XSS vulnerability when remote-subscribing
[quix0rs-gnu-social.git] / actions / addpeopletag.php
index 1e130e27e858328d52585973adf6d20856a90d58..b501ce0fd9679b245d36f300164f7b433e9cce26 100644 (file)
@@ -77,7 +77,6 @@ class AddpeopletagAction extends Action
             // TRANS: Client error displayed when the session token does not match or is not given.
             $this->clientError(_('There was a problem with your session token.'.
                                  ' Try again, please.'));
-            return false;
         }
 
         // Only for logged-in users
@@ -87,40 +86,25 @@ class AddpeopletagAction extends Action
         if (empty($this->user)) {
             // TRANS: Error message displayed when trying to perform an action that requires a logged in user.
             $this->clientError(_('Not logged in.'));
-            return false;
         }
 
         // Profile to subscribe to
 
         $tagged_id = $this->arg('tagged');
 
-        $this->tagged = Profile::staticGet('id', $tagged_id);
+        $this->tagged = Profile::getKV('id', $tagged_id);
 
         if (empty($this->tagged)) {
             // TRANS: Client error displayed trying to perform an action related to a non-existing profile.
             $this->clientError(_('No such profile.'));
-            return false;
         }
 
         $id = $this->arg('peopletag_id');
-        $this->peopletag = Profile_list::staticGet('id', $id);
+        $this->peopletag = Profile_list::getKV('id', $id);
 
         if (empty($this->peopletag)) {
             // TRANS: Client error displayed trying to reference a non-existing list.
             $this->clientError(_('No such list.'));
-            return false;
-        }
-
-        // OMB 0.1 doesn't have a mechanism for local-server-
-        // originated tag.
-
-        $omb01 = Remote_profile::staticGet('id', $tagged_id);
-
-        if (!empty($omb01)) {
-            // TRANS: Client error displayed when trying to add an OMB 0.1 remote profile to a list.
-            $this->clientError(_('You cannot list an OMB 0.1 '.
-                                 'remote profile with this action.'));
-            return false;
         }
 
         return true;
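Review bot: With the `return false;` lines gone, each guard in this hunk (not logged in, no such profile, no such list) stops the request only if `clientError()` never returns. The same holds for the session-token check in the hunk above and the `if (!$ptag)` branch further down. Nothing in the diff shows that `clientError()` throws, so that should be confirmed in the `Action` base class; if it can return, a failed token or login check would fall through to `return true;`. A short comment at the first guard would make the dependency explicit, e.g. `// clientError() throws, so nothing below runs on failure.` The enclosing method starts outside this hunk.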
@@ -142,7 +126,7 @@ class AddpeopletagAction extends Action
                                 $this->peopletag->tag);
 
         if (!$ptag) {
-            $user = User::staticGet('id', $id);
+            $user = User::getKV('id', $id);
             if ($user) {
                 $this->clientError(
                         // TRANS: Client error displayed when an unknown error occurs when adding a user to a list.
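Review bot: `$id` in `User::getKV('id', $id)` is not assigned anywhere in this hunk, and the only visible assignment (`$id = $this->arg('peopletag_id')` in the earlier hunk) is a list id in what looks like a different method. The enclosing function starts outside the hunk, so this needs confirming. If `$id` is unset here, the lookup never finds a local user and every failure is reported with the remote-server message. If the intent is to test whether the tagged profile is local, `$user = User::getKV('id', $this->tagged->id);` would state that explicitly.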
@@ -156,7 +140,6 @@ class AddpeopletagAction extends Action
                                       'The remote server is probably not responding correctly. ' .
                                       'Please try retrying later.'), $this->profile->profileurl));
             }
-            return false;
         }
         if ($this->boolean('ajax')) {
             $this->startHTML('text/xml;charset=utf-8');
@@ -168,7 +151,7 @@ class AddpeopletagAction extends Action
             $unsubscribe = new UntagButton($this, $this->tagged, $this->peopletag);
             $unsubscribe->show();
             $this->elementEnd('body');
-            $this->elementEnd('html');
+            $this->endHTML();
         } else {
             $url = common_local_url('subscriptions',
                                     array('nickname' => $this->user->nickname));