XSS vulnerability when remote-subscribing

[quix0rs-gnu-social.git] / plugins / Mapstraction / actions / map.php

diff --git a/plugins/Mapstraction/actions/map.php b/plugins/Mapstraction/actions/map.php
index 9834e97f9d1c53d09bc064087f382c7e426ae141..48861af9942605295b9b81bf775ed9c7032420c3 100644 (file)
--- a/plugins/Mapstraction/actions/map.php
+++ b/plugins/Mapstraction/actions/map.php
@@ -120,9 +120,11 @@ class MapAction extends Action
         $jsonArray = array();
 
         while ($this->notice->fetch()) {
-            if (!empty($this->notice->lat) && !empty($this->notice->lon)) {
-                $jsonNotice = $this->noticeAsJson($this->notice);
-                $jsonArray[] = $jsonNotice;
+            try {
+                $notloc = Notice_location::locFromStored($this->notice);
+                $jsonArray[] = $this->noticeAsJson($this->notice);
+            } catch (ServerException $e) {
+                // no location data
             }
         }
 
@@ -143,14 +145,14 @@ class MapAction extends Action
         $act = new ApiAction('/dev/null');
 
         $arr = $act->twitterStatusArray($notice, true);
-        $arr['url'] = $notice->getUrl();
+        $arr['url'] = $notice->getUrl(true);
         $arr['html'] = $notice->rendered;
         $arr['source'] = $arr['source'];
 
         if (!empty($notice->reply_to)) {
             $reply_to = Notice::getKV('id', $notice->reply_to);
             if (!empty($reply_to)) {
-                $arr['in_reply_to_status_url'] = $reply_to->getUrl();
+                $arr['in_reply_to_status_url'] = $reply_to->getUrl(true);
             }
             $reply_to = null;
         }