sanitise all incoming URLs - also stop them from getting mangled by SimplePie
authorFriendika <info@friendika.com>
Thu, 17 Feb 2011 01:32:15 +0000 (17:32 -0800)
committerFriendika <info@friendika.com>
Thu, 17 Feb 2011 01:32:15 +0000 (17:32 -0800)
boot.php
images/remote-link.gif [new file with mode: 0644]
include/items.php
mod/follow.php
simplepie/simplepie.inc

index dcf5b1c1aac8f0299507d11107adcdade6047eca..322a4e307497dafd5095e26abd2dd1f758b3139e 100644 (file)
--- a/boot.php
+++ b/boot.php
@@ -2453,7 +2453,12 @@ if(! function_exists('get_plink')) {
 function get_plink($item) {
        $a = get_app(); 
        $plink = (((x($item,'plink')) && (! $item['private'])) ? '<div class="wall-item-links-wrapper"><a href="' 
-                       . $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/link-icon.gif" alt="' . t('link to source') . '" /></a></div>' : '');
+                       . $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/remote-link.gif" alt="' . t('link to source') . '" /></a></div>' : '');
        return $plink;
 }}
 
+if(! function_exists('unamp')) {
+function unamp($s) {
+       return str_replace('&amp;', '&', $s);
+}}
+
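Review bot: `unamp` on line 26 is undocumented, and its name undersells what the commit message calls sanitising: it only reverses one level of `&amp;` encoding and leaves every other entity (and a doubly-encoded `&amp;amp;`) untouched, so callers must not treat its result as validated or escaped. A docblock should pin that contract, e.g. `/** Undo a single level of "&amp;" -> "&" encoding in a URL taken from feed/XRD markup; it is not an escaper or validator. @param string $s @return string */`. The function also has no guard for a non-string argument; if callers can pass null (e.g. a missing href attribute), `str_replace` returns an empty string silently, which is worth stating in the docblock so the "empty URL" case is handled deliberately by callers.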
diff --git a/images/remote-link.gif b/images/remote-link.gif
new file mode 100644 (file)
index 0000000..008397f
Binary files /dev/null and b/images/remote-link.gif differ
index 153debd7d321f803f2fa11a5fc934f0647092ae4..0951adbae1b0873f5c4101cac1fd002f94274aa6 100644 (file)
@@ -350,7 +350,7 @@ function get_atom_elements($feed,$item) {
                        '[youtube]$1[/youtube]', $res['body']);
 
                $res['body'] = oembed_html2bbcode($res['body']);
-       
+
                $config = HTMLPurifier_Config::createDefault();
                $config->set('Cache.DefinitionImpl', null);
 
@@ -363,7 +363,7 @@ function get_atom_elements($feed,$item) {
 
                $res['body'] = html2bbcode($res['body']);
        }
-       
+
        $allow = $item->get_item_tags(NAMESPACE_DFRN,'comment-allow');
        if($allow && $allow[0]['data'] == 1)
                $res['last-child'] = 1;
index eaee7d5aca2f0002fa56f2dcd9f7fb69afc53782..763ffb1b01c456e436057d9cfe72f94324273974 100644 (file)
@@ -19,15 +19,15 @@ function follow_post(&$a) {
                if(count($links)) {
                        foreach($links as $link) {
                                if($link['@attributes']['rel'] === NAMESPACE_DFRN)
-                                       $dfrn = $link['@attributes']['href'];
+                                       $dfrn = unamp($link['@attributes']['href']);
                                if($link['@attributes']['rel'] === 'salmon')
-                                       $notify = $link['@attributes']['href'];
+                                       $notify = unamp($link['@attributes']['href']);
                                if($link['@attributes']['rel'] === NAMESPACE_FEED)
-                                       $poll = $link['@attributes']['href'];
+                                       $poll = unamp($link['@attributes']['href']);
                                if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard')
-                                       $hcard = $link['@attributes']['href'];
+                                       $hcard = unamp($link['@attributes']['href']);
                                if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
-                                       $profile = $link['@attributes']['href'];
+                                       $profile = unamp($link['@attributes']['href']);
 
                        }
 
@@ -43,10 +43,10 @@ function follow_post(&$a) {
                                        if(strpos($link['@attributes']['href'],'@') === false) {
                                                if(isset($profile)) {
                                                        if($link['@attributes']['href'] !== $profile)
-                                                               $alias = $link['@attributes']['href'];
+                                                               $alias = unamp($link['@attributes']['href']);
                                                }
                                                else
-                                                       $profile = $link['@attributes']['href'];
+                                                       $profile = unamp($link['@attributes']['href']);
                                        }
                                }
                        }
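Review bot: The comparison on line 78 still uses the raw `href` while `$profile` now holds the decoded value (it is assigned through `unamp` on lines 71 and 84), so a profile link whose query string contains `&amp;` never equals `$profile`, and `$alias` on line 80 is then set to the same URL as the profile. The comparison should decode before comparing: `if(unamp($link['@attributes']['href']) !== $profile)`. The `strpos(...,'@')` test on line 76 is unaffected, since `&amp;` contains no `@`. follow_post starts and ends outside the hunk.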
@@ -103,7 +103,7 @@ function follow_post(&$a) {
                $ret = scrape_feed($url);
 
                if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) {
-                       $poll = ((x($ret,'feed_atom')) ? $ret['feed_atom'] : $ret['feed_rss']);
+                       $poll = ((x($ret,'feed_atom')) ? unamp($ret['feed_atom']) : unamp($ret['feed_rss']));
                        $vcard = array();
                        require_once('simplepie/simplepie.inc');
                    $feed = new SimplePie();
@@ -116,27 +116,31 @@ function follow_post(&$a) {
                        $vcard['photo'] = $feed->get_image_url();
                        $author = $feed->get_author();
                        if($author) {                   
-                               $vcard['fn'] = trim($author->get_name());
-                               $vcard['nick'] = strtolower($vcard['fn']);
+                               $vcard['fn'] = unxmlify(trim($author->get_name()));
+                               $vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));
                                if(strpos($vcard['nick'],' '))
                                        $vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
-                               $email = $author->get_email();
+                               $email = unxmlify($author->get_email());
                        }
                        else {
                                $item = $feed->get_item(0);
                                if($item) {
                                        $author = $item->get_author();
                                        if($author) {                   
-                                               $vcard['fn'] = trim($author->get_name());
-                                               $vcard['nick'] = strtolower($vcard['fn']);
+                                               $vcard['fn'] = trim(unxmlify($author->get_name()));
+                                               if(! $vcard['fn'])
+                                                       $vcard['fn'] = trim(unxmlify($author->get_email()));
+                                               if(strpos($vcard['fn'],'@') !== false)
+                                                       $vcard['fn'] = substr($vcard['fn'],0,strpos($vcard['fn'],'@'));
+                                               $vcard['nick'] = strtolower(unxmlify($vcard['fn']));
                                                if(strpos($vcard['nick'],' '))
                                                        $vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
-                                               $email = $author->get_email();
+                                               $email = unxmlify($author->get_email());
                                        }
                                        if(! $vcard['photo']) {
                                                $rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail');
                                                if($rawmedia && $rawmedia[0]['attribs']['']['url'])
-                                                       $vcard['photo'] = $rawmedia[0]['attribs']['']['url'];
+                                                       $vcard['photo'] = unxmlify($rawmedia[0]['attribs']['']['url']);
                                        }
                                }
                        }
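Review bot: Line 122 runs `unxmlify` a second time over `$vcard['fn']`, which line 117 has already decoded; the first branch does the same on line 104 but additionally wraps the value in `notags`, so the two branches now derive `nick` differently from the same author name, and double decoding turns an entity that was meant to stay literal (`&amp;lt;`) into markup before the `notags` pass further down the function runs. Both branches should read `$vcard['nick'] = strtolower($vcard['fn']);` and rely on the single `notags` pass applied later. Separately, `get_email()` on lines 108, 119 and 126 can presumably return null when a feed has no author email, so `unxmlify`'s handling of null should be confirmed. follow_post starts and ends outside the hunk.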
@@ -150,6 +154,9 @@ function follow_post(&$a) {
 
        logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true));
 
+       $vcard['fn'] = notags($vcard['fn']);
+       $vcard['nick'] = notags($vcard['nick']);
+
        // do we have enough information?
        
        if(! ((x($vcard['fn'])) && ($poll) && ($profile))) {
@@ -157,6 +164,7 @@ function follow_post(&$a) {
                goaway($_SESSION['return_url']);
        }
 
+
        if(! $notify) {
                notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL);
        }
index 185e17bccf4b56c47d9689e1d83f392212cc3921..c3ba02b7db9531d63ff49c815baec37827e21798 100644 (file)
@@ -9226,6 +9226,7 @@ class SimplePie_Misc
 
        function absolutize_url($relative, $base)
        {
+return $relative;
                $iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative);
                return $iri->get_iri();
        }
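Review bot: The unconditional `return $relative;` on line 159 leaves lines 160-161 unreachable and disables URL absolutization for every caller of `absolutize_url`, not just the feed URLs the commit message is about, so relative `href`/`src` values in feed content will now pass through unresolved. If that is intended, the dead lines should be removed and the patch to this vendored file recorded in place, e.g. `// friendica: absolutization disabled, IRI normalisation mangled incoming URLs (see commit message)`, so the change is not lost on the next SimplePie upgrade. If it is not intended, the early return should be limited to the inputs that were actually being mangled rather than applied to all of them. The line is also at column 0 while the surrounding method body is indented.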