diff --git a/mod/admin.php b/mod/admin.php index 89514397f..eab2e7226 100644 --- a/mod/admin.php +++ b/mod/admin.php @@ -1444,9 +1444,7 @@ function admin_page_site(App $a) $banner = 'Friendica'; } - $banner = htmlspecialchars($banner); $info = Config::get('config', 'info'); - $info = htmlspecialchars($info); // Automatically create temporary paths get_temppath(); diff --git a/mod/allfriends.php b/mod/allfriends.php index b233a4618..7a39c481d 100644 --- a/mod/allfriends.php +++ b/mod/allfriends.php @@ -81,9 +81,9 @@ function allfriends_content(App $a) $entry = [ 'url' => $rr['url'], 'itemurl' => defaults($contact_details, 'addr', $rr['url']), - 'name' => htmlentities($contact_details['name']), + 'name' => $contact_details['name'], 'thumb' => ProxyUtils::proxifyUrl($contact_details['thumb'], false, ProxyUtils::SIZE_THUMB), - 'img_hover' => htmlentities($contact_details['name']), + 'img_hover' => $contact_details['name'], 'details' => $contact_details['location'], 'tags' => $contact_details['keywords'], 'about' => $contact_details['about'], @@ -100,9 +100,7 @@ function allfriends_content(App $a) $tab_str = Module\Contact::getTabsHTML($a, $contact, 4); $tpl = Renderer::getMarkupTemplate('viewcontact_template.tpl'); - $o .= Renderer::replaceMacros($tpl, [ - //'$title' => L10n::t('Friends of %s', htmlentities($c[0]['name'])), '$tab_str' => $tab_str, '$contacts' => $entries, '$paginate' => $pager->renderFull($total), diff --git a/mod/babel.php b/mod/babel.php index b9846e4fb..64c955776 100644 --- a/mod/babel.php +++ b/mod/babel.php 
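Review bot: `$banner` and `$info` now reach the admin template without `htmlspecialchars()`, so escaping of these config values depends entirely on the template layer; the same move is made for `$contact_details['name']` in allfriends.php and common.php, `$item['title']` in editpost.php, `$_REQUEST['body']` in message.php and wallmessage.php, `$s` in HTML.php and `$conversation['source']` in Itemsource.php. Nothing in the diff shows that `Renderer::replaceMacros` HTML-escapes by default, and the template side (babel.tpl is cut off at the end of the page) is not visible here, so before merge every `{{$...}}` placeholder that receives one of these values should be confirmed to go through the engine's HTML escaping, with none rendered escape-disabled. A short comment at the first removal would record the contract, e.g. `// Not escaped here: the template engine HTML-escapes every value on output.` The raw `$source` in Itemsource.php and the `$text` of the two message forms are remote- or user-supplied content, so they are the cases to check first.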
@@ -142,7 +142,7 @@ function babel_content()
 $tpl = Renderer::getMarkupTemplate('babel.tpl');
 $o = Renderer::replaceMacros($tpl, [
- '$text' => ['text', L10n::t('Source text'), htmlentities(defaults($_REQUEST, 'text', '')), ''],
+ '$text' => ['text', L10n::t('Source text'), defaults($_REQUEST, 'text', ''), ''],
 '$type_bbcode' => ['type', L10n::t('BBCode'), 'bbcode', '', defaults($_REQUEST, 'type', 'bbcode') == 'bbcode'],
 '$type_markdown' => ['type', L10n::t('Markdown'), 'markdown', '', defaults($_REQUEST, 'type', 'bbcode') == 'markdown'],
 '$type_html' => ['type', L10n::t('HTML'), 'html', '', defaults($_REQUEST, 'type', 'bbcode') == 'html'],
diff --git a/mod/common.php b/mod/common.php
index c88d6ee77..c93edf3b3 100644
--- a/mod/common.php
+++ b/mod/common.php
@@ -50,7 +50,7 @@ function common_content(App $a)
 if (DBA::isResult($contact)) {
 $vcard_widget = Renderer::replaceMacros(Renderer::getMarkupTemplate("vcard-widget.tpl"), [
- '$name' => htmlentities($contact['name']),
+ '$name' => $contact['name'],
 '$photo' => $contact['photo'],
 'url' => 'contact/' . $cid
 ]);
@@ -123,7 +123,7 @@ function common_content(App $a)
 'itemurl' => defaults($contact_details, 'addr', $common_friend['url']),
 'name' => $contact_details['name'],
 'thumb' => ProxyUtils::proxifyUrl($contact_details['thumb'], false, ProxyUtils::SIZE_THUMB),
- 'img_hover' => htmlentities($contact_details['name']),
+ 'img_hover' => $contact_details['name'],
 'details' => $contact_details['location'],
 'tags' => $contact_details['keywords'],
 'about' => $contact_details['about'],
diff --git a/mod/credits.php b/mod/credits.php
index c53c86b8b..f397bdca7 100644
--- a/mod/credits.php
+++ b/mod/credits.php
@@ -13,7 +13,7 @@ function credits_content() { /* fill the page with credits */ $credits_string = file_get_contents('util/credits.txt'); - $names = explode("\n", htmlspecialchars($credits_string)); + $names = explode("\n", $credits_string); $tpl = Renderer::getMarkupTemplate('credits.tpl'); return Renderer::replaceMacros($tpl, [ '$title' => L10n::t('Credits'), diff --git a/mod/crepair.php b/mod/crepair.php index 8623d3c4a..91b22dbc9 100644 --- a/mod/crepair.php +++ b/mod/crepair.php @@ -158,8 +158,8 @@ function crepair_content(App $a) $remote_self_options ], - '$name' => ['name', L10n::t('Name') , htmlentities($contact['name'])], - '$nick' => ['nick', L10n::t('Account Nickname'), htmlentities($contact['nick'])], + '$name' => ['name', L10n::t('Name') , $contact['name']], + '$nick' => ['nick', L10n::t('Account Nickname'), $contact['nick']], '$attag' => ['attag', L10n::t('@Tagname - overrides Name/Nickname'), $contact['attag']], '$url' => ['url', L10n::t('Account URL'), $contact['url']], '$request' => ['request', L10n::t('Friend Request URL'), $contact['request']], diff --git a/mod/editpost.php b/mod/editpost.php index b518588a5..1e5328583 100644 --- a/mod/editpost.php +++ b/mod/editpost.php @@ -6,6 +6,7 @@ use Friendica\App; use Friendica\Content\Feature; use Friendica\Core\Addon; use Friendica\Core\Config; +use Friendica\Core\Hook; use Friendica\Core\L10n; use Friendica\Core\Renderer; use Friendica\Core\System; @@ -54,8 +55,6 @@ function editpost_content(App $a) '$nickname' => $a->user['nickname'] ]); - $tpl = Renderer::getMarkupTemplate("jot.tpl"); - if (strlen($item['allow_cid']) || strlen($item['allow_gid']) || strlen($item['deny_cid']) || strlen($item['deny_gid'])) { $lockstate = 'lock'; } else { 
@@ -84,9 +83,9 @@ function editpost_content(App $a) } } - Addon::callHooks('jot_tool', $jotplugins); - //Addon::callHooks('jot_networks', $jotnets); + Hook::callAll('jot_tool', $jotplugins); + $tpl = Renderer::getMarkupTemplate("jot.tpl"); $o .= Renderer::replaceMacros($tpl, [ '$is_edit' => true, '$return_path' => '/display/' . $item['guid'], @@ -119,7 +118,7 @@ function editpost_content(App $a) '$emailcc' => L10n::t('CC: email addresses'), '$public' => L10n::t('Public post'), '$jotnets' => $jotnets, - '$title' => htmlspecialchars($item['title']), + '$title' => $item['title'], '$placeholdertitle' => L10n::t('Set title'), '$category' => FileTag::fileToList($item['file'], 'category'), '$placeholdercategory' => (Feature::isEnabled(local_user(),'categories') ? L10n::t("Categories \x28comma-separated list\x29") : ''), diff --git a/mod/follow.php b/mod/follow.php index 1ee61ce9e..f8e2539d9 100644 --- a/mod/follow.php +++ b/mod/follow.php @@ -144,11 +144,8 @@ function follow_content(App $a) $r[0]['about'] = ''; } - $header = L10n::t('Connect/Follow'); - $o = Renderer::replaceMacros($tpl, [ - '$header' => htmlentities($header), - //'$photo' => ProxyUtils::proxifyUrl($ret['photo'], false, ProxyUtils::SIZE_SMALL), + '$header' => L10n::t('Connect/Follow'), '$desc' => '', '$pls_answer' => L10n::t('Please answer the following:'), '$does_know_you' => ['knowyou', L10n::t('Does %s know you?', $ret['name']), false, '', [L10n::t('No'), L10n::t('Yes')]], @@ -170,13 +167,6 @@ function follow_content(App $a) '$url_label' => L10n::t('Profile URL'), '$myaddr' => $myaddr, '$request' => $request, - /* - * @TODO commented out? - '$location' => Friendica\Content\Text\BBCode::::convert($r[0]['location']), - '$location_label'=> L10n::t('Location:'), - '$about' => Friendica\Content\Text\BBCode::::convert($r[0]['about'], false, false), - '$about_label' => L10n::t('About:'), - */ '$keywords' => $r[0]['keywords'], '$keywords_label'=> L10n::t('Tags:') ]); 
diff --git a/mod/message.php b/mod/message.php
index af1948799..d0993698b 100644
--- a/mod/message.php
+++ b/mod/message.php
@@ -247,22 +247,22 @@ function message_content(App $a)
 $tpl = Renderer::getMarkupTemplate('prv_message.tpl');
 $o .= Renderer::replaceMacros($tpl, [
- '$header' => L10n::t('Send Private Message'),
- '$to' => L10n::t('To:'),
+ '$header' => L10n::t('Send Private Message'),
+ '$to' => L10n::t('To:'),
 '$showinputs' => 'true',
- '$prefill' => $prefill,
- '$preid' => $preid,
- '$subject' => L10n::t('Subject:'),
- '$subjtxt' => !empty($_REQUEST['subject']) ? strip_tags($_REQUEST['subject']) : '',
- '$text' => !empty($_REQUEST['body']) ? Strings::escapeHtml(htmlspecialchars($_REQUEST['body'])) : '',
- '$readonly' => '',
- '$yourmessage' => L10n::t('Your message:'),
- '$select' => $select,
- '$parent' => '',
- '$upload' => L10n::t('Upload photo'),
- '$insert' => L10n::t('Insert web link'),
- '$wait' => L10n::t('Please wait'),
- '$submit' => L10n::t('Submit')
+ '$prefill' => $prefill,
+ '$preid' => $preid,
+ '$subject' => L10n::t('Subject:'),
+ '$subjtxt' => defaults($_REQUEST, 'subject', ''),
+ '$text' => defaults($_REQUEST, 'body', ''),
+ '$readonly' => '',
+ '$yourmessage'=> L10n::t('Your message:'),
+ '$select' => $select,
+ '$parent' => '',
+ '$upload' => L10n::t('Upload photo'),
+ '$insert' => L10n::t('Insert web link'),
+ '$wait' => L10n::t('Please wait'),
+ '$submit' => L10n::t('Submit')
 ]);
 return $o;
 }
diff --git a/mod/network.php b/mod/network.php
index 46861e394..6a4413b54 100644
--- a/mod/network.php
+++ b/mod/network.php
@@ -667,7 +667,7 @@ function networkThreadedView(App $a, $update, $parent)
 $entries[0] = [
 'id' => 'network',
- 'name' => htmlentities($contact['name']),
+ 'name' => $contact['name'],
 'itemurl' => defaults($contact, 'addr', $contact['nurl']),
 'thumb' => ProxyUtils::proxifyUrl($contact['thumb'], false, ProxyUtils::SIZE_THUMB),
 'details' => $contact['location'],
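Review bot: `'$subjtxt'` loses the `strip_tags()` the old line applied to `$_REQUEST['subject']`, so a prefilled subject now keeps any markup it contains and relies on the template to escape it rather than remove it; wallmessage.php makes the same change. If stripping was intentional, keep it on the new form: `'$subjtxt' => strip_tags(defaults($_REQUEST, 'subject', '')),`. `'$text'` is presumably rendered inside a `<textarea>`, where `<` and `>` in the body still need escaping by the template to keep a closing tag from ending the element early — confirm against prv_message.tpl and wallmessage.tpl, which are outside the diff.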
diff --git a/mod/profile.php b/mod/profile.php index f84a4be19..87ad9a9e9 100644 --- a/mod/profile.php +++ b/mod/profile.php @@ -33,24 +33,16 @@ function profile_init(App $a) $a->page['aside'] = ''; } - if ($a->argc > 1) { - $which = htmlspecialchars($a->argv[1]); - } else { - $r = q("SELECT `nickname` FROM `user` WHERE `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 ORDER BY RAND() LIMIT 1"); - if (DBA::isResult($r)) { - $a->internalRedirect('profile/' . $r[0]['nickname']); - } else { - Logger::log('profile error: mod_profile ' . $a->query_string, Logger::DEBUG); - notice(L10n::t('Requested profile is not available.') . EOL); - $a->error = 404; - return; - } + if ($a->argc < 2) { + System::httpExit(400); } + $which = filter_var($a->argv[1], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_STRIP_BACKTICK); + $profile = 0; if (local_user() && $a->argc > 2 && $a->argv[2] === 'view') { $which = $a->user['nickname']; - $profile = htmlspecialchars($a->argv[1]); + $profile = filter_var($a->argv[1], FILTER_SANITIZE_NUMBER_INT); } else { DFRN::autoRedir($a, $which); } diff --git a/mod/unfollow.php b/mod/unfollow.php index 433a4782f..a66c88aef 100644 --- a/mod/unfollow.php +++ b/mod/unfollow.php @@ -114,10 +114,8 @@ function unfollow_content(App $a) // Makes the connection request for friendica contacts easier $_SESSION['fastlane'] = $contact['url']; - $header = L10n::t('Disconnect/Unfollow'); - $o = Renderer::replaceMacros($tpl, [ - '$header' => htmlentities($header), + '$header' => L10n::t('Disconnect/Unfollow'), '$desc' => '', '$pls_answer' => '', '$does_know_you' => '', diff --git a/mod/viewcontacts.php b/mod/viewcontacts.php index 8b7acffbd..d36ea96c7 100644 --- a/mod/viewcontacts.php +++ b/mod/viewcontacts.php 
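Review bot: `FILTER_SANITIZE_STRING` in profile_init rewrites the nickname instead of rejecting bad input: it strips tags and encodes quotes, and with `FILTER_FLAG_STRIP_HIGH` it deletes every byte above 0x7F, so a nickname with non-ASCII characters is silently looked up under a different key rather than failing; the filter is also deprecated since PHP 8.1. As far as the hunk shows `$which` is only a lookup key (`DFRN::autoRedir`), so validating and returning 400 on mismatch would be the safer replacement, e.g. `if (!preg_match('/^[a-z0-9_-]+$/i', $a->argv[1])) { System::httpExit(400); }` — a constructed example; the allowed character set must match the registration rules. Likewise `FILTER_SANITIZE_NUMBER_INT` returns a string with non-digits removed rather than failing, so `$profile = filter_var($a->argv[1], FILTER_VALIDATE_INT);` followed by a `false` check is more precise. profile_init continues outside the hunk.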
@@ -29,18 +29,13 @@ function viewcontacts_init(App $a)
 Nav::setSelected('home');
- $nick = $a->argv[1];
- $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1",
- DBA::escape($nick)
- );
-
- if (!DBA::isResult($r)) {
+ $user = DBA::selectFirst('user', [], ['nickname' => $a->argv[1], 'blocked' => false]);
+ if (!DBA::isResult($user)) {
 System::httpExit(404, ["title" => L10n::t('Page not found.')]);
 }
- $a->data['user'] = $r[0];
- $a->profile_uid = $r[0]['uid'];
- $is_owner = (local_user() && (local_user() == $a->profile_uid));
+ $a->data['user'] = $user;
+ $a->profile_uid = $user['uid'];
 Profile::load($a, $a->argv[1]);
 }
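Review bot: `$a->argv[1]` is still read without an `argc` check in the new `DBA::selectFirst()` call, so a request with no nickname segment raises an undefined-index notice and looks up a null nickname, whereas profile.php in this same commit guards with `if ($a->argc < 2) { System::httpExit(400); }`; the same guard before the lookup would make the two modules consistent. The empty field list `[]` also pulls the whole user row into `$a->data['user']`, presumably including credential columns, as the old `SELECT *` did; if only `uid` and `nickname` are needed downstream, naming them in the field list narrows what the request carries around.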
@@ -54,82 +49,69 @@ function viewcontacts_content(App $a) $is_owner = $a->profile['profile_uid'] == local_user(); - $o = ""; - // tabs - $o .= Profile::getTabs($a, $is_owner, $a->data['user']['nickname']); + $o = Profile::getTabs($a, $is_owner, $a->data['user']['nickname']); if (!count($a->profile) || $a->profile['hide-friends']) { notice(L10n::t('Permission denied.') . EOL); return $o; } - $total = 0; - $r = q("SELECT COUNT(*) AS `total` FROM `contact` - WHERE `uid` = %d AND NOT `blocked` AND NOT `pending` - AND NOT `hidden` AND NOT `archive` - AND `network` IN ('%s', '%s', '%s', '%s')", - intval($a->profile['uid']), - DBA::escape(Protocol::ACTIVITYPUB), - DBA::escape(Protocol::DFRN), - DBA::escape(Protocol::DIASPORA), - DBA::escape(Protocol::OSTATUS) - ); - if (DBA::isResult($r)) { - $total = $r[0]['total']; - } + $condition = [ + 'uid' => $a->profile['uid'], + 'blocked' => false, + 'pending' => false, + 'hidden' => false, + 'archive' => false, + 'network' => [Protocol::ACTIVITYPUB, Protocol::DFRN, Protocol::DIASPORA, Protocol::OSTATUS] + ]; + + $total = DBA::count('count', $condition); + $pager = new Pager($a->query_string); - $r = q("SELECT * FROM `contact` - WHERE `uid` = %d AND NOT `blocked` AND NOT `pending` - AND NOT `hidden` AND NOT `archive` - AND `network` IN ('%s', '%s', '%s', '%s') - ORDER BY `name` ASC LIMIT %d, %d", - intval($a->profile['uid']), - DBA::escape(Protocol::ACTIVITYPUB), - DBA::escape(Protocol::DFRN), - DBA::escape(Protocol::DIASPORA), - DBA::escape(Protocol::OSTATUS), - $pager->getStart(), - $pager->getItemsPerPage() - ); - if (!DBA::isResult($r)) { - info(L10n::t('No contacts.').EOL); + $params = ['order' => ['name' => false], 'limit' => [$pager->getStart(), $pager->getItemsPerPage()]]; + + $contacts_stmt = DBA::select('contact', [], $condition, $params); + + if (!DBA::isResult($contacts_stmt)) { + info(L10n::t('No contacts.') . 
EOL); return $o; } $contacts = []; - foreach ($r as $rr) { + while ($contact = DBA::fetch($contacts_stmt)) { /// @TODO This triggers an E_NOTICE if 'self' is not there - if ($rr['self']) { + if ($contact['self']) { continue; } - $contact_details = Contact::getDetailsByURL($rr['url'], $a->profile['uid'], $rr); + $contact_details = Contact::getDetailsByURL($contact['url'], $a->profile['uid'], $contact); $contacts[] = [ - 'id' => $rr['id'], - 'img_hover' => L10n::t('Visit %s\'s profile [%s]', $contact_details['name'], $rr['url']), - 'photo_menu' => Contact::photoMenu($rr), - 'thumb' => ProxyUtils::proxifyUrl($contact_details['thumb'], false, ProxyUtils::SIZE_THUMB), - 'name' => htmlentities(substr($contact_details['name'], 0, 20)), - 'username' => htmlentities($contact_details['name']), - 'details' => $contact_details['location'], - 'tags' => $contact_details['keywords'], - 'about' => $contact_details['about'], - 'account_type' => Contact::getAccountType($contact_details), - 'url' => Contact::magicLink($rr['url']), - 'sparkle' => '', - 'itemurl' => (($contact_details['addr'] != "") ? $contact_details['addr'] : $rr['url']), - 'network' => ContactSelector::networkToName($rr['network'], $rr['url']), + 'id' => $contact['id'], + 'img_hover' => L10n::t('Visit %s\'s profile [%s]', $contact_details['name'], $contact['url']), + 'photo_menu' => Contact::photoMenu($contact), + 'thumb' => ProxyUtils::proxifyUrl($contact_details['thumb'], false, ProxyUtils::SIZE_THUMB), + 'name' => substr($contact_details['name'], 0, 20), + 'username' => $contact_details['name'], + 'details' => $contact_details['location'], + 'tags' => $contact_details['keywords'], + 'about' => $contact_details['about'], + 'account_type' => Contact::getAccountType($contact_details), + 'url' => Contact::magicLink($contact['url']), + 'sparkle' => '', + 'itemurl' => (($contact_details['addr'] != "") ? 
$contact_details['addr'] : $contact['url']), + 'network' => ContactSelector::networkToName($contact['network'], $contact['url']), ]; } + DBA::close($contacts_stmt); $tpl = Renderer::getMarkupTemplate("viewcontact_template.tpl"); $o .= Renderer::replaceMacros($tpl, [ - '$title' => L10n::t('Contacts'), + '$title' => L10n::t('Contacts'), '$contacts' => $contacts, '$paginate' => $pager->renderFull($total), ]); diff --git a/mod/wallmessage.php b/mod/wallmessage.php index d93104644..780230b8c 100644 --- a/mod/wallmessage.php +++ b/mod/wallmessage.php 
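Review bot: `DBA::count('count', $condition)` passes the literal table name `'count'` where `'contact'` is meant, so `$total` is computed against a non-existent table and the pagination fed by `$pager->renderFull($total)` breaks; the select a few lines below correctly uses `DBA::select('contact', [], $condition, $params)` with the same condition. The fix is `$total = DBA::count('contact', $condition);`. `'order' => ['name' => false]` is presumably the ascending order of the removed `ORDER BY \`name\` ASC`, but the meaning of `false` comes from the DBA helper, which is not visible in the diff — confirm. viewcontacts_content continues past the end of the hunk.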
@@ -125,20 +125,20 @@ function wallmessage_content(App $a)
 {
 $tpl = Renderer::getMarkupTemplate('wallmessage.tpl');
 $o = Renderer::replaceMacros($tpl, [
- '$header' => L10n::t('Send Private Message'),
- '$subheader' => L10n::t('If you wish for %s to respond, please check that the privacy settings on your site allow private mail from unknown senders.', $user['username']),
- '$to' => L10n::t('To:'),
- '$subject' => L10n::t('Subject:'),
- '$recipname' => $user['username'],
- '$nickname' => $user['nickname'],
- '$subjtxt' => (!empty($_REQUEST['subject']) ? strip_tags($_REQUEST['subject']) : ''),
- '$text' => (!empty($_REQUEST['body']) ? Strings::escapeHtml(htmlspecialchars($_REQUEST['body'])) : ''),
- '$readonly' => '',
- '$yourmessage' => L10n::t('Your message:'),
- '$parent' => '',
- '$upload' => L10n::t('Upload photo'),
- '$insert' => L10n::t('Insert web link'),
- '$wait' => L10n::t('Please wait')
+ '$header' => L10n::t('Send Private Message'),
+ '$subheader' => L10n::t('If you wish for %s to respond, please check that the privacy settings on your site allow private mail from unknown senders.', $user['username']),
+ '$to' => L10n::t('To:'),
+ '$subject' => L10n::t('Subject:'),
+ '$recipname' => $user['username'],
+ '$nickname' => $user['nickname'],
+ '$subjtxt' => defaults($_REQUEST, 'subject', ''),
+ '$text' => defaults($_REQUEST, 'body', ''),
+ '$readonly' => '',
+ '$yourmessage'=> L10n::t('Your message:'),
+ '$parent' => '',
+ '$upload' => L10n::t('Upload photo'),
+ '$insert' => L10n::t('Insert web link'),
+ '$wait' => L10n::t('Please wait')
 ]);
 return $o;
diff --git a/src/Content/Text/HTML.php b/src/Content/Text/HTML.php
index e452e6835..276094a8f 100644
--- a/src/Content/Text/HTML.php
+++ b/src/Content/Text/HTML.php
@@ -961,7 +961,7 @@ class HTML
 $save_label = $mode === 'text' ? L10n::t('Save') : L10n::t('Follow');
 $values = [
- '$s' => htmlspecialchars($s),
+ '$s' => $s,
 '$id' => $id,
 '$action_url' => $url,
 '$search_label' => L10n::t('Search'),
diff --git a/src/Module/Itemsource.php b/src/Module/Itemsource.php
index 2da679eee..4d85ef15c 100644
--- a/src/Module/Itemsource.php
+++ b/src/Module/Itemsource.php
@@ -25,12 +25,12 @@ class Itemsource extends \Friendica\BaseModule
 $conversation = Model\Conversation::getByItemUri($item['uri']);
 $item_uri = $item['uri'];
- $source = htmlspecialchars($conversation['source']);
+ $source = $conversation['source'];
 }
 $tpl = Renderer::getMarkupTemplate('debug/itemsource.tpl');
 $o = Renderer::replaceMacros($tpl, [
- '$guid' => ['guid', L10n::t('Item Guid'), htmlentities(defaults($_REQUEST, 'guid', '')), ''],
+ '$guid' => ['guid', L10n::t('Item Guid'), defaults($_REQUEST, 'guid', ''), ''],
 '$source' => $source,
 '$item_uri' => $item_uri
 ]);
diff --git a/view/templates/babel.tpl b/view/templates/babel.tpl
index 659864af3..caa829621 100644
--- a/view/templates/babel.tpl
+++ b/view/templates/babel.tpl
@@ -21,7 +21,7 @@