Add form security token check to /babel module
- This prevents basic XSS attacks against /babel
parent
15b757e36c
commit
aeffcc0ae3
|
@ -43,10 +43,11 @@ class Babel extends BaseModule
|
|||
}
|
||||
|
||||
$results = [];
|
||||
if (!empty($_REQUEST['text'])) {
|
||||
switch (($_REQUEST['type'] ?? '') ?: 'bbcode') {
|
||||
if (!empty($request['text'])) {
|
||||
self::checkFormSecurityTokenForbiddenOnError('babel');
|
||||
switch (($request['type'] ?? '') ?: 'bbcode') {
|
||||
case 'bbcode':
|
||||
$bbcode = $_REQUEST['text'];
|
||||
$bbcode = $request['text'];
|
||||
$results[] = [
|
||||
'title' => DI::l10n()->t('Source input'),
|
||||
'content' => visible_whitespace($bbcode)
|
||||
|
@ -136,7 +137,7 @@ class Babel extends BaseModule
|
|||
];
|
||||
break;
|
||||
case 'diaspora':
|
||||
$diaspora = trim($_REQUEST['text']);
|
||||
$diaspora = trim($request['text']);
|
||||
$results[] = [
|
||||
'title' => DI::l10n()->t('Source input (Diaspora format)'),
|
||||
'content' => visible_whitespace($diaspora),
|
||||
|
@ -144,7 +145,7 @@ class Babel extends BaseModule
|
|||
|
||||
$markdown = XML::unescape($diaspora);
|
||||
case 'markdown':
|
||||
$markdown = $markdown ?? trim($_REQUEST['text']);
|
||||
$markdown = $markdown ?? trim($request['text']);
|
||||
|
||||
$results[] = [
|
||||
'title' => DI::l10n()->t('Source input (Markdown)'),
|
||||
|
@ -169,7 +170,7 @@ class Babel extends BaseModule
|
|||
];
|
||||
break;
|
||||
case 'html' :
|
||||
$html = trim($_REQUEST['text']);
|
||||
$html = trim($request['text']);
|
||||
$results[] = [
|
||||
'title' => DI::l10n()->t('Raw HTML input'),
|
||||
'content' => visible_whitespace($html),
|
||||
|
@ -239,7 +240,7 @@ class Babel extends BaseModule
|
|||
];
|
||||
break;
|
||||
case 'twitter':
|
||||
$json = trim($_REQUEST['text']);
|
||||
$json = trim($request['text']);
|
||||
|
||||
if (file_exists('addon/twitter/twitter.php')) {
|
||||
require_once 'addon/twitter/twitter.php';
|
||||
|
@ -302,13 +303,14 @@ class Babel extends BaseModule
|
|||
$tpl = Renderer::getMarkupTemplate('babel.tpl');
|
||||
$o = Renderer::replaceMacros($tpl, [
|
||||
'$title' => DI::l10n()->t('Babel Diagnostic'),
|
||||
'$text' => ['text', DI::l10n()->t('Source text'), $_REQUEST['text'] ?? '', ''],
|
||||
'$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'bbcode'],
|
||||
'$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'diaspora'],
|
||||
'$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'markdown'],
|
||||
'$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'html'],
|
||||
'$form_security_token' => self::getFormSecurityToken('babel'),
|
||||
'$text' => ['text', DI::l10n()->t('Source text'), $request['text'] ?? '', ''],
|
||||
'$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($request['type'] ?? '') ?: 'bbcode') == 'bbcode'],
|
||||
'$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($request['type'] ?? '') ?: 'bbcode') == 'diaspora'],
|
||||
'$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($request['type'] ?? '') ?: 'bbcode') == 'markdown'],
|
||||
'$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($request['type'] ?? '') ?: 'bbcode') == 'html'],
|
||||
'$flag_twitter' => file_exists('addon/twitter/twitter.php'),
|
||||
'$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'twitter'],
|
||||
'$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($request['type'] ?? '') ?: 'bbcode') == 'twitter'],
|
||||
'$results' => $results,
|
||||
'$submit' => DI::l10n()->t('Submit'),
|
||||
]);
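Review bot: The new `self::checkFormSecurityTokenForbiddenOnError('babel');` sits inside the `!empty($request['text'])` branch with no comment saying why, and the reason is not obvious from the hunk: the token is only emitted into the form by `getFormSecurityToken('babel')` in the render block, so the initial GET that draws the blank form presumably carries none and hoisting the check to the top of the method would lock users out of the page. I would add above the call `// Verify the token only when a conversion is actually requested; the initial GET that renders the blank form carries no token.` It is also worth stating in a comment that this is a cross-site-request-forgery defence — a crafted link can no longer make a logged-in user's browser submit attacker-chosen markup for rendering — which is how it closes the reflected-XSS path the commit message refers to. Whether `$request` is `$_REQUEST` (GET merged with POST) cannot be seen here; the method's signature and opening lie outside the hunk, which begins at the closing brace of an earlier block.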
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
<div id="babel" class="generic-page-wrapper">
|
||||
<h2>{{$title}}</h2>
|
||||
<form action="babel" method="post" class="panel panel-default">
|
||||
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
|
||||
<div class="panel-body">
|
||||
<div class="form-group">
|
||||
{{include file="field_textarea.tpl" field=$text}}
|
||||
|
@ -30,4 +31,4 @@
|
|||
{{/foreach}}
|
||||
</div>
|
||||
</div>
|
||||
{{/if}}
|
||||
{{/if}}
|
||||
|
|