sanitise all incoming url's - also stop them from getting mangled by simplepie
parent
9f1f9da89b
commit
527e050ecc
5 changed files with 32 additions and 18 deletions
7
boot.php
7
boot.php
|
@ -2453,7 +2453,12 @@ if(! function_exists('get_plink')) {
|
||||||
function get_plink($item) {
|
function get_plink($item) {
|
||||||
$a = get_app();
|
$a = get_app();
|
||||||
$plink = (((x($item,'plink')) && (! $item['private'])) ? '<div class="wall-item-links-wrapper"><a href="'
|
$plink = (((x($item,'plink')) && (! $item['private'])) ? '<div class="wall-item-links-wrapper"><a href="'
|
||||||
. $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/link-icon.gif" alt="' . t('link to source') . '" /></a></div>' : '');
|
. $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/remote-link.gif" alt="' . t('link to source') . '" /></a></div>' : '');
|
||||||
return $plink;
|
return $plink;
|
||||||
}}
|
}}
|
||||||
|
|
||||||
|
if(! function_exists('unamp')) {
|
||||||
|
function unamp($s) {
|
||||||
|
return str_replace('&', '&', $s);
|
||||||
|
}}
|
||||||
|
|
||||||
|
|
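Review bot: As rendered, `unamp` is a no-op — `str_replace('&', '&', $s)` has identical search and replacement strings, so every href passes through unchanged; the intended needle is presumably `&amp;` and the entity may have been decoded by the page rendering, but that is worth confirming in the file itself. Even then the helper decodes only that one spelling, so the numeric forms `&#38;` and `&#x26;` are left as-is. A one-line header would make the contract clear to callers, which the commit message's "sanitise" overstates: `// Decode HTML-escaped ampersands (&amp; -> &) in hrefs pulled from XML/HTML attributes; performs no URL validation.` The `get_plink` hunk only swaps the icon filename.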
BIN
images/remote-link.gif
Normal file
BIN
images/remote-link.gif
Normal file
After Width: | Height: | Size: 357 B |
|
@ -19,15 +19,15 @@ function follow_post(&$a) {
|
||||||
if(count($links)) {
|
if(count($links)) {
|
||||||
foreach($links as $link) {
|
foreach($links as $link) {
|
||||||
if($link['@attributes']['rel'] === NAMESPACE_DFRN)
|
if($link['@attributes']['rel'] === NAMESPACE_DFRN)
|
||||||
$dfrn = $link['@attributes']['href'];
|
$dfrn = unamp($link['@attributes']['href']);
|
||||||
if($link['@attributes']['rel'] === 'salmon')
|
if($link['@attributes']['rel'] === 'salmon')
|
||||||
$notify = $link['@attributes']['href'];
|
$notify = unamp($link['@attributes']['href']);
|
||||||
if($link['@attributes']['rel'] === NAMESPACE_FEED)
|
if($link['@attributes']['rel'] === NAMESPACE_FEED)
|
||||||
$poll = $link['@attributes']['href'];
|
$poll = unamp($link['@attributes']['href']);
|
||||||
if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard')
|
if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard')
|
||||||
$hcard = $link['@attributes']['href'];
|
$hcard = unamp($link['@attributes']['href']);
|
||||||
if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
|
if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
|
||||||
$profile = $link['@attributes']['href'];
|
$profile = unamp($link['@attributes']['href']);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -43,10 +43,10 @@ function follow_post(&$a) {
|
||||||
if(strpos($link['@attributes']['href'],'@') === false) {
|
if(strpos($link['@attributes']['href'],'@') === false) {
|
||||||
if(isset($profile)) {
|
if(isset($profile)) {
|
||||||
if($link['@attributes']['href'] !== $profile)
|
if($link['@attributes']['href'] !== $profile)
|
||||||
$alias = $link['@attributes']['href'];
|
$alias = unamp($link['@attributes']['href']);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
$profile = $link['@attributes']['href'];
|
$profile = unamp($link['@attributes']['href']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -103,7 +103,7 @@ function follow_post(&$a) {
|
||||||
$ret = scrape_feed($url);
|
$ret = scrape_feed($url);
|
||||||
|
|
||||||
if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) {
|
if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) {
|
||||||
$poll = ((x($ret,'feed_atom')) ? $ret['feed_atom'] : $ret['feed_rss']);
|
$poll = ((x($ret,'feed_atom')) ? unamp($ret['feed_atom']) : unamp($ret['feed_rss']));
|
||||||
$vcard = array();
|
$vcard = array();
|
||||||
require_once('simplepie/simplepie.inc');
|
require_once('simplepie/simplepie.inc');
|
||||||
$feed = new SimplePie();
|
$feed = new SimplePie();
|
||||||
|
@ -116,27 +116,31 @@ function follow_post(&$a) {
|
||||||
$vcard['photo'] = $feed->get_image_url();
|
$vcard['photo'] = $feed->get_image_url();
|
||||||
$author = $feed->get_author();
|
$author = $feed->get_author();
|
||||||
if($author) {
|
if($author) {
|
||||||
$vcard['fn'] = trim($author->get_name());
|
$vcard['fn'] = unxmlify(trim($author->get_name()));
|
||||||
$vcard['nick'] = strtolower($vcard['fn']);
|
$vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));
|
||||||
if(strpos($vcard['nick'],' '))
|
if(strpos($vcard['nick'],' '))
|
||||||
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
|
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
|
||||||
$email = $author->get_email();
|
$email = unxmlify($author->get_email());
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$item = $feed->get_item(0);
|
$item = $feed->get_item(0);
|
||||||
if($item) {
|
if($item) {
|
||||||
$author = $item->get_author();
|
$author = $item->get_author();
|
||||||
if($author) {
|
if($author) {
|
||||||
$vcard['fn'] = trim($author->get_name());
|
$vcard['fn'] = trim(unxmlify($author->get_name()));
|
||||||
$vcard['nick'] = strtolower($vcard['fn']);
|
if(! $vcard['fn'])
|
||||||
|
$vcard['fn'] = trim(unxmlify($author->get_email()));
|
||||||
|
if(strpos($vcard['fn'],'@') !== false)
|
||||||
|
$vcard['fn'] = substr($vcard['fn'],0,strpos($vcard['fn'],'@'));
|
||||||
|
$vcard['nick'] = strtolower(unxmlify($vcard['fn']));
|
||||||
if(strpos($vcard['nick'],' '))
|
if(strpos($vcard['nick'],' '))
|
||||||
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
|
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
|
||||||
$email = $author->get_email();
|
$email = unxmlify($author->get_email());
|
||||||
}
|
}
|
||||||
if(! $vcard['photo']) {
|
if(! $vcard['photo']) {
|
||||||
$rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail');
|
$rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail');
|
||||||
if($rawmedia && $rawmedia[0]['attribs']['']['url'])
|
if($rawmedia && $rawmedia[0]['attribs']['']['url'])
|
||||||
$vcard['photo'] = $rawmedia[0]['attribs']['']['url'];
|
$vcard['photo'] = unxmlify($rawmedia[0]['attribs']['']['url']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -150,6 +154,9 @@ function follow_post(&$a) {
|
||||||
|
|
||||||
logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true));
|
logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true));
|
||||||
|
|
||||||
|
$vcard['fn'] = notags($vcard['fn']);
|
||||||
|
$vcard['nick'] = notags($vcard['nick']);
|
||||||
|
|
||||||
// do we have enough information?
|
// do we have enough information?
|
||||||
|
|
||||||
if(! ((x($vcard['fn'])) && ($poll) && ($profile))) {
|
if(! ((x($vcard['fn'])) && ($poll) && ($profile))) {
|
||||||
|
@ -157,6 +164,7 @@ function follow_post(&$a) {
|
||||||
goaway($_SESSION['return_url']);
|
goaway($_SESSION['return_url']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if(! $notify) {
|
if(! $notify) {
|
||||||
notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL);
|
notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL);
|
||||||
}
|
}
|
||||||
|
|
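Review bot: In the second hunk the comparison `if($link['@attributes']['href'] !== $profile)` still reads the raw attribute while `$profile` is now assigned the `unamp()`-decoded value, so an href containing `&amp;` compares unequal to its own decoded form and is wrongly recorded as `$alias`; decode once at the top of each loop body, `$href = unamp($link['@attributes']['href']);`, and use `$href` for the `strpos` test, the comparison and every assignment (the first hunk collapses to a single call the same way). In the fourth hunk `$vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));` and the later `strtolower(unxmlify($vcard['fn']))` run `unxmlify()` over a value that was already decoded on the preceding line, so fn and nick are decoded a different number of times and, if unxmlify expands entities, a doubly-escaped name is unwrapped one level further for nick than for fn; derive nick from the decoded fn as the old code did, `$vcard['nick'] = strtolower($vcard['fn']);`. Note that `unamp()`/`unxmlify()` only decode: `$dfrn`, `$notify`, `$poll`, `$profile` and `$vcard['photo']` are remote-supplied and appear to be kept for later fetching with no check that they are absolute http(s) URLs, so a scheme allowlist such as `in_array(parse_url($href, PHP_URL_SCHEME), array('http','https'), true)` before assignment would turn the decode into actual sanitisation. follow_post begins and ends outside every hunk shown.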
|
@ -9226,6 +9226,7 @@ class SimplePie_Misc
|
||||||
|
|
||||||
function absolutize_url($relative, $base)
|
function absolutize_url($relative, $base)
|
||||||
{
|
{
|
||||||
|
return $relative;
|
||||||
$iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative);
|
$iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative);
|
||||||
return $iri->get_iri();
|
return $iri->get_iri();
|
||||||
}
|
}
|
||||||
|
|
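Review bot: The inserted `return $relative;` makes the two remaining lines of `absolutize_url` unreachable, so the method now returns every href untouched, including genuinely relative ones, which callers of SimplePie in this tree must now resolve themselves or accept as relative values in `$poll`/`$profile`. Because this is a local edit to a bundled third-party file it will be silently lost on the next SimplePie upgrade; at minimum mark it, e.g. `// LOCAL PATCH: absolutization disabled, it was rewriting feed URLs; see commit 527e050ecc`, and delete the dead lines rather than leaving them behind. A narrower alternative is to leave the library intact and post-process only the specific values that were being mangled in follow_post.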