (10 days) --- Zotlabs/Lib/ThreadItem.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/ThreadItem.php b/Zotlabs/Lib/ThreadItem.php index 07b782309..799a606d6 100644 --- a/Zotlabs/Lib/ThreadItem.php +++ b/Zotlabs/Lib/ThreadItem.php @@ -276,7 +276,7 @@ class ThreadItem { $keep_reports = intval(get_config('system','expire_delivery_reports')); if($keep_reports === 0) - $keep_reports = 30; + $keep_reports = 10; if((! get_config('system','disable_dreport')) && strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC',"now - $keep_reports days")) > 0) $dreport = t('Delivery Report'); -- cgit v1.2.3 From eaefb362129b9d1731d809822232f1d35c95b871 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Sat, 4 Mar 2017 16:56:52 +0100 Subject: we need item edited for wiki page history, not item created --- Zotlabs/Lib/NativeWikiPage.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index af0286997..25e454cb7 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -188,7 +188,7 @@ class NativeWikiPage { $processed ++; $history[] = [ 'revision' => $item['revision'], - 'date' => datetime_convert('UTC',date_default_timezone_get(),$item['created']), + 'date' => datetime_convert('UTC',date_default_timezone_get(),$item['edited']), 'name' => $item['author']['xchan_name'], 'title' => get_iconfig($item,'nwikipage','commit_msg') ]; -- cgit v1.2.3 From 9e44b0727513d820336cd4c51350d62b13cf8479 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Mon, 6 Mar 2017 22:32:05 +0100 Subject: allow unauthenticated access to public wiki pages --- Zotlabs/Lib/NativeWikiPage.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Lib') 
diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index 25e454cb7..e9f8a32c9 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -232,7 +232,11 @@ class NativeWikiPage { } } - $sql_extra = item_permissions_sql($channel_id,$observer_hash); + $sql_extra = ''; + + if($w['wiki']['allow_cid'] || $w['wiki']['allow_gid'] || $w['wiki']['deny_cid'] || $w['wiki']['deny_gid']) + $sql_extra .= item_permissions_sql($channel_id,$observer_hash); + if($revision == (-1)) $sql_extra .= " order by revision desc "; elseif($revision) @@ -284,7 +288,11 @@ class NativeWikiPage { } } - $sql_extra = item_permissions_sql($channel_id,$observer_hash); + $sql_extra = ''; + + if($w['wiki']['allow_cid'] || $w['wiki']['allow_gid'] || $w['wiki']['deny_cid'] || $w['wiki']['deny_gid']) + $sql_extra .= item_permissions_sql($channel_id,$observer_hash); + $sql_extra .= " order by revision desc "; $r = null; -- cgit v1.2.3 From 595cb13d8f2793fcefdc1566715848479460e479 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 6 Mar 2017 15:33:10 -0800 Subject: correct fix for wiki anonymous read issue (items_permissions_sql checks item.public_policy which was set for posts, not wikis) --- Zotlabs/Lib/NativeWikiPage.php | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index e9f8a32c9..941ade90c 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -64,6 +64,8 @@ class NativeWikiPage { $arr['deny_cid'] = $w['wiki']['deny_cid']; $arr['deny_gid'] = $w['wiki']['deny_gid']; + $arr['public_policy'] = map_scope(\Zotlabs\Access\PermissionLimits::Get($channel_id,'view_wiki'),true); + // We may wish to change this some day. $arr['item_unpublished'] = 1; 
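Review bot: Both hunks make `item_permissions_sql()` conditional on the wiki's allow/deny lists being non-empty, which removes the per-observer authorization entirely for any wiki without an explicit item ACL — presumably including wikis whose visibility is meant to come from the channel's `view_wiki` permission limit rather than from allow/deny columns, so those become readable by anyone who can reach the page. Narrowing the check to the ACL columns is the wrong lever; the anonymous-read problem belongs in what `item_permissions_sql()` evaluates for wiki items, with `$sql_extra = item_permissions_sql($channel_id,$observer_hash);` kept unconditional in both places. The second hunk repeats the same change and needs the same treatment. Both enclosing functions start before their hunks.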
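Review bot: `$arr['public_policy']` is computed from `PermissionLimits::Get($channel_id,'view_wiki')` at page-creation time, so the channel's limit is frozen into each item; if the channel later tightens `view_wiki`, pages created earlier presumably keep the more permissive stored policy that `item_permissions_sql()` honours. If that is intended, say so beside the assignment, e.g. `// snapshot of the channel's view_wiki limit at creation time; not updated if the limit changes later`; otherwise the limit needs re-evaluating on read. The same consideration applies to the NativeWiki container hunk in the following commit. The enclosing function starts before this hunk.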
@@ -232,10 +234,7 @@ class NativeWikiPage { } } - $sql_extra = ''; - - if($w['wiki']['allow_cid'] || $w['wiki']['allow_gid'] || $w['wiki']['deny_cid'] || $w['wiki']['deny_gid']) - $sql_extra .= item_permissions_sql($channel_id,$observer_hash); + $sql_extra = item_permissions_sql($channel_id,$observer_hash); if($revision == (-1)) $sql_extra .= " order by revision desc "; @@ -288,10 +287,7 @@ class NativeWikiPage { } } - $sql_extra = ''; - - if($w['wiki']['allow_cid'] || $w['wiki']['allow_gid'] || $w['wiki']['deny_cid'] || $w['wiki']['deny_gid']) - $sql_extra .= item_permissions_sql($channel_id,$observer_hash); + $sql_extra = item_permissions_sql($channel_id,$observer_hash); $sql_extra .= " order by revision desc "; -- cgit v1.2.3 From a18e8e1ede672f8733ef41250099880836efa7f7 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 6 Mar 2017 17:59:34 -0800 Subject: add public_policy to the nwiki container also. This should not affect the recent bug as presented, but is being added for consistency. --- Zotlabs/Lib/NativeWiki.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/NativeWiki.php b/Zotlabs/Lib/NativeWiki.php index 519102d24..7786ec25a 100644 --- a/Zotlabs/Lib/NativeWiki.php +++ b/Zotlabs/Lib/NativeWiki.php @@ -75,6 +75,8 @@ class NativeWiki { $arr['obj_type'] = ACTIVITY_OBJ_WIKI; $arr['body'] = '[table][tr][td][h1]New Wiki[/h1][/td][/tr][tr][td][zrl=' . $wiki_url . ']' . $wiki['htmlName'] . '[/zrl][/td][/tr][/table]'; + $arr['public_policy'] = map_scope(\Zotlabs\Access\PermissionLimits::Get($channel['channel_id'],'view_wiki'),true); + // Save the wiki name information using iconfig. This is shareable. if(! set_iconfig($arr, 'wiki', 'rawName', $wiki['rawName'], true)) { return array('item' => null, 'success' => false); -- cgit v1.2.3 From 8aabc6bc3dfccb85f44b5db4708a756124277e1e Mon Sep 17 00:00:00 2001 
From: Mario Vavti Date: Sun, 12 Mar 2017 21:11:28 +0100 Subject: many dropdown and class fixes. still a long way to go... --- Zotlabs/Lib/ThreadItem.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/ThreadItem.php b/Zotlabs/Lib/ThreadItem.php index 799a606d6..6534a5345 100644 --- a/Zotlabs/Lib/ThreadItem.php +++ b/Zotlabs/Lib/ThreadItem.php @@ -183,7 +183,7 @@ class ThreadItem { $like_list = ((x($conv_responses['like'],$item['mid'])) ? $conv_responses['like'][$item['mid'] . '-l'] : ''); if (count($like_list) > MAX_LIKERS) { $like_list_part = array_slice($like_list, 0, MAX_LIKERS); - array_push($like_list_part, '' . t('View all') . ''); + array_push($like_list_part, '' . t('View all') . ''); } else { $like_list_part = ''; } @@ -195,7 +195,7 @@ class ThreadItem { $dislike_button_label = tt('Dislike','Dislikes',$dislike_count,'noun'); if (count($dislike_list) > MAX_LIKERS) { $dislike_list_part = array_slice($dislike_list, 0, MAX_LIKERS); - array_push($dislike_list_part, '' . t('View all') . ''); + array_push($dislike_list_part, '' . t('View all') . ''); } else { $dislike_list_part = ''; } -- cgit v1.2.3 From 700c05a55bab34c40f24fbe4f83a0fa9882559b2 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Mon, 13 Mar 2017 16:34:23 +0100 Subject: many class fixes and revive shiny class for item titles in a new way --- Zotlabs/Lib/ThreadItem.php | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/ThreadItem.php b/Zotlabs/Lib/ThreadItem.php index 6534a5345..c3464b86b 100644 --- a/Zotlabs/Lib/ThreadItem.php +++ b/Zotlabs/Lib/ThreadItem.php @@ -82,7 +82,8 @@ class ThreadItem { $dropping = false; $star = false; $isstarred = "unstarred fa-star-o"; - $indent = ''; + $is_comment = false; + $is_item = false; $osparkle = ''; $total_children = $this->count_descendants(); $unseen_comments = (($item['real_uid']) ? 0 : $this->count_unseen_descendants()); 
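Review bot: `$is_new` is never initialised alongside the new `$is_comment = false;` / `$is_item = false;` lines in this hunk, yet the `@@ -282` hunk of the same commit assigns it only inside the 12-hour `if` and the `@@ -361` hunk then passes `'is_new' => $is_new` to the template, so items that are not new read an undefined variable (a notice, null in the template); add `$is_new = false;` here, unless an initialisation exists outside the visible hunks. The `@@ -407` hunk also still calls `$this->get_comment_box($indent)` after `$indent` was removed from this hunk, so that argument is now always undefined, and `($conv->is_preview() ? true : false )` in the same hunk is just `(bool) $conv->is_preview()`. `$is_item` is assigned but not used in any visible hunk; the rest of the method is outside this view, so it may be read further down. The enclosing method continues past this hunk.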
@@ -232,7 +233,7 @@ class ThreadItem { } } else { - $indent = 'comment'; + $is_comment = true; } @@ -282,7 +283,7 @@ class ThreadItem { $dreport = t('Delivery Report'); if(strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC','now - 12 hours')) > 0) - $indent .= ' shiny'; + $is_new = true; localize_item($item); @@ -361,7 +362,8 @@ class ThreadItem { 'attend_title' => t('Attendance Options'), 'vote_label' => t('Vote'), 'vote_title' => t('Voting Options'), - 'indent' => $indent, + 'is_comment' => $is_comment, + 'is_new' => $is_new, 'owner_url' => $this->get_owner_url(), 'owner_photo' => $this->get_owner_photo(), 'owner_name' => $this->get_owner_name(), @@ -407,7 +409,7 @@ class ThreadItem { 'showlike' => $showlike, 'showdislike' => $showdislike, 'comment' => $this->get_comment_box($indent), - 'previewing' => ($conv->is_preview() ? ' preview ' : ''), + 'previewing' => ($conv->is_preview() ? true : false ), 'wait' => t('Please wait'), 'submid' => str_replace(['+','='], ['',''], base64_encode(substr($item['mid'],0,32))), 'thread_level' => $thread_level -- cgit v1.2.3 From 6ea32a8ba31a9c459cda1b6c9694621958a7bd38 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 14 Mar 2017 00:23:44 -0700 Subject: class MarkdownSoap to safely store markdown by purifying and preserving (escaped) what may be unsafe code in codeblocks. The stored item needs to be unescaped just prior to calling the markdown-to-html processor --- Zotlabs/Lib/MarkdownSoap.php | 86 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 Zotlabs/Lib/MarkdownSoap.php (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php new file mode 100644 index 000000000..d0481eb4d --- /dev/null +++ b/Zotlabs/Lib/MarkdownSoap.php 
@@ -0,0 +1,86 @@ +clean(); + * + * What this does: + * 1. extracts code blocks and privately escapes them from processing + * 2. Run html purifier on the content + * 3. put back the code blocks + * 4. run htmlspecialchars on the entire content for safe storage + * + * At render time: + * $markdown = \Zotlabs\Lib\MarkdownSoap::unescape($text); + * $html = \Michelf\MarkdownExtra::DefaultTransform($markdown); + */ + + + +class MarkdownSoap { + + private $token; + + private $str; + + function __construct($s) { + $this->str = $s; + $this->token = random_string(20); + } + + + function clean() { + $x = $this->extract_code($this->str); + $x = $this->purify($x); + $x = $this->putback_code($x); + $x = $this->escape($x); + + return $x; + } + + function extract_code($s) { + + $text = preg_replace_callback('{ + (?:\n\n|\A\n?) + ( # $1 = the code block -- one or more lines, starting with a space/tab + (?> + [ ]{'.'4'.'} # Lines must start with a tab or a tab-width of spaces + .*\n+ + )+ + ) + ((?=^[ ]{0,'.'4'.'}\S)|\Z) # Lookahead for non-space at line-start, or end of doc + }xm', + [ $this , 'encode_code' ], $s); + + return $text; + } + + function encode_code($matches) { + return $this->token . ';' . base64_encode($matches[1]) . ';' ; + } + + function decode_code($matches) { + return base64_decode($matches[1]); + } + + function putback_code($s) { + $text = preg_replace_callback('{' . $this->token . '\;(.*?)\;}xm',[ $this, 'decode_code' ], $s); + return $text; + } + + function purify($s) { + return purify_html($s); + } + + function escape($s) { + return htmlspecialchars($s,ENT_QUOTES); + } + + static public function unescape($s) { + return htmlspecialchars_decode($s,ENT_QUOTES); + } +} -- cgit v1.2.3 From fa629841bd2fd150531a5494504a24b13a0c4503 Mon Sep 17 00:00:00 2001 
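Review bot: `putback_code()` builds its pattern from `$this->token` without `preg_quote()`, so correctness depends on `random_string(20)` never emitting a PCRE metacharacter or whitespace (the pattern carries the `x` flag, under which whitespace is ignored); `'{' . preg_quote($this->token, '{') . '\;(.*?)\;}xm'` removes that dependency. `extract_code()` protects only indented code blocks; if the renderer named in the docblock (`MarkdownExtra::DefaultTransform`) is used with fenced blocks, those are not extracted and their contents go through `purify_html()` unprotected, which will presumably strip or rewrite literal markup inside them. The helper methods carry no visibility keyword; only `clean()` and `unescape()` are used from outside in the docblock's description, so `extract_code`, `encode_code`, `decode_code`, `putback_code`, `purify` and `escape` can be `private`. The file header above the docblock did not survive extraction here, so the namespace and `use` lines could not be checked.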
From: zotlabs Date: Tue, 14 Mar 2017 17:07:29 -0700 Subject: input filter updates --- Zotlabs/Lib/MarkdownSoap.php | 2 +- Zotlabs/Lib/NativeWikiPage.php | 31 ++----------------------------- 2 files changed, 3 insertions(+), 30 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php index d0481eb4d..2dcaaec9a 100644 --- a/Zotlabs/Lib/MarkdownSoap.php +++ b/Zotlabs/Lib/MarkdownSoap.php @@ -5,7 +5,7 @@ namespace Zotlabs\Lib; /** * MarkdownSoap * Purify Markdown for storage - * $x = newMarkdownSoap($string_to_be_cleansed); + * $x = new MarkdownSoap($string_to_be_cleansed); * $text = $x->clean(); * * What this does: diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index 941ade90c..9f54081a1 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -307,34 +307,6 @@ class NativeWikiPage { return null; } - - - static public function prepare_content($s) { - - $text = preg_replace_callback('{ - (?:\n\n|\A\n?) - ( # $1 = the code block -- one or more lines, starting with a space/tab - (?> - [ ]{'.'4'.'} # Lines must start with a tab or a tab-width of spaces - .*\n+ - )+ - ) - ((?=^[ ]{0,'.'4'.'}\S)|\Z) # Lookahead for non-space at line-start, or end of doc - }xm', - 'self::nwiki_prepare_content_callback', $s); - - return $text; - } - - static public function nwiki_prepare_content_callback($matches) { - $codeblock = $matches[1]; - - $codeblock = htmlspecialchars($codeblock, ENT_NOQUOTES, UTF8, false); - return "\n\n" . $codeblock ; - } - - - static public function save_page($arr) { $pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : ''); @@ -352,7 +324,8 @@ class NativeWikiPage { $mimetype = $w['mimeType']; if($mimetype === 'text/markdown') { - $content = purify_html(Zlib\NativeWikiPage::prepare_content($content)); + $x = new Zlib\MarkdownSoap($content); + $content = $x->clean(); } else { $content = escape_tags($content); -- cgit v1.2.3 
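Review bot: After `$content = $x->clean();` the stored body is `htmlspecialchars`-escaped (MarkdownSoap::escape uses `ENT_QUOTES`), so every read path that feeds this body to the markdown renderer must call `MarkdownSoap::unescape()` first; no such change is visible in this commit (the listing is limited to Zotlabs/Lib, so it may live in a module), and a reader that skips it will render doubly-escaped text. The temporary `$x` also appears to be the name this method later uses as a loop index (`for($x = 0; ...)` in a later commit's view of save_page), which works only because the object is no longer needed; `$soap = new Zlib\MarkdownSoap($content); $content = $soap->clean();` avoids the reuse. save_page continues past the hunk on both sides.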
From d5525a38f185e37fe0101bc7ef6e67abf59f98f8 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 18 Mar 2017 16:41:43 -0700 Subject: various input filter fixes --- Zotlabs/Lib/MarkdownSoap.php | 14 ++++++++++++-- Zotlabs/Lib/NativeWikiPage.php | 31 ++++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 9 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php index 2dcaaec9a..8cc18d513 100644 --- a/Zotlabs/Lib/MarkdownSoap.php +++ b/Zotlabs/Lib/MarkdownSoap.php @@ -34,9 +34,13 @@ class MarkdownSoap { function clean() { + $x = $this->extract_code($this->str); + $x = $this->purify($x); + $x = $this->putback_code($x); + $x = $this->escape($x); return $x; @@ -60,7 +64,7 @@ class MarkdownSoap { } function encode_code($matches) { - return $this->token . ';' . base64_encode($matches[1]) . ';' ; + return $this->token . ';' . base64_encode($matches[0]) . ';' ; } function decode_code($matches) { @@ -73,7 +77,13 @@ class MarkdownSoap { } function purify($s) { - return purify_html($s); + $s = str_replace("\n",'
',$s); + $s = str_replace("\t",'    ',$s); + $s = str_replace(' ',' ',$s); + $s = purify_html($s); + $s = str_replace(' '," ",$s); + $s = str_replace(['
','
'],["\n","\n"],$s); + return $s; } function escape($s) { diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index 9f54081a1..3d6da7779 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -323,13 +323,6 @@ class NativeWikiPage { } $mimetype = $w['mimeType']; - if($mimetype === 'text/markdown') { - $x = new Zlib\MarkdownSoap($content); - $content = $x->clean(); - } - else { - $content = escape_tags($content); - } // fetch the most recently saved revision. @@ -348,6 +341,7 @@ class NativeWikiPage { $item['author_xchan'] = $observer_hash; $item['revision'] = (($arr['revision']) ? intval($arr['revision']) + 1 : intval($item['revision']) + 1); $item['edited'] = datetime_convert(); + $item['mimetype'] = $mimetype; if($item['iconfig'] && is_array($item['iconfig']) && count($item['iconfig'])) { for($x = 0; $x < count($item['iconfig']); $x ++) { @@ -515,6 +509,29 @@ class NativeWikiPage { } return $s; } + + static public function render_page_history($arr) { + + $pageUrlName = ((array_key_exists('pageUrlName', $arr)) ? $arr['pageUrlName'] : ''); + $resource_id = ((array_key_exists('resource_id', $arr)) ? $arr['resource_id'] : ''); + + $pageHistory = self::page_history([ + 'channel_id' => \App::$profile_uid, + 'observer_hash' => get_observer_hash(), + 'resource_id' => $resource_id, + 'pageUrlName' => $pageUrlName + ]); + + return replace_macros(get_markup_template('nwiki_page_history.tpl'), array( + '$pageHistory' => $pageHistory['history'], + '$permsWrite' => $arr['permsWrite'], + '$name_lbl' => t('Name'), + '$msg_label' => t('Message','wiki_history') + )); + + } + + /** * Replace the instances of the string [toc] with a list element that will be populated by -- cgit v1.2.3 From e97dd48b4c046bac86322d91a13fd55d0cf3a99f Mon Sep 17 00:00:00 2001 
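Review bot: The replacement pairs applied after `purify_html()` in `purify()` (the tag and entity text did not survive extraction here; I'm inferring the `<br>`/`&nbsp;` round-trip from the `"\n"` and `'    '` replacements) rewrite the purifier's output, which is exactly where a sanitizer's guarantees are weakest: anything substituted back after purification is no longer vetted. Each post-purify replacement should be limited to the exact strings this method itself inserted before purification, and that invariant deserves a comment, e.g. `// reverse only the substitutions made above; never widen this list`. purify() is complete within the hunk.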
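Review bot: The `@@ -323` hunk deletes the mimetype-keyed filter (`MarkdownSoap` / `escape_tags`) from save_page and keeps only `$mimetype`, which the `@@ -348` hunk then stores on the item, so within this view page content now reaches the item row unfiltered. The listing is limited to Zotlabs/Lib, so the filter may have moved to the calling module; if so, a comment at the deletion point such as `// content must already be purified by the caller according to $mimetype; save_page() stores it as given` would document that contract, since any second caller of save_page would otherwise bypass it. save_page continues past both hunks.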
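Review bot: In the new `render_page_history()`, `$arr['permsWrite']` is read directly while `pageUrlName` and `resource_id` are guarded with `array_key_exists`; an absent key raises a notice and hands null to the template. `'$permsWrite' => ((array_key_exists('permsWrite', $arr)) ? $arr['permsWrite'] : false),` matches the method's own style, assuming the template treats it as a flag. The method is also undocumented; a one-line docblock saying it renders `nwiki_page_history.tpl` for the page and wiki named in `$arr`, using the current profile and observer, would help.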
From: zotlabs Date: Mon, 20 Mar 2017 19:41:03 -0700 Subject: even more fine tuning of the markdown purifier - especially when used with the wiki --- Zotlabs/Lib/MarkdownSoap.php | 2 +- Zotlabs/Lib/NativeWikiPage.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php index 8cc18d513..cf1446f45 100644 --- a/Zotlabs/Lib/MarkdownSoap.php +++ b/Zotlabs/Lib/MarkdownSoap.php @@ -81,7 +81,7 @@ class MarkdownSoap { $s = str_replace("\t",'    ',$s); $s = str_replace(' ',' ',$s); $s = purify_html($s); - $s = str_replace(' '," ",$s); + $s = str_replace([' ', mb_convert_encoding(' ','UTF-8','HTML-ENTITIES')], [ ' ', ' ' ],$s); $s = str_replace(['
','
'],["\n","\n"],$s); return $s; } diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index 3d6da7779..960fe014e 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -156,7 +156,7 @@ class NativeWikiPage { $content = $item['body']; return [ - 'content' => json_encode($content), + 'content' => $content, 'mimeType' => $w['mimeType'], 'message' => '', 'success' => true -- cgit v1.2.3 From d95f7efea704069a49fc2d63a88dcba5fd80381f Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 20 Mar 2017 19:50:09 -0700 Subject: after all of this, I would be very hesitant to use any multi-user system which uses markdown and which doesn't have a large security budget. --- Zotlabs/Lib/MarkdownSoap.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php index cf1446f45..e5f3c81dd 100644 --- a/Zotlabs/Lib/MarkdownSoap.php +++ b/Zotlabs/Lib/MarkdownSoap.php @@ -82,7 +82,7 @@ class MarkdownSoap { $s = str_replace(' ',' ',$s); $s = purify_html($s); $s = str_replace([' ', mb_convert_encoding(' ','UTF-8','HTML-ENTITIES')], [ ' ', ' ' ],$s); - $s = str_replace(['
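Review bot: Returning `'content' => $content` instead of `json_encode($content)` changes this accessor's contract: callers that relied on the JSON-encoded form to build a JavaScript literal now receive the raw stored string and must encode it for their own output context, which I cannot confirm from this view (the listing is limited to Zotlabs/Lib). If the stored body is the MarkdownSoap-escaped form, a comment such as `// raw stored body (html-escaped by MarkdownSoap at save time); the caller encodes for its context` would make that explicit. The enclosing function starts before the hunk.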
','
'],["\n","\n"],$s); + $s = str_replace(['
','
', '<', '>' ],["\n","\n", '<', '>'],$s); return $s; } -- cgit v1.2.3 From 542fa4a08c3f58d60c729ee166a2c4dc92f7524e Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 21 Mar 2017 00:40:19 -0700 Subject: more markdown purification --- Zotlabs/Lib/MarkdownSoap.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php index e5f3c81dd..a0214bbe4 100644 --- a/Zotlabs/Lib/MarkdownSoap.php +++ b/Zotlabs/Lib/MarkdownSoap.php @@ -77,12 +77,12 @@ class MarkdownSoap { } function purify($s) { - $s = str_replace("\n",'
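Review bot: The two new search/replace pairs (rendered here as `'<', '>'` on both sides, which suggests the search strings were the `&lt;`/`&gt;` entities and were decoded during extraction — please confirm against the actual source) turn entity-encoded angle brackets back into literal `<` and `>` after `purify_html()` has run. If that reading is right, they also convert brackets the author deliberately wrote as entities, so a stored body can regain raw markup the purifier never saw as a tag, and that markup is then handed to the markdown renderer at read time; the purifier's output should be treated as final rather than post-processed. If the goal is to keep purifier-escaped stray brackets (`a < b`) readable, distinguish them from author-written entities by tokenizing the latter before purification, as `extract_code()` already does for code blocks. purify() is complete within the hunk.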
',$s); - $s = str_replace("\t",'    ',$s); - $s = str_replace(' ',' ',$s); +// $s = str_replace("\n",'
',$s); +// $s = str_replace("\t",'    ',$s); +// $s = str_replace(' ',' ',$s); $s = purify_html($s); - $s = str_replace([' ', mb_convert_encoding(' ','UTF-8','HTML-ENTITIES')], [ ' ', ' ' ],$s); - $s = str_replace(['
','
', '<', '>' ],["\n","\n", '<', '>'],$s); +// $s = str_replace([' ', mb_convert_encoding(' ','UTF-8','HTML-ENTITIES')], [ ' ', ' ' ],$s); +// $s = str_replace(['
','
', '<', '>' ],["\n","\n", '<', '>'],$s); return $s; } -- cgit v1.2.3 From e49c59959b328d28b05b484bd7dbe49198fc5710 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 21 Mar 2017 21:00:48 -0700 Subject: use the same host macro for sender address as for reply_to address --- Zotlabs/Lib/Enotify.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/Enotify.php b/Zotlabs/Lib/Enotify.php index 257687567..5db5fb42d 100644 --- a/Zotlabs/Lib/Enotify.php +++ b/Zotlabs/Lib/Enotify.php @@ -67,7 +67,7 @@ class Enotify { $sender_name = $product; $hostname = \App::get_hostname(); if(strpos($hostname,':')) - $hostname = substr($hostname,0,strpos($hostname,':')); + $hostname = substr($hostname,0,strpos($hostname,':')); // Do not translate 'noreply' as it must be a legal 7-bit email address @@ -77,7 +77,7 @@ class Enotify { $sender_email = get_config('system','from_email'); if(! $sender_email) - $sender_email = 'Administrator' . '@' . \App::get_hostname(); + $sender_email = 'Administrator' . '@' . $hostname; $sender_name = get_config('system','from_email_name'); if(! $sender_name) -- cgit v1.2.3 From 5f0004b416b81f546546d719d8206da52efb1ac1 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 23 Mar 2017 21:49:20 -0700 Subject: move db_upgrade to zlib --- Zotlabs/Lib/DB_Upgrade.php | 105 +++++++++++++++++++++++++++++++++++++++++++++ Zotlabs/Lib/ThreadItem.php | 1 - 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 Zotlabs/Lib/DB_Upgrade.php (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/DB_Upgrade.php b/Zotlabs/Lib/DB_Upgrade.php new file mode 100644 index 000000000..13adaced5 --- /dev/null +++ b/Zotlabs/Lib/DB_Upgrade.php 
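Review bot: The hunk leaves six lines of commented-out replacements in `purify()` rather than removing them; version control already keeps the history, and dead code beside a sanitizer invites someone to re-enable it without revisiting why it was disabled. Delete them and keep a one-line explanation, e.g. `// no post-purify rewrites: anything substituted after purify_html() is unvetted`. purify() is complete within the hunk.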
@@ -0,0 +1,105 @@ + (time() - 86400))) + return; + @unlink($lockfile); + //send the administrator an e-mail + file_put_contents($lockfile, $x); + + $r = q("select account_language from account where account_email = '%s' limit 1", + dbesc(App::$config['system']['admin_email']) + ); + push_lang(($r) ? $r[0]['account_language'] : 'en'); + + z_mail( + [ + 'toEmail' => \App::$config['system']['admin_email'], + 'messageSubject' => sprintf( t('Update Error at %s'), z_root()), + 'textVersion' => replace_macros(get_intltext_template('update_fail_eml.tpl'), + [ + '$sitename' => \App::$config['system']['sitename'], + '$siteurl' => z_root(), + '$update' => $x, + '$error' => sprintf( t('Update %s failed. See error logs.'), $x) + ] + ) + ] + ); + + //try the logger + logger('CRITICAL: Update Failed: ' . $x); + pop_lang(); + } + else { + set_config('database','update_r' . $x, 'success'); + } + } + } + set_config('system','db_version', $db_revision); + } + } + } + } +} \ No newline at end of file diff --git a/Zotlabs/Lib/ThreadItem.php b/Zotlabs/Lib/ThreadItem.php index c3464b86b..5910ea672 100644 --- a/Zotlabs/Lib/ThreadItem.php +++ b/Zotlabs/Lib/ThreadItem.php @@ -338,7 +338,6 @@ class ThreadItem { 'profile_url' => $profile_link, 'thread_action_menu' => thread_action_menu($item,$conv->get_mode()), 'thread_author_menu' => thread_author_menu($item,$conv->get_mode()), - 'item_photo_menu' => item_photo_menu($item), 'dreport' => $dreport, 'name' => $profile_name, 'thumb' => $profile_avatar, -- cgit v1.2.3 From 6e5a06421f7c841718196ac9e80d4b0c5221ce6a Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 25 Mar 2017 13:07:46 -0700 Subject: get rid of 'davguest' and allow for project specific DB updates (currently db updates are common between all possible projects/subprojects/forks). --- Zotlabs/Lib/DB_Upgrade.php | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) (limited to 'Zotlabs/Lib') 
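Review bot: `dbesc(App::$config['system']['admin_email'])` in the failure path uses the unqualified `App`, which inside `namespace Zotlabs\Lib` (visible in a later hunk of this file) resolves to `Zotlabs\Lib\App` and fails at exactly the moment an update has just failed and the administrator should be notified; the same hunk uses `\App::$config` a few lines later, so `dbesc(\App::$config['system']['admin_email'])` is the fix. `@unlink($lockfile)` and the following `file_put_contents($lockfile, $x)` also go unchecked; the lock file appears to be what rate-limits the failure e-mail, so at least a failed write should be logged. The start of the file did not survive extraction, so the class header and the beginning of the constructor could not be reviewed.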
diff --git a/Zotlabs/Lib/DB_Upgrade.php b/Zotlabs/Lib/DB_Upgrade.php index 13adaced5..2ee29c314 100644 --- a/Zotlabs/Lib/DB_Upgrade.php +++ b/Zotlabs/Lib/DB_Upgrade.php @@ -8,9 +8,10 @@ class DB_Upgrade { function __construct($db_revision) { - $build = get_config('system','db_version',0); + + $build = get_config('system', PLATFORM_NAME . '_db_version', 0); if(! intval($build)) - $build = set_config('system','db_version',$db_revision); + $build = set_config('system', PLATFORM_NAME . '_db_version', $db_revision); if($build == $db_revision) { // Nothing to be done. @@ -24,14 +25,17 @@ class DB_Upgrade { } $current = intval($db_revision); - if(($stored < $current) && file_exists('install/update.php')) { + + $update_file = 'install/' . PLATFORM_NAME . '/update.php'; + + if(($stored < $current) && file_exists($update_file)) { Config::Load('database'); // We're reporting a different version than what is currently installed. // Run any existing update scripts to bring the database up to current. - require_once('install/update.php'); + require_once($update_file); // make sure that boot.php and update.php are the same release, we might be // updating from git right this very second and the correct version of the update.php @@ -39,7 +43,8 @@ class DB_Upgrade { if($db_revision == UPDATE_VERSION) { for($x = $stored; $x < $current; $x ++) { - if(function_exists('update_r' . $x)) { + $func = PLATFORM_NAME . '_update_' . $x; + if(function_exists($func)) { // There could be a lot of processes running or about to run. // We want exactly one process to run the update command. // So store the fact that we're taking responsibility 
@@ -48,12 +53,11 @@ class DB_Upgrade { // If the update fails or times-out completely you may need to // delete the config entry to try again. - if(get_config('database','update_r' . $x)) + if(get_config('database', $func)) break; - set_config('database','update_r' . $x, '1'); + set_config('database',$func, '1'); // call the specific update - $func = 'update_r' . $x; $retval = $func(); if($retval) { @@ -93,11 +97,11 @@ class DB_Upgrade { pop_lang(); } else { - set_config('database','update_r' . $x, 'success'); + set_config('database',$func, 'success'); } } } - set_config('system','db_version', $db_revision); + set_config('system', PLATFORM_NAME . '_db_version', $db_revision); } } } -- cgit v1.2.3 From 57a8b3f85779d91c23855f7459622bce9ce89d55 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 25 Mar 2017 13:22:14 -0700 Subject: provide compatibility with old-style update system --- Zotlabs/Lib/DB_Upgrade.php | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/DB_Upgrade.php b/Zotlabs/Lib/DB_Upgrade.php index 2ee29c314..55c69bcca 100644 --- a/Zotlabs/Lib/DB_Upgrade.php +++ b/Zotlabs/Lib/DB_Upgrade.php 
@@ -5,13 +5,25 @@ namespace Zotlabs\Lib; class DB_Upgrade { + public $config_name = ''; + public $func_prefix = ''; function __construct($db_revision) { + $update_file = 'install/' . PLATFORM_NAME . '/update.php'; + if(! file_exists($update_file)) { + $update_file = 'install/update.php'; + $this->config_name = 'db_version'; + $this->func_prefix = 'update_r'; + } + else { + $this->config_name = PLATFORM_NAME . '_db_version'; + $this->func_prefix = PLATFORM_NAME . '_update_'; + } - $build = get_config('system', PLATFORM_NAME . '_db_version', 0); + $build = get_config('system', $this->config_name, 0); if(! intval($build)) - $build = set_config('system', PLATFORM_NAME . '_db_version', $db_revision); + $build = set_config('system', $this->config_name, $db_revision); if($build == $db_revision) { // Nothing to be done. @@ -26,8 +38,6 @@ class DB_Upgrade { $current = intval($db_revision); - $update_file = 'install/' . PLATFORM_NAME . '/update.php'; - if(($stored < $current) && file_exists($update_file)) { Config::Load('database'); @@ -43,7 +53,7 @@ class DB_Upgrade { if($db_revision == UPDATE_VERSION) { for($x = $stored; $x < $current; $x ++) { - $func = PLATFORM_NAME . '_update_' . $x; + $func = $this->func_prefix . $x; if(function_exists($func)) { // There could be a lot of processes running or about to run. // We want exactly one process to run the update command. @@ -101,7 +111,7 @@ class DB_Upgrade { } } } - set_config('system', PLATFORM_NAME . '_db_version', $db_revision); + set_config('system', $this->config_name, $db_revision); } } } -- cgit v1.2.3 From fbba78411dacd411d4455aea526a7b56a7a7be8c Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sun, 2 Apr 2017 17:34:16 -0700 Subject: app sorting issue --- Zotlabs/Lib/Apps.php | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/Apps.php b/Zotlabs/Lib/Apps.php index 0ca2f7a99..edf050b95 100644 --- a/Zotlabs/Lib/Apps.php +++ b/Zotlabs/Lib/Apps.php 
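Review bot: `public $config_name` and `public $func_prefix` are written once in the constructor and read only by this class in the visible hunks, so they should be `private`; exposing them lets a caller change which update functions get invoked and under which config key. The fallback branch also deserves a comment, e.g. `// no per-platform update file: use the shared install/update.php with its legacy update_rNNN / db_version names`. The constructor continues past the first hunk.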
@@ -219,7 +219,7 @@ class Apps { 'Suggest Channels' => t('Suggest Channels'), 'Login' => t('Login'), 'Channel Manager' => t('Channel Manager'), - 'Grid' => t('Grid'), + 'Grid' => t('Activity'), 'Settings' => t('Settings'), 'Files' => t('Files'), 'Webpages' => t('Webpages'), @@ -245,9 +245,19 @@ class Apps { 'Profile Photo' => t('Profile Photo') ); - if(array_key_exists($arr['name'],$apps)) { - $arr['name'] = $apps[$arr['name']]; + if(array_key_exists('name',$arr)) { + if(array_key_exists($arr['name'],$apps)) { + $arr['name'] = $apps[$arr['name']]; + } + } + else { + for($x = 0; $x < count($arr); $x++) { + if(array_key_exists($arr[$x]['name'],$apps)) { + $arr[$x]['name'] = $apps[$arr[$x]['name']]; + } + } } + } -- cgit v1.2.3 From f174c4fccb92388a8f3ce43472da29ea02f2be35 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 11 Apr 2017 23:05:56 -0700 Subject: don't allow any null fields in notify creation --- Zotlabs/Lib/Enotify.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/Enotify.php b/Zotlabs/Lib/Enotify.php index 5db5fb42d..a10675a87 100644 --- a/Zotlabs/Lib/Enotify.php +++ b/Zotlabs/Lib/Enotify.php @@ -495,13 +495,14 @@ class Enotify { } } - $r = q("insert into notify (hash,xname,url,photo,created,aid,uid,link,parent,seen,ntype,verb,otype) - values('%s','%s','%s','%s','%s',%d,%d,'%s','%s',%d,%d,'%s','%s')", + $r = q("insert into notify (hash,xname,url,photo,created,msg,aid,uid,link,parent,seen,ntype,verb,otype) + values('%s','%s','%s','%s','%s','%s',%d,%d,'%s','%s',%d,%d,'%s','%s')", dbesc($datarray['hash']), dbesc($datarray['xname']), dbesc($datarray['url']), dbesc($datarray['photo']), dbesc($datarray['created']), + dbesc(''), // will fill this in below after the record is created intval($datarray['aid']), intval($datarray['uid']), dbesc($datarray['link']), -- cgit v1.2.3 From 09967598e15eb5d201bcc676ffb329b97e1b89b8 Mon Sep 17 00:00:00 2001 
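Review bot: The new `else` branch reads `$arr[$x]['name']` without the `array_key_exists('name', ...)` guard the single-app branch just performed, so an entry without a name raises a notice and looks up `null` in `$apps`. A `foreach` with a key guard is both safer and clearer than `for`/`count()`: `foreach($arr as $k => $app) { if(isset($app['name']) && array_key_exists($app['name'],$apps)) $arr[$k]['name'] = $apps[$app['name']]; }`. The enclosing function starts before the hunk and its handling of `$arr` afterwards is not visible, so I'm assuming `$arr` is returned or passed by reference. A short comment distinguishing the two shapes (`// $arr is either a single app record or a list of them`) would also help.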
From: Mario Vavti Date: Wed, 19 Apr 2017 10:51:50 +0200 Subject: order wiki pages by creation date --- Zotlabs/Lib/NativeWikiPage.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index 960fe014e..bd40367c9 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -21,7 +21,7 @@ class NativeWikiPage { $sql_extra = item_permissions_sql($channel_id,$observer_hash); $r = q("select * from item where resource_type = 'nwikipage' and resource_id = '%s' and uid = %d and item_deleted = 0 - $sql_extra group by mid", + $sql_extra group by mid order by created asc", dbesc($resource_id), intval($channel_id) ); -- cgit v1.2.3 From 2778e63d6c51b5ca77d9a309ddb7390b239fa491 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 26 Apr 2017 19:47:05 -0700 Subject: issues from hubzilla:#737 --- Zotlabs/Lib/DB_Upgrade.php | 2 +- Zotlabs/Lib/NativeWiki.php | 4 ++-- Zotlabs/Lib/NativeWikiPage.php | 15 +++++++++++++-- 3 files changed, 16 insertions(+), 5 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/DB_Upgrade.php b/Zotlabs/Lib/DB_Upgrade.php index 55c69bcca..bb72e7a05 100644 --- a/Zotlabs/Lib/DB_Upgrade.php +++ b/Zotlabs/Lib/DB_Upgrade.php @@ -83,7 +83,7 @@ class DB_Upgrade { file_put_contents($lockfile, $x); $r = q("select account_language from account where account_email = '%s' limit 1", - dbesc(App::$config['system']['admin_email']) + dbesc(\App::$config['system']['admin_email']) ); push_lang(($r) ? $r[0]['account_language'] : 'en'); diff --git a/Zotlabs/Lib/NativeWiki.php b/Zotlabs/Lib/NativeWiki.php index 7786ec25a..4301feaa0 100644 --- a/Zotlabs/Lib/NativeWiki.php +++ b/Zotlabs/Lib/NativeWiki.php 
@@ -101,11 +101,11 @@ class NativeWiki { static public function sync_a_wiki_item($uid,$id,$resource_id) { - $r = q("SELECT * from item WHERE uid = %d AND ( id = %d OR ( resource_type = '%s' and resource_id = %d )) ", + $r = q("SELECT * from item WHERE uid = %d AND ( id = %d OR ( resource_type = '%s' and resource_id = '%s' )) ", intval($uid), intval($id), dbesc(NWIKI_ITEM_RESOURCE_TYPE), - intval($resource_id) + dbesc($resource_id) ); if($r) { xchan_query($r); diff --git a/Zotlabs/Lib/NativeWikiPage.php b/Zotlabs/Lib/NativeWikiPage.php index bd40367c9..ed3df436c 100644 --- a/Zotlabs/Lib/NativeWikiPage.php +++ b/Zotlabs/Lib/NativeWikiPage.php @@ -21,12 +21,23 @@ class NativeWikiPage { $sql_extra = item_permissions_sql($channel_id,$observer_hash); $r = q("select * from item where resource_type = 'nwikipage' and resource_id = '%s' and uid = %d and item_deleted = 0 - $sql_extra group by mid order by created asc", + $sql_extra order by created asc", dbesc($resource_id), intval($channel_id) ); if($r) { - $items = fetch_post_tags($r,true); + $x = []; + $y = []; + + foreach($r as $rv) { + if(! in_array($rv['mid'],$x)) { + $y[] = $rv; + $x[] = $rv['mid']; + } + } + + $items = fetch_post_tags($y,true); + foreach($items as $page_item) { $title = get_iconfig($page_item['id'],'nwikipage','pagetitle',t('(No Title)')); if(urldecode($title) !== 'Home') { -- cgit v1.2.3 From 4b4b06bec5fba5bfae4a941af4b45627e0b4434c Mon Sep 17 00:00:00 2001 From: zotlabs Date: Fri, 5 May 2017 02:27:24 -0700 Subject: markdown autolinks - hubzilla bug #752 --- Zotlabs/Lib/MarkdownSoap.php | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/MarkdownSoap.php b/Zotlabs/Lib/MarkdownSoap.php index a0214bbe4..534ad819f 100644 --- a/Zotlabs/Lib/MarkdownSoap.php +++ b/Zotlabs/Lib/MarkdownSoap.php @@ -77,15 +77,22 @@ class MarkdownSoap { } function purify($s) { -// $s = str_replace("\n",'
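Review bot: The de-duplication loop added in the NativeWikiPage `@@ -21,12 +21,23 @@` hunk calls `in_array($rv['mid'],$x)` without `true`, so mids are compared loosely, and each call scans the whole `$x` array, making the loop quadratic in the row count; keying a set on the mid, `if(! isset($seen[$rv['mid']])) { $seen[$rv['mid']] = true; $y[] = $rv; }`, gives a strict O(1) check. Because the query now orders by `created asc`, the row kept per mid is the oldest one; if rows sharing a mid are page revisions, confirm that the oldest rather than the newest is the intended representative. The function enclosing this hunk starts outside it.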
',$s); -// $s = str_replace("\t",'    ',$s); -// $s = str_replace(' ',' ',$s); + $s = $this->protect_autolinks($s); $s = purify_html($s); -// $s = str_replace([' ', mb_convert_encoding(' ','UTF-8','HTML-ENTITIES')], [ ' ', ' ' ],$s); -// $s = str_replace(['
','
', '<', '>' ],["\n","\n", '<', '>'],$s); + $s = $this->unprotect_autolinks($s); return $s; } + function protect_autolinks($s) { + $s = preg_replace('/\<(https?\:\/\/)(.*?)\>/','[$1$2]($1$2)',$s); + return $s; + } + + function unprotect_autolinks($s) { + return $s; + + } + function escape($s) { return htmlspecialchars($s,ENT_QUOTES); } -- cgit v1.2.3 From 803be11bbc6e4d149629808b4473833f73910c6f Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sun, 14 May 2017 18:02:22 -0700 Subject: Do not yet understand why on postgres, app['plugin'] gets set to 3 linefeeds but this prevents it from rendering --- Zotlabs/Lib/Apps.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'Zotlabs/Lib') diff --git a/Zotlabs/Lib/Apps.php b/Zotlabs/Lib/Apps.php index edf050b95..2ace361ca 100644 --- a/Zotlabs/Lib/Apps.php +++ b/Zotlabs/Lib/Apps.php @@ -34,7 +34,7 @@ class Apps { if($files) { foreach($files as $f) { $path = explode('/',$f); - $plugin = $path[1]; + $plugin = trim($path[1]); if(plugin_is_installed($plugin)) { $x = self::parse_app_description($f,$translate); if($x) { @@ -285,7 +285,7 @@ class Apps { self::translate_system_apps($papp); - if(($papp['plugin']) && (! plugin_is_installed($papp['plugin']))) + if(trim($papp['plugin']) && (! plugin_is_installed(trim($papp['plugin'])))) return ''; $papp['papp'] = self::papp_encode($papp); 
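Review bot: `protect_autolinks` captures `(.*?)` between `<https?://` and the next `>`, so any text on that line, including spaces, quotes and `)`, is swallowed and rewritten into `[$1$2]($1$2)`, where a `)` or whitespace breaks the generated markdown link and an unrelated later `>` drags intervening text into it; limiting the capture to URL characters, `preg_replace('/\<(https?\:\/\/)([^\s<>]+?)\>/','[$1$2]($1$2)',$s)`, keeps the rewrite to genuine autolinks. Running the rewrite before `purify_html` means the link survives purification as markdown rather than HTML, which appears to be the intent, but the captured URL is still untrusted input for whatever markdown renderer consumes this output. `unprotect_autolinks` returns its argument unchanged; if that is deliberate, a one-line comment such as `// no-op: the markdown link produced by protect_autolinks needs no restoring` stops the next reader treating it as unfinished.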
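Review bot: The `trim()` added in the `@@ -34,7 +34,7 @@` and `@@ -285,7 +285,7 @@` hunks, and again in `@@ -575`, `@@ -653` and `@@ -763` of the same commit, normalises the same field at five separate sites; the `-575` and `-653` hunks appear to be the write side and already store a trimmed `app_plugin`, so the read-side trims only matter for rows written before this change, and a single normalisation where app rows are loaded would cover every consumer without repeating the call. The commit message says the linefeed padding on postgres is not understood, so each trim deserves a why-comment, e.g. `// app_plugin has been seen padded with linefeeds on postgres; trim until the cause is found`, otherwise a later cleanup will look safe to remove. In the `-285` hunk `trim($papp['plugin'])` runs for every app, including ones with no `plugin` key; the original truthiness test behaved the same, so this is not new, but a guard is worth adding if `$papp` can lack the key.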
@@ -575,7 +575,7 @@ class Apps { $darray['app_addr'] = ((x($arr,'addr')) ? escape_tags($arr['addr']) : ''); $darray['app_price'] = ((x($arr,'price')) ? escape_tags($arr['price']) : ''); $darray['app_page'] = ((x($arr,'page')) ? escape_tags($arr['page']) : ''); - $darray['app_plugin'] = ((x($arr,'plugin')) ? escape_tags($arr['plugin']) : ''); + $darray['app_plugin'] = ((x($arr,'plugin')) ? escape_tags(trim($arr['plugin'])) : ''); $darray['app_requires'] = ((x($arr,'requires')) ? escape_tags($arr['requires']) : ''); $darray['app_system'] = ((x($arr,'system')) ? intval($arr['system']) : 0); $darray['app_deleted'] = ((x($arr,'deleted')) ? intval($arr['deleted']) : 0); @@ -653,7 +653,7 @@ class Apps { $darray['app_addr'] = ((x($arr,'addr')) ? escape_tags($arr['addr']) : ''); $darray['app_price'] = ((x($arr,'price')) ? escape_tags($arr['price']) : ''); $darray['app_page'] = ((x($arr,'page')) ? escape_tags($arr['page']) : ''); - $darray['app_plugin'] = ((x($arr,'plugin')) ? escape_tags($arr['plugin']) : ''); + $darray['app_plugin'] = ((x($arr,'plugin')) ? escape_tags(trim($arr['plugin'])) : ''); $darray['app_requires'] = ((x($arr,'requires')) ? escape_tags($arr['requires']) : ''); $darray['app_system'] = ((x($arr,'system')) ? intval($arr['system']) : 0); $darray['app_deleted'] = ((x($arr,'deleted')) ? intval($arr['deleted']) : 0); @@ -763,7 +763,7 @@ class Apps { $ret['system'] = $app['app_system']; if($app['app_plugin']) - $ret['plugin'] = $app['app_plugin']; + $ret['plugin'] = trim($app['app_plugin']); if($app['app_deleted']) $ret['deleted'] = $app['app_deleted']; -- cgit v1.2.3