Don't trust local HTML either
authorMikael Nordfeldth <mmn@hethane.se>
Fri, 29 Jan 2016 23:00:37 +0000 (00:00 +0100)
committerMikael Nordfeldth <mmn@hethane.se>
Fri, 29 Jan 2016 23:00:37 +0000 (00:00 +0100)
If we reallyreally want to include <img> or <script> or whatever then we
have to do that after Notice::saveActivity sets ->rendered.

classes/Notice.php

index bbf543e5a610727f08d67c91a640116525007bce..ccd398003d4ad7f362753ad02f3f5f3e08695e8b 100644 (file)
@@ -848,13 +848,12 @@ class Notice extends Managed_DataObject
         $stored->url = $url;
         $stored->verb = $act->verb;
 
-        // Notice content. We trust local users to provide HTML we like, but of course not remote users.
-        // FIXME: What about local users importing feeds? Mirror functions must filter out bad HTML first...
         $content = $act->content ?: $act->summary;
         if (is_null($content) && !is_null($actobj)) {
             $content = $actobj->content ?: $actobj->summary;
         }
-        $stored->rendered = $actor->isLocal() ? $content : common_purify($content);
+        // Strip out any bad HTML
+        $stored->rendered = common_purify($content);
         // yeah, just don't use getRendered() here since it's not inserted yet ;)
         $stored->content = common_strip_html($stored->rendered);
         if (trim($stored->content) === '') {
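Review bot: The added comment `// Strip out any bad HTML` drops the rationale the removed FIXME carried, which is the whole point of the change: an actor being local says nothing about where its HTML came from (feed imports, mirrors), so `isLocal()` was never a trust boundary for markup. Suggest `// Purify regardless of origin: local actors can relay remote HTML (feed imports, mirrors), so isLocal() is not a trust boundary; any richer markup must be added after ->rendered is set.` Separately, when `$act->content`, `$act->summary` and the `$actobj` fallback are all null, the added line passes null into common_purify(); whether that helper tolerates null is not visible here, and the remote path already did this before the change, so if it matters a cast such as `common_purify((string) $content)` keeps the `trim($stored->content) === ''` check below on the same footing for both cases. The enclosing saveActivity() body continues on both sides of the hunk.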