From 232862ae08661ecca4d0688001904648b7894a8a Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Sat, 25 Feb 2017 13:54:39 -0800
Subject: escape tags on viewsrc output in case it is not text/bbcode.
---
Zotlabs/Module/Viewsrc.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'Zotlabs/Module/Viewsrc.php')
diff --git a/Zotlabs/Module/Viewsrc.php b/Zotlabs/Module/Viewsrc.php
index fa755a3ec..cb305efc6 100644
--- a/Zotlabs/Module/Viewsrc.php
+++ b/Zotlabs/Module/Viewsrc.php
@@ -36,7 +36,9 @@ class Viewsrc extends \Zotlabs\Web\Controller {
if($r) {
if(intval($r[0]['item_obscured']))
$r[0]['body'] = crypto_unencapsulate(json_decode($r[0]['body'],true),get_config('system','prvkey'));
- $o = (($json) ? json_encode($r[0]['body']) : str_replace("\n",'
',$r[0]['body']));
+
+ $content = escape_tags($r[0]['body']);
+ $o = (($json) ? json_encode($content) : str_replace("\n",'
',$content)); } } -- cgit v1.2.3 From bff2ed3837219137abdd320d0e12da89ab7ec6b0 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 17 Apr 2017 20:45:53 -0700 Subject: allow downloading via viewsrc to support client side e2ee --- Zotlabs/Module/Viewsrc.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'Zotlabs/Module/Viewsrc.php') diff --git a/Zotlabs/Module/Viewsrc.php b/Zotlabs/Module/Viewsrc.php index cb305efc6..f84eddc69 100644 --- a/Zotlabs/Module/Viewsrc.php +++ b/Zotlabs/Module/Viewsrc.php @@ -13,6 +13,7 @@ class Viewsrc extends \Zotlabs\Web\Controller { $item_id = ((argc() > 1) ? intval(argv(1)) : 0); $json = ((argc() > 2 && argv(2) === 'json') ? true : false); + $dload = ((argc() > 2 && argv(2) === 'download') ? true : false); if(! local_channel()) { notice( t('Permission denied.') . EOL); @@ -27,7 +28,7 @@ class Viewsrc extends \Zotlabs\Web\Controller { $item_normal = item_normal(); if(local_channel() && $item_id) { - $r = q("select id, item_flags, item_obscured, body from item where uid in (%d , %d) and id = %d $item_normal limit 1", + $r = q("select id, item_flags, mimetype, item_obscured, body from item where uid in (%d , %d) and id = %d $item_normal limit 1", intval(local_channel()), intval($sys['channel_id']), intval($item_id) @@ -37,6 +38,14 @@ class Viewsrc extends \Zotlabs\Web\Controller { if(intval($r[0]['item_obscured'])) $r[0]['body'] = crypto_unencapsulate(json_decode($r[0]['body'],true),get_config('system','prvkey')); + if($dload) { + header('Content-type: ' . $r[0]['mimetype']); + header('Content-disposition: attachment; filename="' . t('item') . '-' . $item_id . '"' ); + echo $r[0]['body']; + killme(); + } + + $content = escape_tags($r[0]['body']); $o = (($json) ? json_encode($content) : str_replace("\n",'
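Review bot: The escaped `$content` in the first patch feeds both the HTML branch and the `json_encode()` branch, so callers of the `json` mode now receive entity-encoded text rather than the stored source. That is the safe choice if the client inserts the value as markup, but a client that sets it as plain text will show literal entities; which one applies is not visible here. `escape_tags()` is defined outside this page, so it is worth confirming that it also encodes `&` and quotes, not only angle brackets. A short comment above the assignment, e.g. `// body can be any mimetype, not just bbcode: never emit it unescaped into the page`, would keep the escaping from being dropped later. The function starts and ends outside the hunk.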
',$content));
}
--
cgit v1.2.3
From c904bd3a628e4bf3c2420ee314277da69828c3b2 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Thu, 20 Apr 2017 20:19:15 -0700
Subject: The rest of the library and backend changes to support client-side e2ee and deprecate previous uses of item_obscured.
---
Zotlabs/Module/Viewsrc.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Zotlabs/Module/Viewsrc.php')
diff --git a/Zotlabs/Module/Viewsrc.php b/Zotlabs/Module/Viewsrc.php
index f84eddc69..54ab89e81 100644
--- a/Zotlabs/Module/Viewsrc.php
+++ b/Zotlabs/Module/Viewsrc.php
@@ -36,7 +36,7 @@ class Viewsrc extends \Zotlabs\Web\Controller {
if($r) {
if(intval($r[0]['item_obscured']))
- $r[0]['body'] = crypto_unencapsulate(json_decode($r[0]['body'],true),get_config('system','prvkey'));
+ $dload = true;
if($dload) {
header('Content-type: ' . $r[0]['mimetype']);
--
cgit v1.2.3
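Review bot: In the `if($dload)` block of the second patch, `$r[0]['mimetype']` is copied from the item row into the `Content-type` header unchecked, and the body is echoed without the `escape_tags()` used on the inline path. The attachment disposition is what keeps the raw body from being rendered, so the response should not depend on the stored type being sane: fall back when it is empty, e.g. `$type = (($r[0]['mimetype']) ? $r[0]['mimetype'] : 'application/octet-stream');`, and add `header('X-Content-Type-Options: nosniff');`. The filename embeds `t('item')` inside a quoted parameter, so a translation containing a double quote would break the header. The function starts and ends outside the hunk.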
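Review bot: Forcing `$dload = true;` in the third patch whenever `item_obscured` is set means a request made with the `json` argument now gets an attachment instead of JSON, and the body is sent without server-side decryption because the `crypto_unencapsulate()` call is gone. The commit subject suggests this is intended, but the code does not say so; a comment above the `if`, e.g. `// obscured bodies are ciphertext meant for client-side decryption: always return them as a download, never inline`, would record it. The braceless `if(intval(...))` sitting directly above `if($dload) {` is easy to misread, so braces around `$dload = true;` would help. The function starts and ends outside the hunk.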