"escapeTags" is finally removed
This commit is contained in:
parent
f99d37d87e
commit
cfac13790b
11 changed files with 11 additions and 34 deletions
@ -204,7 +204,7 @@ function photos_post(App $a)
|
||||||
}
|
}
|
||||||
|
|
||||||
// RENAME photo album
|
// RENAME photo album
|
||||||
$newalbum = Strings::escapeTags(trim($_POST['albumname']));
|
$newalbum = trim($_POST['albumname']);
|
||||||
if ($newalbum != $album) {
|
if ($newalbum != $album) {
|
||||||
Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]);
|
Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]);
|
||||||
// Update the photo albums cache
|
// Update the photo albums cache
|
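Review bot: `$newalbum` on the new side of `photos_post` is now passed to `Photo::update` exactly as typed, so a name containing `<` or `>` is no longer rewritten and the angle brackets reach every place the album name is later printed; that is only safe if each of those render sites escapes for its own context (Smarty's default HTML escaping or `htmlspecialchars`), which this hunk cannot show. While here, the rename guard uses loose comparison, and `'10' != '1e1'` is false in PHP, so two numeric-looking names that differ textually are treated as equal; `if ($newalbum !== $album) {` avoids that. The rest of `photos_post` is outside the hunk.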
@ -32,7 +32,6 @@ use Friendica\Model\Item;
|
||||||
use Friendica\Model\Post;
|
use Friendica\Model\Post;
|
||||||
use Friendica\Model\Tag;
|
use Friendica\Model\Tag;
|
||||||
use Friendica\Protocol\Activity;
|
use Friendica\Protocol\Activity;
|
||||||
use Friendica\Util\Strings;
|
|
||||||
use Friendica\Util\XML;
|
use Friendica\Util\XML;
|
||||||
use Friendica\Worker\Delivery;
|
use Friendica\Worker\Delivery;
|
||||||
@ -42,15 +41,15 @@ function tagger_content(App $a) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
$term = Strings::escapeTags(trim($_GET['term']));
|
$term = trim($_GET['term']);
|
||||||
// no commas allowed
|
// no commas allowed
|
||||||
$term = str_replace([',',' '],['','_'],$term);
|
$term = str_replace([',',' ', '<', '>'],['','_', '', ''], $term);
|
||||||
|
|
||||||
if (!$term) {
|
if (!$term) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
$item_id = ((DI::args()->getArgc() > 1) ? Strings::escapeTags(trim(DI::args()->getArgv()[1])) : 0);
|
$item_id = ((DI::args()->getArgc() > 1) ? trim(DI::args()->getArgv()[1]) : 0);
|
||||||
|
|
||||||
Logger::notice('tagger: tag ' . $term . ' item ' . $item_id);
|
Logger::notice('tagger: tag ' . $term . ' item ' . $item_id);
|
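Review bot: `$item_id` in `tagger_content` is now the raw second URL argument after `trim()`; the old filter at least rewrote angle brackets, the new side applies nothing, and the value goes straight into the `Logger::notice` line. If item ids are numeric here, as the `0` fallback suggests, `$item_id = ((DI::args()->getArgc() > 1) ? (int) trim(DI::args()->getArgv()[1]) : 0);` makes that explicit and keeps arbitrary text out of the log. The `// no commas allowed` comment above the widened `str_replace` no longer describes it; `// no commas or angle brackets allowed, spaces become underscores` does. `tagger_content` continues past the hunk.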
@ -48,7 +48,6 @@ class BaseSearch extends BaseModule
|
||||||
*/
|
*/
|
||||||
public static function performContactSearch($search, $prefix = '')
|
public static function performContactSearch($search, $prefix = '')
|
||||||
{
|
{
|
||||||
$a = DI::app();
|
|
||||||
$config = DI::config();
|
$config = DI::config();
|
||||||
|
|
||||||
$type = Search::TYPE_ALL;
|
$type = Search::TYPE_ALL;
|
@ -58,7 +58,7 @@ class Invite extends BaseModule
|
||||||
|
|
||||||
|
|
||||||
$recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : [];
|
$recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : [];
|
||||||
$message = !empty($_POST['message']) ? Strings::escapeTags(trim($_POST['message'])) : '';
|
$message = !empty($_POST['message']) ? Strings::escapeHtml(trim($_POST['message'])) : '';
|
||||||
|
|
||||||
$total = 0;
|
$total = 0;
|
||||||
$invitation_only = false;
|
$invitation_only = false;
|
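Review bot: `$message` in the `Invite` hunk is HTML-escaped at the input boundary with `Strings::escapeHtml`, so the value carried from here on contains entities such as `&lt;` and `&#039;`; if it is later placed into a plain-text invitation mail, recipients see the entities, and if it is placed into an auto-escaping template, it is escaped twice. Escaping belongs at the point of output, per context; the input side should only `trim()`, as the other hunks of this commit do, with `htmlspecialchars` or the template's escaping applied where the message is rendered. Where `$message` goes is outside the hunk, so this is to be confirmed against the rest of the method.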
@ -25,7 +25,6 @@ use Friendica\Content\Widget;
|
||||||
use Friendica\DI;
|
use Friendica\DI;
|
||||||
use Friendica\Module\BaseSearch;
|
use Friendica\Module\BaseSearch;
|
||||||
use Friendica\Module\Security\Login;
|
use Friendica\Module\Security\Login;
|
||||||
use Friendica\Util\Strings;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Directory search module
|
* Directory search module
|
||||||
|
@ -39,7 +38,7 @@ class Directory extends BaseSearch
|
||||||
return Login::form();
|
return Login::form();
|
||||||
}
|
}
|
||||||
|
|
||||||
$search = Strings::escapeTags(trim(rawurldecode($_REQUEST['search'] ?? '')));
|
$search = trim(rawurldecode($_REQUEST['search'] ?? ''));
|
||||||
|
|
||||||
if (empty(DI::page()['aside'])) {
|
if (empty(DI::page()['aside'])) {
|
||||||
DI::page()['aside'] = '';
|
DI::page()['aside'] = '';
|
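Review bot: `$search` in the `Directory` hunk now reaches `BaseSearch::performContactSearch` and the `value="{{$search}}"` attribute of the directory templates with `<` and `>` intact, so the commit moves the whole defence to output escaping and parameterised queries; that holds only if Smarty's HTML escaping is enabled for these templates and the search backend binds the term rather than interpolating it, neither of which is visible here. The same pattern is introduced for `q` and `tag` in the search `Index` hunks and for `term` in `Saved`. A short comment at the assignment, `// raw user input: escaped at output by the template, bound as a parameter by the search backend`, would record the contract the removal relies on.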
@ -38,13 +38,12 @@ use Friendica\Model\Post;
|
||||||
use Friendica\Model\Tag;
|
use Friendica\Model\Tag;
|
||||||
use Friendica\Module\BaseSearch;
|
use Friendica\Module\BaseSearch;
|
||||||
use Friendica\Network\HTTPException;
|
use Friendica\Network\HTTPException;
|
||||||
use Friendica\Util\Strings;
|
|
||||||
|
|
||||||
class Index extends BaseSearch
|
class Index extends BaseSearch
|
||||||
{
|
{
|
||||||
public static function content(array $parameters = [])
|
public static function content(array $parameters = [])
|
||||||
{
|
{
|
||||||
$search = (!empty($_GET['q']) ? Strings::escapeTags(trim(rawurldecode($_GET['q']))) : '');
|
$search = (!empty($_GET['q']) ? trim(rawurldecode($_GET['q'])) : '');
|
||||||
|
|
||||||
if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) {
|
if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) {
|
||||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.'));
|
throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.'));
|
||||||
|
@ -88,7 +87,7 @@ class Index extends BaseSearch
|
||||||
$tag = false;
|
$tag = false;
|
||||||
if (!empty($_GET['tag'])) {
|
if (!empty($_GET['tag'])) {
|
||||||
$tag = true;
|
$tag = true;
|
||||||
$search = '#' . Strings::escapeTags(trim(rawurldecode($_GET['tag'])));
|
$search = '#' . trim(rawurldecode($_GET['tag']));
|
||||||
}
|
}
|
||||||
|
|
||||||
// contruct a wrapper for the search header
|
// contruct a wrapper for the search header
|
||||||
|
|
|
@ -25,14 +25,13 @@ use Friendica\BaseModule;
|
||||||
use Friendica\Core\Search;
|
use Friendica\Core\Search;
|
||||||
use Friendica\Database\DBA;
|
use Friendica\Database\DBA;
|
||||||
use Friendica\DI;
|
use Friendica\DI;
|
||||||
use Friendica\Util\Strings;
|
|
||||||
|
|
||||||
class Saved extends BaseModule
|
class Saved extends BaseModule
|
||||||
{
|
{
|
||||||
public static function init(array $parameters = [])
|
public static function init(array $parameters = [])
|
||||||
{
|
{
|
||||||
$action = DI::args()->get(2, 'none');
|
$action = DI::args()->get(2, 'none');
|
||||||
$search = Strings::escapeTags(trim(rawurldecode($_GET['term'] ?? '')));
|
$search = trim(rawurldecode($_GET['term'] ?? ''));
|
||||||
|
|
||||||
$return_url = $_GET['return_url'] ?? Search::getSearchPath($search);
|
$return_url = $_GET['return_url'] ?? Search::getSearchPath($search);
|
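Review bot: `$return_url` in `Saved::init` is taken verbatim from `$_GET['return_url']` with no check that it is a local path; if it is later used as a redirect target, as the name suggests, a caller-supplied absolute URL would send the user off-site after the save. The value should be restricted to a relative path (rejecting anything with a scheme or a leading `//`) before use, or ignored in favour of `Search::getSearchPath($search)`. This line is context rather than changed by the commit, and the rest of `init` is outside the hunk.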
@ -59,22 +59,6 @@ class Strings
|
||||||
return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
|
return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* This is our primary input filter.
|
|
||||||
*
|
|
||||||
* Use this on any text input where angle chars are not valid or permitted
|
|
||||||
* They will be replaced with safer brackets. This may be filtered further
|
|
||||||
* if these are not allowed either.
|
|
||||||
*
|
|
||||||
* @param string $string Input string
|
|
||||||
* @return string Filtered string
|
|
||||||
* @deprecated since 2020.09 Please use Smarty default HTML escaping for templates or htmlspecialchars() otherwise
|
|
||||||
*/
|
|
||||||
public static function escapeTags($string)
|
|
||||||
{
|
|
||||||
return str_replace(["<", ">"], ['[', ']'], $string);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Use this on "body" or "content" input where angle chars shouldn't be removed,
|
* Use this on "body" or "content" input where angle chars shouldn't be removed,
|
||||||
* and allow them to be safely displayed.
|
* and allow them to be safely displayed.
|
@ -90,10 +90,8 @@ class StringsTest extends TestCase
|
||||||
{
|
{
|
||||||
$invalidstring='<submit type="button" onclick="alert(\'failed!\');" />';
|
$invalidstring='<submit type="button" onclick="alert(\'failed!\');" />';
|
||||||
|
|
||||||
$validstring = Strings::escapeTags($invalidstring);
|
|
||||||
$escapedString = Strings::escapeHtml($invalidstring);
|
$escapedString = Strings::escapeHtml($invalidstring);
|
||||||
|
|
||||||
self::assertEquals('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring);
|
|
||||||
self::assertEquals(
|
self::assertEquals(
|
||||||
"<submit type="button" onclick="alert('failed!');" />",
|
"<submit type="button" onclick="alert('failed!');" />",
|
||||||
$escapedString
|
$escapedString
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
<div id="directory-search-wrapper">
|
<div id="directory-search-wrapper">
|
||||||
<form id="directory-search-form" action="{{$search_mod}}" method="get">
|
<form id="directory-search-form" action="{{$search_mod}}" method="get">
|
||||||
<span class="dirsearch-desc">{{$desc nofilter}}</span>
|
<span class="dirsearch-desc">{{$desc}}</span>
|
||||||
<input type="text" name="search" id="directory-search" class="search-input" onfocus="this.select();" value="{{$search}}" />
|
<input type="text" name="search" id="directory-search" class="search-input" onfocus="this.select();" value="{{$search}}" />
|
||||||
<input type="submit" name="submit" id="directory-search-submit" value="{{$submit}}" class="button" />
|
<input type="submit" name="submit" id="directory-search-submit" value="{{$submit}}" class="button" />
|
||||||
</form>
|
</form>
|
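Review bot: Dropping `nofilter` from `{{$desc}}` only changes output if the Smarty instance rendering this template has `escape_html` enabled; if it does not, `$desc` and the user-controlled `value="{{$search}}"` on the next line are still printed unescaped, and the removal of the input filter elsewhere in this commit leaves them with `<` and `>` intact. Worth confirming once against the template engine setup, and noting that any translated `$desc` that intentionally carries markup will now render literally. The frio variant of this template in the next section has the same change in its `placeholder` attribute.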
@ -15,7 +15,7 @@
|
||||||
<div class="col-md-2"></div>
|
<div class="col-md-2"></div>
|
||||||
<div class="col-md-8 ">
|
<div class="col-md-8 ">
|
||||||
<div class="form-group form-group-search">
|
<div class="form-group form-group-search">
|
||||||
<input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc nofilter}}"/>
|
<input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc}}"/>
|
||||||
<button class="btn btn-default btn-sm form-button-search" type="submit" id="directory-search-submit">{{$submit}}</button>
|
<button class="btn btn-default btn-sm form-button-search" type="submit" id="directory-search-submit">{{$submit}}</button>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|