From d9013f43110a6474a8e52b72492bc490d50b7972 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Mon, 11 Nov 2013 16:47:49 -0800
Subject: provide real barebones XSS protection on e2ee contents and implement
 a  few bbcode tags we're likely to see a lot of. Still need to write a js
 zid() function to properly implement zrl and zmg but at least they will be
 linked now.

---
 view/tpl/jot-header.tpl | 67 +++++++++++++++++++++++++++++++------------------
 1 file changed, 42 insertions(+), 25 deletions(-)

(limited to 'view')

diff --git a/view/tpl/jot-header.tpl b/view/tpl/jot-header.tpl
index 4457a6d52..eb7c5abdb 100755
--- a/view/tpl/jot-header.tpl
+++ b/view/tpl/jot-header.tpl
@@ -367,31 +367,48 @@ function enableOnUser(){
 			y = y.replace(re,str);
 		};
 
-			rep(/\n/gi,"<br />");
-			rep(/\[b\]/gi,"<strong>");
-			rep(/\[\/b\]/gi,"</strong>");
-			rep(/\[i\]/gi,"<em>");
-			rep(/\[\/i\]/gi,"</em>");
-			rep(/\[u\]/gi,"<u>");
-			rep(/\[\/u\]/gi,"</u>");
-			rep(/\[hr\]/gi,"<hr />");
-			rep(/\[url=([^\]]+)\](.*?)\[\/url\]/gi,"<a href=\"$1\">$2</a>");
-			rep(/\[url\](.*?)\[\/url\]/gi,"<a href=\"$1\">$1</a>");
-			rep(/\[img=(.*?)x(.*?)\](.*?)\[\/img\]/gi,"<img width=\"$1\" height=\"$2\" src=\"$3\" />");
-			rep(/\[img\](.*?)\[\/img\]/gi,"<img src=\"$1\" />");
-
-			rep(/\[list\](.*?)\[\/list\]/gi, '<ul class="listbullet" style="list-style-type: circle;">$1</ul>');
-			rep(/\[list=\](.*?)\[\/list\]/gi, '<ul class="listnone" style="list-style-type: none;">$1</ul>');
-			rep(/\[list=1\](.*?)\[\/list\]/gi, '<ul class="listdecimal" style="list-style-type: decimal;">$1</ul>');
-			rep(/\[list=i\](.*?)\[\/list\]/gi,'<ul class="listlowerroman" style="list-style-type: lower-roman;">$1</ul>');
-			rep(/\[list=I\](.*?)\[\/list\]/gi, '<ul class="listupperroman" style="list-style-type: upper-roman;">$1</ul>');
-			rep(/\[list=a\](.*?)\[\/list\]/gi, '<ul class="listloweralpha" style="list-style-type: lower-alpha;">$1</ul>');
-			rep(/\[list=A\](.*?)\[\/list\]/gi, '<ul class="listupperalpha" style="list-style-type: upper-alpha;">$1</ul>');
-			rep(/\[li\](.*?)\[\/li\]/gi, '<li>$1</li>');
-			rep(/\[color=(.*?)\](.*?)\[\/color\]/gi,"<span style=\"color: $1;\">$2</span>");
-			rep(/\[size=(.*?)\](.*?)\[\/size\]/gi,"<span style=\"font-size: $1;\">$2</span>");
-			rep(/\[code\](.*?)\[\/code\]/gi,"<code>$1</code>");
-			rep(/\[quote.*?\](.*?)\[\/quote\]/gi,"<blockquote>$1</blockquote>");
+		rep(/\&/gi,"&amp;");
+		rep(/\</gi,"&lt;");
+		rep(/\>/gi,"&gt;");
+		rep(/\"/gi,"&quot;");
+
+		rep(/\n/gi,"<br />");
+		rep(/\[b\]/gi,"<strong>");
+		rep(/\[\/b\]/gi,"</strong>");
+		rep(/\[i\]/gi,"<em>");
+		rep(/\[\/i\]/gi,"</em>");
+		rep(/\[u\]/gi,"<u>");
+		rep(/\[\/u\]/gi,"</u>");
+		rep(/\[hr\]/gi,"<hr />");
+		rep(/\[url=([^\]]+)\](.*?)\[\/url\]/gi,"<a href=\"$1\">$2</a>");
+		rep(/\[url\](.*?)\[\/url\]/gi,"<a href=\"$1\">$1</a>");
+		rep(/\[img=(.*?)x(.*?)\](.*?)\[\/img\]/gi,"<img width=\"$1\" height=\"$2\" src=\"$3\" />");
+		rep(/\[img\](.*?)\[\/img\]/gi,"<img src=\"$1\" />");
+
+		// FIXME - add zid
+		rep(/\[zrl=([^\]]+)\](.*?)\[\/zrl\]/gi,"<a href=\"$1\">$2</a>");
+		rep(/\[zrl\](.*?)\[\/zrl\]/gi,"<a href=\"$1\">$1</a>");
+		rep(/\[zmg=(.*?)x(.*?)\](.*?)\[\/zmg\]/gi,"<img width=\"$1\" height=\"$2\" src=\"$3\" />");
+		rep(/\[zmg\](.*?)\[\/zmg\]/gi,"<img src=\"$1\" />");
+
+		rep(/\[list\](.*?)\[\/list\]/gi, '<ul class="listbullet" style="list-style-type: circle;">$1</ul>');
+		rep(/\[list=\](.*?)\[\/list\]/gi, '<ul class="listnone" style="list-style-type: none;">$1</ul>');
+		rep(/\[list=1\](.*?)\[\/list\]/gi, '<ul class="listdecimal" style="list-style-type: decimal;">$1</ul>');
+		rep(/\[list=i\](.*?)\[\/list\]/gi,'<ul class="listlowerroman" style="list-style-type: lower-roman;">$1</ul>');
+		rep(/\[list=I\](.*?)\[\/list\]/gi, '<ul class="listupperroman" style="list-style-type: upper-roman;">$1</ul>');
+		rep(/\[list=a\](.*?)\[\/list\]/gi, '<ul class="listloweralpha" style="list-style-type: lower-alpha;">$1</ul>');
+		rep(/\[list=A\](.*?)\[\/list\]/gi, '<ul class="listupperalpha" style="list-style-type: upper-alpha;">$1</ul>');
+		rep(/\[li\](.*?)\[\/li\]/gi, '<li>$1</li>');
+		rep(/\[color=(.*?)\](.*?)\[\/color\]/gi,"<span style=\"color: $1;\">$2</span>");
+		rep(/\[size=(.*?)\](.*?)\[\/size\]/gi,"<span style=\"font-size: $1;\">$2</span>");
+		rep(/\[code\](.*?)\[\/code\]/gi,"<code>$1</code>");
+		rep(/\[quote.*?\](.*?)\[\/quote\]/gi,"<blockquote>$1</blockquote>");
+
+
+
+		rep(/\[\&amp\;([#a-z0-9]+)\;\]/gi,'&$1;');
+
+		rep(/\<(.*?)(src|href)=\"[^hfm](.*?)\>/gi,'<$1$2="">');
 
 		return y; 
 	};
-- 
cgit v1.2.3