"escapeTags" is finally removed

This commit is contained in:
Michael 2021-11-07 09:18:25 +00:00
parent f99d37d87e
commit cfac13790b
11 changed files with 11 additions and 34 deletions


@ -204,7 +204,7 @@ function photos_post(App $a)
} }
// RENAME photo album // RENAME photo album
$newalbum = Strings::escapeTags(trim($_POST['albumname'])); $newalbum = trim($_POST['albumname']);
if ($newalbum != $album) { if ($newalbum != $album) {
Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]); Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]);
// Update the photo albums cache // Update the photo albums cache
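Review bot: The album name handed to `Photo::update` on the line above is now stored with any `<` or `>` intact, so every path that renders an album name must escape it at output time; this hunk adds no such escaping and the rendering paths are not visible here. A comment at the assignment would keep that intent visible, e.g. `// Stored unfiltered: album names must be HTML-escaped wherever they are rendered`. The loose `!=` on the comparison line is pre-existing, but `!==` is the safer comparison for two strings. photos_post's body continues outside the hunk.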


@ -32,7 +32,6 @@ use Friendica\Model\Item;
use Friendica\Model\Post; use Friendica\Model\Post;
use Friendica\Model\Tag; use Friendica\Model\Tag;
use Friendica\Protocol\Activity; use Friendica\Protocol\Activity;
use Friendica\Util\Strings;
use Friendica\Util\XML; use Friendica\Util\XML;
use Friendica\Worker\Delivery; use Friendica\Worker\Delivery;
@ -42,15 +41,15 @@ function tagger_content(App $a) {
return; return;
} }
$term = Strings::escapeTags(trim($_GET['term'])); $term = trim($_GET['term']);
// no commas allowed // no commas allowed
$term = str_replace([',',' '],['','_'],$term); $term = str_replace([',',' ', '<', '>'],['','_', '', ''], $term);
if (!$term) { if (!$term) {
return; return;
} }
$item_id = ((DI::args()->getArgc() > 1) ? Strings::escapeTags(trim(DI::args()->getArgv()[1])) : 0); $item_id = ((DI::args()->getArgc() > 1) ? trim(DI::args()->getArgv()[1]) : 0);
Logger::notice('tagger: tag ' . $term . ' item ' . $item_id); Logger::notice('tagger: tag ' . $term . ' item ' . $item_id);
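Review bot: The comment `// no commas allowed` no longer describes the line below it, which now also deletes `<` and `>` and turns spaces into underscores; suggest `// strip commas and angle brackets, replace spaces with underscores`. The `$item_id` assignment later in the hunk now passes the trimmed URL argument through with no filtering at all while the fallback is the int `0`; if item ids are numeric, `(int) trim(DI::args()->getArgv()[1])` would make the type consistent and avoid trusting the raw argument downstream — hedged, since how `$item_id` is used past this hunk is not visible. tagger_content's body continues outside the hunk.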


@ -48,7 +48,6 @@ class BaseSearch extends BaseModule
*/ */
public static function performContactSearch($search, $prefix = '') public static function performContactSearch($search, $prefix = '')
{ {
$a = DI::app();
$config = DI::config(); $config = DI::config();
$type = Search::TYPE_ALL; $type = Search::TYPE_ALL;


@ -58,7 +58,7 @@ class Invite extends BaseModule
$recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : []; $recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : [];
$message = !empty($_POST['message']) ? Strings::escapeTags(trim($_POST['message'])) : ''; $message = !empty($_POST['message']) ? Strings::escapeHtml(trim($_POST['message'])) : '';
$total = 0; $total = 0;
$invitation_only = false; $invitation_only = false;
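Review bot: `Strings::escapeHtml` on the invitation message is only correct if that text is emitted into an HTML context; if it ends up in a plain-text email body, `&`, quotes and angle brackets reach recipients as entities such as `&amp;` and `&quot;`, which is exactly the output the StringsTest hunk on this page asserts for escapeHtml. Where `$message` is consumed is not visible from this hunk, so this is worth confirming, and a comment stating the intended context (`// HTML-escaped: message is rendered into the HTML invitation template`) would make the decision explicit. The enclosing method continues outside the hunk.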


@ -25,7 +25,6 @@ use Friendica\Content\Widget;
use Friendica\DI; use Friendica\DI;
use Friendica\Module\BaseSearch; use Friendica\Module\BaseSearch;
use Friendica\Module\Security\Login; use Friendica\Module\Security\Login;
use Friendica\Util\Strings;
/** /**
* Directory search module * Directory search module
@ -39,7 +38,7 @@ class Directory extends BaseSearch
return Login::form(); return Login::form();
} }
$search = Strings::escapeTags(trim(rawurldecode($_REQUEST['search'] ?? ''))); $search = trim(rawurldecode($_REQUEST['search'] ?? ''));
if (empty(DI::page()['aside'])) { if (empty(DI::page()['aside'])) {
DI::page()['aside'] = ''; DI::page()['aside'] = '';
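Review bot: `rawurldecode($_REQUEST['search'] ?? '')` decodes a value PHP has already URL-decoded, so a doubly encoded `%253C` arrives here as a literal `<`; previously escapeTags neutralised that, and now nothing in this hunk does, so the value must be escaped at every output and query site. The same pattern appears in the Search/Index hunks (`$_GET['q']`, `$_GET['tag']`) and the Search/Saved hunk (`$_GET['term']`) on this page. If the second decode is intentional (for links that encode the term twice), a comment such as `// $_REQUEST is already decoded; second decode handles double-encoded links` would record that; otherwise dropping `rawurldecode` is the simpler fix. The enclosing method continues outside the hunk.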


@ -38,13 +38,12 @@ use Friendica\Model\Post;
use Friendica\Model\Tag; use Friendica\Model\Tag;
use Friendica\Module\BaseSearch; use Friendica\Module\BaseSearch;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Util\Strings;
class Index extends BaseSearch class Index extends BaseSearch
{ {
public static function content(array $parameters = []) public static function content(array $parameters = [])
{ {
$search = (!empty($_GET['q']) ? Strings::escapeTags(trim(rawurldecode($_GET['q']))) : ''); $search = (!empty($_GET['q']) ? trim(rawurldecode($_GET['q'])) : '');
if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) { if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) {
throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.')); throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.'));
@ -88,7 +87,7 @@ class Index extends BaseSearch
$tag = false; $tag = false;
if (!empty($_GET['tag'])) { if (!empty($_GET['tag'])) {
$tag = true; $tag = true;
$search = '#' . Strings::escapeTags(trim(rawurldecode($_GET['tag']))); $search = '#' . trim(rawurldecode($_GET['tag']));
} }
// contruct a wrapper for the search header // contruct a wrapper for the search header


@ -25,14 +25,13 @@ use Friendica\BaseModule;
use Friendica\Core\Search; use Friendica\Core\Search;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\DI; use Friendica\DI;
use Friendica\Util\Strings;
class Saved extends BaseModule class Saved extends BaseModule
{ {
public static function init(array $parameters = []) public static function init(array $parameters = [])
{ {
$action = DI::args()->get(2, 'none'); $action = DI::args()->get(2, 'none');
$search = Strings::escapeTags(trim(rawurldecode($_GET['term'] ?? ''))); $search = trim(rawurldecode($_GET['term'] ?? ''));
$return_url = $_GET['return_url'] ?? Search::getSearchPath($search); $return_url = $_GET['return_url'] ?? Search::getSearchPath($search);


@ -59,22 +59,6 @@ class Strings
return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false; return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
} }
/**
* This is our primary input filter.
*
* Use this on any text input where angle chars are not valid or permitted
* They will be replaced with safer brackets. This may be filtered further
* if these are not allowed either.
*
* @param string $string Input string
* @return string Filtered string
* @deprecated since 2020.09 Please use Smarty default HTML escaping for templates or htmlspecialchars() otherwise
*/
public static function escapeTags($string)
{
return str_replace(["<", ">"], ['[', ']'], $string);
}
/** /**
* Use this on "body" or "content" input where angle chars shouldn't be removed, * Use this on "body" or "content" input where angle chars shouldn't be removed,
* and allow them to be safely displayed. * and allow them to be safely displayed.


@ -90,10 +90,8 @@ class StringsTest extends TestCase
{ {
$invalidstring='<submit type="button" onclick="alert(\'failed!\');" />'; $invalidstring='<submit type="button" onclick="alert(\'failed!\');" />';
$validstring = Strings::escapeTags($invalidstring);
$escapedString = Strings::escapeHtml($invalidstring); $escapedString = Strings::escapeHtml($invalidstring);
self::assertEquals('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring);
self::assertEquals( self::assertEquals(
"&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;", "&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;",
$escapedString $escapedString


@ -9,7 +9,7 @@
<div id="directory-search-wrapper"> <div id="directory-search-wrapper">
<form id="directory-search-form" action="{{$search_mod}}" method="get"> <form id="directory-search-form" action="{{$search_mod}}" method="get">
<span class="dirsearch-desc">{{$desc nofilter}}</span> <span class="dirsearch-desc">{{$desc}}</span>
<input type="text" name="search" id="directory-search" class="search-input" onfocus="this.select();" value="{{$search}}" /> <input type="text" name="search" id="directory-search" class="search-input" onfocus="this.select();" value="{{$search}}" />
<input type="submit" name="submit" id="directory-search-submit" value="{{$submit}}" class="button" /> <input type="submit" name="submit" id="directory-search-submit" value="{{$submit}}" class="button" />
</form> </form>
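Review bot: Dropping `nofilter` from `{{$desc}}` only escapes the description if the Smarty instance has default HTML escaping enabled; without a global escape modifier, `{{$desc}}` and `{{$desc nofilter}}` emit the same raw string. The deprecation note removed from Strings::escapeTags on this page refers to "Smarty default HTML escaping for templates", which suggests it is configured, but that configuration is not visible here. The same change appears in the second template hunk, where `$desc` lands in a `placeholder` attribute and needs attribute-context escaping (`htmlspecialchars` with `ENT_QUOTES`).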


@ -15,7 +15,7 @@
<div class="col-md-2"></div> <div class="col-md-2"></div>
<div class="col-md-8 "> <div class="col-md-8 ">
<div class="form-group form-group-search"> <div class="form-group form-group-search">
<input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc nofilter}}"/> <input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc}}"/>
<button class="btn btn-default btn-sm form-button-search" type="submit" id="directory-search-submit">{{$submit}}</button> <button class="btn btn-default btn-sm form-button-search" type="submit" id="directory-search-submit">{{$submit}}</button>
</div> </div>
</div> </div>