From e109abbef7fed77898da7adb9d43e686dc96c29a Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Sun, 12 Jun 2016 07:17:23 -0400 Subject: Apply purify_html to page content before preview and save to prevent JavaScript code injection. --- Zotlabs/Module/Wiki.php | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) (limited to 'Zotlabs') diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index fbf751ddf..1e6446904 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller { if((argc() > 2) && (argv(2) === 'preview')) { $content = $_POST['content']; require_once('library/markdown.php'); - $html = Markdown($content); + $html = purify_html(Markdown($content)); json_return_and_die(array('html' => $html, 'success' => true)); } @@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller { // more detail permissions framework if (local_channel() !== intval($channel['channel_id'])) { goaway('/'.argv(0).'/'.$nick.'/'); - } else { - /* - $channel = get_channel_by_nick($nick); - // Figure out who the page owner is. - $perms = get_all_perms(intval($channel['channel_id']), $observer_hash); - // TODO: Create a new permission setting for wiki analogous to webpages. Until - // then, use webpage permissions - if (!$perms['write_pages']) { - notice(t('Permission denied.') . EOL); - goaway('/'.argv(0).'/'.argv(1).'/'); - } - */ - } + } $wiki = array(); // Generate new wiki info from input name $wiki['rawName'] = $_POST['wikiName']; @@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller { $resource_id = $_POST['resource_id']; $pageUrlName = $_POST['name']; $pageHtmlName = escape_tags($_POST['name']); - $content = escape_tags($_POST['content']); //Get new content + $content = $_POST['content']; //Get new content $commitMsg = $_POST['commitMsg']; if ($commitMsg === '') { $commitMsg = 'Updated ' . $pageHtmlName; -- cgit v1.2.3 From 976e32d3ae8b95edbe6c0fba912cf0ba1adddb22 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Wed, 15 Jun 2016 16:24:45 -0700 Subject: translate already imported system apps --- Zotlabs/Lib/Apps.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Zotlabs') diff --git a/Zotlabs/Lib/Apps.php b/Zotlabs/Lib/Apps.php index ed06943a1..20556212a 100644 --- a/Zotlabs/Lib/Apps.php +++ b/Zotlabs/Lib/Apps.php @@ -264,6 +264,8 @@ class Apps { if(! $papp['photo']) $papp['photo'] = z_root() . '/' . get_default_profile_photo(80); + self::translate_system_apps($papp); + $papp['papp'] = self::papp_encode($papp); if(! strstr($papp['url'],'://')) -- cgit v1.2.3 From 961539258be90f5b7c989299db0e8c551d0d6c72 Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Fri, 17 Jun 2016 06:33:39 -0400 Subject: Wiki page revision comparison tool with diff displayed in modal dialog. Leverages Diff class from http://code.stephenmorley.org/php/diff-implementation with license CC0 1.0 universal http://creativecommons.org/publicdomain/zero/1.0/legalcode --- Zotlabs/Module/Wiki.php | 42 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) (limited to 'Zotlabs') diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index 9e7d151b5..83fa0e337 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -136,6 +136,16 @@ class Wiki extends \Zotlabs\Web\Controller { // Render the Markdown-formatted page content in HTML require_once('library/markdown.php'); + $wikiModalID = random_string(3); + $wikiModal = replace_macros( + get_markup_template('generic_modal.tpl'), array( + '$id' => $wikiModalID, + '$title' => t('Revision Comparison'), + '$ok' => t('Revert'), + '$cancel' => t('Cancel') + ) + ); + $o .= replace_macros(get_markup_template('wiki.tpl'),array( '$wikiheaderName' => $wikiheaderName, '$wikiheaderPage' => $wikiheaderPage, @@ -157,7 +167,10 @@ class Wiki extends \Zotlabs\Web\Controller { '$pageName' => array('pageName', t('Enter the name of the new page:'), '', ''), '$pageRename' => array('pageRename', t('Enter the new name:'), '', ''), '$commitMsg' => array('commitMsg', '', '', '', '', 'placeholder="(optional) Enter a custom message when saving the page..."'), - '$pageHistory' => $pageHistory['history'] + '$pageHistory' => $pageHistory['history'], + '$wikiModal' => $wikiModal, + '$wikiModalID' => $wikiModalID, + '$commit' => 'HEAD' )); head_add_js('library/ace/ace.js'); // Ace Code Editor return $o; @@ -412,7 +425,7 @@ class Wiki extends \Zotlabs\Web\Controller { json_return_and_die(array('success' => false)); } } - $reverted = wiki_revert_page(array('commitHash' => $commitHash, 'observer' => \App::get_observer(), 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName)); + $reverted = wiki_revert_page(array('commitHash' => $commitHash, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName)); if($reverted['success']) { json_return_and_die(array('content' => $reverted['content'], 'message' => '', 'success' => true)); } else { @@ -420,6 +433,31 @@ class Wiki extends \Zotlabs\Web\Controller { } } + // Compare page revisions + if ((argc() === 4) && (argv(2) === 'compare') && (argv(3) === 'page')) { + $resource_id = $_POST['resource_id']; + $pageUrlName = $_POST['name']; + $compareCommit = $_POST['compareCommit']; + $currentCommit = $_POST['currentCommit']; + // Determine if observer has permission to revert pages + $nick = argv(1); + $channel = get_channel_by_nick($nick); + if (local_channel() !== intval($channel['channel_id'])) { + $observer_hash = get_observer_hash(); + $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash); + if(!$perms['read']) { + logger('Wiki read permission denied.' . EOL); + json_return_and_die(array('success' => false)); + } + } + $compare = wiki_compare_page(array('currentCommit' => $currentCommit, 'compareCommit' => $compareCommit, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName)); + if($compare['success']) { + json_return_and_die(array('diff' => $compare['diff'], 'message' => '', 'success' => true)); + } else { + json_return_and_die(array('diff' => '', 'message' => 'Error comparing page', 'success' => false)); + } + } + // Rename a page if ((argc() === 4) && (argv(2) === 'rename') && (argv(3) === 'page')) { $resource_id = $_POST['resource_id']; -- cgit v1.2.3 From 22edd00211b9733cc05bbd15104da6c977d58c10 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Fri, 17 Jun 2016 16:28:36 -0700 Subject: "thing" always showing default url, not that supplied by the thing. --- Zotlabs/Module/Thing.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs') diff --git a/Zotlabs/Module/Thing.php b/Zotlabs/Module/Thing.php index e23cce565..65fc0588e 100644 --- a/Zotlabs/Module/Thing.php +++ b/Zotlabs/Module/Thing.php @@ -26,7 +26,7 @@ class Thing extends \Zotlabs\Web\Controller { $verb = escape_tags($_REQUEST['verb']); $activity = intval($_REQUEST['activity']); $profile_guid = escape_tags($_REQUEST['profile_assign']); - $url = $_REQUEST['link']; + $url = $_REQUEST['url']; $photo = $_REQUEST['img']; $hash = random_string(); @@ -235,7 +235,7 @@ class Thing extends \Zotlabs\Web\Controller { } - function get() { + function get() { // @FIXME one problem with things is we can't share them unless we provide the channel in the url // so we can definitively lookup the owner. -- cgit v1.2.3 From a3ec9f394068d7dccef44c8f27c085cb380e54d5 Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Mon, 20 Jun 2016 13:27:05 -0400 Subject: Add formatted heading for revision comparison viewer --- Zotlabs/Module/Wiki.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Zotlabs') diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index 83fa0e337..bef831de8 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -452,7 +452,8 @@ class Wiki extends \Zotlabs\Web\Controller { } $compare = wiki_compare_page(array('currentCommit' => $currentCommit, 'compareCommit' => $compareCommit, 'resource_id' => $resource_id, 'pageUrlName' => $pageUrlName)); if($compare['success']) { - json_return_and_die(array('diff' => $compare['diff'], 'message' => '', 'success' => true)); + $diffHTML = '
Current RevisionSelected Revision
' . $compare['diff']; + json_return_and_die(array('diff' => $diffHTML, 'message' => '', 'success' => true)); } else { json_return_and_die(array('diff' => '', 'message' => 'Error comparing page', 'success' => false)); } -- cgit v1.2.3 From 17c5502330136bf429556935fef956781edb865f Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Mon, 20 Jun 2016 21:45:15 +0200 Subject: missing backslash leading to wsod on xconfig changes --- Zotlabs/Lib/XConfig.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs') diff --git a/Zotlabs/Lib/XConfig.php b/Zotlabs/Lib/XConfig.php index e28dcf559..7f3d0f2cd 100644 --- a/Zotlabs/Lib/XConfig.php +++ b/Zotlabs/Lib/XConfig.php @@ -122,7 +122,7 @@ class XConfig { ); } - App::$config[$xchan][$family][$key] = $value; + \App::$config[$xchan][$family][$key] = $value; if($ret) return $value; @@ -157,4 +157,4 @@ class XConfig { return $ret; } -} \ No newline at end of file +} -- cgit v1.2.3