X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FUtil%2FACLFormatter.php;h=352c914bcf54222953eefaebd243003b71531d1f;hb=51ebb1541a62c0fd691d995326d61775cc7d61d3;hp=a7d851508d4e22d1c9441b959eb541c56e2875b9;hpb=9f215fc33b55b58348091ef0f08327074226dbdb;p=friendica.git
diff --git a/src/Util/ACLFormatter.php b/src/Util/ACLFormatter.php
index a7d851508d..352c914bcf 100644
--- a/src/Util/ACLFormatter.php
+++ b/src/Util/ACLFormatter.php
@@ -1,4 +1,23 @@ .
+ *
+ */
 namespace Friendica\Util;
@@ -12,33 +31,60 @@ final class ACLFormatter
 /**
 * Turn user/group ACLs stored as angle bracketed text into arrays
 *
- * @param string|null $ids A angle-bracketed list of IDs
+ * @param string|null $acl_string A angle-bracketed list of IDs
 *
 * @return array The array based on the IDs (empty in case there is no list)
 */
- public function expand(string $ids = null)
+ public function expand(string $acl_string = null)
 {
 // In case there is no ID list, return empty array (=> no ACL set)
- if (!isset($ids)) {
+ if (!isset($acl_string)) {
 return [];
 }
 // turn string array of angle-bracketed elements into numeric array
 // e.g. "<1><2><3>" => array(1,2,3);
- preg_match_all('/<(' . Group::FOLLOWERS . '|'. Group::MUTUALS . '|[0-9]+)>/', $ids, $matches, PREG_PATTERN_ORDER);
+ preg_match_all('/<(' . Group::FOLLOWERS . '|'. Group::MUTUALS . '|[0-9]+)>/', $acl_string, $matches, PREG_PATTERN_ORDER);
 return $matches[1];
 }
+ /**
+ * Takes an arbitrary ACL string and sanitizes it for storage
+ *
+ * @param string|null $acl_string
+ * @return string
+ */
+ public function sanitize(string $acl_string = null)
+ {
+ if (empty($acl_string)) {
+ return '';
+ }
+
+ $cleaned_list = trim($acl_string, '<>');
+
+ if (empty($cleaned_list)) {
+ return '';
+ }
+
+ $elements = explode('><', $cleaned_list);
+
+ sort($elements);
+
+ array_walk($elements, [$this, 'sanitizeItem']);
+
+ return implode('', $elements);
+ }
+
 /**
 * Wrap ACL elements in angle brackets for storage
 *
 * @param string $item The item to sanitise
 */
- private function sanitize(string &$item) {
+ private function sanitizeItem(string &$item) {
 // The item is an ACL int value
 if (intval($item)) {
- $item = '<' . intval(Strings::escapeTags(trim($item))) . '>';
+ $item = '<' . intval($item) . '>';
 // The item is a allowed ACL character
 } elseif (in_array($item, [Group::FOLLOWERS, Group::MUTUALS])) {
 $item = '<' . $item . '>';
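Review bot: `sanitizeItem()` accepts anything `intval()` can coerce, so the new public `sanitize()` can store entries that `expand()` in the same hunk never reads back: `expand()` matches only `[0-9]+`, while `intval($item)` turns `-5` into `<-5>` and `12abc` into `<12>`. For an access-control list this means a malformed entry is either silently rewritten to a different ID or stored and then dropped on expansion. How callers treat the resulting shorter or empty list is not visible here, so it is worth confirming that it fails closed. Validating against the same grammar as `expand()` would close the gap, e.g. `if (ctype_digit($item) && intval($item)) {`. The body of `sanitizeItem()` continues past the end of the hunk, so the handling of rejected items cannot be checked from here.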
@@ -70,7 +116,7 @@ final class ACLFormatter
 }
 if (is_array($item)) {
- array_walk($item, [$this, 'sanitize']);
+ array_walk($item, [$this, 'sanitizeItem']);
 $return = implode('', $item);
 }
 return $return;