friendica
/
friendica
mirror of https://github.com/friendica/friendica
6
0
Fork 1
Code Issues Packages Projects Releases 1 Wiki Activity

Bugfix: The contact names had to be escaped

This commit is contained in:
Michael Vogel 2015-10-08 00:25:55 +02:00
parent 1f0b759e2f
commit 61c3ce7a21
11 changed files with 64 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
include/conversation.php
View File

@ -396,25 +396,25 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
$page_writeable = true; $page_writeable = true;
if(!$update) { if(!$update) {
// The special div is needed for liveUpdate to kick in for this page. // The special div is needed for liveUpdate to kick in for this page.
// We only launch liveUpdate if you aren't filtering in some incompatible // We only launch liveUpdate if you aren't filtering in some incompatible
// way and also you aren't writing a comment (discovered in javascript). // way and also you aren't writing a comment (discovered in javascript).
$live_update_div = '<div id="live-network"></div>' . "\r\n" $live_update_div = '<div id="live-network"></div>' . "\r\n"
. "<script> var profile_uid = " . $_SESSION['uid'] . "<script> var profile_uid = " . $_SESSION['uid']
. "; var netargs = '" . substr($a->cmd,8) . "; var netargs = '" . substr($a->cmd,8)
. '?f=' . '?f='
. ((x($_GET,'cid')) ? '&cid=' . $_GET['cid'] : '') . ((x($_GET,'cid')) ? '&cid=' . $_GET['cid'] : '')
. ((x($_GET,'search')) ? '&search=' . $_GET['search'] : '') . ((x($_GET,'search')) ? '&search=' . $_GET['search'] : '')
. ((x($_GET,'star')) ? '&star=' . $_GET['star'] : '') . ((x($_GET,'star')) ? '&star=' . $_GET['star'] : '')
. ((x($_GET,'order')) ? '&order=' . $_GET['order'] : '') . ((x($_GET,'order')) ? '&order=' . $_GET['order'] : '')
. ((x($_GET,'bmark')) ? '&bmark=' . $_GET['bmark'] : '') . ((x($_GET,'bmark')) ? '&bmark=' . $_GET['bmark'] : '')
. ((x($_GET,'liked')) ? '&liked=' . $_GET['liked'] : '') . ((x($_GET,'liked')) ? '&liked=' . $_GET['liked'] : '')
. ((x($_GET,'conv')) ? '&conv=' . $_GET['conv'] : '') . ((x($_GET,'conv')) ? '&conv=' . $_GET['conv'] : '')
. ((x($_GET,'spam')) ? '&spam=' . $_GET['spam'] : '') . ((x($_GET,'spam')) ? '&spam=' . $_GET['spam'] : '')
. ((x($_GET,'nets')) ? '&nets=' . $_GET['nets'] : '') . ((x($_GET,'nets')) ? '&nets=' . $_GET['nets'] : '')
. ((x($_GET,'cmin')) ? '&cmin=' . $_GET['cmin'] : '') . ((x($_GET,'cmin')) ? '&cmin=' . $_GET['cmin'] : '')
. ((x($_GET,'cmax')) ? '&cmax=' . $_GET['cmax'] : '') . ((x($_GET,'cmax')) ? '&cmax=' . $_GET['cmax'] : '')
. ((x($_GET,'file')) ? '&file=' . $_GET['file'] : '') . ((x($_GET,'file')) ? '&file=' . $_GET['file'] : '')
. "'; var profile_page = " . $a->pager['page'] . "; </script>\r\n"; . "'; var profile_page = " . $a->pager['page'] . "; </script>\r\n";
} }
@ -431,7 +431,7 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
// because browser prefetching might change it on us. We have to deliver it with the page. // because browser prefetching might change it on us. We have to deliver it with the page.
$live_update_div = '<div id="live-profile"></div>' . "\r\n" $live_update_div = '<div id="live-profile"></div>' . "\r\n"
. "<script> var profile_uid = " . $a->profile['profile_uid'] . "<script> var profile_uid = " . $a->profile['profile_uid']
. "; var netargs = '?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n"; . "; var netargs = '?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n";
} }
} }
@ -441,7 +441,7 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
$page_writeable = true; $page_writeable = true;
if(!$update) { if(!$update) {
$live_update_div = '<div id="live-notes"></div>' . "\r\n" $live_update_div = '<div id="live-notes"></div>' . "\r\n"
. "<script> var profile_uid = " . local_user() . "<script> var profile_uid = " . local_user()
. "; var netargs = '/?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n"; . "; var netargs = '/?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n";
} }
} }

8
include/diaspora.php
View File

@ -110,6 +110,9 @@ function diaspora_dispatch($importer,$msg,$attempt=1) {
elseif($xmlbase->message) { elseif($xmlbase->message) {
$ret = diaspora_message($importer,$xmlbase->message,$msg); $ret = diaspora_message($importer,$xmlbase->message,$msg);
} }
elseif($xmlbase->participation) {
$ret = diaspora_participation($importer,$xmlbase->participation);
}
else { else {
logger('diaspora_dispatch: unknown message type: ' . print_r($xmlbase,true)); logger('diaspora_dispatch: unknown message type: ' . print_r($xmlbase,true));
} }
@ -1834,7 +1837,7 @@ function diaspora_message($importer,$xml,$msg) {
$author_signature = base64_decode($msg_author_signature); $author_signature = base64_decode($msg_author_signature);
$person = find_diaspora_person_by_handle($msg_diaspora_handle); $person = find_diaspora_person_by_handle($msg_diaspora_handle);
if(is_array($person) && x($person,'pubkey')) if(is_array($person) && x($person,'pubkey'))
$key = $person['pubkey']; $key = $person['pubkey'];
else { else {
@ -1881,6 +1884,9 @@ function diaspora_message($importer,$xml,$msg) {
return; return;
} }
function diaspora_participation($importer,$xml) {
logger("Unsupported message type 'participation' ".print_r($xml, true));
}
function diaspora_photo($importer,$xml,$msg,$attempt=1) { function diaspora_photo($importer,$xml,$msg,$attempt=1) {

17
include/items.php
View File

@ -1287,11 +1287,24 @@ function item_store($arr,$force_parent = false, $notify = false, $dontcache = fa
} }
if ($arr['network'] == "") { if ($arr['network'] == "") {
$r = q("SELECT `network` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1", $r = q("SELECT `network` FROM `contact` WHERE `network` IN ('%s', '%s', '%s') AND `nurl` = '%s' AND `uid` = %d LIMIT 1",
intval($arr['contact-id']), dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS),
dbesc(normalise_link($arr['author-link'])),
intval($arr['uid']) intval($arr['uid'])
); );
if(!count($r))
$r = q("SELECT `network` FROM `gcontact` WHERE `network` IN ('%s', '%s', '%s') AND `nurl` = '%s' LIMIT 1",
dbesc(NETWORK_DFRN), dbesc(NETWORK_DIASPORA), dbesc(NETWORK_OSTATUS),
dbesc(normalise_link($arr['author-link']))
);
if(!count($r))
$r = q("SELECT `network` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
intval($arr['contact-id']),
intval($arr['uid'])
);
if(count($r)) if(count($r))
$arr['network'] = $r[0]["network"]; $arr['network'] = $r[0]["network"];

8
mod/allfriends.php
View File

@ -21,7 +21,7 @@ function allfriends_content(&$a) {
); );
$vcard_widget .= replace_macros(get_markup_template("vcard-widget.tpl"),array( $vcard_widget .= replace_macros(get_markup_template("vcard-widget.tpl"),array(
'$name' => $c[0]['name'], '$name' => htmlentities($c[0]['name']),
'$photo' => $c[0]['photo'], '$photo' => $c[0]['photo'],
'url' => z_root() . '/contacts/' . $cid 'url' => z_root() . '/contacts/' . $cid
)); ));
@ -34,7 +34,7 @@ function allfriends_content(&$a) {
return; return;
$o .= replace_macros(get_markup_template("section_title.tpl"),array( $o .= replace_macros(get_markup_template("section_title.tpl"),array(
'$title' => sprintf( t('Friends of %s'), $c[0]['name']) '$title' => sprintf( t('Friends of %s'), htmlentities($c[0]['name']))
)); ));
@ -48,10 +48,10 @@ function allfriends_content(&$a) {
$tpl = get_markup_template('common_friends.tpl'); $tpl = get_markup_template('common_friends.tpl');
foreach($r as $rr) { foreach($r as $rr) {
$o .= replace_macros($tpl,array( $o .= replace_macros($tpl,array(
'$url' => $rr['url'], '$url' => $rr['url'],
'$name' => $rr['name'], '$name' => htmlentities($rr['name']),
'$photo' => $rr['photo'], '$photo' => $rr['photo'],
'$tags' => '' '$tags' => ''
)); ));

10
mod/common.php
View File

@ -16,7 +16,7 @@ function common_content(&$a) {
if(! $uid) if(! $uid)
return; return;
if($cmd === 'loc' && $cid) { if($cmd === 'loc' && $cid) {
$c = q("select name, url, photo from contact where id = %d and uid = %d limit 1", $c = q("select name, url, photo from contact where id = %d and uid = %d limit 1",
intval($cid), intval($cid),
intval($uid) intval($uid)
@ -26,10 +26,10 @@ function common_content(&$a) {
$c = q("select name, url, photo from contact where self = 1 and uid = %d limit 1", $c = q("select name, url, photo from contact where self = 1 and uid = %d limit 1",
intval($uid) intval($uid)
); );
} }
$vcard_widget .= replace_macros(get_markup_template("vcard-widget.tpl"),array( $vcard_widget .= replace_macros(get_markup_template("vcard-widget.tpl"),array(
'$name' => $c[0]['name'], '$name' => htmlentities($c[0]['name']),
'$photo' => $c[0]['photo'], '$photo' => $c[0]['photo'],
'url' => z_root() . '/contacts/' . $cid 'url' => z_root() . '/contacts/' . $cid
)); ));
@ -97,10 +97,10 @@ function common_content(&$a) {
$tpl = get_markup_template('common_friends.tpl'); $tpl = get_markup_template('common_friends.tpl');
foreach($r as $rr) { foreach($r as $rr) {
$o .= replace_macros($tpl,array( $o .= replace_macros($tpl,array(
'$url' => $rr['url'], '$url' => $rr['url'],
'$name' => $rr['name'], '$name' => htmlentities($rr['name']),
'$photo' => $rr['photo'], '$photo' => $rr['photo'],
'$tags' => '' '$tags' => ''
)); ));

12
mod/contacts.php
View File

@ -33,7 +33,7 @@ function contacts_init(&$a) {
if($contact_id) { if($contact_id) {
$a->data['contact'] = $r[0]; $a->data['contact'] = $r[0];
$vcard_widget = replace_macros(get_markup_template("vcard-widget.tpl"),array( $vcard_widget = replace_macros(get_markup_template("vcard-widget.tpl"),array(
'$name' => $a->data['contact']['name'], '$name' => htmlentities($a->data['contact']['name']),
'$photo' => $a->data['contact']['photo'], '$photo' => $a->data['contact']['photo'],
'$url' => ($a->data['contact']['network'] == NETWORK_DFRN) ? $a->get_baseurl()."/redir/".$a->data['contact']['id'] : $a->data['contact']['url'] '$url' => ($a->data['contact']['network'] == NETWORK_DFRN) ? $a->get_baseurl()."/redir/".$a->data['contact']['id'] : $a->data['contact']['url']
)); ));
@ -432,7 +432,7 @@ function contacts_content(&$a) {
} }
$a->page['aside'] = ''; $a->page['aside'] = '';
return replace_macros(get_markup_template('contact_drop_confirm.tpl'), array( return replace_macros(get_markup_template('contact_drop_confirm.tpl'), array(
'$contact' => _contact_detail_for_template($orig_record[0]), '$contact' => _contact_detail_for_template($orig_record[0]),
'$method' => 'get', '$method' => 'get',
@ -509,7 +509,7 @@ function contacts_content(&$a) {
if(!in_array($contact['network'], array(NETWORK_DFRN, NETWORK_OSTATUS, NETWORK_DIASPORA))) if(!in_array($contact['network'], array(NETWORK_DFRN, NETWORK_OSTATUS, NETWORK_DIASPORA)))
$relation_text = ""; $relation_text = "";
$relation_text = sprintf($relation_text,$contact['name']); $relation_text = sprintf($relation_text,htmlentities($contact['name']));
if(($contact['network'] === NETWORK_DFRN) && ($contact['rel'])) { if(($contact['network'] === NETWORK_DFRN) && ($contact['rel'])) {
$url = "redir/{$contact['id']}"; $url = "redir/{$contact['id']}";
@ -632,7 +632,7 @@ function contacts_content(&$a) {
'$ffi_keyword_blacklist' => $contact['ffi_keyword_blacklist'], '$ffi_keyword_blacklist' => $contact['ffi_keyword_blacklist'],
'$ffi_keyword_blacklist' => array('ffi_keyword_blacklist', t('Blacklisted keywords'), $contact['ffi_keyword_blacklist'], t('Comma separated list of keywords that should not be converted to hashtags, when "Fetch information and keywords" is selected')), '$ffi_keyword_blacklist' => array('ffi_keyword_blacklist', t('Blacklisted keywords'), $contact['ffi_keyword_blacklist'], t('Comma separated list of keywords that should not be converted to hashtags, when "Fetch information and keywords" is selected')),
'$photo' => $contact['photo'], '$photo' => $contact['photo'],
'$name' => $contact['name'], '$name' => htmlentities($contact['name']),
'$dir_icon' => $dir_icon, '$dir_icon' => $dir_icon,
'$alt_text' => $alt_text, '$alt_text' => $alt_text,
'$sparkle' => $sparkle, '$sparkle' => $sparkle,
@ -842,8 +842,8 @@ function _contact_detail_for_template($rr){
'alt_text' => $alt_text, 'alt_text' => $alt_text,
'dir_icon' => $dir_icon, 'dir_icon' => $dir_icon,
'thumb' => proxy_url($rr['thumb'], false, PROXY_SIZE_THUMB), 'thumb' => proxy_url($rr['thumb'], false, PROXY_SIZE_THUMB),
'name' => $rr['name'], 'name' => htmlentities($rr['name']),
'username' => $rr['name'], 'username' => htmlentities($rr['name']),
'sparkle' => $sparkle, 'sparkle' => $sparkle,
'itemurl' => $rr['url'], 'itemurl' => $rr['url'],
'url' => $url, 'url' => $url,

6
mod/crepair.php
View File

@ -24,7 +24,7 @@ function crepair_init(&$a) {
$a->data['contact'] = $r[0]; $a->data['contact'] = $r[0];
$tpl = get_markup_template("vcard-widget.tpl"); $tpl = get_markup_template("vcard-widget.tpl");
$vcard_widget .= replace_macros($tpl, array( $vcard_widget .= replace_macros($tpl, array(
'$name' => $a->data['contact']['name'], '$name' => htmlentities($a->data['contact']['name']),
'$photo' => $a->data['contact']['photo'] '$photo' => $a->data['contact']['photo']
)); ));
$a->page['aside'] .= $vcard_widget; $a->page['aside'] .= $vcard_widget;
@ -179,8 +179,8 @@ function crepair_content(&$a) {
'$label_remote_self' => t('Remote Self'), '$label_remote_self' => t('Remote Self'),
'$allow_remote_self' => $allow_remote_self, '$allow_remote_self' => $allow_remote_self,
'$remote_self' => array('remote_self', t('Mirror postings from this contact'), $contact['remote_self'], t('Mark this contact as remote_self, this will cause friendica to repost new entries from this contact.'), $remote_self_options), '$remote_self' => array('remote_self', t('Mirror postings from this contact'), $contact['remote_self'], t('Mark this contact as remote_self, this will cause friendica to repost new entries from this contact.'), $remote_self_options),
'$contact_name' => $contact['name'], '$contact_name' => htmlentities($contact['name']),
'$contact_nick' => $contact['nick'], '$contact_nick' => htmlentities($contact['nick']),
'$contact_id' => $contact['id'], '$contact_id' => $contact['id'],
'$contact_url' => $contact['url'], '$contact_url' => $contact['url'],
'$request' => $contact['request'], '$request' => $contact['request'],

8
mod/network.php
View File

@ -568,14 +568,14 @@ function network_content(&$a, $update = 0) {
intval($cid) intval($cid)
); );
if(count($r)) { if(count($r)) {
$sql_post_table = " INNER JOIN (SELECT DISTINCT(`parent`) FROM `item` $sql_post_table = " INNER JOIN (SELECT DISTINCT(`parent`) FROM `item`
WHERE 1 $sql_options AND `contact-id` = ".intval($cid)." and deleted = 0 WHERE 1 $sql_options AND `contact-id` = ".intval($cid)." and deleted = 0
ORDER BY `item`.`received` DESC) AS `temp1` ORDER BY `item`.`received` DESC) AS `temp1`
ON $sql_table.$sql_parent = `temp1`.`parent` "; ON $sql_table.$sql_parent = `temp1`.`parent` ";
$sql_extra = ""; $sql_extra = "";
$o = replace_macros(get_markup_template("section_title.tpl"),array( $o = replace_macros(get_markup_template("section_title.tpl"),array(
'$title' => sprintf( t('Contact: %s'), $r[0]['name']) '$title' => sprintf( t('Contact: %s'), htmlentities($r[0]['name']))
)) . $o; )) . $o;
if($r[0]['network'] === NETWORK_OSTATUS && $r[0]['writable'] && (! get_pconfig(local_user(),'system','nowarn_insecure'))) { if($r[0]['network'] === NETWORK_OSTATUS && $r[0]['writable'] && (! get_pconfig(local_user(),'system','nowarn_insecure'))) {

4
mod/viewcontacts.php
View File

@ -63,8 +63,8 @@ function viewcontacts_content(&$a) {
'id' => $rr['id'], 'id' => $rr['id'],
'img_hover' => sprintf( t('Visit %s\'s profile [%s]'), $rr['name'], $rr['url']), 'img_hover' => sprintf( t('Visit %s\'s profile [%s]'), $rr['name'], $rr['url']),
'thumb' => proxy_url($rr['thumb'], false, PROXY_SIZE_THUMB), 'thumb' => proxy_url($rr['thumb'], false, PROXY_SIZE_THUMB),
'name' => substr($rr['name'],0,20), 'name' => htmlentities(substr($rr['name'],0,20)),
'username' => $rr['name'], 'username' => htmlentities($rr['name']),
'url' => $url, 'url' => $url,
'sparkle' => '', 'sparkle' => '',
'itemurl' => $rr['url'], 'itemurl' => $rr['url'],

2
object/Item.php
View File

@ -134,7 +134,7 @@ class Item extends BaseObject {
$filer = (($conv->get_profile_owner() == local_user()) ? t("save to folder") : false); $filer = (($conv->get_profile_owner() == local_user()) ? t("save to folder") : false);
$diff_author = ((link_compare($item['url'],$item['author-link'])) ? false : true); $diff_author = ((link_compare($item['url'],$item['author-link'])) ? false : true);
$profile_name = (((strlen($item['author-name'])) && $diff_author) ? $item['author-name'] : $item['name']); $profile_name = htmlentities(((strlen($item['author-name'])) && $diff_author) ? $item['author-name'] : $item['name']);
if($item['author-link'] && (! $item['author-name'])) if($item['author-link'] && (! $item['author-name']))
$profile_name = $item['author-link']; $profile_name = $item['author-link'];

3
view/theme/vier/theme.php
View File

@ -84,7 +84,8 @@ function cmtBbClose(id) {
EOT; EOT;
// Hide the left menu bar // Hide the left menu bar
if (($a->page['aside'] == "") AND in_array($a->argv[0], array("community", "events", "help", "manage", "notifications", "probe", "webfinger", "login"))) if (($a->page['aside'] == "") AND in_array($a->argv[0], array("community", "events", "help", "manage", "notifications",
"probe", "webfinger", "login", "invite")))
$a->page['htmlhead'] .= "<link rel='stylesheet' href='view/theme/vier/hide.css' />"; $a->page['htmlhead'] .= "<link rel='stylesheet' href='view/theme/vier/hide.css' />";
} }