From c9c9fc3a9687b4030a2849b8f918ea413ae9f2d4 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 24 Dec 2018 22:50:29 -0500 Subject: [PATCH 1/3] Code cleanup in events - Replace killme() with exit() - Use correctly escaped query string - Simplify perms2str input filtering - Add expected json header to /events/json --- mod/events.php | 27 +++++++++++++++++++-------- src/Model/Event.php | 1 - 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/mod/events.php b/mod/events.php index f147e0054..a788cc157 100644 --- a/mod/events.php +++ b/mod/events.php @@ -102,8 +102,18 @@ function events_post(App $a) $location = Strings::escapeHtml(trim(defaults($_POST, 'location', ''))); $type = 'event'; - $action = ($event_id == '') ? 'new' : "event/" . $event_id; - $onerror_path = "events/" . $action . "?summary=$summary&description=$desc&location=$location&start=$start_text&finish=$finish_text&adjust=$adjust&nofinish=$nofinish"; + $params = [ + 'summary' => $summary, + 'description' => $desc, + 'location' => $location, + 'start' => $start_text, + 'finish' => $finish_text, + 'adjust' => $adjust, + 'nofinish' => $nofinish, + ]; + + $action = ($event_id == '') ? 'new' : 'event/' . $event_id; + $onerror_path = 'events/' . $action . '?' . http_build_query($params, null, null, PHP_QUERY_RFC3986); if (strcmp($finish, $start) < 0 && !$nofinish) { notice(L10n::t('Event can not end before it has started.') . EOL); @@ -137,10 +147,10 @@ function events_post(App $a) if ($share) { - $str_group_allow = !empty($_POST['group_allow']) ? perms2str($_POST['group_allow']) : ''; - $str_contact_allow = !empty($_POST['contact_allow']) ? perms2str($_POST['contact_allow']) : ''; - $str_group_deny = !empty($_POST['group_deny']) ? perms2str($_POST['group_deny']) : ''; - $str_contact_deny = !empty($_POST['contact_deny']) ? perms2str($_POST['contact_deny']) : ''; + $str_group_allow = perms2str(defaults($_POST, 'group_allow' , '')); + $str_contact_allow = perms2str(defaults($_POST, 'contact_allow', '')); + $str_group_deny = perms2str(defaults($_POST, 'group_deny' , '')); + $str_contact_deny = perms2str(defaults($_POST, 'contact_deny' , '')); // Undo the pseudo-contact of self, since there are real contacts now if (strpos($str_contact_allow, '<' . $self . '>') !== false) { @@ -181,7 +191,7 @@ function events_post(App $a) if (intval($_REQUEST['preview'])) { $html = Event::getHTML($datarray); echo $html; - killme(); + exit(); } $item_id = Event::store($datarray); @@ -364,8 +374,9 @@ function events_content(App $a) } if ($a->argc > 1 && $a->argv[1] === 'json') { + header('Content-Type: application/json'); echo json_encode($events); - killme(); + exit(); } if (!empty($_GET['id'])) { diff --git a/src/Model/Event.php b/src/Model/Event.php index 886f12415..348ced525 100644 --- a/src/Model/Event.php +++ b/src/Model/Event.php @@ -14,7 +14,6 @@ use Friendica\Core\PConfig; use Friendica\Core\Renderer; use Friendica\Core\System; use Friendica\Database\DBA; -use Friendica\Model\Contact; use Friendica\Util\DateTimeFormat; use Friendica\Util\Map; use Friendica\Util\XML; From a8b0aa8c8d97a2d28b357fca17a63f2930c6b640 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 24 Dec 2018 22:52:21 -0500 Subject: [PATCH 2/3] Normalize expected format for event fields summary, desc and location - Remove unnecessary HTML escaping on event submit - Add HTML escaping on event display - Add HTML to BBCode conversion for received ActivityPub events --- mod/events.php | 6 +++--- src/Model/Event.php | 23 ++++++++++++----------- src/Protocol/ActivityPub/Processor.php | 24 ++++++++++++------------ 3 files changed, 27 insertions(+), 26 deletions(-) diff --git a/mod/events.php b/mod/events.php index a788cc157..cb91fae35 100644 --- a/mod/events.php +++ b/mod/events.php @@ -97,9 +97,9 @@ function events_post(App $a) // and we'll waste a bunch of time responding to it. Time that // could've been spent doing something else. - $summary = Strings::escapeHtml(trim(defaults($_POST, 'summary', ''))); - $desc = Strings::escapeHtml(trim(defaults($_POST, 'desc', ''))); - $location = Strings::escapeHtml(trim(defaults($_POST, 'location', ''))); + $summary = trim(defaults($_POST, 'summary' , '')); + $desc = trim(defaults($_POST, 'desc' , '')); + $location = trim(defaults($_POST, 'location', '')); $type = 'event'; $params = [ diff --git a/src/Model/Event.php b/src/Model/Event.php index 348ced525..d25f2a151 100644 --- a/src/Model/Event.php +++ b/src/Model/Event.php @@ -16,6 +16,7 @@ use Friendica\Core\System; use Friendica\Database\DBA; use Friendica\Util\DateTimeFormat; use Friendica\Util\Map; +use Friendica\Util\Strings; use Friendica\Util\XML; require_once 'boot.php'; @@ -52,11 +53,11 @@ class Event extends BaseObject if ($simple) { if (!empty($event['summary'])) { - $o = "

" . BBCode::convert($event['summary'], false, $simple) . "

"; + $o = "

" . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . "

"; } if (!empty($event['desc'])) { - $o .= "
" . BBCode::convert($event['desc'], false, $simple) . "
"; + $o .= "
" . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . "
"; } $o .= "

" . L10n::t('Starts:') . "

" . $event_start . "

"; @@ -66,7 +67,7 @@ class Event extends BaseObject } if (!empty($event['location'])) { - $o .= "

" . L10n::t('Location:') . "

" . BBCode::convert($event['location'], false, $simple) . "

"; + $o .= "

" . L10n::t('Location:') . "

" . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple) . "

"; } return $o; @@ -74,7 +75,7 @@ class Event extends BaseObject $o = '
' . "\r\n"; - $o .= '
' . BBCode::convert($event['summary'], false, $simple) . '
' . "\r\n"; + $o .= '
' . BBCode::convert(Strings::escapeHtml($event['summary']), false, $simple) . '
' . "\r\n"; $o .= '
' . L10n::t('Starts:') . ' ' . BBCode::convert($event['desc'], false, $simple) . '
' . "\r\n"; + $o .= '
' . BBCode::convert(Strings::escapeHtml($event['desc']), false, $simple) . '
' . "\r\n"; } if (!empty($event['location'])) { $o .= '
' . L10n::t('Location:') . ' ' - . BBCode::convert($event['location'], false, $simple) + . BBCode::convert(Strings::escapeHtml($event['location']), false, $simple) . '
' . "\r\n"; // Include a map of the location if the [map] BBCode is used. @@ -591,10 +592,9 @@ class Event extends BaseObject $drop = [System::baseUrl() . '/events/drop/' . $event['id'] , L10n::t('Delete event') , '', '']; } - $title = strip_tags(html_entity_decode(BBCode::convert($event['summary']), ENT_QUOTES, 'UTF-8')); + $title = BBCode::convert(Strings::escapeHtml($event['summary'])); if (!$title) { - list($title, $_trash) = explode(" $event['id'], 'start' => $start, diff --git a/src/Protocol/ActivityPub/Processor.php b/src/Protocol/ActivityPub/Processor.php index bff8767f3..d2f5b3b2d 100644 --- a/src/Protocol/ActivityPub/Processor.php +++ b/src/Protocol/ActivityPub/Processor.php @@ -209,20 +209,20 @@ class Processor */ public static function createEvent($activity, $item) { - $event['summary'] = $activity['name']; - $event['desc'] = $activity['content']; - $event['start'] = $activity['start-time']; - $event['finish'] = $activity['end-time']; + $event['summary'] = HTML::toBBCode($activity['name']); + $event['desc'] = HTML::toBBCode($activity['content']); + $event['start'] = $activity['start-time']; + $event['finish'] = $activity['end-time']; $event['nofinish'] = empty($event['finish']); $event['location'] = $activity['location']; - $event['adjust'] = true; - $event['cid'] = $item['contact-id']; - $event['uid'] = $item['uid']; - $event['uri'] = $item['uri']; - $event['edited'] = $item['edited']; - $event['private'] = $item['private']; - $event['guid'] = $item['guid']; - $event['plink'] = $item['plink']; + $event['adjust'] = true; + $event['cid'] = $item['contact-id']; + $event['uid'] = $item['uid']; + $event['uri'] = $item['uri']; + $event['edited'] = $item['edited']; + $event['private'] = $item['private']; + $event['guid'] = $item['guid']; + $event['plink'] = $item['plink']; $condition = ['uri' => $item['uri'], 'uid' => $item['uid']]; $ev = DBA::selectFirst('event', ['id'], $condition); From 787428f68c1f889b2868e2e16e7e782ed313968e Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 24 Dec 2018 22:52:38 -0500 Subject: [PATCH 3/3] Remove template escaping for event title --- view/theme/frio/templates/event_stream_item.tpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/view/theme/frio/templates/event_stream_item.tpl b/view/theme/frio/templates/event_stream_item.tpl index 330f88cbb..9264e9d2e 100644 --- a/view/theme/frio/templates/event_stream_item.tpl +++ b/view/theme/frio/templates/event_stream_item.tpl @@ -12,7 +12,8 @@
-
{{$title}}
+
{{$title nofilter}}
+ {{* If there is a map, we insert a button for showing/hiding the map *}} {{if $location.map}}{{/if}}