From 410f5389ae90e1c219b097b051aaa9922e73efd5 Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Sun, 12 Jun 2016 07:17:23 -0400 Subject: Apply purify_html to page content before preview and save to prevent JavaScript code injection. --- Zotlabs/Module/Wiki.php | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) (limited to 'Zotlabs') diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index fbf751ddf..1e6446904 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller { if((argc() > 2) && (argv(2) === 'preview')) { $content = $_POST['content']; require_once('library/markdown.php'); - $html = Markdown($content); + $html = purify_html(Markdown($content)); json_return_and_die(array('html' => $html, 'success' => true)); } @@ -182,19 +182,7 @@ class Wiki extends \Zotlabs\Web\Controller { // more detail permissions framework if (local_channel() !== intval($channel['channel_id'])) { goaway('/'.argv(0).'/'.$nick.'/'); - } else { - /* - $channel = get_channel_by_nick($nick); - // Figure out who the page owner is. - $perms = get_all_perms(intval($channel['channel_id']), $observer_hash); - // TODO: Create a new permission setting for wiki analogous to webpages. Until - // then, use webpage permissions - if (!$perms['write_pages']) { - notice(t('Permission denied.') . EOL); - goaway('/'.argv(0).'/'.argv(1).'/'); - } - */ - } + } $wiki = array(); // Generate new wiki info from input name $wiki['rawName'] = $_POST['wikiName']; @@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller { $resource_id = $_POST['resource_id']; $pageUrlName = $_POST['name']; $pageHtmlName = escape_tags($_POST['name']); - $content = escape_tags($_POST['content']); //Get new content + $content = $_POST['content']; //Get new content $commitMsg = $_POST['commitMsg']; if ($commitMsg === '') { $commitMsg = 'Updated ' . $pageHtmlName; -- cgit v1.2.3 From b5933e9d442619a6782dfd8136fa9edba466a4e8 Mon Sep 17 00:00:00 2001 From: Andrew Manning Date: Sun, 12 Jun 2016 19:41:37 -0400 Subject: Photo embed button with album browser works in new post editor. --- Zotlabs/Module/Embedphotos.php | 180 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 180 insertions(+) create mode 100644 Zotlabs/Module/Embedphotos.php (limited to 'Zotlabs') diff --git a/Zotlabs/Module/Embedphotos.php b/Zotlabs/Module/Embedphotos.php new file mode 100644 index 000000000..2cd420664 --- /dev/null +++ b/Zotlabs/Module/Embedphotos.php @@ -0,0 +1,180 @@ + 1 && argv(1) === 'album') { + // API: /embedphotos/album + $name = (x($_POST,'name') ? $_POST['name'] : null ); + if (!$name) { + json_return_and_die(array('errormsg' => 'Error retrieving album', 'status' => false)); + } + $album = $this->embedphotos_widget_album(array('channel' => \App::get_channel(), 'album' => $name)); + json_return_and_die(array('status' => true, 'content' => $album)); + + } + if (argc() > 1 && argv(1) === 'albumlist') { + // API: /embedphotos/albumlist + $album_list = $this->embedphotos_album_list($a); + json_return_and_die(array('status' => true, 'albumlist' => $album_list)); + + } + if (argc() > 1 && argv(1) === 'photolink') { + // API: /embedphotos/photolink + $href = (x($_POST,'href') ? $_POST['href'] : null ); + if (!$href) { + json_return_and_die(array('errormsg' => 'Error retrieving link ' . $href, 'status' => false)); + } + $resource_id = array_pop(explode("/", $href)); + $r = q("SELECT obj from item where resource_type = 'photo' and resource_id = '%s' limit 1", + dbesc($resource_id) + ); + if(!$r) { + json_return_and_die(array('errormsg' => 'Error retrieving resource ' . $resource_id, 'status' => false)); + } + $obj = json_decode($r[0]['obj'], true); + if(x($obj,'body')) { + $photolink = $obj['body']; + } elseif (x($obj,'bbcode')) { + $photolink = $obj['bbcode']; + } else { + json_return_and_die(array('errormsg' => 'Error retrieving resource ' . $resource_id, 'status' => false)); + } + json_return_and_die(array('status' => true, 'photolink' => $photolink)); + + } + } + + +/** + * Copied from include/widgets.php::widget_album() with a modification to get the profile_uid from + * the input array as in widget_item() + * @param type $name + * @return string + */ +function embedphotos_widget_album($args) { + + $channel_id = 0; + if(array_key_exists('channel',$args)) + $channel = $args['channel']; + $channel_id = intval($channel['channel_id']); + if(! $channel_id) + $channel_id = \App::$profile_uid; + if(! $channel_id) + return ''; + $owner_uid = $channel_id; + require_once('include/security.php'); + $sql_extra = permissions_sql($channel_id); + + if(! perm_is_allowed($channel_id,get_observer_hash(),'view_storage')) + return ''; + + if($args['album']) + $album = $args['album']; + if($args['title']) + $title = $args['title']; + + /** + * This may return incorrect permissions if you have multiple directories of the same name. + * It is a limitation of the photo table using a name for a photo album instead of a folder hash + */ + + if($album) { + $x = q("select hash from attach where filename = '%s' and uid = %d limit 1", + dbesc($album), + intval($owner_uid) + ); + if($x) { + $y = attach_can_view_folder($owner_uid,get_observer_hash(),$x[0]['hash']); + if(! $y) + return ''; + } + } + + $order = 'DESC'; + + $r = q("SELECT p.resource_id, p.id, p.filename, p.mimetype, p.imgscale, p.description, p.created FROM photo p INNER JOIN + (SELECT resource_id, max(imgscale) imgscale FROM photo WHERE uid = %d AND album = '%s' AND imgscale <= 4 AND photo_usage IN ( %d, %d ) $sql_extra GROUP BY resource_id) ph + ON (p.resource_id = ph.resource_id AND p.imgscale = ph.imgscale) + ORDER BY created $order", + intval($owner_uid), + dbesc($album), + intval(PHOTO_NORMAL), + intval(PHOTO_PROFILE) + ); + + $photos = array(); + if(count($r)) { + $twist = 'rotright'; + foreach($r as $rr) { + + if($twist == 'rotright') + $twist = 'rotleft'; + else + $twist = 'rotright'; + + $ext = $phototypes[$rr['mimetype']]; + + $imgalt_e = $rr['filename']; + $desc_e = $rr['description']; + + $imagelink = (z_root() . '/photos/' . \App::$data['channel']['channel_address'] . '/image/' . $rr['resource_id'] + . (($_GET['order'] === 'posted') ? '?f=&order=posted' : '')); + + $photos[] = array( + 'id' => $rr['id'], + 'twist' => ' ' . $twist . rand(2,4), + 'link' => $imagelink, + 'title' => t('View Photo'), + 'src' => z_root() . '/photo/' . $rr['resource_id'] . '-' . $rr['imgscale'] . '.' .$ext, + 'alt' => $imgalt_e, + 'desc'=> $desc_e, + 'ext' => $ext, + 'hash'=> $rr['resource_id'], + 'unknown' => t('Unknown') + ); + } + } + + $tpl = get_markup_template('photo_album.tpl'); + $o .= replace_macros($tpl, array( + '$photos' => $photos, + '$album' => (($title) ? $title : $album), + '$album_id' => rand(), + '$album_edit' => array(t('Edit Album'), $album_edit), + '$can_post' => false, + '$upload' => array(t('Upload'), z_root() . '/photos/' . \App::$profile['channel_address'] . '/upload/' . bin2hex($album)), + '$order' => false, + '$upload_form' => $upload_form, + '$usage' => $usage_message + )); + + return $o; +} + + +function embedphotos_album_list($a) { + $o = ''; + require_once('include/photos.php'); + $p = photos_albums_list(\App::get_channel(), \App::get_observer()); + if ($p['success']) { + return $p['albums']; + } else { + return null; + } +} + +} -- cgit v1.2.3