From 8a3de7b1868b93fe61c9dac4e0b3a2c0cb1021d3 Mon Sep 17 00:00:00 2001
From: Michael Vogel
Date: Fri, 19 Feb 2016 07:30:28 +0100
Subject: [PATCH] Issue 2367: The data for the gserver table is now sanitized.
---
 include/socgraph.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/include/socgraph.php b/include/socgraph.php
index 186326f42d..33d62dc5b9 100644
--- a/include/socgraph.php
+++ b/include/socgraph.php
@@ -722,7 +722,8 @@ function poco_check_server($server_url, $network = "", $force = false) {
 // Will also return data for Friendica and GNU Social - but it will be overwritten later
 // The "not implemented" is a special treatment for really, really old Friendica versions
 $serverret = z_fetch_url($server_url."/api/statusnet/version.json");
- if ($serverret["success"] AND ($serverret["body"] != '{"error":"not implemented"}') AND ($serverret["body"] != '') AND (strlen($serverret["body"]) < 250)) {
+ if ($serverret["success"] AND ($serverret["body"] != '{"error":"not implemented"}') AND
+ ($serverret["body"] != '') AND (strlen($serverret["body"]) < 30)) {
 $platform = "StatusNet";
 $version = trim($serverret["body"], '"');
 $network = NETWORK_OSTATUS;
@@ -730,7 +731,8 @@ function poco_check_server($server_url, $network = "", $force = false) {
 // Test for GNU Social
 $serverret = z_fetch_url($server_url."/api/gnusocial/version.json");
- if ($serverret["success"] AND ($serverret["body"] != '{"error":"not implemented"}') AND ($serverret["body"] != '') AND (strlen($serverret["body"]) < 250)) {
+ if ($serverret["success"] AND ($serverret["body"] != '{"error":"not implemented"}') AND
+ ($serverret["body"] != '') AND (strlen($serverret["body"]) < 30)) {
 $platform = "GNU Social";
 $version = trim($serverret["body"], '"');
 $network = NETWORK_OSTATUS;
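Review bot: The `strlen($serverret["body"]) < 30` cap is the only validation the remote body gets before it becomes `$version`, in both the StatusNet and the GNU Social check, so any short non-empty response is accepted and also sets `$platform` and `$network`. Since the endpoint is `version.json`, decoding the body and checking its format would be stricter than trimming quotes, for example `$v = json_decode($serverret["body"]);` followed by `if (is_string($v) AND preg_match('/^[\w.+ -]{1,30}\z/', $v))`. The `strip_tags()` calls added further down in this patch remove markup before the gserver write but do not constrain the format, so these fields still need escaping wherever they are rendered. The limit 30 is repeated as a bare literal in both conditions; a named constant would keep the two checks in step. `poco_check_server` starts and ends outside these hunks.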
@@ -857,6 +859,11 @@ function poco_check_server($server_url, $network = "", $force = false) { // Check again if the server exists $servers = q("SELECT `nurl` FROM `gserver` WHERE `nurl` = '%s'", dbesc(normalise_link($server_url))); + $version = strip_tags($version); + $site_name = strip_tags($site_name); + $info = strip_tags($info); + $platform = strip_tags($platform); + if ($servers) q("UPDATE `gserver` SET `url` = '%s', `version` = '%s', `site_name` = '%s', `info` = '%s', `register_policy` = %d, `poco` = '%s', `noscrape` = '%s', `network` = '%s', `platform` = '%s', `last_contact` = '%s', `last_failure` = '%s' WHERE `nurl` = '%s'",