1
1
Fork 0

Merge pull request #13328 from MrPetovan/bug/escape-username

Escape HTML in system messages and in display names for inclusion in syndication link tags
This commit is contained in:
Tobias Diekershoff 2023-08-02 20:13:20 +02:00 committed by GitHub
commit bf2c19b2e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 9 deletions

View file

@ -799,7 +799,7 @@ class Contact
return false; return false;
} }
$fields = ['uid', 'nickname', 'page-flags', 'account-type', 'prvkey', 'pubkey']; $fields = ['uid', 'username', 'nickname', 'page-flags', 'account-type', 'prvkey', 'pubkey'];
$user = DBA::selectFirst('user', $fields, ['uid' => $uid, 'account_expired' => false]); $user = DBA::selectFirst('user', $fields, ['uid' => $uid, 'account_expired' => false]);
if (!DBA::isResult($user)) { if (!DBA::isResult($user)) {
return false; return false;
@ -818,7 +818,7 @@ class Contact
$url = DI::baseUrl() . '/profile/' . $user['nickname']; $url = DI::baseUrl() . '/profile/' . $user['nickname'];
$fields = [ $fields = [
'name' => $profile['name'], 'name' => $user['username'],
'nick' => $user['nickname'], 'nick' => $user['nickname'],
'avatar-date' => $self['avatar-date'], 'avatar-date' => $self['avatar-date'],
'location' => Profile::formatLocation($profile), 'location' => Profile::formatLocation($profile),
@ -841,7 +841,6 @@ class Contact
'confirm' => DI::baseUrl() . '/dfrn_confirm/' . $user['nickname'], 'confirm' => DI::baseUrl() . '/dfrn_confirm/' . $user['nickname'],
]; ];
$avatar = Photo::selectFirst(['resource-id', 'type'], ['uid' => $uid, 'profile' => true]); $avatar = Photo::selectFirst(['resource-id', 'type'], ['uid' => $uid, 'profile' => true]);
if (DBA::isResult($avatar)) { if (DBA::isResult($avatar)) {
if ($update_avatar) { if ($update_avatar) {

View file

@ -52,6 +52,7 @@ use Friendica\Network\HTTPException;
use Friendica\Protocol\Activity; use Friendica\Protocol\Activity;
use Friendica\Util\DateTimeFormat; use Friendica\Util\DateTimeFormat;
use Friendica\Util\Profiler; use Friendica\Util\Profiler;
use Friendica\Util\Strings;
use GuzzleHttp\Psr7\Uri; use GuzzleHttp\Psr7\Uri;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
@ -296,8 +297,8 @@ class Ping extends BaseModule
$data['notifications'] = $navNotifications; $data['notifications'] = $navNotifications;
$data['sysmsgs'] = [ $data['sysmsgs'] = [
'notice' => $this->systemMessages->flushNotices(), 'notice' => array_map([Strings::class, 'escapeHtml'], $this->systemMessages->flushNotices()),
'info' => $this->systemMessages->flushInfos(), 'info' => array_map([Strings::class, 'escapeHtml'], $this->systemMessages->flushInfos()),
]; ];
if (isset($_GET['callback'])) { if (isset($_GET['callback'])) {

View file

@ -103,10 +103,10 @@ class Conversations extends BaseProfile
$this->page['htmlhead'] .= '<meta content="noindex, noarchive" name="robots" />' . "\n"; $this->page['htmlhead'] .= '<meta content="noindex, noarchive" name="robots" />' . "\n";
} }
$this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/dfrn_poll/' . $this->parameters['nickname'] . '" title="DFRN: ' . $this->t('%s\'s timeline', $profile['name']) . '"/>' . "\n"; $this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/dfrn_poll/' . $this->parameters['nickname'] . '" title="DFRN: ' . $this->t('%s\'s timeline', Strings::escapeHtml($profile['name'])) . '"/>' . "\n";
$this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $this->parameters['nickname'] . '/" title="' . $this->t('%s\'s posts', $profile['name']) . '"/>' . "\n"; $this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $this->parameters['nickname'] . '/" title="' . $this->t('%s\'s posts', Strings::escapeHtml($profile['name'])) . '"/>' . "\n";
$this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $this->parameters['nickname'] . '/comments" title="' . $this->t('%s\'s comments', $profile['name']) . '"/>' . "\n"; $this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $this->parameters['nickname'] . '/comments" title="' . $this->t('%s\'s comments', Strings::escapeHtml($profile['name'])) . '"/>' . "\n";
$this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $this->parameters['nickname'] . '/activity" title="' . $this->t('%s\'s timeline', $profile['name']) . '"/>' . "\n"; $this->page['htmlhead'] .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $this->parameters['nickname'] . '/activity" title="' . $this->t('%s\'s timeline', Strings::escapeHtml($profile['name'])) . '"/>' . "\n";
$category = $datequery = $datequery2 = ''; $category = $datequery = $datequery2 = '';