Fix escaping in email notification template

[friendica.git] / mod / follow.php

diff --git a/mod/follow.php b/mod/follow.php
index 5c6c6d9d34c37a50d3404f4fced854702aa001d6..1ee61ce9e14802448c8a8b87e59a699a18b5ed4c 100644 (file)
--- a/mod/follow.php
+++ b/mod/follow.php
@@ -13,6 +13,7 @@ use Friendica\Model\Profile;
 use Friendica\Network\Probe;
 use Friendica\Database\DBA;
 use Friendica\Util\Proxy as ProxyUtils;
+use Friendica\Util\Strings;
 
 function follow_post(App $a)
 {
@@ -21,12 +22,12 @@ function follow_post(App $a)
        }
 
        if (isset($_REQUEST['cancel'])) {
-               $a->internalRedirect('contacts');
+               $a->internalRedirect('contact');
        }
 
        $uid = local_user();
-       $url = notags(trim($_REQUEST['url']));
-       $return_path = 'contacts';
+       $url = Strings::escapeTags(trim($_REQUEST['url']));
+       $return_path = 'follow?url=' . urlencode($url);
 
        // Makes the connection request for friendica contacts easier
        // This is just a precaution if maybe this page is called somewhere directly via POST
@@ -51,7 +52,7 @@ function follow_post(App $a)
 
 function follow_content(App $a)
 {
-       $return_path = 'contacts';
+       $return_path = 'contact';
 
        if (!local_user()) {
                notice(L10n::t('Permission denied.'));
@@ -60,7 +61,7 @@ function follow_content(App $a)
        }
 
        $uid = local_user();
-       $url = notags(trim($_REQUEST['url']));
+       $url = Strings::escapeTags(trim($_REQUEST['url']));
 
        $submit = L10n::t('Submit Request');
 
@@ -68,8 +69,8 @@ function follow_content(App $a)
        $r = q("SELECT `pending` FROM `contact` WHERE `uid` = %d AND ((`rel` != %d) OR (`network` = '%s')) AND
                (`nurl` = '%s' OR `alias` = '%s' OR `alias` = '%s') AND
                `network` != '%s' LIMIT 1",
-               intval(local_user()), DBA::escape(Contact::FOLLOWER), DBA::escape(Protocol::DFRN), DBA::escape(normalise_link($url)),
-               DBA::escape(normalise_link($url)), DBA::escape($url), DBA::escape(Protocol::STATUSNET));
+               intval(local_user()), DBA::escape(Contact::FOLLOWER), DBA::escape(Protocol::DFRN), DBA::escape(Strings::normaliseLink($url)),
+               DBA::escape(Strings::normaliseLink($url)), DBA::escape($url), DBA::escape(Protocol::STATUSNET));
 
        if ($r) {
                if ($r[0]['pending']) {
@@ -130,7 +131,7 @@ function follow_content(App $a)
        $_SESSION['fastlane'] = $ret['url'];
 
        $r = q("SELECT `id`, `location`, `about`, `keywords` FROM `gcontact` WHERE `nurl` = '%s'",
-               normalise_link($ret['url']));
+               Strings::normaliseLink($ret['url']));
 
        if (!$r) {
                $r = [['location' => '', 'about' => '', 'keywords' => '']];