From ebd52368bb134e57a54d853732b5b4970a8ce02b Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 16 Feb 2014 14:13:26 -0800 Subject: strip hard-wired zids from posted links as they will have the wrong identity when somebody tries to view the link --- include/items.php | 11 ++++++++++- include/text.php | 5 +++++ 2 files changed, 15 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/items.php b/include/items.php index 3c10b8f5c..9bcdd7d0b 100755 --- a/include/items.php +++ b/include/items.php @@ -145,7 +145,9 @@ function can_comment_on_post($observer_xchan,$item) { * @function red_zrl_callback * preg_match function when fixing 'naked' links in mod item.php * Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't. - * + * Remove any existing zid= param which may have been pasted by mistake - and will have + * the author's credentials. zid's are dynamic and can't really be passed around like + * that. */ @@ -159,6 +161,13 @@ function red_zrl_callback($matches) { if($r) $zrl = true; } + + $t = strip_zids($matches[2]); + if($t !== $matches[2]) { + $zrl = true; + $matches[2] = $t; + } + if($matches[1] === '#^') $matches[1] = ''; if($zrl) diff --git a/include/text.php b/include/text.php index 2b334068f..2f5accf6e 100755 --- a/include/text.php +++ b/include/text.php @@ -621,6 +621,11 @@ function get_tags($s) { } +function strip_zids($s) { + return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s); +} + + // quick and dirty quoted_printable encoding -- cgit v1.2.3