From d7a9db10881b8d9de1b5f7e2a2dfae3df396fb45 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sun, 11 Aug 2013 16:56:06 -0700
Subject: important bits we need to allow php executable content. These must be
 explicitly allowed - but only if the account has ACCOUNT_ROLE_ALLOWCODE and
 *only* for web pages and profile fields. This content cannot be transmitted
 to other sites.

---
 include/text.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'include/text.php')

diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
 			$s = Markdown($text);
 			break;
 
+		// No security checking is done here at display time - so we need to verify 
+		// that the author is allowed to use PHP before storing. We also cannot allow 
+		// importation of PHP text bodies from other sites. Therefore this content 
+		// type is only valid for web pages (and profile details).
+
+		// It may be possible to provide a PHP message body which is evaluated on the 
+		// sender's site before sending it elsewhere. In that case we will have a 
+		// different content-type here.  
+
+		case 'application/x-php':
+			ob_start();
+			eval($text);
+			$s = ob_get_contents();
+			ob_end_clean();
+			break;
+
 		case 'text/bbcode':
 		case '':
 		default:
-- 
cgit v1.2.3