From e109abbef7fed77898da7adb9d43e686dc96c29a Mon Sep 17 00:00:00 2001
From: Andrew Manning <tamanning@zoho.com>
Date: Sun, 12 Jun 2016 07:17:23 -0400
Subject: Apply purify_html to page content before preview and save to prevent
 JavaScript code injection.

---
 Zotlabs/Module/Wiki.php | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index fbf751ddf..1e6446904 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 		if((argc() > 2) && (argv(2) === 'preview')) {
 			$content = $_POST['content'];
 			require_once('library/markdown.php');
-			$html = Markdown($content);
+			$html = purify_html(Markdown($content));
 			json_return_and_die(array('html' => $html, 'success' => true));
 		}
 		
@@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 			// more detail permissions framework
 			if (local_channel() !== intval($channel['channel_id'])) {
 				goaway('/'.argv(0).'/'.$nick.'/');
-			} else {				
-				/*
-				$channel = get_channel_by_nick($nick);
-				// Figure out who the page owner is.
-				$perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
-				// TODO: Create a new permission setting for wiki analogous to webpages. Until
-				// then, use webpage permissions
-				if (!$perms['write_pages']) {
-					notice(t('Permission denied.') . EOL);
-					goaway('/'.argv(0).'/'.argv(1).'/');
-				}
-				*/
-			}
+			} 
 			$wiki = array(); 
 			// Generate new wiki info from input name
 			$wiki['rawName'] = $_POST['wikiName'];
@@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 			$resource_id = $_POST['resource_id']; 
 			$pageUrlName = $_POST['name'];
 			$pageHtmlName = escape_tags($_POST['name']);
-			$content = escape_tags($_POST['content']); //Get new content
+			$content = $_POST['content']; //Get new content
 			$commitMsg = $_POST['commitMsg']; 
 			if ($commitMsg === '') {
 				$commitMsg = 'Updated ' . $pageHtmlName;
-- 
cgit v1.2.3


From 976e32d3ae8b95edbe6c0fba912cf0ba1adddb22 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Wed, 15 Jun 2016 16:24:45 -0700
Subject: translate already imported system apps

---
 Zotlabs/Lib/Apps.php | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Lib/Apps.php b/Zotlabs/Lib/Apps.php
index ed06943a1..20556212a 100644
--- a/Zotlabs/Lib/Apps.php
+++ b/Zotlabs/Lib/Apps.php
@@ -264,6 +264,8 @@ class Apps {
 		if(! $papp['photo'])
 			$papp['photo'] = z_root() . '/' . get_default_profile_photo(80);
 
+		self::translate_system_apps($papp);
+
 		$papp['papp'] = self::papp_encode($papp);
 
 		if(! strstr($papp['url'],'://'))
-- 
cgit v1.2.3


From 961539258be90f5b7c989299db0e8c551d0d6c72 Mon Sep 17 00:00:00 2001
From: Andrew Manning <tamanning@zoho.com>
Date: Fri, 17 Jun 2016 06:33:39 -0400
Subject: Wiki page revision comparison tool with diff displayed in modal
 dialog. Leverages Diff class from
 http://code.stephenmorley.org/php/diff-implementation with license CC0 1.0
 universal http://creativecommons.org/publicdomain/zero/1.0/legalcode

---
 Zotlabs/Module/Wiki.php | 42 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 9e7d151b5..83fa0e337 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -136,6 +136,16 @@ class Wiki extends \Zotlabs\Web\Controller {
 		// Render the Markdown-formatted page content in HTML
 		require_once('library/markdown.php');	
 		
+		$wikiModalID = random_string(3);
+		$wikiModal = replace_macros(
+			get_markup_template('generic_modal.tpl'), array(
+				'$id' => $wikiModalID,
+				'$title' => t('Revision Comparison'),
+				'$ok' => t('Revert'),
+				'$cancel' => t('Cancel')
+			)
+		);
+		
 		$o .= replace_macros(get_markup_template('wiki.tpl'),array(
 			'$wikiheaderName' => $wikiheaderName,
 			'$wikiheaderPage' => $wikiheaderPage,
@@ -157,7 +167,10 @@ class Wiki extends \Zotlabs\Web\Controller {
 			'$pageName' => array('pageName', t('Enter the name of the new page:'), '', ''),
 			'$pageRename' => array('pageRename', t('Enter the new name:'), '', ''),
 			'$commitMsg' => array('commitMsg', '', '', '', '', 'placeholder="(optional) Enter a custom message when saving the page..."'),
-			'$pageHistory' => $pageHistory['history']
+			'$pageHistory' => $pageHistory['history'],
+			'$wikiModal' => $wikiModal,
+			'$wikiModalID' => $wikiModalID,
+			'$commit' => 'HEAD'
 		));
 		head_add_js('library/ace/ace.js');	// Ace Code Editor
 		return $o;
@@ -412,7 +425,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 					json_return_and_die(array('success' => false));					
 				}
 			}
-			$reverted = wiki_revert_page(array('commitHash' => $commitHash, 'observer' => \App::get_observer(), 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
+			$reverted = wiki_revert_page(array('commitHash' => $commitHash, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
 			if($reverted['success']) {
 				json_return_and_die(array('content' => $reverted['content'], 'message' => '', 'success' => true));					
 			} else {
@@ -420,6 +433,31 @@ class Wiki extends \Zotlabs\Web\Controller {
 			}
 		}
 		
+		// Compare page revisions
+		if ((argc() === 4) && (argv(2) === 'compare') && (argv(3) === 'page')) {
+			$resource_id = $_POST['resource_id']; 
+			$pageUrlName = $_POST['name'];
+			$compareCommit = $_POST['compareCommit'];
+			$currentCommit = $_POST['currentCommit'];
+			// Determine if observer has permission to revert pages
+			$nick = argv(1);
+			$channel = get_channel_by_nick($nick);			
+			if (local_channel() !== intval($channel['channel_id'])) {
+				$observer_hash = get_observer_hash();
+				$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
+				if(!$perms['read']) {
+					logger('Wiki read permission denied.' . EOL);
+					json_return_and_die(array('success' => false));					
+				}
+			}
+			$compare = wiki_compare_page(array('currentCommit' => $currentCommit, 'compareCommit' => $compareCommit, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
+			if($compare['success']) {
+				json_return_and_die(array('diff' => $compare['diff'], 'message' => '', 'success' => true));					
+			} else {
+				json_return_and_die(array('diff' => '', 'message' => 'Error comparing page', 'success' => false));					
+			}
+		}
+		
 		// Rename a page
 		if ((argc() === 4) && (argv(2) === 'rename') && (argv(3) === 'page')) {
 			$resource_id = $_POST['resource_id']; 
-- 
cgit v1.2.3


From 22edd00211b9733cc05bbd15104da6c977d58c10 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Fri, 17 Jun 2016 16:28:36 -0700
Subject: "thing" always showing default url, not that supplied by the thing.

---
 Zotlabs/Module/Thing.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Thing.php b/Zotlabs/Module/Thing.php
index e23cce565..65fc0588e 100644
--- a/Zotlabs/Module/Thing.php
+++ b/Zotlabs/Module/Thing.php
@@ -26,7 +26,7 @@ class Thing extends \Zotlabs\Web\Controller {
 		$verb = escape_tags($_REQUEST['verb']);
 		$activity = intval($_REQUEST['activity']);
 		$profile_guid = escape_tags($_REQUEST['profile_assign']);
-		$url = $_REQUEST['link'];
+		$url = $_REQUEST['url'];
 		$photo = $_REQUEST['img'];
 	
 		$hash = random_string();
@@ -235,7 +235,7 @@ class Thing extends \Zotlabs\Web\Controller {
 	}
 	
 	
-		function get() {
+	function get() {
 	
 		// @FIXME one problem with things is we can't share them unless we provide the channel in the url
 		// so we can definitively lookup the owner. 
-- 
cgit v1.2.3


From a3ec9f394068d7dccef44c8f27c085cb380e54d5 Mon Sep 17 00:00:00 2001
From: Andrew Manning <tamanning@zoho.com>
Date: Mon, 20 Jun 2016 13:27:05 -0400
Subject: Add formatted heading for revision comparison viewer

---
 Zotlabs/Module/Wiki.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 83fa0e337..bef831de8 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -452,7 +452,8 @@ class Wiki extends \Zotlabs\Web\Controller {
 			}
 			$compare = wiki_compare_page(array('currentCommit' => $currentCommit, 'compareCommit' => $compareCommit, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
 			if($compare['success']) {
-				json_return_and_die(array('diff' => $compare['diff'], 'message' => '', 'success' => true));					
+				$diffHTML = '<table class="text-center" width="100%"><tr><td class="lead" width="50%">Current Revision</td><td class="lead" width="50%">Selected Revision</td></tr></table>' . $compare['diff'];
+				json_return_and_die(array('diff' => $diffHTML, 'message' => '', 'success' => true));					
 			} else {
 				json_return_and_die(array('diff' => '', 'message' => 'Error comparing page', 'success' => false));					
 			}
-- 
cgit v1.2.3


From 17c5502330136bf429556935fef956781edb865f Mon Sep 17 00:00:00 2001
From: Mario Vavti <mario@mariovavti.com>
Date: Mon, 20 Jun 2016 21:45:15 +0200
Subject: missing backslash leading to wsod on xconfig changes

---
 Zotlabs/Lib/XConfig.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Lib/XConfig.php b/Zotlabs/Lib/XConfig.php
index e28dcf559..7f3d0f2cd 100644
--- a/Zotlabs/Lib/XConfig.php
+++ b/Zotlabs/Lib/XConfig.php
@@ -122,7 +122,7 @@ class XConfig {
 			);
 		}
 
-		App::$config[$xchan][$family][$key] = $value;
+		\App::$config[$xchan][$family][$key] = $value;
 
 		if($ret)
 			return $value;
@@ -157,4 +157,4 @@ class XConfig {
 		return $ret;
 	}
 
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3