From bafae56b39d018dd2ef778399fd753302e0ab8c3 Mon Sep 17 00:00:00 2001
From: Friendika
Date: Tue, 1 Feb 2011 17:50:49 -0800
Subject: [PATCH] make sure content is unaltered

---
 include/items.php | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/include/items.php b/include/items.php
index d06cc30cd4..d091e4c038 100644
--- a/include/items.php
+++ b/include/items.php
@@ -388,7 +388,8 @@ function get_atom_elements($feed,$item) {
 $have_real_body = true;
 $res['body'] = $rawenv[0]['data'];
 $res['body'] = str_replace(array(' ',"\t","\r","\n"), array('','','',''),$res['body']);
- $res['body'] = base64url_decode($res['body']);
+ // make sure nobody is trying to sneak some html tags by us
+ $res['body'] = notags(base64url_decode($res['body']));
 $res['realbody'] = true;
 }
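Review bot: The added `notags(base64url_decode(...))` rewrites the envelope body instead of rejecting it, which cuts against the commit subject "make sure content is unaltered": assuming notags() strips or rewrites angle brackets, any legitimate `<` or `>` in the verified bbcode (a code sample, "a < b") is silently changed as well. Since the envelope is the copy the feed vouches for, a tag inside it is better treated as evidence that the envelope is not trustworthy: decode into a local, and if `strpos($decoded,'<') !== false || strpos($decoded,'>') !== false` set `$have_real_body = false` rather than assigning it, so the item falls through to the HTMLPurifier path below like an envelope-less item. A comment on the notags() line should also record that, after the restructuring in the next hunk, the real-body path never reaches HTMLPurifier, so this one call is its only tag defence. The enclosing get_atom_elements() starts before this hunk and continues past it.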
@@ -407,27 +408,29 @@ function get_atom_elements($feed,$item) {
 // html.
- if((! $have_real_body) || (strpos($res['body'],'<')) || (strpos($res['body'],'>'))) {
+ if(! $have_real_body) {
+ if((strpos($res['body'],'<')) || (strpos($res['body'],'>'))) {
- $res['body'] = preg_replace('#]+>.+?' . 'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?#s',
- '[youtube]$1[/youtube]', $res['body']);
+ $res['body'] = preg_replace('#]+>.+?' . 'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?#s',
+ '[youtube]$1[/youtube]', $res['body']);
- $res['body'] = oembed_html2bbcode($res['body']);
+ $res['body'] = oembed_html2bbcode($res['body']);
- $config = HTMLPurifier_Config::createDefault();
- $config->set('Cache.DefinitionImpl', null);
+ $config = HTMLPurifier_Config::createDefault();
+ $config->set('Cache.DefinitionImpl', null);
- // we shouldn't need a whitelist, because the bbcode converter
- // will strip out any unsupported tags.
- // $config->set('HTML.Allowed', 'p,b,a[href],i');
+ // we shouldn't need a whitelist, because the bbcode converter
+ // will strip out any unsupported tags.
+ // $config->set('HTML.Allowed', 'p,b,a[href],i');
- $purifier = new HTMLPurifier($config);
- $res['body'] = $purifier->purify($res['body']);
+ $purifier = new HTMLPurifier($config);
+ $res['body'] = $purifier->purify($res['body']);
- $res['body'] = html2bbcode($res['body']);
+ $res['body'] = html2bbcode($res['body']);
+ }
+ else
+ $res['body'] = escape_tags($res['body']);
 }
- else
- $res['body'] = escape_tags($res['body']);
 $allow = $item->get_item_tags(NAMESPACE_DFRN,'comment-allow');
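Review bot: The new inner `if((strpos($res['body'],'<')) || (strpos($res['body'],'>')))` tests strpos() by truthiness, so an angle bracket at offset 0 returns 0 and counts as absent; a body whose only `<` is the first character (and that has no `>`), or the reverse, takes the escape_tags() branch instead of HTMLPurifier. escape_tags() still neutralises the bracket, so the likely effect is lost formatting rather than injection, but the test should still be explicit: `if((strpos($res['body'],'<') !== false) || (strpos($res['body'],'>') !== false)) {`. It is also worth a comment above the outer `if(! $have_real_body)` making the new trust boundary visible, e.g. `// a verified envelope body is bbcode already passed through notags(); only unverified content is purified here`, since nothing in this branch runs for a real body any more. The youtube pattern on the following line appears to have lost its opening-tag prefix in this rendering, which I take to be a page artefact rather than the committed code; get_atom_elements() continues beyond this hunk.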