From e109abbef7fed77898da7adb9d43e686dc96c29a Mon Sep 17 00:00:00 2001
From: Andrew Manning
Date: Sun, 12 Jun 2016 07:17:23 -0400
Subject: Apply purify_html to page content before preview and save to prevent JavaScript code injection.

---
 Zotlabs/Module/Wiki.php | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index fbf751ddf..1e6446904 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 if((argc() > 2) && (argv(2) === 'preview')) {
 $content = $_POST['content'];
 require_once('library/markdown.php');
- $html = Markdown($content);
+ $html = purify_html(Markdown($content));
 json_return_and_die(array('html' => $html, 'success' => true));
 }
 
@@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 // more detail permissions framework
 if (local_channel() !== intval($channel['channel_id'])) {
 goaway('/'.argv(0).'/'.$nick.'/');
- } else {
- /*
- $channel = get_channel_by_nick($nick);
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- notice(t('Permission denied.') . EOL);
- goaway('/'.argv(0).'/'.argv(1).'/');
- }
- */
- }
+ }
 $wiki = array();
 // Generate new wiki info from input name
 $wiki['rawName'] = $_POST['wikiName'];
@@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 $resource_id = $_POST['resource_id'];
 $pageUrlName = $_POST['name'];
 $pageHtmlName = escape_tags($_POST['name']);
- $content = escape_tags($_POST['content']); //Get new content
+ $content = $_POST['content']; //Get new content
 $commitMsg = $_POST['commitMsg'];
 if ($commitMsg === '') {
 $commitMsg = 'Updated ' . $pageHtmlName;
-- 
cgit v1.2.3
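Review bot: In the third hunk (`@@ -306,7 +294,7 @@`) the save path now stores `$content = $_POST['content']` with `escape_tags` dropped and no sanitizer visible in its place, while only the preview hunk wraps the rendered output in `purify_html(Markdown($content))`. The subject says content is purified before save as well, so either that call lives outside the hunk (the enclosing save branch starts and ends outside it) or the stored markdown reaches the renderer untouched; this is worth confirming and recording at the assignment, e.g. `$content = $_POST['content']; // stored as raw markdown on purpose: purify_html() runs on the rendered HTML, not on the markdown source`. Running purify_html on the markdown source itself may alter `<`/`>` in code spans and blockquotes, so whichever path is chosen the purification belongs after `Markdown()`, as the preview hunk already does.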
From 976e32d3ae8b95edbe6c0fba912cf0ba1adddb22 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 15 Jun 2016 16:24:45 -0700
Subject: translate already imported system apps

---
 Zotlabs/Lib/Apps.php | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Lib/Apps.php b/Zotlabs/Lib/Apps.php
index ed06943a1..20556212a 100644
--- a/Zotlabs/Lib/Apps.php
+++ b/Zotlabs/Lib/Apps.php
@@ -264,6 +264,8 @@ class Apps {
 if(! $papp['photo'])
 $papp['photo'] = z_root() . '/' . get_default_profile_photo(80);
 
+ self::translate_system_apps($papp);
+
 $papp['papp'] = self::papp_encode($papp);
 
 if(! strstr($papp['url'],'://'))
-- 
cgit v1.2.3

From 22edd00211b9733cc05bbd15104da6c977d58c10 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Fri, 17 Jun 2016 16:28:36 -0700
Subject: "thing" always showing default url, not that supplied by the thing.

---
 Zotlabs/Module/Thing.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Thing.php b/Zotlabs/Module/Thing.php
index e23cce565..65fc0588e 100644
--- a/Zotlabs/Module/Thing.php
+++ b/Zotlabs/Module/Thing.php
@@ -26,7 +26,7 @@ class Thing extends \Zotlabs\Web\Controller {
 $verb = escape_tags($_REQUEST['verb']);
 $activity = intval($_REQUEST['activity']);
 $profile_guid = escape_tags($_REQUEST['profile_assign']);
- $url = $_REQUEST['link'];
+ $url = $_REQUEST['url'];
 $photo = $_REQUEST['img'];
 
 $hash = random_string();
@@ -235,7 +235,7 @@ class Thing extends \Zotlabs\Web\Controller {
 
 }
 
- function get() {
+ function get() {
 
 // @FIXME one problem with things is we can't share them unless we provide the channel in the url
 // so we can definitively lookup the owner.
-- 
cgit v1.2.3

From 17c5502330136bf429556935fef956781edb865f Mon Sep 17 00:00:00 2001
From: Mario Vavti
Date: Mon, 20 Jun 2016 21:45:15 +0200
Subject: missing backslash leading to wsod on xconfig changes

---
 Zotlabs/Lib/XConfig.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Zotlabs')
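Review bot: `self::translate_system_apps($papp);` discards the return value, so the added call only has an effect if the method takes its argument by reference; the signature is outside this hunk, so that cannot be confirmed here. If the method returns the translated array instead, the line needs to be `$papp = self::translate_system_apps($papp);`; if it does mutate by reference, a short comment such as `// translates the app's display strings in place before encoding` would spare the next reader the same lookup. The enclosing method of the Apps.php hunk starts and ends outside the hunk.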
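Review bot: In the Thing.php hunk at `@@ -26,7 +26,7 @@`, `$url = $_REQUEST['url'];` is taken from the request without the `escape_tags()` that `$verb` and `$profile_guid` receive two lines above (`$photo = $_REQUEST['img'];` has the same gap, but is untouched by this commit). Where `$url` is consumed lies outside the hunk, so this is an inference, but if it ends up in markup or a link it should at least receive the same treatment, `$url = escape_tags($_REQUEST['url']);`, or a URL-shape check before being stored. The second hunk (`function get()`) is whitespace only.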
diff --git a/Zotlabs/Lib/XConfig.php b/Zotlabs/Lib/XConfig.php
index e28dcf559..7f3d0f2cd 100644
--- a/Zotlabs/Lib/XConfig.php
+++ b/Zotlabs/Lib/XConfig.php
@@ -122,7 +122,7 @@ class XConfig {
 );
 }
 
- App::$config[$xchan][$family][$key] = $value;
+ \App::$config[$xchan][$family][$key] = $value;
 
 if($ret)
 return $value;
@@ -157,4 +157,4 @@ class XConfig {
 return $ret;
 }
 
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3
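Review bot: The fix at `\App::$config[$xchan][$family][$key] = $value;` is correct for a namespaced class, but it repairs one occurrence; any other unqualified `App::` reference in `Zotlabs/Lib/XConfig.php` (outside this hunk, if one exists) would fail the same way at runtime, because PHP resolves an unqualified class name inside a namespace without falling back to the global one. A `use App;` line in the file header would resolve every occurrence once and turn a forgotten backslash into a static-analysis finding instead of a white screen; the enclosing method starts outside the hunk. The second hunk only adds the missing trailing newline.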