1
0
Fork 0

Merge pull request #1948 from annando/1510-more-escaping

Handling contact names with > and <
This commit is contained in:
Tobias Diekershoff 2015-10-10 18:48:20 +02:00
commit 9e2b62b082
5 changed files with 23 additions and 18 deletions

View file

@ -392,7 +392,6 @@ function acl_lookup(&$a, $out_type = 'json') {
if(!local_user()) if(!local_user())
return ""; return "";
$start = (x($_REQUEST,'start')?$_REQUEST['start']:0); $start = (x($_REQUEST,'start')?$_REQUEST['start']:0);
$count = (x($_REQUEST,'count')?$_REQUEST['count']:100); $count = (x($_REQUEST,'count')?$_REQUEST['count']:100);
$search = (x($_REQUEST,'search')?$_REQUEST['search']:""); $search = (x($_REQUEST,'search')?$_REQUEST['search']:"");
@ -492,7 +491,7 @@ function acl_lookup(&$a, $out_type = 'json') {
$groups[] = array( $groups[] = array(
"type" => "g", "type" => "g",
"photo" => "images/twopeople.png", "photo" => "images/twopeople.png",
"name" => $g['name'], "name" => htmlentities($g['name']),
"id" => intval($g['id']), "id" => intval($g['id']),
"uids" => array_map("intval", explode(",",$g['uids'])), "uids" => array_map("intval", explode(",",$g['uids'])),
"link" => '', "link" => '',
@ -547,7 +546,7 @@ function acl_lookup(&$a, $out_type = 'json') {
foreach($r as $g) { foreach($r as $g) {
$x['photos'][] = proxy_url($g['micro'], false, PROXY_SIZE_MICRO); $x['photos'][] = proxy_url($g['micro'], false, PROXY_SIZE_MICRO);
$x['links'][] = $g['url']; $x['links'][] = $g['url'];
$x['suggestions'][] = $g['name']; $x['suggestions'][] = htmlentities($g['name']);
$x['data'][] = intval($g['id']); $x['data'][] = intval($g['id']);
} }
} }
@ -560,11 +559,11 @@ function acl_lookup(&$a, $out_type = 'json') {
$contacts[] = array( $contacts[] = array(
"type" => "c", "type" => "c",
"photo" => proxy_url($g['micro'], false, PROXY_SIZE_MICRO), "photo" => proxy_url($g['micro'], false, PROXY_SIZE_MICRO),
"name" => $g['name'], "name" => htmlentities($g['name']),
"id" => intval($g['id']), "id" => intval($g['id']),
"network" => $g['network'], "network" => $g['network'],
"link" => $g['url'], "link" => $g['url'],
"nick" => ($g['attag']) ? $g['attag'] : $g['nick'], "nick" => htmlentities(($g['attag']) ? $g['attag'] : $g['nick']),
"forum" => $g['forum'] "forum" => $g['forum']
); );
} }
@ -605,11 +604,11 @@ function acl_lookup(&$a, $out_type = 'json') {
$unknow_contacts[] = array( $unknow_contacts[] = array(
"type" => "c", "type" => "c",
"photo" => proxy_url($row['author-avatar'], false, PROXY_SIZE_MICRO), "photo" => proxy_url($row['author-avatar'], false, PROXY_SIZE_MICRO),
"name" => $row['author-name'], "name" => htmlentities($row['author-name']),
"id" => '', "id" => '',
"network" => "unknown", "network" => "unknown",
"link" => $row['author-link'], "link" => $row['author-link'],
"nick" => $nick, "nick" => htmlentities($nick),
"forum" => false "forum" => false
); );
} }

View file

@ -942,7 +942,7 @@ function like_puller($a,$item,&$arr,$mode) {
$arr[$item['thr-parent']] = 1; $arr[$item['thr-parent']] = 1;
else else
$arr[$item['thr-parent']] ++; $arr[$item['thr-parent']] ++;
$arr[$item['thr-parent'] . '-l'][] = '<a href="'. $url . '"'. $sparkle .'>' . $item['author-name'] . '</a>'; $arr[$item['thr-parent'] . '-l'][] = '<a href="'. $url . '"'. $sparkle .'>' . htmlentities($item['author-name']) . '</a>';
} }
return; return;
}} }}

View file

@ -1239,10 +1239,10 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
$arr['guid'] = ((x($arr,'guid')) ? notags(trim($arr['guid'])) : get_guid(32, $guid_prefix)); $arr['guid'] = ((x($arr,'guid')) ? notags(trim($arr['guid'])) : get_guid(32, $guid_prefix));
$arr['uri'] = ((x($arr,'uri')) ? notags(trim($arr['uri'])) : $arr['guid']); $arr['uri'] = ((x($arr,'uri')) ? notags(trim($arr['uri'])) : $arr['guid']);
$arr['extid'] = ((x($arr,'extid')) ? notags(trim($arr['extid'])) : ''); $arr['extid'] = ((x($arr,'extid')) ? notags(trim($arr['extid'])) : '');
$arr['author-name'] = ((x($arr,'author-name')) ? notags(trim($arr['author-name'])) : ''); $arr['author-name'] = ((x($arr,'author-name')) ? trim($arr['author-name']) : '');
$arr['author-link'] = ((x($arr,'author-link')) ? notags(trim($arr['author-link'])) : ''); $arr['author-link'] = ((x($arr,'author-link')) ? notags(trim($arr['author-link'])) : '');
$arr['author-avatar'] = ((x($arr,'author-avatar')) ? notags(trim($arr['author-avatar'])) : ''); $arr['author-avatar'] = ((x($arr,'author-avatar')) ? notags(trim($arr['author-avatar'])) : '');
$arr['owner-name'] = ((x($arr,'owner-name')) ? notags(trim($arr['owner-name'])) : ''); $arr['owner-name'] = ((x($arr,'owner-name')) ? trim($arr['owner-name']) : '');
$arr['owner-link'] = ((x($arr,'owner-link')) ? notags(trim($arr['owner-link'])) : ''); $arr['owner-link'] = ((x($arr,'owner-link')) ? notags(trim($arr['owner-link'])) : '');
$arr['owner-avatar'] = ((x($arr,'owner-avatar')) ? notags(trim($arr['owner-avatar'])) : ''); $arr['owner-avatar'] = ((x($arr,'owner-avatar')) ? notags(trim($arr['owner-avatar'])) : '');
$arr['created'] = ((x($arr,'created') !== false) ? datetime_convert('UTC','UTC',$arr['created']) : datetime_convert()); $arr['created'] = ((x($arr,'created') !== false) ? datetime_convert('UTC','UTC',$arr['created']) : datetime_convert());
@ -1250,8 +1250,8 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
$arr['commented'] = ((x($arr,'commented') !== false) ? datetime_convert('UTC','UTC',$arr['commented']) : datetime_convert()); $arr['commented'] = ((x($arr,'commented') !== false) ? datetime_convert('UTC','UTC',$arr['commented']) : datetime_convert());
$arr['received'] = ((x($arr,'received') !== false) ? datetime_convert('UTC','UTC',$arr['received']) : datetime_convert()); $arr['received'] = ((x($arr,'received') !== false) ? datetime_convert('UTC','UTC',$arr['received']) : datetime_convert());
$arr['changed'] = ((x($arr,'changed') !== false) ? datetime_convert('UTC','UTC',$arr['changed']) : datetime_convert()); $arr['changed'] = ((x($arr,'changed') !== false) ? datetime_convert('UTC','UTC',$arr['changed']) : datetime_convert());
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); $arr['title'] = ((x($arr,'title')) ? trim($arr['title']) : '');
$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); $arr['location'] = ((x($arr,'location')) ? trim($arr['location']) : '');
$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : ''); $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
$arr['last-child'] = ((x($arr,'last-child')) ? intval($arr['last-child']) : 0 ); $arr['last-child'] = ((x($arr,'last-child')) ? intval($arr['last-child']) : 0 );
$arr['visible'] = ((x($arr,'visible') !== false) ? intval($arr['visible']) : 1 ); $arr['visible'] = ((x($arr,'visible') !== false) ? intval($arr['visible']) : 1 );

View file

@ -139,7 +139,7 @@ function dirfind_content(&$a, $prefix = "") {
$o .= replace_macros($tpl,array( $o .= replace_macros($tpl,array(
'$url' => zrl($jj->url), '$url' => zrl($jj->url),
'$name' => $jj->name, '$name' => htmlentities($jj->name),
'$photo' => proxy_url($jj->photo, false, PROXY_SIZE_THUMB), '$photo' => proxy_url($jj->photo, false, PROXY_SIZE_THUMB),
'$tags' => $jj->tags, '$tags' => $jj->tags,
'$conntxt' => $conntxt, '$conntxt' => $conntxt,

View file

@ -235,6 +235,8 @@ class Item extends BaseObject {
if ($shareable) $buttons['share'] = array( t('Share this'), t('share')); if ($shareable) $buttons['share'] = array( t('Share this'), t('share'));
} }
$comment = $this->get_comment_box($indent);
if(strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC','now - 12 hours')) > 0){ if(strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC','now - 12 hours')) > 0){
$shiny = 'shiny'; $shiny = 'shiny';
} }
@ -304,6 +306,10 @@ class Item extends BaseObject {
!diaspora_is_redmatrix($item["owner-link"]) AND isset($buttons["like"])) !diaspora_is_redmatrix($item["owner-link"]) AND isset($buttons["like"]))
unset($buttons["like"]); unset($buttons["like"]);
// Diaspora doesn't has multithreaded comments
if (($item["item_network"] == NETWORK_DIASPORA) AND ($indent == 'comment'))
unset($comment);
// Facebook can like comments - but it isn't programmed in the connector yet. // Facebook can like comments - but it isn't programmed in the connector yet.
if (($item["item_network"] == NETWORK_FACEBOOK) AND ($indent == 'comment') AND isset($buttons["like"])) if (($item["item_network"] == NETWORK_FACEBOOK) AND ($indent == 'comment') AND isset($buttons["like"]))
unset($buttons["like"]); unset($buttons["like"]);
@ -326,7 +332,7 @@ class Item extends BaseObject {
'id' => $this->get_id(), 'id' => $this->get_id(),
'guid' => urlencode($item['guid']), 'guid' => urlencode($item['guid']),
'linktitle' => sprintf( t('View %s\'s profile @ %s'), $profile_name, ((strlen($item['author-link'])) ? $item['author-link'] : $item['url'])), 'linktitle' => sprintf( t('View %s\'s profile @ %s'), $profile_name, ((strlen($item['author-link'])) ? $item['author-link'] : $item['url'])),
'olinktitle' => sprintf( t('View %s\'s profile @ %s'), $this->get_owner_name(), ((strlen($item['owner-link'])) ? $item['owner-link'] : $item['url'])), 'olinktitle' => sprintf( t('View %s\'s profile @ %s'), htmlentities($this->get_owner_name()), ((strlen($item['owner-link'])) ? $item['owner-link'] : $item['url'])),
'to' => t('to'), 'to' => t('to'),
'via' => t('via'), 'via' => t('via'),
'wall' => t('Wall-to-Wall'), 'wall' => t('Wall-to-Wall'),
@ -348,7 +354,7 @@ class Item extends BaseObject {
'shiny' => $shiny, 'shiny' => $shiny,
'owner_url' => $this->get_owner_url(), 'owner_url' => $this->get_owner_url(),
'owner_photo' => proxy_url($this->get_owner_photo(), false, PROXY_SIZE_THUMB), 'owner_photo' => proxy_url($this->get_owner_photo(), false, PROXY_SIZE_THUMB),
'owner_name' => $owner_name_e, 'owner_name' => htmlentities($owner_name_e),
'plink' => get_plink($item), 'plink' => get_plink($item),
'edpost' => ((feature_enabled($conv->get_profile_owner(),'edit_posts')) ? $edpost : ''), 'edpost' => ((feature_enabled($conv->get_profile_owner(),'edit_posts')) ? $edpost : ''),
'isstarred' => $isstarred, 'isstarred' => $isstarred,
@ -361,7 +367,7 @@ class Item extends BaseObject {
'like' => $like, 'like' => $like,
'dislike' => $dislike, 'dislike' => $dislike,
'switchcomment' => t('Comment'), 'switchcomment' => t('Comment'),
'comment' => $this->get_comment_box($indent), 'comment' => $comment,
'previewing' => ($conv->is_preview() ? ' preview ' : ''), 'previewing' => ($conv->is_preview() ? ' preview ' : ''),
'wait' => t('Please wait'), 'wait' => t('Please wait'),
'thread_level' => $thread_level, 'thread_level' => $thread_level,