From 2c73b457ef0943d46804480a0aa016f64c11edbf Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Tue, 14 Mar 2017 17:07:29 -0700
Subject: input filter updates

---
 include/items.php | 87 +++++++++++++++++++++++--------------------------------
 include/text.php  | 18 +++++++-----
 2 files changed, 48 insertions(+), 57 deletions(-)

(limited to 'include')

diff --git a/include/items.php b/include/items.php
index 1037f9814..c978805cd 100755
--- a/include/items.php
+++ b/include/items.php
@@ -334,18 +334,6 @@ function post_activity_item($arr,$allow_code = false,$deliver = true) {
 	if(! array_key_exists('mimetype',$arr))
 		$arr['mimetype'] = 'text/bbcode';
 
-	if(array_key_exists('item_private',$arr) && $arr['item_private']) {
-
-		$arr['body'] = trim(z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']));
-
-		if($channel) {
-			if($channel['channel_hash'] === $arr['author_xchan']) {
-				$arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey']));
-				$arr['item_verified'] = 1;
-			}
-		}
-	}
-
 	$arr['mid']          = ((x($arr,'mid')) ? $arr['mid'] : item_message_id());
 	$arr['parent_mid']   = ((x($arr,'parent_mid')) ? $arr['parent_mid'] : $arr['mid']);
 	$arr['thr_parent']   = ((x($arr,'thr_parent')) ? $arr['thr_parent'] : $arr['mid']);
@@ -1483,35 +1471,36 @@ function item_store($arr, $allow_exec = false, $deliver = true) {
 	// obsolete, but needed so as not to throw not-null constraints on some database driveres
 	$arr['item_flags']    = ((x($arr,'item_flags'))    ? intval($arr['item_flags'])          : 0 );
 
-	// only detect language if we have text content, and if the post is private but not yet
-	// obscured, make it so.
 
-	if((! array_key_exists('item_obscured',$arr)) || $arr['item_obscured'] == 0) {
 
-		$arr['lang'] = detect_language($arr['body']);
-		// apply the input filter here - if it is obscured it has been filtered already
-		$arr['body'] = trim(z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']));
+	$arr['lang'] = detect_language($arr['body']);
+	// apply the input filter here
+	$arr['body'] = trim(z_input_filter($arr['body'],$arr['mimetype'],$allow_exec));
 
-		if(local_channel() && (local_channel() == $arr['uid']) && (! $arr['sig'])) {
+	if(local_channel() && (local_channel() == $arr['uid'])) {
+		if(! $arr['sig']) {
 			$channel = App::get_channel();
 			if($channel['channel_hash'] === $arr['author_xchan']) {
 				$arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey']));
 				$arr['item_verified'] = 1;
 			}
 		}
+	}
 
-		$allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages');
+	if(! array_key_exists('sig',$arr))
+		$arr['sig'] = '';
 
-		if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) {
-			$translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false);
-			call_hooks('item_translate', $translate);
-			if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) {
-				logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']);
-				$ret['message'] = 'language not accepted';
-				return $ret;
-			}
-			$arr = $translate['item'];
+	$allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages');
+
+	if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) {
+		$translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false);
+		call_hooks('item_translate', $translate);
+		if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) {
+			logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']);
+			$ret['message'] = 'language not accepted';
+			return $ret;
 		}
+		$arr = $translate['item'];
 	}
 
 	if((x($arr,'obj')) && is_array($arr['obj'])) {
@@ -1907,33 +1896,31 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) {
 		return $ret;
 	}
 
-    if((! array_key_exists('item_obscured', $arr)) || $arr['item_obscured'] == 0) {
 
-		$arr['lang'] = detect_language($arr['body']);
+	$arr['lang'] = detect_language($arr['body']);
 
-        // apply the input filter here - if it is obscured it has been filtered already
-        $arr['body'] = trim(z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']));
+	// apply the input filter here
+	$arr['body'] = trim($arr['body'],$arr['mimetype'],$allow_exec);
 
-		if(local_channel() && (local_channel() == $arr['uid']) && (! $arr['sig'])) {
-            $channel = App::get_channel();
-            if($channel['channel_hash'] === $arr['author_xchan']) {
-                $arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey']));
-                $arr['item_verified'] = 1;
-            }
-        }
+	if(local_channel() && (local_channel() == $arr['uid']) && (! $arr['sig'])) {
+		$channel = App::get_channel();
+		if($channel['channel_hash'] === $arr['author_xchan']) {
+			$arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey']));
+			$arr['item_verified'] = 1;
+		}
+	}
 
-		$allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages');
+	$allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages');
 
-		if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) {
-			$translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false);
-			call_hooks('item_translate', $translate);
-			if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) {
-				logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']);
-				$ret['message'] = 'language not accepted';
-				return $ret;
-			}
-			$arr = $translate['item'];
+	if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) {
+		$translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false);
+		call_hooks('item_translate', $translate);
+		if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) {
+			logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']);
+			$ret['message'] = 'language not accepted';
+			return $ret;
 		}
+		$arr = $translate['item'];
 	}
 
 	if((x($arr,'obj')) && is_array($arr['obj'])) {
diff --git a/include/text.php b/include/text.php
index 6715eca22..500c87ad5 100644
--- a/include/text.php
+++ b/include/text.php
@@ -3,6 +3,7 @@
  * @file include/text.php
  */
 
+use \Zotlabs\Lib as Zlib;
 use \Michelf\MarkdownExtra;
 
 require_once("include/bbcode.php");
@@ -89,12 +90,10 @@ function escape_tags($string) {
 }
 
 
-function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
+function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {
 
 	if($type === 'text/bbcode')
 		return escape_tags($s);
-	if($type === 'text/markdown')
-		return escape_tags($s);
 	if($type == 'text/plain')
 		return escape_tags($s);
 	if($type == 'application/x-pdl')
@@ -104,13 +103,17 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
 		return $s;
 	}
 
-	$r = q("select channel_pageflags from channel where channel_id = %d limit 1",
-		intval($channel_id)
-	);
-	if(($r) && (local_channel() == $channel_id) && ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) {
+	if($allow_code) {
+		if($type === 'text/markdown')
+			return htmlspecialchars($s,ENT_QUOTES);
 		return $s;
 	}
 
+	if($type === 'text/markdown') {
+		$x = new Zlib\MarkdownSoap($s);
+		return $x->clean();
+	}
+
 	if($type === 'text/html')
 		return purify_html($s);
 
@@ -1636,6 +1639,7 @@ function prepare_text($text, $content_type = 'text/bbcode', $cache = false) {
 			break;
 
 		case 'text/markdown':
+			$text = Zlib\MarkdownSoap::unescape($text);
 			$s = MarkdownExtra::defaultTransform($text);
 			break;
 
-- 
cgit v1.2.3