From cfac13790bc1948697b76b9a6134b61c7bb3173b Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 7 Nov 2021 09:18:25 +0000 Subject: [PATCH 1/2] "escapeTags" is finally removed --- mod/photos.php | 2 +- mod/tagger.php | 7 +++---- src/Module/BaseSearch.php | 1 - src/Module/Invite.php | 2 +- src/Module/Search/Directory.php | 3 +-- src/Module/Search/Index.php | 5 ++--- src/Module/Search/Saved.php | 3 +-- src/Util/Strings.php | 16 ---------------- tests/src/Util/StringsTest.php | 2 -- view/templates/directory_header.tpl | 2 +- view/theme/frio/templates/directory_header.tpl | 2 +- 11 files changed, 11 insertions(+), 34 deletions(-) diff --git a/mod/photos.php b/mod/photos.php index 1b8d5069f..6cfdd6a99 100644 --- a/mod/photos.php +++ b/mod/photos.php @@ -204,7 +204,7 @@ function photos_post(App $a) } // RENAME photo album - $newalbum = Strings::escapeTags(trim($_POST['albumname'])); + $newalbum = trim($_POST['albumname']); if ($newalbum != $album) { Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]); // Update the photo albums cache diff --git a/mod/tagger.php b/mod/tagger.php index af555790a..4afe6efb6 100644 --- a/mod/tagger.php +++ b/mod/tagger.php @@ -32,7 +32,6 @@ use Friendica\Model\Item; use Friendica\Model\Post; use Friendica\Model\Tag; use Friendica\Protocol\Activity; -use Friendica\Util\Strings; use Friendica\Util\XML; use Friendica\Worker\Delivery; @@ -42,15 +41,15 @@ function tagger_content(App $a) { return; } - $term = Strings::escapeTags(trim($_GET['term'])); + $term = trim($_GET['term']); // no commas allowed - $term = str_replace([',',' '],['','_'],$term); + $term = str_replace([',',' ', '<', '>'],['','_', '', ''], $term); if (!$term) { return; } - $item_id = ((DI::args()->getArgc() > 1) ? Strings::escapeTags(trim(DI::args()->getArgv()[1])) : 0); + $item_id = ((DI::args()->getArgc() > 1) ? trim(DI::args()->getArgv()[1]) : 0); Logger::notice('tagger: tag ' . $term . ' item ' . $item_id); 
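Review bot: With escapeTags() gone, `$newalbum` is stored exactly as posted on the `Photo::update()` line, so an album name containing `<` or `>` now relies entirely on output-side escaping; this series only drops `nofilter` from `directory_header.tpl`, and any template that still prints album names with `nofilter` (none is visible here) would become a stored-XSS sink. It would be worth auditing the photo-album templates in the same change, or stating in the commit message that Smarty escaping is now the only defence for this field. photos_post() continues outside the hunk.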
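Review bot: `$item_id` on the `DI::args()->getArgv()[1]` line is now passed through untouched apart from `trim()`; since its default is the integer `0` it is presumably a numeric item id, so `$item_id = DI::args()->getArgc() > 1 ? (int)DI::args()->getArgv()[1] : 0;` would validate it at the boundary instead of relying on whatever lookup follows. The `str_replace` strip of `<`/`>` is a denylist: `$term` can still carry CR/LF and other control characters, which the `Logger::notice()` line writes verbatim and a log viewer may treat as a line break, so `$term = preg_replace('/[\x00-\x1f\x7f]/', '', $term);` before logging, or escaping at the log sink, would be safer. tagger_content() continues outside the hunk.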
diff --git a/src/Module/BaseSearch.php b/src/Module/BaseSearch.php index bccfc94de..a3e7a8a8c 100644 --- a/src/Module/BaseSearch.php +++ b/src/Module/BaseSearch.php @@ -48,7 +48,6 @@ class BaseSearch extends BaseModule */ public static function performContactSearch($search, $prefix = '') { - $a = DI::app(); $config = DI::config(); $type = Search::TYPE_ALL; diff --git a/src/Module/Invite.php b/src/Module/Invite.php index 566e54b12..65438c151 100644 --- a/src/Module/Invite.php +++ b/src/Module/Invite.php @@ -58,7 +58,7 @@ class Invite extends BaseModule $recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : []; - $message = !empty($_POST['message']) ? Strings::escapeTags(trim($_POST['message'])) : ''; + $message = !empty($_POST['message']) ? Strings::escapeHtml(trim($_POST['message'])) : ''; $total = 0; $invitation_only = false; diff --git a/src/Module/Search/Directory.php b/src/Module/Search/Directory.php index 6c898ecd0..692122155 100644 --- a/src/Module/Search/Directory.php +++ b/src/Module/Search/Directory.php @@ -25,7 +25,6 @@ use Friendica\Content\Widget; use Friendica\DI; use Friendica\Module\BaseSearch; use Friendica\Module\Security\Login; -use Friendica\Util\Strings; /** * Directory search module @@ -39,7 +38,7 @@ class Directory extends BaseSearch return Login::form(); } - $search = Strings::escapeTags(trim(rawurldecode($_REQUEST['search'] ?? ''))); + $search = trim(rawurldecode($_REQUEST['search'] ?? '')); if (empty(DI::page()['aside'])) { DI::page()['aside'] = ''; diff --git a/src/Module/Search/Index.php b/src/Module/Search/Index.php index e9086cf58..769d5f90d 100644 --- a/src/Module/Search/Index.php +++ b/src/Module/Search/Index.php 
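Review bot: `Strings::escapeHtml()` on the `$message` line entity-encodes the invitation text at input time (the StringsTest hunk expects `<` and `"` to come back as entities), so if `$message` is later placed into a plain-text e-mail body — which is what an invitation message usually is, though the send path is outside this hunk — recipients will see `&lt;`, `&quot;` and `&amp;` literally. Escaping belongs at the sink: keep `trim($_POST['message'])` here and apply `Strings::escapeHtml()` only where the message is rendered as HTML. The enclosing method continues outside the hunk.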
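Review bot: `rawurldecode()` on the `$search` line decodes a value PHP has already URL-decoded, so a literal `%3Cscript%3E` in the `search` parameter becomes `<script>` here; with escapeTags() gone, the remaining protection is the Smarty escaping of `$desc` enabled by this patch's `directory_header.tpl` change, plus whatever BaseSearch::performContactSearch() does with `$search`, which is outside this hunk. If the double decode is not deliberate, `trim($_REQUEST['search'] ?? '')` is sufficient; if it is, a one-line comment naming which caller sends the value double-encoded would save the next reader the same question. content() continues outside the hunk.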
@@ -38,13 +38,12 @@ use Friendica\Model\Post; use Friendica\Model\Tag; use Friendica\Module\BaseSearch; use Friendica\Network\HTTPException; -use Friendica\Util\Strings; class Index extends BaseSearch { public static function content(array $parameters = []) { - $search = (!empty($_GET['q']) ? Strings::escapeTags(trim(rawurldecode($_GET['q']))) : ''); + $search = (!empty($_GET['q']) ? trim(rawurldecode($_GET['q'])) : ''); if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) { throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.')); @@ -88,7 +87,7 @@ class Index extends BaseSearch $tag = false; if (!empty($_GET['tag'])) { $tag = true; - $search = '#' . Strings::escapeTags(trim(rawurldecode($_GET['tag']))); + $search = '#' . trim(rawurldecode($_GET['tag'])); } // contruct a wrapper for the search header diff --git a/src/Module/Search/Saved.php b/src/Module/Search/Saved.php index 723860bd8..d5cc15cee 100644 --- a/src/Module/Search/Saved.php +++ b/src/Module/Search/Saved.php @@ -25,14 +25,13 @@ use Friendica\BaseModule; use Friendica\Core\Search; use Friendica\Database\DBA; use Friendica\DI; -use Friendica\Util\Strings; class Saved extends BaseModule { public static function init(array $parameters = []) { $action = DI::args()->get(2, 'none'); - $search = Strings::escapeTags(trim(rawurldecode($_GET['term'] ?? ''))); + $search = trim(rawurldecode($_GET['term'] ?? '')); $return_url = $_GET['return_url'] ?? Search::getSearchPath($search); diff --git a/src/Util/Strings.php b/src/Util/Strings.php index 2f27e4a5f..1be56d0e7 100644 --- a/src/Util/Strings.php +++ b/src/Util/Strings.php 
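Review bot: The `$search` line has the same double decode as the other search modules — `rawurldecode()` on an already-decoded `$_GET['q']` — and the `!empty()` guard additionally turns a search for the string `0` into an empty search. If the double decode is intentional, `$search = trim(rawurldecode($_GET['q'] ?? ''));` keeps the null handling while letting `0` through; if it is not, drop `rawurldecode()` as well. content() continues outside the hunk.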
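Review bot: The now-unescaped `$search` on the `$_GET['term']` line flows straight into `Search::getSearchPath($search)` to build the default `$return_url`, so that helper must URL-encode it (it is outside this hunk). The adjacent `$return_url = $_GET['return_url'] ?? …` also takes an arbitrary string from the request; if init() later redirects to it — the redirect is not visible here — it needs a check that the target is a relative path or on this node's base URL, otherwise it is an open redirect. init() continues outside the hunk.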
@@ -59,22 +59,6 @@ class Strings return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false; } - /** - * This is our primary input filter. - * - * Use this on any text input where angle chars are not valid or permitted - * They will be replaced with safer brackets. This may be filtered further - * if these are not allowed either. - * - * @param string $string Input string - * @return string Filtered string - * @deprecated since 2020.09 Please use Smarty default HTML escaping for templates or htmlspecialchars() otherwise - */ - public static function escapeTags($string) - { - return str_replace(["<", ">"], ['[', ']'], $string); - } - /** * Use this on "body" or "content" input where angle chars shouldn't be removed, * and allow them to be safely displayed. diff --git a/tests/src/Util/StringsTest.php b/tests/src/Util/StringsTest.php index 5adaa9157..7bfe9906b 100644 --- a/tests/src/Util/StringsTest.php +++ b/tests/src/Util/StringsTest.php @@ -90,10 +90,8 @@ class StringsTest extends TestCase { $invalidstring=''; - $validstring = Strings::escapeTags($invalidstring); $escapedString = Strings::escapeHtml($invalidstring); - self::assertEquals('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring); self::assertEquals( "<submit type="button" onclick="alert('failed!');" />", $escapedString diff --git a/view/templates/directory_header.tpl b/view/templates/directory_header.tpl index e277c29da..7ee38a64a 100644 --- a/view/templates/directory_header.tpl +++ b/view/templates/directory_header.tpl @@ -9,7 +9,7 @@
- {{$desc nofilter}} + {{$desc}}
diff --git a/view/theme/frio/templates/directory_header.tpl b/view/theme/frio/templates/directory_header.tpl index f4c9f0f4b..cef6208ad 100644 --- a/view/theme/frio/templates/directory_header.tpl +++ b/view/theme/frio/templates/directory_header.tpl @@ -15,7 +15,7 @@
From a12144bf61d93d8ddc4b49308a25eaafc7481039 Mon Sep 17 00:00:00 2001 From: Michael Vogel Date: Sun, 7 Nov 2021 13:57:24 +0100 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Philipp --- mod/photos.php | 2 +- mod/tagger.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mod/photos.php b/mod/photos.php index 6cfdd6a99..b4ffb756c 100644 --- a/mod/photos.php +++ b/mod/photos.php @@ -204,7 +204,7 @@ function photos_post(App $a) } // RENAME photo album - $newalbum = trim($_POST['albumname']); + $newalbum = trim($_POST['albumname'] ?? ''); if ($newalbum != $album) { Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]); // Update the photo albums cache diff --git a/mod/tagger.php b/mod/tagger.php index 4afe6efb6..d55e34f78 100644 --- a/mod/tagger.php +++ b/mod/tagger.php @@ -41,7 +41,7 @@ function tagger_content(App $a) { return; } - $term = trim($_GET['term']); + $term = trim($_GET['term'] ?? ''); // no commas allowed $term = str_replace([',',' ', '<', '>'],['','_', '', ''], $term);
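Review bot: `$newalbum = trim($_POST['albumname'] ?? '');` makes a missing or whitespace-only `albumname` silently evaluate to `''`, and the `if ($newalbum != $album)` that follows then renames every photo in `$album` to an empty album name via `Photo::update()`; unless an earlier check outside this hunk rejects it, an empty-name guard such as `if ($newalbum === '') { return; }` (or a user-facing notice) is needed before the rename. A strict `!==` would also be preferable to `!=` on that line if both operands are strings. photos_post() continues outside the hunk.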