Bugfix: The contact names had to be escaped

include/diaspora.php

@@ -110,6 +110,9 @@ function diaspora_dispatch($importer,$msg,$attempt=1) {
 	elseif($xmlbase->message) {
 		$ret = diaspora_message($importer,$xmlbase->message,$msg);
 	}
+	elseif($xmlbase->participation) {
+		$ret = diaspora_participation($importer,$xmlbase->participation);
+	}
 	else {
 		logger('diaspora_dispatch: unknown message type: ' . print_r($xmlbase,true));
 	}
@@ -1881,6 +1884,9 @@ function diaspora_message($importer,$xml,$msg) {
 	return;
 }
 
+function diaspora_participation($importer,$xml) {
+	logger("Unsupported message type 'participation' ".print_r($xml, true));
+}
 
 function diaspora_photo($importer,$xml,$msg,$attempt=1) {
 

include/items.php

@@ -1287,6 +1287,19 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
 	}
 
 	if ($arr['network'] == "") {
+		$r = q("SELECT `network` FROM `contact` WHERE `network` IN ('%s', '%s', '%s') AND `nurl` = '%s' AND `uid` = %d LIMIT 1",
+			dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS),
+			dbesc(normalise_link($arr['author-link'])),
+			intval($arr['uid'])
+		);
+
+		if(!count($r))
+			$r = q("SELECT `network` FROM `gcontact` WHERE `network` IN ('%s', '%s', '%s') AND `nurl` = '%s' LIMIT 1",
+				dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS),
+				dbesc(normalise_link($arr['author-link']))
+			);
+
+		if(!count($r))
 			$r = q("SELECT `network` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
 				intval($arr['contact-id']),
 				intval($arr['uid'])

mod/allfriends.php

@@ -21,7 +21,7 @@ function allfriends_content(&$a) {
 	);
 
 	$vcard_widget .= replace_macros(get_markup_template("vcard-widget.tpl"),array(
-		'$name'  => $c[0]['name'],
+		'$name'  => htmlentities($c[0]['name']),
 		'$photo' => $c[0]['photo'],
 		'url'    => z_root() . '/contacts/' . $cid
 	));
@@ -34,7 +34,7 @@ function allfriends_content(&$a) {
 		return;
 
 	$o .= replace_macros(get_markup_template("section_title.tpl"),array(
-		'$title' => sprintf( t('Friends of %s'), $c[0]['name'])
+		'$title' => sprintf( t('Friends of %s'), htmlentities($c[0]['name']))
 	));
 
 
@@ -51,7 +51,7 @@ function allfriends_content(&$a) {
 
 		$o .= replace_macros($tpl,array(
 			'$url' => $rr['url'],
-			'$name' => $rr['name'],
+			'$name' => htmlentities($rr['name']),
 			'$photo' => $rr['photo'],
 			'$tags' => ''
 		));

mod/common.php

@@ -29,7 +29,7 @@ function common_content(&$a) {
 	}
 
 	$vcard_widget .= replace_macros(get_markup_template("vcard-widget.tpl"),array(
-		'$name' => $c[0]['name'],
+		'$name' => htmlentities($c[0]['name']),
 		'$photo' => $c[0]['photo'],
 		'url' => z_root() . '/contacts/' . $cid
 	));
@@ -100,7 +100,7 @@ function common_content(&$a) {
 
 		$o .= replace_macros($tpl,array(
 			'$url' => $rr['url'],
-			'$name' => $rr['name'],
+			'$name' => htmlentities($rr['name']),
 			'$photo' => $rr['photo'],
 			'$tags' => ''
 		));

mod/contacts.php

@@ -33,7 +33,7 @@ function contacts_init(&$a) {
 	if($contact_id) {
 			$a->data['contact'] = $r[0];
 			$vcard_widget = replace_macros(get_markup_template("vcard-widget.tpl"),array(
-				'$name' => $a->data['contact']['name'],
+				'$name' => htmlentities($a->data['contact']['name']),
 				'$photo' => $a->data['contact']['photo'],
 			        '$url' => ($a->data['contact']['network'] == NETWORK_DFRN) ? $a->get_baseurl()."/redir/".$a->data['contact']['id'] : $a->data['contact']['url']
 			));
@@ -509,7 +509,7 @@ function contacts_content(&$a) {
 		if(!in_array($contact['network'], array(NETWORK_DFRN, NETWORK_OSTATUS, NETWORK_DIASPORA)))
 				$relation_text = "";
 
-		$relation_text = sprintf($relation_text,$contact['name']);
+		$relation_text = sprintf($relation_text,htmlentities($contact['name']));
 
 		if(($contact['network'] === NETWORK_DFRN) && ($contact['rel'])) {
 			$url = "redir/{$contact['id']}";
@@ -632,7 +632,7 @@ function contacts_content(&$a) {
 			'$ffi_keyword_blacklist' => $contact['ffi_keyword_blacklist'],
 			'$ffi_keyword_blacklist' => array('ffi_keyword_blacklist', t('Blacklisted keywords'), $contact['ffi_keyword_blacklist'], t('Comma separated list of keywords that should not be converted to hashtags, when "Fetch information and keywords" is selected')),
 			'$photo' => $contact['photo'],
-			'$name' => $contact['name'],
+			'$name' => htmlentities($contact['name']),
 			'$dir_icon' => $dir_icon,
 			'$alt_text' => $alt_text,
 			'$sparkle' => $sparkle,
@@ -842,8 +842,8 @@ function _contact_detail_for_template($rr){
 		'alt_text' => $alt_text,
 		'dir_icon' => $dir_icon,
 		'thumb' => proxy_url($rr['thumb'], false, PROXY_SIZE_THUMB),
-		'name' => $rr['name'],
+		'name' => htmlentities($rr['name']),
-		'username' => $rr['name'],
+		'username' => htmlentities($rr['name']),
 		'sparkle' => $sparkle,
 		'itemurl' => $rr['url'],
 		'url' => $url,

mod/crepair.php

@@ -24,7 +24,7 @@ function crepair_init(&$a) {
 			$a->data['contact'] = $r[0];
                         $tpl = get_markup_template("vcard-widget.tpl");
                         $vcard_widget .= replace_macros($tpl, array(
-                                '$name' => $a->data['contact']['name'],
+                                '$name' => htmlentities($a->data['contact']['name']),
                                 '$photo' => $a->data['contact']['photo']
                         ));
 			$a->page['aside'] .= $vcard_widget;
@@ -179,8 +179,8 @@ function crepair_content(&$a) {
 		'$label_remote_self' => t('Remote Self'),
 		'$allow_remote_self' => $allow_remote_self,
 		'$remote_self' => array('remote_self', t('Mirror postings from this contact'), $contact['remote_self'], t('Mark this contact as remote_self, this will cause friendica to repost new entries from this contact.'), $remote_self_options),
-		'$contact_name' => $contact['name'],
+		'$contact_name' => htmlentities($contact['name']),
-		'$contact_nick' => $contact['nick'],
+		'$contact_nick' => htmlentities($contact['nick']),
 		'$contact_id'   => $contact['id'],
 		'$contact_url'  => $contact['url'],
 		'$request'      => $contact['request'],

mod/network.php

@@ -575,7 +575,7 @@ function network_content(&$a, $update = 0) {
 			$sql_extra = "";
 
 			$o = replace_macros(get_markup_template("section_title.tpl"),array(
-				'$title' => sprintf( t('Contact: %s'), $r[0]['name'])
+				'$title' => sprintf( t('Contact: %s'), htmlentities($r[0]['name']))
 			)) . $o;
 
 			if($r[0]['network'] === NETWORK_OSTATUS && $r[0]['writable'] && (! get_pconfig(local_user(),'system','nowarn_insecure'))) {

mod/viewcontacts.php

@@ -63,8 +63,8 @@ function viewcontacts_content(&$a) {
 			'id' => $rr['id'],
 			'img_hover' => sprintf( t('Visit %s\'s profile [%s]'), $rr['name'], $rr['url']),
 			'thumb' => proxy_url($rr['thumb'], false, PROXY_SIZE_THUMB),
-			'name' => substr($rr['name'],0,20),
+			'name' => htmlentities(substr($rr['name'],0,20)),
-			'username' => $rr['name'],
+			'username' => htmlentities($rr['name']),
 			'url' => $url,
 			'sparkle' => '',
 			'itemurl' => $rr['url'],

object/Item.php

@@ -134,7 +134,7 @@ class Item extends BaseObject {
 		$filer = (($conv->get_profile_owner() == local_user()) ? t("save to folder") : false);
 
 		$diff_author    = ((link_compare($item['url'],$item['author-link'])) ? false : true);
-		$profile_name   = (((strlen($item['author-name']))   && $diff_author) ? $item['author-name']   : $item['name']);
+		$profile_name   = htmlentities(((strlen($item['author-name']))   && $diff_author) ? $item['author-name']   : $item['name']);
 		if($item['author-link'] && (! $item['author-name']))
 			$profile_name = $item['author-link'];
 

view/theme/vier/theme.php

@@ -84,7 +84,8 @@ function cmtBbClose(id) {
 EOT;
 
 	// Hide the left menu bar
-	if (($a->page['aside'] == "") AND in_array($a->argv[0], array("community", "events", "help", "manage", "notifications", "probe", "webfinger", "login")))
+	if (($a->page['aside'] == "") AND in_array($a->argv[0], array("community", "events", "help", "manage", "notifications",
+									"probe", "webfinger", "login", "invite")))
 		$a->page['htmlhead'] .= "<link rel='stylesheet' href='view/theme/vier/hide.css' />";
 }