more bugs

diff --git a/boot.php b/boot.php
index 1a60ee173d2a6ffa5a2df64ce9a077e3207ea2ac..56d85f63829f7f9c92b416d132b9fd97b7c9e92b 100644 (file)
--- a/boot.php
+++ b/boot.php
@@ -205,12 +205,10 @@ function notags($string) {
        return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
 }}
 
-// The PHP built-in tag escape function has traditionally been buggy
 if(! function_exists('escape_tags')) {
 function escape_tags($string) {
-       return(str_replace(
-               array('&', '"', "'", '<', '>'), 
-               array('&amp;', '&quot;', '&#39;', '&lt;', '&gt;'), $string));
+
+       return(htmlspecialchars($string));
 }}
 
 if(! function_exists('login')) {

diff --git a/include/items.php b/include/items.php
index d583ffecc38f3b9088d81341ce4a288d15537c6c..937fc39fd988c63cb17832ad5ad74e96d70bda8a 100644 (file)
--- a/include/items.php
+++ b/include/items.php
@@ -63,7 +63,7 @@ function get_feed_for(&$a,$dfrn_id,$owner_id,$last_update) {
                `contact`.`id` AS `contact-id`, `contact`.`uid` AS `contact-uid`
                FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
                WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
-               AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 
+               AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
                AND `item`.`edited` > '%s'
                $sql_extra
                ORDER BY `parent` ASC, `created` ASC LIMIT 0, 300",
@@ -114,7 +114,7 @@ function get_feed_for(&$a,$dfrn_id,$owner_id,$last_update) {
                                        '$published' => xmlify(datetime_convert('UTC', 'UTC', $item['created'] . '+00:00' , 'Y-m-d\TH:i:s\Z')),
                                        '$updated' => xmlify(datetime_convert('UTC', 'UTC', $item['edited'] . '+00:00' , 'Y-m-d\TH:i:s\Z')),
                                        '$content' =>xmlify($item['body']),
-                                       '$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id'] && (! $contact['blocked']))) ? 1 : 0)
+                                       '$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id'])) ? 1 : 0)
                                ));
                        }
                        else {

diff --git a/include/notifier.php b/include/notifier.php
index b8eef3971f44d850d625bf34d64fbca1697a732f..bd787dbfb887a0bfa9f3dd2aeaf2dd062d825d14 100644 (file)
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -96,7 +96,7 @@ dbg(3);
                $conversant_str = dbesc(implode(', ',$conversants));
        }
 
-       $r = q("SELECT * FROM `contact` WHERE `id` IN ( $conversant_str ) AND `blocked` = 0 ");
+       $r = q("SELECT * FROM `contact` WHERE `id` IN ( $conversant_str ) AND `blocked` = 0 AND `pending` = 0");
 
        if( ! count($r))
                killme();

diff --git a/include/security.php b/include/security.php
index 8b34525349bf337d891f7a51abba7500ce1d72d0..a71391dbaca30cc20cc44657d40b5199afeaa4ab 100644 (file)
--- a/include/security.php
+++ b/include/security.php
@@ -6,7 +6,7 @@ function can_write_wall(&$a,$owner) {
         if((local_user()) && ($_SESSION['uid'] == $owner))
                 return true;
 
-        $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `id` = %d AND `blocked` = 0",
+        $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `id` = %d AND `blocked` = 0 AND `pending` = 0 LIMIT 1",
                 intval($owner),
                 intval($_SESSION['visitor_id'])
         );

diff --git a/mod/contacts.php b/mod/contacts.php
index 585ac1423227b7d5d4878feaa6f5f1c1c73c324f..4f48c1c3d5f4f205589d40eb80f443101ce2fac6 100644 (file)
--- a/mod/contacts.php
+++ b/mod/contacts.php
@@ -119,7 +119,7 @@ function contacts_content(&$a) {
                                                $p['id']);
                                }
                        }
-                       if($intval($contact_id))
+                       if(intval($contact_id))
                                q("DELETE FROM `item` WHERE `contact-id` = %d LIMIT 1",
                                        intval($contact_id)
                                );
@@ -184,7 +184,7 @@ function contacts_content(&$a) {
                return $o;
 
        }
-dbg(2);
+
        if(($a->argc == 2) && ($a->argv[1] == 'all'))
                $sql_extra = '';
        else
@@ -212,7 +212,7 @@ dbg(2);
                        break;
        }
 
-       $r = q("SELECT * FROM `contact` WHERE `uid` = %d $sql_extra $sql_extra2 ",
+       $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `pending` = 0 $sql_extra $sql_extra2 ",
                intval($_SESSION['uid']));
 
        if(count($r)) {

diff --git a/mod/dfrn_confirm.php b/mod/dfrn_confirm.php
index e02fbf3d0a3cb78693175365f9ee8b5b76344810..1a3947d970bf445690c460148506f72539c30ce5 100644 (file)
--- a/mod/dfrn_confirm.php
+++ b/mod/dfrn_confirm.php
@@ -136,7 +136,7 @@ function dfrn_confirm_post(&$a) {
                                $thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg';
                        }
 
-                       $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0 WHERE `id` = %d LIMIT 1",
+                       $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0, `pending` = 0 WHERE `id` = %d LIMIT 1",
                                dbesc($photo),
                                dbesc($thumb),
                                intval($dfrn_record)
@@ -361,7 +361,7 @@ function dfrn_confirm_post(&$a) {
                        $thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg';
                }
 
-               $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0 WHERE `id` = %d LIMIT 1",
+               $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0, `pending` = 0 WHERE `id` = %d LIMIT 1",
                        dbesc($photo),
                        dbesc($thumb),
                        intval($contact_id)

diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php
index 1d7ca3a505e649e65e45d1e5d590f034649f6923..ead49982bec5519434b9eddce697d98b442bf679 100644 (file)
--- a/mod/dfrn_notify.php
+++ b/mod/dfrn_notify.php
@@ -143,7 +143,7 @@ dbg(3);
 
 
                        $datarray = get_atom_elements($item);
-                       $datarray['parent-uri'] = $item['uri']
+                       $datarray['parent-uri'] = $item_id;
                        $datarray['uid'] = $importer['uid'];
                        $datarray['contact-id'] = $importer['id'];
                        $r = post_remote($a,$datarray);
@@ -176,7 +176,7 @@ function dfrn_notify_content(&$a) {
                        intval(time() + 60 )
                );
 
-               $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 LIMIT 1",
+               $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 AND `pending` = 0 LIMIT 1",
                        dbesc($_GET['dfrn_id']));
                if((! count($r)) || (! strlen($r[0]['prvkey'])))
                        $status = 1;

diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index 6b4c50ad2e78e1cd8cfcfeb22d04ddcae422a12e..e3da6c9526f718f5b99455902548ea04b36e57df 100644 (file)
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -165,7 +165,7 @@ function dfrn_poll_content(&$a) {
                        dbesc($last_update)
                );
 
-               $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 LIMIT 1",
+               $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 AND `pending` = 0 LIMIT 1",
                        dbesc($_GET['dfrn_id']));
                if((! count($r)) || (! strlen($r[0]['prvkey'])))
                        $status = 1;

diff --git a/mod/item.php b/mod/item.php
index 4de9dc59f8e2df9b552a9309ad04c429cabd80e5..e0497af7a54e79e240915d6fa1365252d04e706a 100644 (file)
--- a/mod/item.php
+++ b/mod/item.php
@@ -5,7 +5,7 @@ function sanitise_acl(&$item) {
 }
 
 function item_post(&$a) {
-dbg(3);
+
        if((! local_user()) && (! remote_user()))
                return;
 
@@ -170,6 +170,6 @@ dbg(3);
                        array(),$foo));
 
        }
-//     goaway($a->get_baseurl() . "/" . $_POST['return'] );
+       goaway($a->get_baseurl() . "/" . $_POST['return'] );
        return; // NOTREACHED
 }
\ No newline at end of file

diff --git a/mod/network.php b/mod/network.php
index 3ccd8be485f9ed2373ba53557ccf20f9d2042817..51b528832a88a55747003f2a6649573904d5e614 100644 (file)
--- a/mod/network.php
+++ b/mod/network.php
@@ -40,7 +40,7 @@ function network_content(&$a) {
        $r = q("SELECT COUNT(*) AS `total`
                FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
                WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
-               AND `contact`.`blocked` = 0 
+               AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
                $sql_extra ",
                intval($_SESSION['uid'])
        );
@@ -54,7 +54,7 @@ function network_content(&$a) {
                `contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`
                FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
                WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
-               AND `contact`.`blocked` = 0 
+               AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
                $sql_extra
                ORDER BY `parent` DESC, `created` ASC LIMIT %d ,%d ",
                intval($_SESSION['uid']),

diff --git a/mod/profile.php b/mod/profile.php
index 7a3858ba260c40bb0ae8e20d1f785db04fcbdf9a..5cd13d596125f70641b0e1307c77f246ec49b053 100644 (file)
--- a/mod/profile.php
+++ b/mod/profile.php
@@ -155,7 +155,7 @@ function profile_content(&$a) {
        $r = q("SELECT COUNT(*) AS `total`
                FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
                WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
-               AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 
+               AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 
                $sql_extra ",
                intval($a->profile['uid'])
 
@@ -171,7 +171,7 @@ function profile_content(&$a) {
                `contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`
                FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
                WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0
-               AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 
+               AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
                $sql_extra
                ORDER BY `parent` DESC, `id` ASC LIMIT %d ,%d ",
                intval($a->profile['uid']),

diff --git a/mod/register.php b/mod/register.php
index 2e5d02273a002ee10b4a239a52b0fd980eb22094..53ead682f16be7f85e491552fa85ca2ae7bacea3 100644 (file)
--- a/mod/register.php
+++ b/mod/register.php
@@ -123,9 +123,9 @@ function register_post(&$a) {
                                intval($newuid));
                        return;
                }
-               $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `photo`, `thumb`, `blocked`, `url`,
+               $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `photo`, `thumb`, `blocked`, `pending`, `url`,
                        `request`, `notify`, `poll`, `confirm` )
-                       VALUES ( %d, '%s', 1, '%s', '%s', '%s', 0, '%s', '%s', '%s', '%s', '%s' ) ",
+                       VALUES ( %d, '%s', 1, '%s', '%s', '%s', 0, 0, '%s', '%s', '%s', '%s', '%s' ) ",
                        intval($newuid),
                        datetime_convert(),
                        dbesc($username),

diff --git a/view/acl_selectors.php b/view/acl_selectors.php
index e3ee8c879249f931ae3795031259d8815f0128d1..09ce24d0e5000e5327ebce313564375d02ca997b 100644 (file)
--- a/view/acl_selectors.php
+++ b/view/acl_selectors.php
@@ -36,7 +36,9 @@ function contact_select($selname,$selclass,$preselected = false,$size = 4) {
 
        $o .= "<select name=\"{$selname}[]\" class=\"$selclass\" multiple=\"multiple\" size=\"$size\" />\r\n";
 
-       $r = q("SELECT `id`, `name` FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 ORDER BY `name` ASC ",
+       $r = q("SELECT `id`, `name` FROM `contact` 
+               WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 AND `pending` = 0 
+               ORDER BY `name` ASC ",
                $_SESSION['uid']
        );