Merge remote-tracking branch 'upstream/develop' into 1607-performance

[friendica.git] / include / bbcode.php

diff --git a/include/bbcode.php b/include/bbcode.php
index 359a7ba2f0333e4f34dcb7ede125a7288e049986..27213007cebdfc8a6751a14fc0472ddadd0abe1b 100644 (file)
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1,4 +1,6 @@
 <?php
+use \Friendica\Core\Config;
+
 require_once("include/oembed.php");
 require_once('include/event.php');
 require_once('include/map.php');
@@ -34,7 +36,6 @@ function bb_map_location($match) {
 function bb_attachment($Text, $simplehtml = false, $tryoembed = true) {
 
        $data = get_attachment_data($Text);
-
        if (!$data)
                return $Text;
 
@@ -85,7 +86,7 @@ function bb_attachment($Text, $simplehtml = false, $tryoembed = true) {
                                $text .= $oembed;
 
                        if (trim($data["description"]) != "")
-                               $text .= sprintf('<blockquote>%s</blockquote></span>', trim($data["description"]));
+                               $text .= sprintf('<blockquote>%s</blockquote></span>', trim(bbcode($data["description"])));
                }
        }
        return $data["text"].$text.$data["after"];
@@ -147,7 +148,7 @@ function cleancss($input) {
                if (($char >= "a") and ($char <= "z"))
                        $cleaned .= $char;
 
-               if (!(strpos(" #;:0123456789-_", $char) === false))
+               if (!(strpos(" #;:0123456789-_.%", $char) === false))
                        $cleaned .= $char;
        }
 
@@ -415,21 +416,21 @@ function bb_ShareAttributes($share, $simplehtml) {
 
        $data = get_contact_details_by_url($profile);
 
-       if (isset($data["name"]) AND isset($data["addr"]))
+       if (isset($data["name"]) AND ($data["name"] != "") AND isset($data["addr"]) AND ($data["addr"] != ""))
                $userid_compact = $data["name"]." (".$data["addr"].")";
        else
                $userid_compact = GetProfileUsername($profile,$author, true);
 
-       if (isset($data["addr"]))
+       if (isset($data["addr"]) AND ($data["addr"] != ""))
                $userid = $data["addr"];
        else
                $userid = GetProfileUsername($profile,$author, false);
 
-       if (isset($data["name"]))
+       if (isset($data["name"]) AND ($data["name"] != ""))
                $author = $data["name"];
 
-       if (isset($data["thumb"]))
-               $avatar = $data["thumb"];
+       if (isset($data["micro"]) AND ($data["micro"] != ""))
+               $avatar = $data["micro"];
 
        $preshare = trim($share[1]);
 
@@ -893,8 +894,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
        // we may need to restrict this further if it picks up too many strays
        // link acct:user@host to a webfinger profile redirector
 
-       $Text = preg_replace('/acct:(.*?)@(.*?)([ ,])/', '<a href="' . $a->get_baseurl() . '/acctlink?addr=' . "$1@$2"
-               . '" target="extlink" >acct:' . "$1@$2$3" . '</a>',$Text);
+       $Text = preg_replace('/acct:([^@]+)@((?!\-)(?:[a-zA-Z\d\-]{0,62}[a-zA-Z\d]\.){1,126}(?!\d+)[a-zA-Z\d]{1,63})/', '<a href="' . $a->get_baseurl() . '/acctlink?addr=$1@$2" target="extlink">acct:$1@$2</a>',$Text);
 
        // Perform MAIL Search
        $Text = preg_replace("/\[mail\]([$MAILSearchString]*)\[\/mail\]/", '<a href="mailto:$1">$1</a>', $Text);
@@ -921,6 +921,9 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
        $Text = preg_replace("(\[h5\](.*?)\[\/h5\])ism",'<h5>$1</h5>',$Text);
        $Text = preg_replace("(\[h6\](.*?)\[\/h6\])ism",'<h6>$1</h6>',$Text);
 
+       // Check for paragraph
+       $Text = preg_replace("(\[p\](.*?)\[\/p\])ism",'<p>$1</p>',$Text);
+
        // Check for bold text
        $Text = preg_replace("(\[b\](.*?)\[\/b\])ism",'<strong>$1</strong>',$Text);
 
@@ -1140,6 +1143,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
                $Text = preg_replace("/\[event\-finish\](.*?)\[\/event\-finish\]/ism",'',$Text);
                $Text = preg_replace("/\[event\-location\](.*?)\[\/event\-location\]/ism",'',$Text);
                $Text = preg_replace("/\[event\-adjust\](.*?)\[\/event\-adjust\]/ism",'',$Text);
+               $Text = preg_replace("/\[event\-id\](.*?)\[\/event\-id\]/ism",'',$Text);
        }
 
 
@@ -1159,11 +1163,24 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
        $Text = preg_replace('/\&quot\;/','"',$Text);
 
        // fix any escaped ampersands that may have been converted into links
-       $Text = preg_replace("/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism",'<$1$2=$3&$4>',$Text);
-       $Text = preg_replace("/\<([^>]*?)(src|href)=\"(?!http|ftp|mailto|gopher|cid)(.*?)\>/ism",'<$1$2="">',$Text);
+       $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
+
+       // sanitizes src attributes (only relative redir URIs or http URLs)
+       $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
 
-       if($saved_image)
+       // sanitize href attributes (only whitelisted protocols URLs)
+       // default value for backward compatibility
+       $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', array('ftp', 'mailto', 'gopher', 'cid'));
+
+       // Always allowed protocol even if config isn't set or not including it
+       $allowed_link_protocols[] = 'http';
+
+       $regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
+       $Text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 class="invalid-href" title="' . t('Invalid link protocol') . '">', $Text);
+
+       if($saved_image) {
                $Text = bb_replace_images($Text, $saved_image);
+       }
 
        // Clean up the HTML by loading and saving the HTML with the DOM.
        // Bad structured html can break a whole page.