Merge branch '0.9.x' into 1.0.x

diff --combined lib/util.php
index b20ed8225f4a991f2e9842fddda8843734ae4b97,35fcfdb090a7f862b446fc6f77e09e61e82d3d12..df339d4b1e39e6058c84ea3d31becf2e1bb05210
--- 1/lib/util.php
--- 2/lib/util.php
+++ b/lib/util.php
@@@ -145,6 -145,7 +145,6 @@@ function common_switch_locale($language
      textdomain("statusnet");
  }
  
 -
  function common_timezone()
  {
      if (common_logged_in()) {
@@@ -157,38 -158,22 +157,38 @@@
      return common_config('site', 'timezone');
  }
  
 +function common_valid_language($lang)
 +{
 +    if ($lang) {
 +        // Validate -- we don't want to end up with a bogus code
 +        // left over from some old junk.
 +        foreach (common_config('site', 'languages') as $code => $info) {
 +            if ($info['lang'] == $lang) {
 +                return true;
 +            }
 +        }
 +    }
 +    return false;
 +}
 +
  function common_language()
  {
 +    // Allow ?uselang=xx override, very useful for debugging
 +    // and helping translators check usage and context.
 +    if (isset($_GET['uselang'])) {
 +        $uselang = strval($_GET['uselang']);
 +        if (common_valid_language($uselang)) {
 +            return $uselang;
 +        }
 +    }
 +
      // If there is a user logged in and they've set a language preference
      // then return that one...
      if (_have_config() && common_logged_in()) {
          $user = common_current_user();
 -        $user_language = $user->language;
 -
 -        if ($user->language) {
 -            // Validate -- we don't want to end up with a bogus code
 -            // left over from some old junk.
 -            foreach (common_config('site', 'languages') as $code => $info) {
 -                if ($info['lang'] == $user_language) {
 -                    return $user_language;
 -                }
 -            }
 +
 +        if (common_valid_language($user->language)) {
 +            return $user->language;
          }
      }
  
@@@ -916,23 -901,33 +916,45 @@@ function common_linkify($url) 
  
  function common_shorten_links($text, $always = false)
  {
 -    $maxLength = Notice::maxContent();
 -    if (!$always && ($maxLength == 0 || mb_strlen($text) <= $maxLength)) return $text;
 -    return common_replace_urls_callback($text, array('File_redirection', 'makeShort'));
 +    common_debug("common_shorten_links() called");
 +
 +    $user = common_current_user();
 +
 +    $maxLength = User_urlshortener_prefs::maxNoticeLength($user);
 +
 +    common_debug("maxLength = $maxLength");
 +
 +    if ($always || mb_strlen($text) > $maxLength) {
 +        common_debug("Forcing shortening");
 +        return common_replace_urls_callback($text, array('File_redirection', 'forceShort'));
 +    } else {
 +        common_debug("Not forcing shortening");
 +        return common_replace_urls_callback($text, array('File_redirection', 'makeShort'));
 +    }
  }
  
+ /**
+  * Very basic stripping of invalid UTF-8 input text.
+  *
+  * @param string $str
+  * @return mixed string or null if invalid input
+  *
+  * @todo ideally we should drop bad chars, and maybe do some of the checks
+  *       from common_xml_safe_str. But we can't strip newlines, etc.
+  * @todo Unicode normalization might also be useful, but not needed now.
+  */
+ function common_validate_utf8($str)
+ {
+     // preg_replace will return NULL on invalid UTF-8 input.
+     return preg_replace('//u', '', $str);
+ }
+ 
+ /**
+  * Make sure an arbitrary string is safe for output in XML as a single line.
+  *
+  * @param string $str
+  * @return string
+  */
  function common_xml_safe_str($str)
  {
      // Replace common eol and extra whitespace input chars
@@@ -1276,8 -1271,14 +1298,8 @@@ function common_redirect($url, $code=30
      exit;
  }
  
 -function common_broadcast_notice($notice, $remote=false)
 -{
 -    // DO NOTHING!
 -}
 +// Stick the notice on the queue
  
 -/**
 - * Stick the notice on the queue.
 - */
  function common_enqueue_notice($notice)
  {
      static $localTransports = array('omb',
@@@ -1291,9 -1292,18 +1313,9 @@@
          $transports[] = 'plugin';
      }
  
 -    $xmpp = common_config('xmpp', 'enabled');
 -
 -    if ($xmpp) {
 -        $transports[] = 'jabber';
 -    }
 -
      // We can skip these for gatewayed notices.
      if ($notice->isLocal()) {
          $transports = array_merge($transports, $localTransports);
 -        if ($xmpp) {
 -            $transports[] = 'public';
 -        }
      }
  
      if (Event::handle('StartEnqueueNotice', array($notice, &$transports))) {
@@@ -1675,19 -1685,25 +1697,25 @@@ function common_config($main, $sub
              array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
  }
  
+ /**
+  * Pull arguments from a GET/POST/REQUEST array with first-level input checks:
+  * strips "magic quotes" slashes if necessary, and kills invalid UTF-8 strings.
+  *
+  * @param array $from
+  * @return array
+  */
  function common_copy_args($from)
  {
      $to = array();
      $strip = get_magic_quotes_gpc();
      foreach ($from as $k => $v) {
-         if($strip) {
-             if(is_array($v)) {
-                 $to[$k] = common_copy_args($v);
-             } else {
-                 $to[$k] = stripslashes($v);
-             }
+         if(is_array($v)) {
+             $to[$k] = common_copy_args($v);
          } else {
-             $to[$k] = $v;
+             if ($strip) {
+                 $v = stripslashes($v);
+             }
+             $to[$k] = strval(common_validate_utf8($v));
          }
      }
      return $to;
@@@ -1825,6 -1841,21 +1853,6 @@@ function common_session_token(
      return $_SESSION['token'];
  }
  
 -function common_cache_key($extra)
 -{
 -    return Cache::key($extra);
 -}
 -
 -function common_keyize($str)
 -{
 -    return Cache::keyize($str);
 -}
 -
 -function common_memcache()
 -{
 -    return Cache::instance();
 -}
 -
  function common_license_terms($uri)
  {
      if(preg_match('/creativecommons.org\/licenses\/([^\/]+)/', $uri, $matches)) {
@@@ -1865,42 -1896,30 +1893,42 @@@ function common_database_tablename($tab
  /**
   * Shorten a URL with the current user's configured shortening service,
   * or ur1.ca if configured, or not at all if no shortening is set up.
 - * Length is not considered.
   *
 - * @param string $long_url
 + * @param string  $long_url original URL
 + * @param boolean $force    Force shortening (used when notice is too long)
 + *
   * @return string may return the original URL if shortening failed
   *
   * @fixme provide a way to specify a particular shortener
   * @fixme provide a way to specify to use a given user's shortening preferences
   */
 -function common_shorten_url($long_url)
 +
 +function common_shorten_url($long_url, $force = false)
  {
 +    common_debug("Shortening URL '$long_url' (force = $force)");
 +
      $long_url = trim($long_url);
 +
      $user = common_current_user();
 -    if (empty($user)) {
 -        // common current user does not find a user when called from the XMPP daemon
 -        // therefore we'll set one here fix, so that XMPP given URLs may be shortened
 -        $shortenerName = 'ur1.ca';
 -    } else {
 -        $shortenerName = $user->urlshorteningservice;
 +
 +    $maxUrlLength = User_urlshortener_prefs::maxUrlLength($user);
 +    common_debug("maxUrlLength = $maxUrlLength");
 +
 +    // $force forces shortening even if it's not strictly needed
 +
 +    if (mb_strlen($long_url) < $maxUrlLength && !$force) {
 +        common_debug("Skipped shortening URL.");
 +        return $long_url;
      }
  
 -    if(Event::handle('StartShortenUrl', array($long_url,$shortenerName,&$shortenedUrl))){
 +    $shortenerName = User_urlshortener_prefs::urlShorteningService($user);
 +
 +    common_debug("Shortener name = '$shortenerName'");
 +
 +    if (Event::handle('StartShortenUrl', array($long_url, $shortenerName, &$shortenedUrl))) {
          //URL wasn't shortened, so return the long url
          return $long_url;
 -    }else{
 +    } else {
          //URL was shortened, so return the result
          return trim($shortenedUrl);
      }