"escapeTags" is finally removed
authorMichael <heluecht@pirati.ca>
Sun, 7 Nov 2021 09:18:25 +0000 (09:18 +0000)
committerMichael <heluecht@pirati.ca>
Sun, 7 Nov 2021 09:18:25 +0000 (09:18 +0000)
mod/photos.php
mod/tagger.php
src/Module/BaseSearch.php
src/Module/Invite.php
src/Module/Search/Directory.php
src/Module/Search/Index.php
src/Module/Search/Saved.php
src/Util/Strings.php
tests/src/Util/StringsTest.php
view/templates/directory_header.tpl
view/theme/frio/templates/directory_header.tpl

index 1b8d5069f84e6c873186c59be406b482ad4cb5f6..6cfdd6a998a558bb611704c350fdcc58eebf5270 100644 (file)
@@ -204,7 +204,7 @@ function photos_post(App $a)
                }
 
                // RENAME photo album
-               $newalbum = Strings::escapeTags(trim($_POST['albumname']));
+               $newalbum = trim($_POST['albumname']);
                if ($newalbum != $album) {
                        Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]);
                        // Update the photo albums cache
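Review bot: The album name on the `$newalbum` line is now stored exactly as posted, so every place that later prints it has to escape it for its own context; that rendering is outside this hunk and should be checked for templates that still use `nofilter` on the album name. The same line reads `$_POST['albumname']` without a default, and on PHP 8 `trim()` throws a TypeError when the parameter arrives as an array; `$newalbum = is_string($_POST['albumname'] ?? null) ? trim($_POST['albumname']) : '';` avoids both. An empty result probably should not reach `Photo::update`, but whether an earlier check already prevents that cannot be seen here, since photos_post() starts and ends outside the hunk.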
index af555790a53fda3a083758d36ca30d44187bce31..4afe6efb67a9115b9c0714bc3f464eaa0e460284 100644 (file)
@@ -32,7 +32,6 @@ use Friendica\Model\Item;
 use Friendica\Model\Post;
 use Friendica\Model\Tag;
 use Friendica\Protocol\Activity;
-use Friendica\Util\Strings;
 use Friendica\Util\XML;
 use Friendica\Worker\Delivery;
 
@@ -42,15 +41,15 @@ function tagger_content(App $a) {
                return;
        }
 
-       $term = Strings::escapeTags(trim($_GET['term']));
+       $term = trim($_GET['term']);
        // no commas allowed
-       $term = str_replace([',',' '],['','_'],$term);
+       $term = str_replace([',',' ', '<', '>'],['','_', '', ''], $term);
 
        if (!$term) {
                return;
        }
 
-       $item_id = ((DI::args()->getArgc() > 1) ? Strings::escapeTags(trim(DI::args()->getArgv()[1])) : 0);
+       $item_id = ((DI::args()->getArgc() > 1) ? trim(DI::args()->getArgv()[1]) : 0);
 
        Logger::notice('tagger: tag ' . $term . ' item ' . $item_id);
 
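Review bot: `$item_id` now comes from the request path with only `trim()` applied and is concatenated into the `Logger::notice` line together with `$term`, so control characters inside either value reach the log unescaped. The `: 0` fallback suggests a numeric id; if that holds, `$item_id = (DI::args()->getArgc() > 1) ? (int)DI::args()->getArgv()[1] : 0;` closes this for the id. The `str_replace` on `$term` strips only `<` and `>`, so quotes and `&` still pass and whatever markup the term is embedded in later still needs its own escaping. tagger_content() continues outside the hunk, so where the term ends up cannot be confirmed from here.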
index bccfc94de594d9c0b6d42d8a78adf5bc5272203d..a3e7a8a8ccb4b97a079e6143e9f7d1cdd8a2e3e1 100644 (file)
@@ -48,7 +48,6 @@ class BaseSearch extends BaseModule
         */
        public static function performContactSearch($search, $prefix = '')
        {
-               $a      = DI::app();
                $config = DI::config();
 
                $type = Search::TYPE_ALL;
index 566e54b129db3da2ba97c543f00a49abbfb9c23f..65438c15146f828a608a5fe76241f5fc4c9c6879 100644 (file)
@@ -58,7 +58,7 @@ class Invite extends BaseModule
 
 
                $recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : [];
-               $message = !empty($_POST['message']) ? Strings::escapeTags(trim($_POST['message'])) : '';
+               $message = !empty($_POST['message']) ? Strings::escapeHtml(trim($_POST['message'])) : '';
 
                $total = 0;
                $invitation_only = false;
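Review bot: `Strings::escapeHtml()` on the `$message` line escapes at input time, while the rest of this commit moves to escaping at output. How `$message` is used lies outside the hunk; if it goes into a plain-text mail body the recipients would see literal `&amp;` and `&quot;`, and if it passes through an auto-escaping template it would be encoded twice. I would keep the raw value, `$message = !empty($_POST['message']) ? trim($_POST['message']) : '';`, and escape where it is emitted. Failing that, add a comment on this line naming the output context the escaping is meant for.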
index 6c898ecd0abbe282bc91bf5b7e73f6473bfc40f1..692122155f0288ce1c5a4829b28f1d9904a12dc8 100644 (file)
@@ -25,7 +25,6 @@ use Friendica\Content\Widget;
 use Friendica\DI;
 use Friendica\Module\BaseSearch;
 use Friendica\Module\Security\Login;
-use Friendica\Util\Strings;
 
 /**
  * Directory search module
@@ -39,7 +38,7 @@ class Directory extends BaseSearch
                        return Login::form();
                }
 
-               $search = Strings::escapeTags(trim(rawurldecode($_REQUEST['search'] ?? '')));
+               $search = trim(rawurldecode($_REQUEST['search'] ?? ''));
 
                if (empty(DI::page()['aside'])) {
                        DI::page()['aside'] = '';
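Review bot: `rawurldecode()` on the `$search` line decodes a value that PHP already URL-decoded when it filled `$_REQUEST`, so a doubly percent-encoded character only becomes its literal form here, after any request-level filtering has inspected the value. With `escapeTags` removed, the string then goes on unmodified, which leaves output escaping as the only barrier. Unless a client is known to double-encode, `$search = trim($_REQUEST['search'] ?? '');` is the safer form. The same pattern is on the `$_GET['q']` and `$_GET['tag']` lines in src/Module/Search/Index.php and on the `$_GET['term']` line in src/Module/Search/Saved.php. The method body continues outside the hunk.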
index e9086cf587240b0c2d97927317856d355b70b0db..769d5f90d2a2ee9862097f68bf795b4a43e63e87 100644 (file)
@@ -38,13 +38,12 @@ use Friendica\Model\Post;
 use Friendica\Model\Tag;
 use Friendica\Module\BaseSearch;
 use Friendica\Network\HTTPException;
-use Friendica\Util\Strings;
 
 class Index extends BaseSearch
 {
        public static function content(array $parameters = [])
        {
-               $search = (!empty($_GET['q']) ? Strings::escapeTags(trim(rawurldecode($_GET['q']))) : '');
+               $search = (!empty($_GET['q']) ? trim(rawurldecode($_GET['q'])) : '');
 
                if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) {
                        throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.'));
@@ -88,7 +87,7 @@ class Index extends BaseSearch
                $tag = false;
                if (!empty($_GET['tag'])) {
                        $tag = true;
-                       $search = '#' . Strings::escapeTags(trim(rawurldecode($_GET['tag'])));
+                       $search = '#' . trim(rawurldecode($_GET['tag']));
                }
 
                // contruct a wrapper for the search header
index 723860bd80cf04e75c50d9974f612004edb49a4e..d5cc15ceea3f0da5476e26da020c77b747df468a 100644 (file)
@@ -25,14 +25,13 @@ use Friendica\BaseModule;
 use Friendica\Core\Search;
 use Friendica\Database\DBA;
 use Friendica\DI;
-use Friendica\Util\Strings;
 
 class Saved extends BaseModule
 {
        public static function init(array $parameters = [])
        {
                $action = DI::args()->get(2, 'none');
-               $search = Strings::escapeTags(trim(rawurldecode($_GET['term'] ?? '')));
+               $search = trim(rawurldecode($_GET['term'] ?? ''));
 
                $return_url = $_GET['return_url'] ?? Search::getSearchPath($search);
 
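Review bot: The unfiltered `$search` on the new line is presumably what gets stored as a saved search (the storing code is outside this hunk), which would make it persisted content that is shown back later. It is worth confirming that the template listing saved searches prints it through default escaping and not `nofilter`. On the adjacent context line, `$return_url` is taken from `$_GET['return_url']` as-is; if it feeds a redirect further down, it should be restricted to local paths. init() continues outside the hunk.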
index 2f27e4a5ff9b1cbb91f358bf7b64a572123e0d49..1be56d0e78f307db5c487ed24d1ab96488e5f73e 100644 (file)
@@ -59,22 +59,6 @@ class Strings
                return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
        }
 
-       /**
-        * This is our primary input filter.
-        *
-        * Use this on any text input where angle chars are not valid or permitted
-        * They will be replaced with safer brackets. This may be filtered further
-        * if these are not allowed either.
-        *
-        * @param string $string Input string
-        * @return string Filtered string
-        * @deprecated since 2020.09 Please use Smarty default HTML escaping for templates or htmlspecialchars() otherwise
-        */
-       public static function escapeTags($string)
-       {
-               return str_replace(["<", ">"], ['[', ']'], $string);
-       }
-
        /**
         * Use this on "body" or "content" input where angle chars shouldn't be removed,
         * and allow them to be safely displayed.
index 5adaa9157aa9f8a8c6c96032dd24975015c8180a..7bfe9906b47119ce36a226c99bbd33c837215c33 100644 (file)
@@ -90,10 +90,8 @@ class StringsTest extends TestCase
        {
                $invalidstring='<submit type="button" onclick="alert(\'failed!\');" />';
 
-               $validstring = Strings::escapeTags($invalidstring);
                $escapedString = Strings::escapeHtml($invalidstring);
 
-               self::assertEquals('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring);
                self::assertEquals(
                        "&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;",
                        $escapedString
index e277c29dacaadaa69c318ff8fe68aa323756eddc..7ee38a64a57003b188897a3955732dc7a6470476 100644 (file)
@@ -9,7 +9,7 @@
 
 <div id="directory-search-wrapper">
        <form id="directory-search-form" action="{{$search_mod}}" method="get">
-               <span class="dirsearch-desc">{{$desc nofilter}}</span>
+               <span class="dirsearch-desc">{{$desc}}</span>
                <input type="text" name="search" id="directory-search" class="search-input" onfocus="this.select();" value="{{$search}}" />
                <input type="submit" name="submit" id="directory-search-submit" value="{{$submit}}" class="button" />
        </form>
index f4c9f0f4b78adc69ebd735b7465c8e1f079907ff..cef6208ad08eeda6dbccc5cf024e5f14660bc6a4 100644 (file)
@@ -15,7 +15,7 @@
                                <div class="col-md-2"></div>
                                <div class="col-md-8 ">
                                        <div class="form-group form-group-search">
-                                               <input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc nofilter}}"/>
+                                               <input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc}}"/>
                                                <button class="btn btn-default btn-sm form-button-search" type="submit" id="directory-search-submit">{{$submit}}</button>
                                        </div>
                                </div>