diff --git a/include/conversation.php b/include/conversation.php index e570336054..ee286ca983 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -483,7 +483,7 @@ function conversation(App $a, array $items, Pager $pager, $mode, $update, $previ if (!$update) { $tab = 'posts'; if (x($_GET, 'tab')) { - $tab = Strings::removeTags(trim($_GET['tab'])); + $tab = Strings::escapeTags(trim($_GET['tab'])); } if ($tab === 'posts') { /* diff --git a/include/text.php b/include/text.php index b4e8dbf112..ee83345c09 100644 --- a/include/text.php +++ b/include/text.php @@ -62,7 +62,7 @@ function expand_acl($s) { */ function sanitise_acl(&$item) { if (intval($item)) { - $item = '<' . intval(Strings::removeTags(trim($item))) . '>'; + $item = '<' . intval(Strings::escapeTags(trim($item))) . '>'; } else { unset($item); } diff --git a/mod/acl.php b/mod/acl.php index 266c294178..cb378dc27c 100644 --- a/mod/acl.php +++ b/mod/acl.php @@ -189,7 +189,7 @@ function acl_content(App $a) ); } elseif ($type == 'x') { // autocomplete for global contact search (e.g. navbar search) - $search = Strings::removeTags(trim($_REQUEST['search'])); + $search = Strings::escapeTags(trim($_REQUEST['search'])); $mode = $_REQUEST['smode']; $r = ACL::contactAutocomplete($search, $mode); diff --git a/mod/admin.php b/mod/admin.php index d1b761c980..5adc8e9c47 100644 --- a/mod/admin.php +++ b/mod/admin.php @@ -417,8 +417,8 @@ function admin_page_blocklist_post(App $a) // Add new item to blocklist $blocklist = Config::get('system', 'blocklist'); $blocklist[] = [ - 'domain' => Strings::removeTags(trim($_POST['newentry_domain'])), - 'reason' => Strings::removeTags(trim($_POST['newentry_reason'])) + 'domain' => Strings::escapeTags(trim($_POST['newentry_domain'])), + 'reason' => Strings::escapeTags(trim($_POST['newentry_reason'])) ]; Config::set('system', 'blocklist', $blocklist); info(L10n::t('Server added to blocklist.') . EOL); @@ -427,8 +427,8 @@ function admin_page_blocklist_post(App $a) $blocklist = []; foreach ($_POST['domain'] as $id => $domain) { // Trimming whitespaces as well as any lingering slashes - $domain = Strings::removeTags(trim($domain, "\x00..\x1F/")); - $reason = Strings::removeTags(trim($_POST['reason'][$id])); + $domain = Strings::escapeTags(trim($domain, "\x00..\x1F/")); + $reason = Strings::escapeTags(trim($_POST['reason'][$id])); if (!x($_POST['delete'][$id])) { $blocklist[] = [ 'domain' => $domain, @@ -566,7 +566,7 @@ function admin_page_deleteitem_post(App $a) BaseModule::checkFormSecurityTokenRedirectOnError('/admin/deleteitem/', 'admin_deleteitem'); if (x($_POST['page_deleteitem_submit'])) { - $guid = trim(Strings::removeTags($_POST['deleteitemguid'])); + $guid = trim(Strings::escapeTags($_POST['deleteitemguid'])); // The GUID should not include a "/", so if there is one, we got an URL // and the last part of it is most likely the GUID. if (strpos($guid, '/')) { @@ -1049,16 +1049,16 @@ function admin_page_site_post(App $a) } // end relocate - $sitename = ((x($_POST,'sitename')) ? Strings::removeTags(trim($_POST['sitename'])) : ''); - $hostname = ((x($_POST,'hostname')) ? Strings::removeTags(trim($_POST['hostname'])) : ''); - $sender_email = ((x($_POST,'sender_email')) ? Strings::removeTags(trim($_POST['sender_email'])) : ''); + $sitename = ((x($_POST,'sitename')) ? Strings::escapeTags(trim($_POST['sitename'])) : ''); + $hostname = ((x($_POST,'hostname')) ? Strings::escapeTags(trim($_POST['hostname'])) : ''); + $sender_email = ((x($_POST,'sender_email')) ? Strings::escapeTags(trim($_POST['sender_email'])) : ''); $banner = ((x($_POST,'banner')) ? trim($_POST['banner']) : false); - $shortcut_icon = ((x($_POST,'shortcut_icon')) ? Strings::removeTags(trim($_POST['shortcut_icon'])) : ''); - $touch_icon = ((x($_POST,'touch_icon')) ? Strings::removeTags(trim($_POST['touch_icon'])) : ''); + $shortcut_icon = ((x($_POST,'shortcut_icon')) ? Strings::escapeTags(trim($_POST['shortcut_icon'])) : ''); + $touch_icon = ((x($_POST,'touch_icon')) ? Strings::escapeTags(trim($_POST['touch_icon'])) : ''); $info = ((x($_POST,'info')) ? trim($_POST['info']) : false); - $language = ((x($_POST,'language')) ? Strings::removeTags(trim($_POST['language'])) : ''); - $theme = ((x($_POST,'theme')) ? Strings::removeTags(trim($_POST['theme'])) : ''); - $theme_mobile = ((x($_POST,'theme_mobile')) ? Strings::removeTags(trim($_POST['theme_mobile'])) : ''); + $language = ((x($_POST,'language')) ? Strings::escapeTags(trim($_POST['language'])) : ''); + $theme = ((x($_POST,'theme')) ? Strings::escapeTags(trim($_POST['theme'])) : ''); + $theme_mobile = ((x($_POST,'theme_mobile')) ? Strings::escapeTags(trim($_POST['theme_mobile'])) : ''); $maximagesize = ((x($_POST,'maximagesize')) ? intval(trim($_POST['maximagesize'])) : 0); $maximagelength = ((x($_POST,'maximagelength')) ? intval(trim($_POST['maximagelength'])) : MAX_IMAGE_LENGTH); $jpegimagequality = ((x($_POST,'jpegimagequality')) ? intval(trim($_POST['jpegimagequality'])) : JPEG_QUALITY); @@ -1070,14 +1070,14 @@ function admin_page_site_post(App $a) $register_text = ((x($_POST,'register_text')) ? strip_tags(trim($_POST['register_text'])) : ''); - $allowed_sites = ((x($_POST,'allowed_sites')) ? Strings::removeTags(trim($_POST['allowed_sites'])) : ''); - $allowed_email = ((x($_POST,'allowed_email')) ? Strings::removeTags(trim($_POST['allowed_email'])) : ''); - $forbidden_nicknames = ((x($_POST,'forbidden_nicknames')) ? strtolower(Strings::removeTags(trim($_POST['forbidden_nicknames']))) : ''); + $allowed_sites = ((x($_POST,'allowed_sites')) ? Strings::escapeTags(trim($_POST['allowed_sites'])) : ''); + $allowed_email = ((x($_POST,'allowed_email')) ? Strings::escapeTags(trim($_POST['allowed_email'])) : ''); + $forbidden_nicknames = ((x($_POST,'forbidden_nicknames')) ? strtolower(Strings::escapeTags(trim($_POST['forbidden_nicknames']))) : ''); $no_oembed_rich_content = x($_POST,'no_oembed_rich_content'); - $allowed_oembed = ((x($_POST,'allowed_oembed')) ? Strings::removeTags(trim($_POST['allowed_oembed'])) : ''); + $allowed_oembed = ((x($_POST,'allowed_oembed')) ? Strings::escapeTags(trim($_POST['allowed_oembed'])) : ''); $block_public = ((x($_POST,'block_public')) ? True : False); $force_publish = ((x($_POST,'publish_all')) ? True : False); - $global_directory = ((x($_POST,'directory')) ? Strings::removeTags(trim($_POST['directory'])) : ''); + $global_directory = ((x($_POST,'directory')) ? Strings::escapeTags(trim($_POST['directory'])) : ''); $newuser_private = ((x($_POST,'newuser_private')) ? True : False); $enotify_no_content = ((x($_POST,'enotify_no_content')) ? True : False); $private_addons = ((x($_POST,'private_addons')) ? True : False); @@ -1092,8 +1092,8 @@ function admin_page_site_post(App $a) $max_author_posts_community_page = ((x($_POST,'max_author_posts_community_page')) ? intval(trim($_POST['max_author_posts_community_page'])) : 0); $verifyssl = ((x($_POST,'verifyssl')) ? True : False); - $proxyuser = ((x($_POST,'proxyuser')) ? Strings::removeTags(trim($_POST['proxyuser'])) : ''); - $proxy = ((x($_POST,'proxy')) ? Strings::removeTags(trim($_POST['proxy'])) : ''); + $proxyuser = ((x($_POST,'proxyuser')) ? Strings::escapeTags(trim($_POST['proxyuser'])) : ''); + $proxy = ((x($_POST,'proxy')) ? Strings::escapeTags(trim($_POST['proxy'])) : ''); $timeout = ((x($_POST,'timeout')) ? intval(trim($_POST['timeout'])) : 60); $maxloadavg = ((x($_POST,'maxloadavg')) ? intval(trim($_POST['maxloadavg'])) : 50); $maxloadavg_frontend = ((x($_POST,'maxloadavg_frontend')) ? intval(trim($_POST['maxloadavg_frontend'])) : 50); @@ -1117,16 +1117,16 @@ function admin_page_site_post(App $a) $dbclean_expire_days = ((x($_POST,'dbclean_expire_days')) ? intval($_POST['dbclean_expire_days']) : 0); $dbclean_unclaimed = ((x($_POST,'dbclean_unclaimed')) ? intval($_POST['dbclean_unclaimed']) : 0); $suppress_tags = ((x($_POST,'suppress_tags')) ? True : False); - $itemcache = ((x($_POST,'itemcache')) ? Strings::removeTags(trim($_POST['itemcache'])) : ''); + $itemcache = ((x($_POST,'itemcache')) ? Strings::escapeTags(trim($_POST['itemcache'])) : ''); $itemcache_duration = ((x($_POST,'itemcache_duration')) ? intval($_POST['itemcache_duration']) : 0); $max_comments = ((x($_POST,'max_comments')) ? intval($_POST['max_comments']) : 0); - $temppath = ((x($_POST,'temppath')) ? Strings::removeTags(trim($_POST['temppath'])) : ''); - $basepath = ((x($_POST,'basepath')) ? Strings::removeTags(trim($_POST['basepath'])) : ''); - $singleuser = ((x($_POST,'singleuser')) ? Strings::removeTags(trim($_POST['singleuser'])) : ''); + $temppath = ((x($_POST,'temppath')) ? Strings::escapeTags(trim($_POST['temppath'])) : ''); + $basepath = ((x($_POST,'basepath')) ? Strings::escapeTags(trim($_POST['basepath'])) : ''); + $singleuser = ((x($_POST,'singleuser')) ? Strings::escapeTags(trim($_POST['singleuser'])) : ''); $proxy_disabled = ((x($_POST,'proxy_disabled')) ? True : False); $only_tag_search = ((x($_POST,'only_tag_search')) ? True : False); $rino = ((x($_POST,'rino')) ? intval($_POST['rino']) : 0); - $check_new_version_url = ((x($_POST, 'check_new_version_url')) ? Strings::removeTags(trim($_POST['check_new_version_url'])) : 'none'); + $check_new_version_url = ((x($_POST, 'check_new_version_url')) ? Strings::escapeTags(trim($_POST['check_new_version_url'])) : 'none'); $worker_queues = ((x($_POST,'worker_queues')) ? intval($_POST['worker_queues']) : 10); $worker_dont_fork = ((x($_POST,'worker_dont_fork')) ? True : False); @@ -1134,10 +1134,10 @@ function admin_page_site_post(App $a) $worker_frontend = ((x($_POST,'worker_frontend')) ? True : False); $relay_directly = ((x($_POST,'relay_directly')) ? True : False); - $relay_server = ((x($_POST,'relay_server')) ? Strings::removeTags(trim($_POST['relay_server'])) : ''); + $relay_server = ((x($_POST,'relay_server')) ? Strings::escapeTags(trim($_POST['relay_server'])) : ''); $relay_subscribe = ((x($_POST,'relay_subscribe')) ? True : False); - $relay_scope = ((x($_POST,'relay_scope')) ? Strings::removeTags(trim($_POST['relay_scope'])) : ''); - $relay_server_tags = ((x($_POST,'relay_server_tags')) ? Strings::removeTags(trim($_POST['relay_server_tags'])) : ''); + $relay_scope = ((x($_POST,'relay_scope')) ? Strings::escapeTags(trim($_POST['relay_scope'])) : ''); + $relay_server_tags = ((x($_POST,'relay_server_tags')) ? Strings::escapeTags(trim($_POST['relay_server_tags'])) : ''); $relay_user_tags = ((x($_POST,'relay_user_tags')) ? True : False); // Has the directory url changed? If yes, then resubmit the existing profiles there @@ -2371,7 +2371,7 @@ function admin_page_logs_post(App $a) if (x($_POST, "page_logs")) { BaseModule::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs'); - $logfile = ((x($_POST,'logfile')) ? Strings::removeTags(trim($_POST['logfile'])) : ''); + $logfile = ((x($_POST,'logfile')) ? Strings::escapeTags(trim($_POST['logfile'])) : ''); $debugging = ((x($_POST,'debugging')) ? true : false); $loglevel = ((x($_POST,'loglevel')) ? intval(trim($_POST['loglevel'])) : 0); diff --git a/mod/dfrn_confirm.php b/mod/dfrn_confirm.php index 8871e3e8a0..48c8e32e5a 100644 --- a/mod/dfrn_confirm.php +++ b/mod/dfrn_confirm.php @@ -85,7 +85,7 @@ function dfrn_confirm_post(App $a, $handsfree = null) $cid = 0; $hidden = intval(defaults($handsfree, 'hidden' , 0)); } else { - $dfrn_id = Strings::removeTags(trim(defaults($_POST, 'dfrn_id' , ''))); + $dfrn_id = Strings::escapeTags(trim(defaults($_POST, 'dfrn_id' , ''))); $intro_id = intval(defaults($_POST, 'intro_id' , 0)); $duplex = intval(defaults($_POST, 'duplex' , 0)); $cid = intval(defaults($_POST, 'contact_id', 0)); diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php index 90d3fb2b5d..63f53e0606 100644 --- a/mod/dfrn_notify.php +++ b/mod/dfrn_notify.php @@ -39,15 +39,15 @@ function dfrn_notify_post(App $a) { } } - $dfrn_id = ((x($_POST,'dfrn_id')) ? Strings::removeTags(trim($_POST['dfrn_id'])) : ''); + $dfrn_id = ((x($_POST,'dfrn_id')) ? Strings::escapeTags(trim($_POST['dfrn_id'])) : ''); $dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0); - $challenge = ((x($_POST,'challenge')) ? Strings::removeTags(trim($_POST['challenge'])) : ''); + $challenge = ((x($_POST,'challenge')) ? Strings::escapeTags(trim($_POST['challenge'])) : ''); $data = ((x($_POST,'data')) ? $_POST['data'] : ''); $key = ((x($_POST,'key')) ? $_POST['key'] : ''); $rino_remote = ((x($_POST,'rino')) ? intval($_POST['rino']) : 0); $dissolve = ((x($_POST,'dissolve')) ? intval($_POST['dissolve']) : 0); - $perm = ((x($_POST,'perm')) ? Strings::removeTags(trim($_POST['perm'])) : 'r'); - $ssl_policy = ((x($_POST,'ssl_policy')) ? Strings::removeTags(trim($_POST['ssl_policy'])): 'none'); + $perm = ((x($_POST,'perm')) ? Strings::escapeTags(trim($_POST['perm'])) : 'r'); + $ssl_policy = ((x($_POST,'ssl_policy')) ? Strings::escapeTags(trim($_POST['ssl_policy'])): 'none'); $page = ((x($_POST,'page')) ? intval($_POST['page']) : 0); $forum = (($page == 1) ? 1 : 0); @@ -254,7 +254,7 @@ function dfrn_notify_content(App $a) { * If this is a duplex communication, ours will be the opposite. */ - $dfrn_id = Strings::removeTags(trim($_GET['dfrn_id'])); + $dfrn_id = Strings::escapeTags(trim($_GET['dfrn_id'])); $dfrn_version = (float) $_GET['dfrn_version']; $rino_remote = ((x($_GET,'rino')) ? intval($_GET['rino']) : 0); $type = ""; diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php index 8548c67f19..26d7efda52 100644 --- a/mod/dfrn_request.php +++ b/mod/dfrn_request.php @@ -76,7 +76,7 @@ function dfrn_request_post(App $a) if ((x($_POST, 'localconfirm')) && ($_POST['localconfirm'] == 1)) { // Ensure this is a valid request if (local_user() && ($a->user['nickname'] == $a->argv[1]) && (x($_POST, 'dfrn_url'))) { - $dfrn_url = Strings::removeTags(trim($_POST['dfrn_url'])); + $dfrn_url = Strings::escapeTags(trim($_POST['dfrn_url'])); $aes_allow = (((x($_POST, 'aes_allow')) && ($_POST['aes_allow'] == 1)) ? 1 : 0); $confirm_key = ((x($_POST, 'confirm_key')) ? $_POST['confirm_key'] : ""); $hidden = ((x($_POST, 'hidden-contact')) ? intval($_POST['hidden-contact']) : 0); @@ -270,7 +270,7 @@ function dfrn_request_post(App $a) } } - $real_name = x($_POST, 'realname') ? Strings::removeTags(trim($_POST['realname'])) : ''; + $real_name = x($_POST, 'realname') ? Strings::escapeTags(trim($_POST['realname'])) : ''; $url = trim($_POST['dfrn_url']); if (!strlen($url)) { @@ -424,7 +424,7 @@ function dfrn_request_post(App $a) intval($uid), intval($contact_record['id']), ((x($_POST,'knowyou') && ($_POST['knowyou'] == 1)) ? 1 : 0), - DBA::escape(Strings::removeTags(trim(defaults($_POST, 'dfrn-request-message', '')))), + DBA::escape(Strings::escapeTags(trim(defaults($_POST, 'dfrn-request-message', '')))), DBA::escape($hash), DBA::escape(DateTimeFormat::utcNow()) ); @@ -498,7 +498,7 @@ function dfrn_request_content(App $a) return Login::form(); } - $dfrn_url = Strings::removeTags(trim(hex2bin($_GET['dfrn_url']))); + $dfrn_url = Strings::escapeTags(trim(hex2bin($_GET['dfrn_url']))); $aes_allow = x($_GET, 'aes_allow') && $_GET['aes_allow'] == 1 ? 1 : 0; $confirm_key = x($_GET, 'confirm_key') ? $_GET['confirm_key'] : ""; diff --git a/mod/directory.php b/mod/directory.php index 122fd1aa55..e59cf7b820 100644 --- a/mod/directory.php +++ b/mod/directory.php @@ -48,9 +48,9 @@ function directory_content(App $a) Nav::setSelected('directory'); if (x($a->data, 'search')) { - $search = Strings::removeTags(trim($a->data['search'])); + $search = Strings::escapeTags(trim($a->data['search'])); } else { - $search = ((x($_GET, 'search')) ? Strings::removeTags(trim(rawurldecode($_GET['search']))) : ''); + $search = ((x($_GET, 'search')) ? Strings::escapeTags(trim(rawurldecode($_GET['search']))) : ''); } $gdirpath = ''; diff --git a/mod/dirfind.php b/mod/dirfind.php index 7b603a7427..d3298b64db 100644 --- a/mod/dirfind.php +++ b/mod/dirfind.php @@ -46,7 +46,7 @@ function dirfind_content(App $a, $prefix = "") { $local = Config::get('system','poco_local_search'); - $search = $prefix.Strings::removeTags(trim(defaults($_REQUEST, 'search', ''))); + $search = $prefix.Strings::escapeTags(trim(defaults($_REQUEST, 'search', ''))); $header = ''; diff --git a/mod/follow.php b/mod/follow.php index 47b66430a4..08f664d393 100644 --- a/mod/follow.php +++ b/mod/follow.php @@ -26,7 +26,7 @@ function follow_post(App $a) } $uid = local_user(); - $url = Strings::removeTags(trim($_REQUEST['url'])); + $url = Strings::escapeTags(trim($_REQUEST['url'])); $return_path = 'contacts'; // Makes the connection request for friendica contacts easier @@ -61,7 +61,7 @@ function follow_content(App $a) } $uid = local_user(); - $url = Strings::removeTags(trim($_REQUEST['url'])); + $url = Strings::escapeTags(trim($_REQUEST['url'])); $submit = L10n::t('Submit Request'); diff --git a/mod/group.php b/mod/group.php index 970fbba299..51fa2493e4 100644 --- a/mod/group.php +++ b/mod/group.php @@ -34,7 +34,7 @@ function group_post(App $a) { if (($a->argc == 2) && ($a->argv[1] === 'new')) { BaseModule::checkFormSecurityTokenRedirectOnError('/group/new', 'group_edit'); - $name = Strings::removeTags(trim($_POST['groupname'])); + $name = Strings::escapeTags(trim($_POST['groupname'])); $r = Model\Group::create(local_user(), $name); if ($r) { info(L10n::t('Group created.') . EOL); @@ -62,7 +62,7 @@ function group_post(App $a) { return; // NOTREACHED } $group = $r[0]; - $groupname = Strings::removeTags(trim($_POST['groupname'])); + $groupname = Strings::escapeTags(trim($_POST['groupname'])); if (strlen($groupname) && ($groupname != $group['name'])) { $r = q("UPDATE `group` SET `name` = '%s' WHERE `uid` = %d AND `id` = %d", DBA::escape($groupname), diff --git a/mod/help.php b/mod/help.php index 83c2aa5ff3..3a21695b09 100644 --- a/mod/help.php +++ b/mod/help.php @@ -48,7 +48,7 @@ function help_content(App $a) $title = basename($path); $filename = $path; $text = load_doc_file('doc/' . $path . '.md'); - $a->page['title'] = L10n::t('Help:') . ' ' . str_replace('-', ' ', Strings::removeTags($title)); + $a->page['title'] = L10n::t('Help:') . ' ' . str_replace('-', ' ', Strings::escapeTags($title)); } $home = load_doc_file('doc/Home.md'); diff --git a/mod/invite.php b/mod/invite.php index e0c73aa344..460a3461d3 100644 --- a/mod/invite.php +++ b/mod/invite.php @@ -41,7 +41,7 @@ function invite_post(App $a) $recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : []; - $message = !empty($_POST['message']) ? Strings::removeTags(trim($_POST['message'])) : ''; + $message = !empty($_POST['message']) ? Strings::escapeTags(trim($_POST['message'])) : ''; $total = 0; diff --git a/mod/item.php b/mod/item.php index 0473c74c52..507185e7c2 100644 --- a/mod/item.php +++ b/mod/item.php @@ -204,7 +204,7 @@ function item_post(App $a) { $objecttype = $orig_post['object-type']; $app = $orig_post['app']; $categories = $orig_post['file']; - $title = Strings::removeTags(trim($_REQUEST['title'])); + $title = Strings::escapeTags(trim($_REQUEST['title'])); $body = Strings::escapeHtml(trim($_REQUEST['body'])); $private = $orig_post['private']; $pubmail_enabled = $orig_post['pubmail']; @@ -236,13 +236,13 @@ function item_post(App $a) { $str_contact_deny = perms2str(defaults($_REQUEST, 'contact_deny', '')); } - $title = Strings::removeTags(trim(defaults($_REQUEST, 'title' , ''))); - $location = Strings::removeTags(trim(defaults($_REQUEST, 'location', ''))); - $coord = Strings::removeTags(trim(defaults($_REQUEST, 'coord' , ''))); - $verb = Strings::removeTags(trim(defaults($_REQUEST, 'verb' , ''))); - $emailcc = Strings::removeTags(trim(defaults($_REQUEST, 'emailcc' , ''))); + $title = Strings::escapeTags(trim(defaults($_REQUEST, 'title' , ''))); + $location = Strings::escapeTags(trim(defaults($_REQUEST, 'location', ''))); + $coord = Strings::escapeTags(trim(defaults($_REQUEST, 'coord' , ''))); + $verb = Strings::escapeTags(trim(defaults($_REQUEST, 'verb' , ''))); + $emailcc = Strings::escapeTags(trim(defaults($_REQUEST, 'emailcc' , ''))); $body = Strings::escapeHtml(trim(defaults($_REQUEST, 'body' , ''))); - $network = Strings::removeTags(trim(defaults($_REQUEST, 'network' , Protocol::DFRN))); + $network = Strings::escapeTags(trim(defaults($_REQUEST, 'network' , Protocol::DFRN))); $guid = System::createUUID(); $postopts = defaults($_REQUEST, 'postopts', ''); diff --git a/mod/like.php b/mod/like.php index b8de3ff6a1..97eaca163b 100644 --- a/mod/like.php +++ b/mod/like.php @@ -13,13 +13,13 @@ function like_content(App $a) { } - $verb = Strings::removeTags(trim($_GET['verb'])); + $verb = Strings::escapeTags(trim($_GET['verb'])); if (!$verb) { $verb = 'like'; } - $item_id = (($a->argc > 1) ? Strings::removeTags(trim($a->argv[1])) : 0); + $item_id = (($a->argc > 1) ? Strings::escapeTags(trim($a->argv[1])) : 0); $r = Item::performLike($item_id, $verb); if (!$r) { diff --git a/mod/lostpass.php b/mod/lostpass.php index 57f3d89b42..42a1764bf9 100644 --- a/mod/lostpass.php +++ b/mod/lostpass.php @@ -19,7 +19,7 @@ require_once 'include/text.php'; function lostpass_post(App $a) { - $loginame = Strings::removeTags(trim($_POST['login-name'])); + $loginame = Strings::escapeTags(trim($_POST['login-name'])); if (!$loginame) { $a->internalRedirect(); } diff --git a/mod/message.php b/mod/message.php index 3a9480f2f2..7491cd1bcc 100644 --- a/mod/message.php +++ b/mod/message.php @@ -59,8 +59,8 @@ function message_post(App $a) return; } - $replyto = x($_REQUEST, 'replyto') ? Strings::removeTags(trim($_REQUEST['replyto'])) : ''; - $subject = x($_REQUEST, 'subject') ? Strings::removeTags(trim($_REQUEST['subject'])) : ''; + $replyto = x($_REQUEST, 'replyto') ? Strings::escapeTags(trim($_REQUEST['replyto'])) : ''; + $subject = x($_REQUEST, 'subject') ? Strings::escapeTags(trim($_REQUEST['subject'])) : ''; $body = x($_REQUEST, 'body') ? Strings::escapeHtml(trim($_REQUEST['body'])) : ''; $recipient = x($_REQUEST, 'messageto') ? intval($_REQUEST['messageto']) : 0; diff --git a/mod/network.php b/mod/network.php index ff20f04d4e..81a2f2b2ba 100644 --- a/mod/network.php +++ b/mod/network.php @@ -537,7 +537,7 @@ function networkThreadedView(App $a, $update, $parent) $star = intval(defaults($_GET, 'star' , 0)); $bmark = intval(defaults($_GET, 'bmark', 0)); $conv = intval(defaults($_GET, 'conv' , 0)); - $order = Strings::removeTags(defaults($_GET, 'order', 'comment')); + $order = Strings::escapeTags(defaults($_GET, 'order', 'comment')); $nets = defaults($_GET, 'nets' , ''); if ($cid) { diff --git a/mod/oexchange.php b/mod/oexchange.php index f66dee8f00..62d0bba078 100644 --- a/mod/oexchange.php +++ b/mod/oexchange.php @@ -34,13 +34,13 @@ function oexchange_content(App $a) { } $url = ((x($_REQUEST,'url') && strlen($_REQUEST['url'])) - ? urlencode(Strings::removeTags(trim($_REQUEST['url']))) : ''); + ? urlencode(Strings::escapeTags(trim($_REQUEST['url']))) : ''); $title = ((x($_REQUEST,'title') && strlen($_REQUEST['title'])) - ? '&title=' . urlencode(Strings::removeTags(trim($_REQUEST['title']))) : ''); + ? '&title=' . urlencode(Strings::escapeTags(trim($_REQUEST['title']))) : ''); $description = ((x($_REQUEST,'description') && strlen($_REQUEST['description'])) - ? '&description=' . urlencode(Strings::removeTags(trim($_REQUEST['description']))) : ''); + ? '&description=' . urlencode(Strings::escapeTags(trim($_REQUEST['description']))) : ''); $tags = ((x($_REQUEST,'tags') && strlen($_REQUEST['tags'])) - ? '&tags=' . urlencode(Strings::removeTags(trim($_REQUEST['tags']))) : ''); + ? '&tags=' . urlencode(Strings::escapeTags(trim($_REQUEST['tags']))) : ''); $s = Network::fetchUrl(System::baseUrl() . '/parse_url?f=&url=' . $url . $title . $description . $tags); diff --git a/mod/openid.php b/mod/openid.php index 287b12781f..209960ee58 100644 --- a/mod/openid.php +++ b/mod/openid.php @@ -75,16 +75,16 @@ function openid_content(App $a) { if (is_array($attr) && count($attr)) { foreach ($attr as $k => $v) { if ($k === 'namePerson/friendly') { - $nick = Strings::removeTags(trim($v)); + $nick = Strings::escapeTags(trim($v)); } if($k === 'namePerson/first') { - $first = Strings::removeTags(trim($v)); + $first = Strings::escapeTags(trim($v)); } if($k === 'namePerson') { - $args .= '&username=' . urlencode(Strings::removeTags(trim($v))); + $args .= '&username=' . urlencode(Strings::escapeTags(trim($v))); } if ($k === 'contact/email') { - $args .= '&email=' . urlencode(Strings::removeTags(trim($v))); + $args .= '&email=' . urlencode(Strings::escapeTags(trim($v))); } if ($k === 'media/image/aspect11') { $photosq = bin2hex(trim($v)); @@ -108,7 +108,7 @@ function openid_content(App $a) { $args .= '&photo=' . urlencode($photo); } - $args .= '&openid_url=' . urlencode(Strings::removeTags(trim($authid))); + $args .= '&openid_url=' . urlencode(Strings::escapeTags(trim($authid))); $a->internalRedirect('register?' . $args); diff --git a/mod/photos.php b/mod/photos.php index 8b11e72421..f07815c258 100644 --- a/mod/photos.php +++ b/mod/photos.php @@ -223,7 +223,7 @@ function photos_post(App $a) } // RENAME photo album - $newalbum = Strings::removeTags(trim($_POST['albumname'])); + $newalbum = Strings::escapeTags(trim($_POST['albumname'])); if ($newalbum != $album) { q("UPDATE `photo` SET `album` = '%s' WHERE `album` = '%s' AND `uid` = %d", DBA::escape($newalbum), @@ -366,11 +366,11 @@ function photos_post(App $a) } if ($a->argc > 2 && (!empty($_POST['desc']) || !empty($_POST['newtag']) || !empty($_POST['albname']) !== false)) { - $desc = !empty($_POST['desc']) ? Strings::removeTags(trim($_POST['desc'])) : ''; - $rawtags = !empty($_POST['newtag']) ? Strings::removeTags(trim($_POST['newtag'])) : ''; + $desc = !empty($_POST['desc']) ? Strings::escapeTags(trim($_POST['desc'])) : ''; + $rawtags = !empty($_POST['newtag']) ? Strings::escapeTags(trim($_POST['newtag'])) : ''; $item_id = !empty($_POST['item_id']) ? intval($_POST['item_id']) : 0; - $albname = !empty($_POST['albname']) ? Strings::removeTags(trim($_POST['albname'])) : ''; - $origaname = !empty($_POST['origaname']) ? Strings::removeTags(trim($_POST['origaname'])) : ''; + $albname = !empty($_POST['albname']) ? Strings::escapeTags(trim($_POST['albname'])) : ''; + $origaname = !empty($_POST['origaname']) ? Strings::escapeTags(trim($_POST['origaname'])) : ''; $str_group_allow = !empty($_POST['group_allow']) ? perms2str($_POST['group_allow']) : ''; $str_contact_allow = !empty($_POST['contact_allow']) ? perms2str($_POST['contact_allow']) : ''; @@ -708,8 +708,8 @@ function photos_post(App $a) Addon::callHooks('photo_post_init', $_POST); // Determine the album to use - $album = !empty($_REQUEST['album']) ? Strings::removeTags(trim($_REQUEST['album'])) : ''; - $newalbum = !empty($_REQUEST['newalbum']) ? Strings::removeTags(trim($_REQUEST['newalbum'])) : ''; + $album = !empty($_REQUEST['album']) ? Strings::escapeTags(trim($_REQUEST['album'])) : ''; + $newalbum = !empty($_REQUEST['newalbum']) ? Strings::escapeTags(trim($_REQUEST['newalbum'])) : ''; Logger::log('mod/photos.php: photos_post(): album= ' . $album . ' newalbum= ' . $newalbum , Logger::DEBUG); diff --git a/mod/poco.php b/mod/poco.php index 0a369502d3..cc2493c086 100644 --- a/mod/poco.php +++ b/mod/poco.php @@ -26,7 +26,7 @@ function poco_init(App $a) { } if ($a->argc > 1) { - $user = Strings::removeTags(trim($a->argv[1])); + $user = Strings::escapeTags(trim($a->argv[1])); } if (empty($user)) { $c = q("SELECT * FROM `pconfig` WHERE `cat` = 'system' AND `k` = 'suggestme' AND `v` = 1"); diff --git a/mod/poke.php b/mod/poke.php index 615e244e54..6f09b348cc 100644 --- a/mod/poke.php +++ b/mod/poke.php @@ -39,7 +39,7 @@ function poke_init(App $a) return; } - $verb = Strings::removeTags(trim($_GET['verb'])); + $verb = Strings::escapeTags(trim($_GET['verb'])); $verbs = L10n::getPokeVerbs(); diff --git a/mod/profile.php b/mod/profile.php index f17888368a..59f3bb5ae4 100644 --- a/mod/profile.php +++ b/mod/profile.php @@ -194,7 +194,7 @@ function profile_content(App $a, $update = 0) if (!$update) { $tab = false; if (!empty($_GET['tab'])) { - $tab = Strings::removeTags(trim($_GET['tab'])); + $tab = Strings::escapeTags(trim($_GET['tab'])); } $o .= Profile::getTabs($a, $is_owner, $a->profile['nickname']); diff --git a/mod/profiles.php b/mod/profiles.php index 83febcc717..459a1c5e75 100644 --- a/mod/profiles.php +++ b/mod/profiles.php @@ -202,7 +202,7 @@ function profiles_post(App $a) { $is_default = (($orig[0]['is-default']) ? 1 : 0); - $profile_name = Strings::removeTags(trim($_POST['profile_name'])); + $profile_name = Strings::escapeTags(trim($_POST['profile_name'])); if (! strlen($profile_name)) { notice(L10n::t('Profile Name is required.') . EOL); return; @@ -229,7 +229,7 @@ function profiles_post(App $a) { } } - $name = Strings::removeTags(trim($_POST['name'])); + $name = Strings::escapeTags(trim($_POST['name'])); if (! strlen($name)) { $name = '[No Name]'; @@ -239,19 +239,19 @@ function profiles_post(App $a) { $namechanged = true; } - $pdesc = Strings::removeTags(trim($_POST['pdesc'])); - $gender = Strings::removeTags(trim($_POST['gender'])); - $address = Strings::removeTags(trim($_POST['address'])); - $locality = Strings::removeTags(trim($_POST['locality'])); - $region = Strings::removeTags(trim($_POST['region'])); - $postal_code = Strings::removeTags(trim($_POST['postal_code'])); - $country_name = Strings::removeTags(trim($_POST['country_name'])); - $pub_keywords = profile_clean_keywords(Strings::removeTags(trim($_POST['pub_keywords']))); - $prv_keywords = profile_clean_keywords(Strings::removeTags(trim($_POST['prv_keywords']))); - $marital = Strings::removeTags(trim($_POST['marital'])); - $howlong = Strings::removeTags(trim($_POST['howlong'])); + $pdesc = Strings::escapeTags(trim($_POST['pdesc'])); + $gender = Strings::escapeTags(trim($_POST['gender'])); + $address = Strings::escapeTags(trim($_POST['address'])); + $locality = Strings::escapeTags(trim($_POST['locality'])); + $region = Strings::escapeTags(trim($_POST['region'])); + $postal_code = Strings::escapeTags(trim($_POST['postal_code'])); + $country_name = Strings::escapeTags(trim($_POST['country_name'])); + $pub_keywords = profile_clean_keywords(Strings::escapeTags(trim($_POST['pub_keywords']))); + $prv_keywords = profile_clean_keywords(Strings::escapeTags(trim($_POST['prv_keywords']))); + $marital = Strings::escapeTags(trim($_POST['marital'])); + $howlong = Strings::escapeTags(trim($_POST['howlong'])); - $with = ((x($_POST,'with')) ? Strings::removeTags(trim($_POST['with'])) : ''); + $with = ((x($_POST,'with')) ? Strings::escapeTags(trim($_POST['with'])) : ''); if (! strlen($howlong)) { $howlong = DBA::NULL_DATETIME; @@ -312,16 +312,16 @@ function profiles_post(App $a) { } /// @TODO Not flexible enough for later expansion, let's have more OOP here - $sexual = Strings::removeTags(trim($_POST['sexual'])); - $xmpp = Strings::removeTags(trim($_POST['xmpp'])); - $homepage = Strings::removeTags(trim($_POST['homepage'])); + $sexual = Strings::escapeTags(trim($_POST['sexual'])); + $xmpp = Strings::escapeTags(trim($_POST['xmpp'])); + $homepage = Strings::escapeTags(trim($_POST['homepage'])); if ((strpos($homepage, 'http') !== 0) && (strlen($homepage))) { // neither http nor https in URL, add them $homepage = 'http://'.$homepage; } - $hometown = Strings::removeTags(trim($_POST['hometown'])); - $politic = Strings::removeTags(trim($_POST['politic'])); - $religion = Strings::removeTags(trim($_POST['religion'])); + $hometown = Strings::escapeTags(trim($_POST['hometown'])); + $politic = Strings::escapeTags(trim($_POST['politic'])); + $religion = Strings::escapeTags(trim($_POST['religion'])); $likes = Strings::escapeHtml(trim($_POST['likes'])); $dislikes = Strings::escapeHtml(trim($_POST['dislikes'])); diff --git a/mod/pubsub.php b/mod/pubsub.php index 06ebacbe32..f0a8d463c4 100644 --- a/mod/pubsub.php +++ b/mod/pubsub.php @@ -31,15 +31,15 @@ function hub_post_return() function pubsub_init(App $a) { - $nick = (($a->argc > 1) ? Strings::removeTags(trim($a->argv[1])) : ''); + $nick = (($a->argc > 1) ? Strings::escapeTags(trim($a->argv[1])) : ''); $contact_id = (($a->argc > 2) ? intval($a->argv[2]) : 0 ); if ($_SERVER['REQUEST_METHOD'] === 'GET') { - $hub_mode = Strings::removeTags(trim(defaults($_GET, 'hub_mode', ''))); - $hub_topic = Strings::removeTags(trim(defaults($_GET, 'hub_topic', ''))); - $hub_challenge = Strings::removeTags(trim(defaults($_GET, 'hub_challenge', ''))); - $hub_lease = Strings::removeTags(trim(defaults($_GET, 'hub_lease_seconds', ''))); - $hub_verify = Strings::removeTags(trim(defaults($_GET, 'hub_verify_token', ''))); + $hub_mode = Strings::escapeTags(trim(defaults($_GET, 'hub_mode', ''))); + $hub_topic = Strings::escapeTags(trim(defaults($_GET, 'hub_topic', ''))); + $hub_challenge = Strings::escapeTags(trim(defaults($_GET, 'hub_challenge', ''))); + $hub_lease = Strings::escapeTags(trim(defaults($_GET, 'hub_lease_seconds', ''))); + $hub_verify = Strings::escapeTags(trim(defaults($_GET, 'hub_verify_token', ''))); Logger::log('Subscription from ' . $_SERVER['REMOTE_ADDR'] . ' Mode: ' . $hub_mode . ' Nick: ' . $nick); Logger::log('Data: ' . print_r($_GET,true), Logger::DATA); @@ -92,7 +92,7 @@ function pubsub_post(App $a) Logger::log('Feed arrived from ' . $_SERVER['REMOTE_ADDR'] . ' for ' . $a->cmd . ' with user-agent: ' . $_SERVER['HTTP_USER_AGENT']); Logger::log('Data: ' . $xml, Logger::DATA); - $nick = (($a->argc > 1) ? Strings::removeTags(trim($a->argv[1])) : ''); + $nick = (($a->argc > 1) ? Strings::escapeTags(trim($a->argv[1])) : ''); $contact_id = (($a->argc > 2) ? intval($a->argv[2]) : 0 ); $importer = DBA::selectFirst('user', [], ['nickname' => $nick, 'account_expired' => false, 'account_removed' => false]); diff --git a/mod/pubsubhubbub.php b/mod/pubsubhubbub.php index b055778270..d38cbe227d 100644 --- a/mod/pubsubhubbub.php +++ b/mod/pubsubhubbub.php @@ -10,7 +10,7 @@ use Friendica\Util\Network; use Friendica\Util\Strings; function post_var($name) { - return (x($_POST, $name)) ? Strings::removeTags(trim($_POST[$name])) : ''; + return (x($_POST, $name)) ? Strings::escapeTags(trim($_POST[$name])) : ''; } function pubsubhubbub_init(App $a) { diff --git a/mod/register.php b/mod/register.php index 74e6bcf699..2b0d87ca99 100644 --- a/mod/register.php +++ b/mod/register.php @@ -84,7 +84,7 @@ function register_post(App $a) $using_invites = Config::get('system', 'invitation_only'); $num_invites = Config::get('system', 'number_invites'); - $invite_id = ((x($_POST, 'invite_id')) ? Strings::removeTags(trim($_POST['invite_id'])) : ''); + $invite_id = ((x($_POST, 'invite_id')) ? Strings::escapeTags(trim($_POST['invite_id'])) : ''); if (intval(Config::get('config', 'register_policy')) === REGISTER_OPEN) { if ($using_invites && $invite_id) { diff --git a/mod/salmon.php b/mod/salmon.php index 5c8fc9fda7..02339c7779 100644 --- a/mod/salmon.php +++ b/mod/salmon.php @@ -24,7 +24,7 @@ function salmon_post(App $a, $xml = '') { Logger::log('new salmon ' . $xml, Logger::DATA); - $nick = (($a->argc > 1) ? Strings::removeTags(trim($a->argv[1])) : ''); + $nick = (($a->argc > 1) ? Strings::escapeTags(trim($a->argv[1])) : ''); $mentions = (($a->argc > 2 && $a->argv[2] === 'mention') ? true : false); $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `account_expired` = 0 AND `account_removed` = 0 LIMIT 1", diff --git a/mod/search.php b/mod/search.php index 9824c489a6..f552ad43c7 100644 --- a/mod/search.php +++ b/mod/search.php @@ -24,7 +24,7 @@ require_once 'mod/dirfind.php'; function search_saved_searches() { $o = ''; - $search = ((x($_GET,'search')) ? Strings::removeTags(trim(rawurldecode($_GET['search']))) : ''); + $search = ((x($_GET,'search')) ? Strings::escapeTags(trim(rawurldecode($_GET['search']))) : ''); if (!Feature::isEnabled(local_user(),'savedsearch')) return $o; @@ -63,7 +63,7 @@ function search_saved_searches() { function search_init(App $a) { - $search = ((x($_GET,'search')) ? Strings::removeTags(trim(rawurldecode($_GET['search']))) : ''); + $search = ((x($_GET,'search')) ? Strings::escapeTags(trim(rawurldecode($_GET['search']))) : ''); if (local_user()) { if (x($_GET,'save') && $search) { @@ -150,14 +150,14 @@ function search_content(App $a) { $search = ''; if (x($a->data,'search')) - $search = Strings::removeTags(trim($a->data['search'])); + $search = Strings::escapeTags(trim($a->data['search'])); else - $search = ((x($_GET,'search')) ? Strings::removeTags(trim(rawurldecode($_GET['search']))) : ''); + $search = ((x($_GET,'search')) ? Strings::escapeTags(trim(rawurldecode($_GET['search']))) : ''); $tag = false; if (x($_GET,'tag')) { $tag = true; - $search = (x($_GET,'tag') ? '#' . Strings::removeTags(trim(rawurldecode($_GET['tag']))) : ''); + $search = (x($_GET,'tag') ? '#' . Strings::escapeTags(trim(rawurldecode($_GET['tag']))) : ''); } // contruct a wrapper for the search header diff --git a/mod/settings.php b/mod/settings.php index e9dd023f9d..8570120480 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -315,8 +315,8 @@ function settings_post(App $a) if (($a->argc > 1) && ($a->argv[1] === 'display')) { BaseModule::checkFormSecurityTokenRedirectOnError('/settings/display', 'settings_display'); - $theme = x($_POST, 'theme') ? Strings::removeTags(trim($_POST['theme'])) : $a->user['theme']; - $mobile_theme = x($_POST, 'mobile_theme') ? Strings::removeTags(trim($_POST['mobile_theme'])) : ''; + $theme = x($_POST, 'theme') ? Strings::escapeTags(trim($_POST['theme'])) : $a->user['theme']; + $mobile_theme = x($_POST, 'mobile_theme') ? Strings::escapeTags(trim($_POST['mobile_theme'])) : ''; $nosmile = x($_POST, 'nosmile') ? intval($_POST['nosmile']) : 0; $first_day_of_week = x($_POST, 'first_day_of_week') ? intval($_POST['first_day_of_week']) : 0; $noinfo = x($_POST, 'noinfo') ? intval($_POST['noinfo']) : 0; @@ -423,13 +423,13 @@ function settings_post(App $a) } } - $username = ((x($_POST, 'username')) ? Strings::removeTags(trim($_POST['username'])) : ''); - $email = ((x($_POST, 'email')) ? Strings::removeTags(trim($_POST['email'])) : ''); - $timezone = ((x($_POST, 'timezone')) ? Strings::removeTags(trim($_POST['timezone'])) : ''); - $language = ((x($_POST, 'language')) ? Strings::removeTags(trim($_POST['language'])) : ''); + $username = ((x($_POST, 'username')) ? Strings::escapeTags(trim($_POST['username'])) : ''); + $email = ((x($_POST, 'email')) ? Strings::escapeTags(trim($_POST['email'])) : ''); + $timezone = ((x($_POST, 'timezone')) ? Strings::escapeTags(trim($_POST['timezone'])) : ''); + $language = ((x($_POST, 'language')) ? Strings::escapeTags(trim($_POST['language'])) : ''); - $defloc = ((x($_POST, 'defloc')) ? Strings::removeTags(trim($_POST['defloc'])) : ''); - $openid = ((x($_POST, 'openid_url')) ? Strings::removeTags(trim($_POST['openid_url'])) : ''); + $defloc = ((x($_POST, 'defloc')) ? Strings::escapeTags(trim($_POST['defloc'])) : ''); + $openid = ((x($_POST, 'openid_url')) ? Strings::escapeTags(trim($_POST['openid_url'])) : ''); $maxreq = ((x($_POST, 'maxreq')) ? intval($_POST['maxreq']) : 0); $expire = ((x($_POST, 'expire')) ? intval($_POST['expire']) : 0); $def_gid = ((x($_POST, 'group-selection')) ? intval($_POST['group-selection']) : 0); diff --git a/mod/subthread.php b/mod/subthread.php index 68fa0e7ea3..b287957b23 100644 --- a/mod/subthread.php +++ b/mod/subthread.php @@ -23,7 +23,7 @@ function subthread_content(App $a) { $activity = ACTIVITY_FOLLOW; - $item_id = (($a->argc > 1) ? Strings::removeTags(trim($a->argv[1])) : 0); + $item_id = (($a->argc > 1) ? Strings::escapeTags(trim($a->argv[1])) : 0); $condition = ["`parent` = ? OR `parent-uri` = ? AND `parent` = `id`", $item_id, $item_id]; $item = Item::selectFirst([], $condition); diff --git a/mod/tagger.php b/mod/tagger.php index c0eeb684ce..6c3c6157a5 100644 --- a/mod/tagger.php +++ b/mod/tagger.php @@ -21,7 +21,7 @@ function tagger_content(App $a) { return; } - $term = Strings::removeTags(trim($_GET['term'])); + $term = Strings::escapeTags(trim($_GET['term'])); // no commas allowed $term = str_replace([',',' '],['','_'],$term); @@ -29,7 +29,7 @@ function tagger_content(App $a) { return; } - $item_id = (($a->argc > 1) ? Strings::removeTags(trim($a->argv[1])) : 0); + $item_id = (($a->argc > 1) ? Strings::escapeTags(trim($a->argv[1])) : 0); Logger::log('tagger: tag ' . $term . ' item ' . $item_id); diff --git a/mod/tagrm.php b/mod/tagrm.php index 266dbfa3c8..3785d8750a 100644 --- a/mod/tagrm.php +++ b/mod/tagrm.php @@ -23,7 +23,7 @@ function tagrm_post(App $a) $tags = []; foreach (defaults($_POST, 'tag', []) as $tag) { - $tags[] = hex2bin(Strings::removeTags(trim($tag))); + $tags[] = hex2bin(Strings::escapeTags(trim($tag))); } $item_id = defaults($_POST,'item', 0); @@ -74,7 +74,7 @@ function tagrm_content(App $a) } if ($a->argc == 3) { - update_tags($a->argv[1], [Strings::removeTags(trim(hex2bin($a->argv[2])))]); + update_tags($a->argv[1], [Strings::escapeTags(trim(hex2bin($a->argv[2])))]); $a->internalRedirect($_SESSION['photo_return']); } diff --git a/mod/unfollow.php b/mod/unfollow.php index 9ca965bfd0..9b1049286b 100644 --- a/mod/unfollow.php +++ b/mod/unfollow.php @@ -25,7 +25,7 @@ function unfollow_post(App $a) } $uid = local_user(); - $url = Strings::removeTags(trim(defaults($_REQUEST, 'url', ''))); + $url = Strings::escapeTags(trim(defaults($_REQUEST, 'url', ''))); $condition = ["`uid` = ? AND (`rel` = ? OR `rel` = ?) AND (`nurl` = ? OR `alias` = ? OR `alias` = ?)", $uid, Contact::SHARING, Contact::FRIEND, Strings::normaliseLink($url), @@ -80,7 +80,7 @@ function unfollow_content(App $a) } $uid = local_user(); - $url = Strings::removeTags(trim($_REQUEST['url'])); + $url = Strings::escapeTags(trim($_REQUEST['url'])); $condition = ["`uid` = ? AND (`rel` = ? OR `rel` = ?) AND (`nurl` = ? OR `alias` = ? OR `alias` = ?)", local_user(), Contact::SHARING, Contact::FRIEND, Strings::normaliseLink($url), diff --git a/mod/wall_upload.php b/mod/wall_upload.php index 0322c66066..3358433da1 100644 --- a/mod/wall_upload.php +++ b/mod/wall_upload.php @@ -24,7 +24,7 @@ function wall_upload_post(App $a, $desktopmode = true) Logger::log("wall upload: starting new upload", Logger::DEBUG); $r_json = (x($_GET, 'response') && $_GET['response'] == 'json'); - $album = (x($_GET, 'album') ? Strings::removeTags(trim($_GET['album'])) : ''); + $album = (x($_GET, 'album') ? Strings::escapeTags(trim($_GET['album'])) : ''); if ($a->argc > 1) { if (!x($_FILES, 'media')) { diff --git a/mod/wallmessage.php b/mod/wallmessage.php index 06b3720f73..b7a62b3ad4 100644 --- a/mod/wallmessage.php +++ b/mod/wallmessage.php @@ -20,10 +20,10 @@ function wallmessage_post(App $a) { return; } - $subject = ((x($_REQUEST,'subject')) ? Strings::removeTags(trim($_REQUEST['subject'])) : ''); + $subject = ((x($_REQUEST,'subject')) ? Strings::escapeTags(trim($_REQUEST['subject'])) : ''); $body = ((x($_REQUEST,'body')) ? Strings::escapeHtml(trim($_REQUEST['body'])) : ''); - $recipient = (($a->argc > 1) ? Strings::removeTags($a->argv[1]) : ''); + $recipient = (($a->argc > 1) ? Strings::escapeTags($a->argv[1]) : ''); if ((! $recipient) || (! $body)) { return; } diff --git a/mod/xrd.php b/mod/xrd.php index 657a0f0ca9..4b9b0ee8fb 100644 --- a/mod/xrd.php +++ b/mod/xrd.php @@ -18,7 +18,7 @@ function xrd_init(App $a) System::httpExit(404); } - $uri = urldecode(Strings::removeTags(trim($_GET['uri']))); + $uri = urldecode(Strings::escapeTags(trim($_GET['uri']))); if (defaults($_SERVER, 'HTTP_ACCEPT', '') == 'application/jrd+json') { $mode = 'json'; } else { @@ -29,7 +29,7 @@ function xrd_init(App $a) System::httpExit(404); } - $uri = urldecode(Strings::removeTags(trim($_GET['resource']))); + $uri = urldecode(Strings::escapeTags(trim($_GET['resource']))); if (defaults($_SERVER, 'HTTP_ACCEPT', '') == 'application/xrd+xml') { $mode = 'xml'; } else { diff --git a/src/Model/Item.php b/src/Model/Item.php index c088685e8d..30c29e1518 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -1150,7 +1150,7 @@ class Item extends BaseObject private static function guid($item, $notify) { if (!empty($item['guid'])) { - return Strings::removeTags(trim($item['guid'])); + return Strings::escapeTags(trim($item['guid'])); } if ($notify) { @@ -1265,7 +1265,7 @@ class Item extends BaseObject } $item['guid'] = self::guid($item, $notify); - $item['uri'] = Strings::removeTags(trim(defaults($item, 'uri', self::newURI($item['uid'], $item['guid'])))); + $item['uri'] = Strings::escapeTags(trim(defaults($item, 'uri', self::newURI($item['uid'], $item['guid'])))); // Store URI data $item['uri-id'] = ItemURI::insert(['uri' => $item['uri'], 'guid' => $item['guid']]); diff --git a/src/Model/Profile.php b/src/Model/Profile.php index b6a7546022..c45bcdb84b 100644 --- a/src/Model/Profile.php +++ b/src/Model/Profile.php @@ -882,7 +882,7 @@ class Profile $tab = false; if (x($_GET, 'tab')) { - $tab = Strings::removeTags(trim($_GET['tab'])); + $tab = Strings::escapeTags(trim($_GET['tab'])); } $url = System::baseUrl() . '/profile/' . $nickname; diff --git a/src/Model/User.php b/src/Model/User.php index e03bf1c395..0f397aadc2 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -402,18 +402,18 @@ class User $using_invites = Config::get('system', 'invitation_only'); $num_invites = Config::get('system', 'number_invites'); - $invite_id = !empty($data['invite_id']) ? Strings::removeTags(trim($data['invite_id'])) : ''; - $username = !empty($data['username']) ? Strings::removeTags(trim($data['username'])) : ''; - $nickname = !empty($data['nickname']) ? Strings::removeTags(trim($data['nickname'])) : ''; - $email = !empty($data['email']) ? Strings::removeTags(trim($data['email'])) : ''; - $openid_url = !empty($data['openid_url']) ? Strings::removeTags(trim($data['openid_url'])) : ''; - $photo = !empty($data['photo']) ? Strings::removeTags(trim($data['photo'])) : ''; + $invite_id = !empty($data['invite_id']) ? Strings::escapeTags(trim($data['invite_id'])) : ''; + $username = !empty($data['username']) ? Strings::escapeTags(trim($data['username'])) : ''; + $nickname = !empty($data['nickname']) ? Strings::escapeTags(trim($data['nickname'])) : ''; + $email = !empty($data['email']) ? Strings::escapeTags(trim($data['email'])) : ''; + $openid_url = !empty($data['openid_url']) ? Strings::escapeTags(trim($data['openid_url'])) : ''; + $photo = !empty($data['photo']) ? Strings::escapeTags(trim($data['photo'])) : ''; $password = !empty($data['password']) ? trim($data['password']) : ''; $password1 = !empty($data['password1']) ? trim($data['password1']) : ''; $confirm = !empty($data['confirm']) ? trim($data['confirm']) : ''; $blocked = !empty($data['blocked']) ? intval($data['blocked']) : 0; $verified = !empty($data['verified']) ? intval($data['verified']) : 0; - $language = !empty($data['language']) ? Strings::removeTags(trim($data['language'])) : 'en'; + $language = !empty($data['language']) ? Strings::escapeTags(trim($data['language'])) : 'en'; $publish = !empty($data['profile_publish_reg']) && intval($data['profile_publish_reg']) ? 1 : 0; $netpublish = strlen(Config::get('system', 'directory')) ? $publish : 0; diff --git a/src/Module/Contact.php b/src/Module/Contact.php index 9987871880..b7e182dc14 100644 --- a/src/Module/Contact.php +++ b/src/Module/Contact.php @@ -602,7 +602,7 @@ class Contact extends BaseModule '$lbl_vis2' => L10n::t('Please choose the profile you would like to display to %s when viewing your profile securely.', $contact['name']), '$lbl_info1' => $lbl_info1, '$lbl_info2' => L10n::t('Their personal note'), - '$reason' => trim(Strings::removeTags($contact['reason'])), + '$reason' => trim(Strings::escapeTags($contact['reason'])), '$infedit' => L10n::t('Edit contact notes'), '$common_link' => 'common/loc/' . local_user() . '/' . $contact['id'], '$relation_text' => $relation_text, @@ -695,8 +695,8 @@ class Contact extends BaseModule $sql_extra .= sprintf(" AND `network` != '%s' ", Protocol::PHANTOM); - $search = Strings::removeTags(trim(defaults($_GET, 'search', ''))); - $nets = Strings::removeTags(trim(defaults($_GET, 'nets' , ''))); + $search = Strings::escapeTags(trim(defaults($_GET, 'search', ''))); + $nets = Strings::escapeTags(trim(defaults($_GET, 'nets' , ''))); $tabs = [ [ diff --git a/src/Module/Install.php b/src/Module/Install.php index f6e5fc6c5f..2e0f16c4e9 100644 --- a/src/Module/Install.php +++ b/src/Module/Install.php @@ -71,10 +71,10 @@ class Install extends BaseModule break; case self::SITE_SETTINGS: - $dbhost = Strings::removeTags(trim(defaults($_POST, 'dbhost', Core\Installer::DEFAULT_HOST))); - $dbuser = Strings::removeTags(trim(defaults($_POST, 'dbuser', ''))); - $dbpass = Strings::removeTags(trim(defaults($_POST, 'dbpass', ''))); - $dbdata = Strings::removeTags(trim(defaults($_POST, 'dbdata', ''))); + $dbhost = Strings::escapeTags(trim(defaults($_POST, 'dbhost', Core\Installer::DEFAULT_HOST))); + $dbuser = Strings::escapeTags(trim(defaults($_POST, 'dbuser', ''))); + $dbpass = Strings::escapeTags(trim(defaults($_POST, 'dbpass', ''))); + $dbdata = Strings::escapeTags(trim(defaults($_POST, 'dbdata', ''))); // If we cannot connect to the database, return to the previous step if (!self::$installer->checkDB($dbhost, $dbuser, $dbpass, $dbdata)) { @@ -85,13 +85,13 @@ class Install extends BaseModule case self::FINISHED: $urlpath = $a->getURLPath(); - $dbhost = Strings::removeTags(trim(defaults($_POST, 'dbhost', Core\Installer::DEFAULT_HOST))); - $dbuser = Strings::removeTags(trim(defaults($_POST, 'dbuser', ''))); - $dbpass = Strings::removeTags(trim(defaults($_POST, 'dbpass', ''))); - $dbdata = Strings::removeTags(trim(defaults($_POST, 'dbdata', ''))); - $timezone = Strings::removeTags(trim(defaults($_POST, 'timezone', Core\Installer::DEFAULT_TZ))); - $language = Strings::removeTags(trim(defaults($_POST, 'language', Core\Installer::DEFAULT_LANG))); - $adminmail = Strings::removeTags(trim(defaults($_POST, 'adminmail', ''))); + $dbhost = Strings::escapeTags(trim(defaults($_POST, 'dbhost', Core\Installer::DEFAULT_HOST))); + $dbuser = Strings::escapeTags(trim(defaults($_POST, 'dbuser', ''))); + $dbpass = Strings::escapeTags(trim(defaults($_POST, 'dbpass', ''))); + $dbdata = Strings::escapeTags(trim(defaults($_POST, 'dbdata', ''))); + $timezone = Strings::escapeTags(trim(defaults($_POST, 'timezone', Core\Installer::DEFAULT_TZ))); + $language = Strings::escapeTags(trim(defaults($_POST, 'language', Core\Installer::DEFAULT_LANG))); + $adminmail = Strings::escapeTags(trim(defaults($_POST, 'adminmail', ''))); // If we cannot connect to the database, return to the Database config wizard if (!self::$installer->checkDB($dbhost, $dbuser, $dbpass, $dbdata)) { @@ -140,12 +140,12 @@ class Install extends BaseModule break; case self::DATABASE_CONFIG: - $dbhost = Strings::removeTags(trim(defaults($_POST, 'dbhost' , Core\Installer::DEFAULT_HOST))); - $dbuser = Strings::removeTags(trim(defaults($_POST, 'dbuser' , '' ))); - $dbpass = Strings::removeTags(trim(defaults($_POST, 'dbpass' , '' ))); - $dbdata = Strings::removeTags(trim(defaults($_POST, 'dbdata' , '' ))); - $phpath = Strings::removeTags(trim(defaults($_POST, 'phpath' , '' ))); - $adminmail = Strings::removeTags(trim(defaults($_POST, 'adminmail', '' ))); + $dbhost = Strings::escapeTags(trim(defaults($_POST, 'dbhost' , Core\Installer::DEFAULT_HOST))); + $dbuser = Strings::escapeTags(trim(defaults($_POST, 'dbuser' , '' ))); + $dbpass = Strings::escapeTags(trim(defaults($_POST, 'dbpass' , '' ))); + $dbdata = Strings::escapeTags(trim(defaults($_POST, 'dbdata' , '' ))); + $phpath = Strings::escapeTags(trim(defaults($_POST, 'phpath' , '' ))); + $adminmail = Strings::escapeTags(trim(defaults($_POST, 'adminmail', '' ))); $tpl = Renderer::getMarkupTemplate('install_db.tpl'); $output .= Renderer::replaceMacros($tpl, [ @@ -191,13 +191,13 @@ class Install extends BaseModule break; case self::SITE_SETTINGS: - $dbhost = Strings::removeTags(trim(defaults($_POST, 'dbhost', Core\Installer::DEFAULT_HOST))); - $dbuser = Strings::removeTags(trim(defaults($_POST, 'dbuser', '' ))); - $dbpass = Strings::removeTags(trim(defaults($_POST, 'dbpass', '' ))); - $dbdata = Strings::removeTags(trim(defaults($_POST, 'dbdata', '' ))); - $phpath = Strings::removeTags(trim(defaults($_POST, 'phpath', '' ))); + $dbhost = Strings::escapeTags(trim(defaults($_POST, 'dbhost', Core\Installer::DEFAULT_HOST))); + $dbuser = Strings::escapeTags(trim(defaults($_POST, 'dbuser', '' ))); + $dbpass = Strings::escapeTags(trim(defaults($_POST, 'dbpass', '' ))); + $dbdata = Strings::escapeTags(trim(defaults($_POST, 'dbdata', '' ))); + $phpath = Strings::escapeTags(trim(defaults($_POST, 'phpath', '' ))); - $adminmail = Strings::removeTags(trim(defaults($_POST, 'adminmail', ''))); + $adminmail = Strings::escapeTags(trim(defaults($_POST, 'adminmail', ''))); $timezone = defaults($_POST, 'timezone', Core\Installer::DEFAULT_TZ); /* Installed langs */ diff --git a/src/Module/Login.php b/src/Module/Login.php index 7cf1bd8787..0cc65c3c32 100644 --- a/src/Module/Login.php +++ b/src/Module/Login.php @@ -149,7 +149,7 @@ class Login extends BaseModule ); } } catch (Exception $e) { - Logger::log('authenticate: failed login attempt: ' . Strings::removeTags($username) . ' from IP ' . $_SERVER['REMOTE_ADDR']); + Logger::log('authenticate: failed login attempt: ' . Strings::escapeTags($username) . ' from IP ' . $_SERVER['REMOTE_ADDR']); info('Login failed. Please check your credentials.' . EOL); $a->internalRedirect(); } diff --git a/src/Network/Probe.php b/src/Network/Probe.php index 60250a5a00..d870e06f97 100644 --- a/src/Network/Probe.php +++ b/src/Network/Probe.php @@ -1674,7 +1674,7 @@ class Probe } } - $data["name"] = Strings::removeTags($data["name"]); + $data["name"] = Strings::escapeTags($data["name"]); } } } diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php index a430b26468..ff50811838 100644 --- a/src/Protocol/DFRN.php +++ b/src/Protocol/DFRN.php @@ -2494,7 +2494,7 @@ class DFRN $item["body"] = XML::getFirstNodeValue($xpath, "dfrn:env/text()", $entry); $item["body"] = str_replace([' ',"\t","\r","\n"], ['','','',''], $item["body"]); // make sure nobody is trying to sneak some html tags by us - $item["body"] = Strings::removeTags(Strings::base64UrlDecode($item["body"])); + $item["body"] = Strings::escapeTags(Strings::base64UrlDecode($item["body"])); $item["body"] = BBCode::limitBodySize($item["body"]); diff --git a/src/Protocol/Diaspora.php b/src/Protocol/Diaspora.php index 0434dcef65..d59eb7a0ad 100644 --- a/src/Protocol/Diaspora.php +++ b/src/Protocol/Diaspora.php @@ -1506,9 +1506,9 @@ class Diaspora */ private static function receiveAccountMigration(array $importer, $data) { - $old_handle = Strings::removeTags(XML::unescape($data->author)); - $new_handle = Strings::removeTags(XML::unescape($data->profile->author)); - $signature = Strings::removeTags(XML::unescape($data->signature)); + $old_handle = Strings::escapeTags(XML::unescape($data->author)); + $new_handle = Strings::escapeTags(XML::unescape($data->profile->author)); + $signature = Strings::escapeTags(XML::unescape($data->signature)); $contact = self::contactByHandle($importer["uid"], $old_handle); if (!$contact) { @@ -1566,7 +1566,7 @@ class Diaspora */ private static function receiveAccountDeletion($data) { - $author = Strings::removeTags(XML::unescape($data->author)); + $author = Strings::escapeTags(XML::unescape($data->author)); $contacts = DBA::select('contact', ['id'], ['addr' => $author]); while ($contact = DBA::fetch($contacts)) { @@ -1657,19 +1657,19 @@ class Diaspora */ private static function receiveComment(array $importer, $sender, $data, $xml) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $parent_guid = Strings::removeTags(XML::unescape($data->parent_guid)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $parent_guid = Strings::escapeTags(XML::unescape($data->parent_guid)); $text = XML::unescape($data->text); if (isset($data->created_at)) { - $created_at = DateTimeFormat::utc(Strings::removeTags(XML::unescape($data->created_at))); + $created_at = DateTimeFormat::utc(Strings::escapeTags(XML::unescape($data->created_at))); } else { $created_at = DateTimeFormat::utcNow(); } if (isset($data->thread_parent_guid)) { - $thread_parent_guid = Strings::removeTags(XML::unescape($data->thread_parent_guid)); + $thread_parent_guid = Strings::escapeTags(XML::unescape($data->thread_parent_guid)); $thr_uri = self::getUriFromGuid("", $thread_parent_guid, true); } else { $thr_uri = ""; @@ -1774,24 +1774,24 @@ class Diaspora */ private static function receiveConversationMessage(array $importer, array $contact, $data, $msg, $mesg, $conversation) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $subject = Strings::removeTags(XML::unescape($data->subject)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $subject = Strings::escapeTags(XML::unescape($data->subject)); // "diaspora_handle" is the element name from the old version // "author" is the element name from the new version if ($mesg->author) { - $msg_author = Strings::removeTags(XML::unescape($mesg->author)); + $msg_author = Strings::escapeTags(XML::unescape($mesg->author)); } elseif ($mesg->diaspora_handle) { - $msg_author = Strings::removeTags(XML::unescape($mesg->diaspora_handle)); + $msg_author = Strings::escapeTags(XML::unescape($mesg->diaspora_handle)); } else { return false; } - $msg_guid = Strings::removeTags(XML::unescape($mesg->guid)); - $msg_conversation_guid = Strings::removeTags(XML::unescape($mesg->conversation_guid)); + $msg_guid = Strings::escapeTags(XML::unescape($mesg->guid)); + $msg_conversation_guid = Strings::escapeTags(XML::unescape($mesg->conversation_guid)); $msg_text = XML::unescape($mesg->text); - $msg_created_at = DateTimeFormat::utc(Strings::removeTags(XML::unescape($mesg->created_at))); + $msg_created_at = DateTimeFormat::utc(Strings::escapeTags(XML::unescape($mesg->created_at))); if ($msg_conversation_guid != $guid) { Logger::log("message conversation guid does not belong to the current conversation."); @@ -1862,11 +1862,11 @@ class Diaspora */ private static function receiveConversation(array $importer, $msg, $data) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $subject = Strings::removeTags(XML::unescape($data->subject)); - $created_at = DateTimeFormat::utc(Strings::removeTags(XML::unescape($data->created_at))); - $participants = Strings::removeTags(XML::unescape($data->participants)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $subject = Strings::escapeTags(XML::unescape($data->subject)); + $created_at = DateTimeFormat::utc(Strings::escapeTags(XML::unescape($data->created_at))); + $participants = Strings::escapeTags(XML::unescape($data->participants)); $messages = $data->message; @@ -1920,11 +1920,11 @@ class Diaspora */ private static function receiveLike(array $importer, $sender, $data) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $parent_guid = Strings::removeTags(XML::unescape($data->parent_guid)); - $parent_type = Strings::removeTags(XML::unescape($data->parent_type)); - $positive = Strings::removeTags(XML::unescape($data->positive)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $parent_guid = Strings::escapeTags(XML::unescape($data->parent_guid)); + $parent_type = Strings::escapeTags(XML::unescape($data->parent_type)); + $positive = Strings::escapeTags(XML::unescape($data->positive)); // likes on comments aren't supported by Diaspora - only on posts // But maybe this will be supported in the future, so we will accept it. @@ -2029,11 +2029,11 @@ class Diaspora */ private static function receiveMessage(array $importer, $data) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $conversation_guid = Strings::removeTags(XML::unescape($data->conversation_guid)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $conversation_guid = Strings::escapeTags(XML::unescape($data->conversation_guid)); $text = XML::unescape($data->text); - $created_at = DateTimeFormat::utc(Strings::removeTags(XML::unescape($data->created_at))); + $created_at = DateTimeFormat::utc(Strings::escapeTags(XML::unescape($data->created_at))); $contact = self::allowedContactByHandle($importer, $author, true); if (!$contact) { @@ -2104,8 +2104,8 @@ class Diaspora */ private static function receiveParticipation(array $importer, $data) { - $author = strtolower(Strings::removeTags(XML::unescape($data->author))); - $parent_guid = Strings::removeTags(XML::unescape($data->parent_guid)); + $author = strtolower(Strings::escapeTags(XML::unescape($data->author))); + $parent_guid = Strings::escapeTags(XML::unescape($data->parent_guid)); $contact_id = Contact::getIdForURL($author); if (!$contact_id) { @@ -2197,7 +2197,7 @@ class Diaspora */ private static function receiveProfile(array $importer, $data) { - $author = strtolower(Strings::removeTags(XML::unescape($data->author))); + $author = strtolower(Strings::escapeTags(XML::unescape($data->author))); $contact = self::contactByHandle($importer["uid"], $author); if (!$contact) { @@ -2574,13 +2574,13 @@ class Diaspora */ private static function receiveReshare(array $importer, $data, $xml) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $created_at = DateTimeFormat::utc(Strings::removeTags(XML::unescape($data->created_at))); - $root_author = Strings::removeTags(XML::unescape($data->root_author)); - $root_guid = Strings::removeTags(XML::unescape($data->root_guid)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $created_at = DateTimeFormat::utc(Strings::escapeTags(XML::unescape($data->created_at))); + $root_author = Strings::escapeTags(XML::unescape($data->root_author)); + $root_guid = Strings::escapeTags(XML::unescape($data->root_guid)); /// @todo handle unprocessed property "provider_display_name" - $public = Strings::removeTags(XML::unescape($data->public)); + $public = Strings::escapeTags(XML::unescape($data->public)); $contact = self::allowedContactByHandle($importer, $author, false); if (!$contact) { @@ -2666,9 +2666,9 @@ class Diaspora */ private static function itemRetraction(array $importer, array $contact, $data) { - $author = Strings::removeTags(XML::unescape($data->author)); - $target_guid = Strings::removeTags(XML::unescape($data->target_guid)); - $target_type = Strings::removeTags(XML::unescape($data->target_type)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $target_guid = Strings::escapeTags(XML::unescape($data->target_guid)); + $target_type = Strings::escapeTags(XML::unescape($data->target_type)); $person = self::personByHandle($author); if (!is_array($person)) { @@ -2730,7 +2730,7 @@ class Diaspora */ private static function receiveRetraction(array $importer, $sender, $data) { - $target_type = Strings::removeTags(XML::unescape($data->target_type)); + $target_type = Strings::escapeTags(XML::unescape($data->target_type)); $contact = self::contactByHandle($importer["uid"], $sender); if (!$contact && (in_array($target_type, ["Contact", "Person"]))) { @@ -2775,12 +2775,12 @@ class Diaspora */ private static function receiveStatusMessage(array $importer, SimpleXMLElement $data, $xml) { - $author = Strings::removeTags(XML::unescape($data->author)); - $guid = Strings::removeTags(XML::unescape($data->guid)); - $created_at = DateTimeFormat::utc(Strings::removeTags(XML::unescape($data->created_at))); - $public = Strings::removeTags(XML::unescape($data->public)); + $author = Strings::escapeTags(XML::unescape($data->author)); + $guid = Strings::escapeTags(XML::unescape($data->guid)); + $created_at = DateTimeFormat::utc(Strings::escapeTags(XML::unescape($data->created_at))); + $public = Strings::escapeTags(XML::unescape($data->public)); $text = XML::unescape($data->text); - $provider_display_name = Strings::removeTags(XML::unescape($data->provider_display_name)); + $provider_display_name = Strings::escapeTags(XML::unescape($data->provider_display_name)); $contact = self::allowedContactByHandle($importer, $author, false); if (!$contact) { @@ -2795,7 +2795,7 @@ class Diaspora $address = []; if ($data->location) { foreach ($data->location->children() as $fieldname => $data) { - $address[$fieldname] = Strings::removeTags(XML::unescape($data)); + $address[$fieldname] = Strings::escapeTags(XML::unescape($data)); } } diff --git a/src/Util/Strings.php b/src/Util/Strings.php index 7acf1c9ef2..48e580d678 100644 --- a/src/Util/Strings.php +++ b/src/Util/Strings.php @@ -31,14 +31,7 @@ class Strings } /** - * This is our primary input filter. - * - * The high bit hack only involved some old IE browser, forget which (IE5/Mac?) - * that had an XSS attack vector due to stripping the high-bit on an 8-bit character - * after cleansing, and angle chars with the high bit set could get through as markup. - * - * This is now disabled because it was interfering with some legitimate unicode sequences - * and hopefully there aren't a lot of those browsers left. + * @brief This is our primary input filter. * * Use this on any text input where angle chars are not valid or permitted * They will be replaced with safer brackets. This may be filtered further @@ -47,7 +40,7 @@ class Strings * @param string $string Input string * @return string Filtered string */ - public static function removeTags($string) + public static function escapeTags($string) { return str_replace(["<", ">"], ['[', ']'], $string); } diff --git a/src/Worker/OnePoll.php b/src/Worker/OnePoll.php index fcbcabd709..22fbf700a2 100644 --- a/src/Worker/OnePoll.php +++ b/src/Worker/OnePoll.php @@ -475,9 +475,9 @@ class OnePoll $datarray['title'] .= $subpart->text; } } - $datarray['title'] = Strings::removeTags(trim($datarray['title'])); + $datarray['title'] = Strings::escapeTags(trim($datarray['title'])); - //$datarray['title'] = Strings::removeTags(trim($meta->subject)); + //$datarray['title'] = Strings::escapeTags(trim($meta->subject)); $datarray['created'] = DateTimeFormat::utc($meta->date); // Is it a reply? diff --git a/tests/src/Util/StringsTest.php b/tests/src/Util/StringsTest.php index 352fe3089b..21349c8483 100644 --- a/tests/src/Util/StringsTest.php +++ b/tests/src/Util/StringsTest.php @@ -73,7 +73,7 @@ class StringsTest extends TestCase { $invalidstring=''; - $validstring = Strings::removeTags($invalidstring); + $validstring = Strings::escapeTags($invalidstring); $escapedString = Strings::escapeHtml($invalidstring); $this->assertEquals('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring); diff --git a/view/theme/frio/theme.php b/view/theme/frio/theme.php index 6621fd5540..aa59081d91 100644 --- a/view/theme/frio/theme.php +++ b/view/theme/frio/theme.php @@ -301,7 +301,7 @@ function frio_remote_nav($a, &$nav) */ function frio_acl_lookup(App $a, &$results) { - $nets = x($_GET, 'nets') ? Strings::removeTags(trim($_GET['nets'])) : ''; + $nets = x($_GET, 'nets') ? Strings::escapeTags(trim($_GET['nets'])) : ''; // we introduce a new search type, r should do the same query like it's // done in /src/Module/Contact.php for connections