From b2c41163571e8b24b3d10bf36fd4b28174007caa Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 16 Nov 2020 18:16:20 -0500 Subject: [PATCH 1/9] Replace JQuery .text by .html - Prevents inserting unescaped HTML in page --- view/templates/admin/aside.tpl | 2 +- view/templates/event_head.tpl | 2 +- view/templates/photos_head.tpl | 2 +- view/templates/settings/head.tpl | 2 +- view/theme/frio/js/event_edit.js | 2 +- view/theme/frio/js/mod_photos.js | 2 +- view/theme/frio/js/modal.js | 4 ++-- view/theme/frio/js/theme.js | 8 ++++---- view/theme/frio/templates/admin/aside.tpl | 7 ++++--- view/theme/quattro/js/quattro.js | 4 ++-- view/theme/smoothly/templates/jot-header.tpl | 2 +- view/theme/vier/templates/event_head.tpl | 2 +- 12 files changed, 20 insertions(+), 19 deletions(-) diff --git a/view/templates/admin/aside.tpl b/view/templates/admin/aside.tpl index 0f624d8eb4..ecf71d8e56 100644 --- a/view/templates/admin/aside.tpl +++ b/view/templates/admin/aside.tpl @@ -4,7 +4,7 @@ $("nav").bind('nav-update', function(e,data){ var elm = $('#pending-update'); - var register = $(data).find('register').text(); + var register = $(data).find('register').html(); if (register=="0") { register=""; elm.hide();} else { elm.show(); } elm.html(register); }); diff --git a/view/templates/event_head.tpl b/view/templates/event_head.tpl index 8990c6fb25..3075408063 100644 --- a/view/templates/event_head.tpl +++ b/view/templates/event_head.tpl @@ -168,7 +168,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-public').hide(); }); if(selstr == null) { diff --git a/view/templates/photos_head.tpl b/view/templates/photos_head.tpl index 88fd067c8c..1d693e103c 100644 --- a/view/templates/photos_head.tpl +++ b/view/templates/photos_head.tpl 
@@ -10,7 +10,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); }); diff --git a/view/templates/settings/head.tpl b/view/templates/settings/head.tpl index f1229a5aa5..6d58e54a6c 100644 --- a/view/templates/settings/head.tpl +++ b/view/templates/settings/head.tpl @@ -9,7 +9,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); }); diff --git a/view/theme/frio/js/event_edit.js b/view/theme/frio/js/event_edit.js index a198eef07f..f7a9c4a760 100644 --- a/view/theme/frio/js/event_edit.js +++ b/view/theme/frio/js/event_edit.js @@ -23,7 +23,7 @@ $(document).ready(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-public').hide(); }); if (selstr == null) { diff --git a/view/theme/frio/js/mod_photos.js b/view/theme/frio/js/mod_photos.js index 692a7057f4..c75a997cab 100644 --- a/view/theme/frio/js/mod_photos.js +++ b/view/theme/frio/js/mod_photos.js 
@@ -5,7 +5,7 @@ $(document).ready(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); }); diff --git a/view/theme/frio/js/modal.js b/view/theme/frio/js/modal.js index a088b08e34..241cfd4cea 100644 --- a/view/theme/frio/js/modal.js +++ b/view/theme/frio/js/modal.js @@ -192,12 +192,12 @@ function loadModalTitle() { var title = ""; // Get the text of the first element with "heading" class. - title = $("#modal-body .heading").first().text(); + title = $("#modal-body .heading").first().html(); // for event modals we need some speacial handling if($("#modal-body .event-wrapper .event-summary").length) { title = ' '; - var eventsum = $("#modal-body .event-wrapper .event-summary").text(); + var eventsum = $("#modal-body .event-wrapper .event-summary").html(); title = title + eventsum; } diff --git a/view/theme/frio/js/theme.js b/view/theme/frio/js/theme.js index 99ec88de1a..b630739668 100644 --- a/view/theme/frio/js/theme.js +++ b/view/theme/frio/js/theme.js @@ -146,7 +146,7 @@ $(document).ready(function(){ if( $(".search-content-wrapper").length ) { // get the text of the heading (we catch the plain text because we don't // want to have a h4 heading in the navbar - var searchText = $(".section-title-wrapper > h2").text(); + var searchText = $(".section-title-wrapper > h2").html(); // insert the plain text in a

heading and give it a class var newText = '

'+searchText+'

'; // append the new heading to the navbar @@ -208,7 +208,7 @@ $(document).ready(function(){ // get the heading element var heading = $(".network-content-wrapper > .section-title-wrapper > h2"); // get the text of the heading - var headingContent = heading.text(); + var headingContent = heading.html(); // create a new element with the content of the heading var newText = '
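Review bot: The comment above the changed line, `// get the text of the heading (we catch the plain text because we don't want to have a h4 heading in the navbar`, no longer describes the code: `.html()` returns the heading's inner markup rather than plain text, so any child elements of the `h2` are now copied into the new heading as well. The same stale wording (`// get the text of the heading`) precedes `heading.html()` in the two following theme.js hunks (`@@ -208` and `@@ -221`). Suggest replacing it in all three places with `// take the heading's inner HTML rather than .text() so entities stay escaped when it is re-inserted as markup below`, which states the reason the commit made the switch.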

'+headingContent+'

'; // remove the old heading element @@ -221,7 +221,7 @@ $(document).ready(function(){ // get the heading element var heading = $(".community-content-wrapper > h3").first(); // get the text of the heading - var headingContent = heading.text(); + var headingContent = heading.html(); // create a new element with the content of the heading var newText = '

'+headingContent+'

'; // remove the old heading element @@ -790,7 +790,7 @@ function bin2hex (s) { // Dropdown menus with the class "dropdown-head" will display the active tab // as button text function toggleDropdownText(elm) { - $(elm).closest(".dropdown").find('.btn').html($(elm).text() + ' '); + $(elm).closest(".dropdown").find('.btn').html($(elm).html() + ' '); $(elm).closest(".dropdown").find('.btn').val($(elm).data('value')); $(elm).closest("ul").children("li").show(); $(elm).parent("li").hide(); diff --git a/view/theme/frio/templates/admin/aside.tpl b/view/theme/frio/templates/admin/aside.tpl index 0ba58e5aec..b02f5f6149 100644 --- a/view/theme/frio/templates/admin/aside.tpl +++ b/view/theme/frio/templates/admin/aside.tpl @@ -3,9 +3,10 @@ $(function(){ $("nav").bind('nav-update', function(e,data){ var elm = $('#pending-update'); - var register = $(data).find('register').text(); - if (register=="0") { register = ""; } - elm.html(register); + var register = parseInt($(data).find('register').text()); + if (register > 0) { + elm.html(register); + } }); }); diff --git a/view/theme/quattro/js/quattro.js b/view/theme/quattro/js/quattro.js index 89407569b7..e91794feba 100644 --- a/view/theme/quattro/js/quattro.js +++ b/view/theme/quattro/js/quattro.js @@ -2,8 +2,8 @@ $(document).ready(function(){ $('nav').bind('nav-update', function(e,data){ var notifCount = $(data).find('notif').attr('count'); - var intro = $(data).find('intro').text(); - var mail = $(data).find('mail').text(); + var intro = parseInt($(data).find('intro').text()); + var mail = parseInt($(data).find('mail').text()); $(".tool .notify").removeClass("on"); $(data).find("group").each(function() { diff --git a/view/theme/smoothly/templates/jot-header.tpl b/view/theme/smoothly/templates/jot-header.tpl index 3a70a5a9cc..71e54246b3 100644 --- a/view/theme/smoothly/templates/jot-header.tpl +++ b/view/theme/smoothly/templates/jot-header.tpl 
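Review bot: In the frio `admin/aside.tpl` hunk, `if (register > 0) { elm.html(register); }` drops the reset that the removed `register = "";` line performed, so once pending registrations fall back to zero the previously displayed count stays on screen until a reload. `elm.html(register > 0 ? register : '');` keeps the clearing behaviour. The non-frio `view/templates/admin/aside.tpl` hunk at the start of this patch handles the same `register` value differently (reads it with `.html()` and compares it to the string `"0"`); parsing it with `parseInt` there as well would keep the two templates consistent, since the value is a count.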
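Review bot: In the quattro.js hunk, `parseInt($(data).find('intro').text())` and the `mail` line below it yield `NaN` when the element is missing or empty, and the radix is left implicit. The values are consumed after this hunk, so how `NaN` behaves depends on that code: in a `> 0` comparison it acts like zero, but if it is concatenated into markup the literal `NaN` is shown. `parseInt($(data).find('intro').text(), 10) || 0` (and the same for `mail`) makes both paths well-defined. The enclosing handler continues outside the hunk.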
@@ -86,7 +86,7 @@ function enableOnUser(){ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); $('.profile-jot-net input').attr('disabled', 'disabled'); diff --git a/view/theme/vier/templates/event_head.tpl b/view/theme/vier/templates/event_head.tpl index 75f6f4b046..2c7b3070a7 100644 --- a/view/theme/vier/templates/event_head.tpl +++ b/view/theme/vier/templates/event_head.tpl @@ -170,7 +170,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-public').hide(); }); if(selstr == null) { From bbd3e44bb2b7188c5dfa3cf4c31f8ca70d6614e1 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 16 Nov 2020 18:17:24 -0500 Subject: [PATCH 2/9] Escape user names in notifications - The HTML notification message interpolation is unfiltered by the template # Conflicts: # mod/ping.php --- mod/ping.php | 40 ++++++++++++++-------------------------- 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/mod/ping.php b/mod/ping.php index 8e00ae31f1..1634ed725d 100644 --- a/mod/ping.php +++ b/mod/ping.php @@ -133,7 +133,7 @@ function ping_init(App $a) exit(); } - $notifs = ping_get_notifications(local_user()); + $notifications = ping_get_notifications(local_user()); $condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)", local_user(), Verb::getID(Activity::FOLLOW)]; 
@@ -263,8 +263,8 @@ function ping_init(App $a) $data['birthdays'] = $birthdays; $data['birthdays-today'] = $birthdays_today; - if (DBA::isResult($notifs)) { - foreach ($notifs as $notif) { + if (DBA::isResult($notifications)) { + foreach ($notifications as $notif) { if ($notif['seen'] == 0) { $sysnotify_count ++; } @@ -277,14 +277,14 @@ function ping_init(App $a) $notif = [ 'id' => 0, 'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'], - 'name' => $intro['name'], + 'name' => BBCode::convert($intro['name']), 'url' => $intro['url'], 'photo' => $intro['photo'], 'date' => $intro['datetime'], 'seen' => false, 'message' => DI::l10n()->t('{0} wants to be your friend'), ]; - $notifs[] = $notif; + $notifications[] = $notif; } } @@ -314,7 +314,7 @@ function ping_init(App $a) 'seen' => false, 'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1), ]; - $notifs[] = $notif; + $notifications[] = $notif; } } 
@@ -337,28 +337,16 @@ function ping_init(App $a) } return ($adate < $bdate) ? 1 : -1; }; - usort($notifs, $sort_function); + usort($notifications, $sort_function); - if (DBA::isResult($notifs)) { - foreach ($notifs as $notif) { - $contact = Contact::getByURL($notif['url'], false, ['micro', 'id', 'avatar']); - $notif['photo'] = Contact::getMicro($contact, $notif['photo']); - - $local_time = DateTimeFormat::local($notif['date']); - - $notifications[] = [ - 'id' => $notif['id'], - 'href' => $notif['href'], - 'name' => $notif['name'], - 'url' => $notif['url'], - 'photo' => $notif['photo'], - 'date' => Temporal::getRelativeDate($notif['date']), - 'message' => $notif['message'], - 'seen' => $notif['seen'], - 'timestamp' => strtotime($local_time) - ]; + array_walk($notifications, function (&$notification) { + if (empty($notification['photo'])) { + $contact = Contact::getByURL($notification['url'], false, ['micro', 'id', 'avatar']); + $notification['photo'] = Contact::getMicro($contact, $notif['photo']); } - } + + $notification['timestamp'] = DateTimeFormat::local($notification['date']); + }); } $sysmsgs = []; From b2666e779434f08e2984c781892f808cdfb64d09 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 16 Nov 2020 18:18:11 -0500 Subject: [PATCH 3/9] Escape user name in introduction fields help text - HTML help text aren't escaped in the template # Conflicts: # src/Module/Notifications/Introductions.php --- src/Module/Notifications/Introductions.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Module/Notifications/Introductions.php b/src/Module/Notifications/Introductions.php index bd0445b07a..2a8a6ef44a 100644 --- a/src/Module/Notifications/Introductions.php +++ b/src/Module/Notifications/Introductions.php 
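Review bot: Inside the new `array_walk` closure, `Contact::getMicro($contact, $notif['photo'])` references `$notif`, which is neither the closure's parameter nor captured with `use`, so it is undefined there (notice, and `null` is passed as the fallback); the closure's own variable is meant: `$notification['photo'] = Contact::getMicro($contact, $notification['photo']);`. Separately, `$notification['timestamp']` now receives the formatted string returned by `DateTimeFormat::local()`, whereas the removed code stored `strtotime($local_time)` (an integer) and also replaced `date` with `Temporal::getRelativeDate()`; if the consumer of the JSON expects a numeric `timestamp` or a relative `date`, this is a behaviour change worth confirming. `ping_init` continues outside the hunk.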
@@ -23,6 +23,7 @@ namespace Friendica\Module\Notifications; use Friendica\Content\ContactSelector; use Friendica\Content\Nav; +use Friendica\Content\Text\BBCode; use Friendica\Core\Protocol; use Friendica\Core\Renderer; use Friendica\Database\DBA; @@ -124,9 +125,11 @@ class Introductions extends BaseNotifications $knowyou = ''; } + $convertedName = BBCode::convert($notification->getName()); + $helptext = DI::l10n()->t('Shall your connection be bidirectional or not?'); - $helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $notification->getName(), $notification->getName()); - $helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $notification->getName()); + $helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $convertedName, $convertedName); + $helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $convertedName); $friend = ['duplex', DI::l10n()->t('Friend'), '1', $helptext2, true]; $follower = ['duplex', DI::l10n()->t('Subscriber'), '0', $helptext3, false]; From 54aef550c5c6b7dbe2e772ed1dee8462c2de4d98 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 17 Nov 2020 17:52:30 -0500 Subject: [PATCH 4/9] Remove superfluous mentions of parent-uri in Protocol\Diaspora - Address part of https://github.com/friendica/friendica/issues/9252#issuecomment-729171051 --- src/Protocol/Diaspora.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/Protocol/Diaspora.php b/src/Protocol/Diaspora.php index 9e9f1a574b..7ab41eb52b 100644 --- a/src/Protocol/Diaspora.php +++ b/src/Protocol/Diaspora.php 
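Review bot: `$convertedName = BBCode::convert($notification->getName());` carries the security-relevant intent of this commit, but nothing at the call site says why the name is converted before being passed to `t()`, so a later cleanup could plausibly "simplify" it back to `getName()`. A one-line comment above it would anchor the reason: `// The help texts are rendered unescaped by the template, so the name must be escaped (via BBCode conversion) before interpolation.` The enclosing method continues outside the hunk.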
@@ -1565,7 +1565,6 @@ class Diaspora $datarray["gravity"] = GRAVITY_COMMENT; $datarray['thr-parent'] = $thr_parent ?: $toplevel_parent_item['uri']; - $datarray['parent-uri'] = $toplevel_parent_item['uri']; $datarray["object-type"] = Activity\ObjectType::COMMENT; @@ -1963,7 +1962,6 @@ class Diaspora $datarray["verb"] = Activity::FOLLOW; $datarray["gravity"] = GRAVITY_ACTIVITY; $datarray['thr-parent'] = $toplevel_parent_item['uri']; - $datarray['parent-uri'] = $toplevel_parent_item['parent-uri']; $datarray["object-type"] = Activity\ObjectType::NOTE; @@ -2356,7 +2354,6 @@ class Diaspora $datarray['guid'] = $parent['guid'] . '-' . $guid; $datarray['uri'] = self::getUriFromGuid($author, $datarray['guid']); $datarray['thr-parent'] = $parent['uri']; - $datarray['parent-uri'] = $parent['parent-uri']; $datarray['verb'] = $datarray['body'] = Activity::ANNOUNCE; $datarray['gravity'] = GRAVITY_ACTIVITY; From 283b70928d9df3a9f4b2f457bdefdadc8586a32d Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 17 Nov 2020 17:53:03 -0500 Subject: [PATCH 5/9] Remove top-level parent check from Protocol\OStatus - It's done in Item::insert instead - Address part of https://github.com/friendica/friendica/issues/9252#issuecomment-729171051 --- src/Protocol/OStatus.php | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/Protocol/OStatus.php b/src/Protocol/OStatus.php index 9d9e10f7a3..b8724acc7f 100644 --- a/src/Protocol/OStatus.php +++ b/src/Protocol/OStatus.php 
@@ -521,12 +521,6 @@ class OStatus Logger::log("Item with uri ".self::$itemlist[0]['uri']." will be imported since the thread contains posts or shares.", Logger::DEBUG); } } - } else { - // But we will only import complete threads - $valid = Item::exists(['uid' => $importer["uid"], 'uri' => self::$itemlist[0]['parent-uri']]); - if ($valid) { - Logger::log("Item with uri ".self::$itemlist[0]["uri"]." belongs to parent ".self::$itemlist[0]['thr-parent']." of user ".$importer["uid"].". It will be imported.", Logger::DEBUG); - } } if ($valid) { From 93380b8471164a8ed5d1d46e94d53bf37fe87cee Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 17 Nov 2020 17:57:37 -0500 Subject: [PATCH 6/9] Suppress notice while logging in Model\Contact - Address https://github.com/friendica/friendica/issues/9252#issuecomment-716042132 --- src/Model/Contact.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Model/Contact.php b/src/Model/Contact.php index 656506d84d..80a5d93cb2 100644 --- a/src/Model/Contact.php +++ b/src/Model/Contact.php @@ -1113,7 +1113,7 @@ class Contact $contact = self::selectFirst(['id'], ['nurl' => $urls, 'uid' => $uid]); if (!empty($contact['id'])) { $contact_id = $contact['id']; - Logger::info('Fetched id by url', ['cid' => $contact_id, 'uid' => $uid, 'url' => $url, 'probed_url' => $data['url'], 'alias' => $data['alias'], 'addr' => $data['addr']]); + Logger::info('Fetched id by url', ['cid' => $contact_id, 'uid' => $uid, 'url' => $url, 'data' => $data]); } } From ccad67c68fde4dc2529509b85a2d5714628a0855 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 17 Nov 2020 17:59:39 -0500 Subject: [PATCH 7/9] Use correct contact key in Protocol\ActivityPub\Transmitter - Address https://github.com/friendica/friendica/issues/9252#issuecomment-719866843 --- src/Protocol/ActivityPub/Transmitter.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
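Review bot: In the `Model/Contact.php` hunk, `'data' => $data` avoids the notice on missing `alias`/`addr` keys but widens the log record to every field the probe returned, which is more than the three fields the message previously carried and may include values not intended for an info-level log. `array_intersect_key($data, array_flip(['url', 'alias', 'addr']))` keeps the original selection without the notice, since it silently skips keys that are absent. The enclosing method continues outside the hunk.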
diff --git a/src/Protocol/ActivityPub/Transmitter.php b/src/Protocol/ActivityPub/Transmitter.php index 43a4384d4d..531a23a69b 100644 --- a/src/Protocol/ActivityPub/Transmitter.php +++ b/src/Protocol/ActivityPub/Transmitter.php @@ -719,7 +719,7 @@ class Transmitter continue; } - if ($isforum && ($contact['dfrn'] == Protocol::DFRN)) { + if ($isforum && ($contact['network'] == Protocol::DFRN)) { continue; } From 260b9e7bd3b8e663f77d05970df6cfb76e3ca430 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 17 Nov 2020 18:01:03 -0500 Subject: [PATCH 8/9] Improve expectation for not modified check in theme/vier/style - Address https://github.com/friendica/friendica/issues/9252#issuecomment-721994406 --- view/theme/vier/style.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/view/theme/vier/style.php b/view/theme/vier/style.php index ac5cd08efb..8cd0d7a32a 100644 --- a/view/theme/vier/style.php +++ b/view/theme/vier/style.php @@ -61,7 +61,7 @@ header('Cache-Control: public'); header('ETag: "'.$etag.'"'); header('Last-Modified: '.$modified); -if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH'])) { +if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && isset($_SERVER['HTTP_IF_NONE_MATCH'])) { $cached_modified = gmdate('r', strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'])); $cached_etag = str_replace(['"', "-gzip"], ['', ''], stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])); From 096cb19d1205952142b3ed85d3760e6af4364d49 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 17 Nov 2020 18:06:16 -0500 Subject: [PATCH 9/9] Suppress notice when causer-id exists but not causer-link in Model\Item::isAllowedByUser - Address https://github.com/friendica/friendica/issues/9252#issuecomment-723440980 --- src/Model/Item.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Model/Item.php b/src/Model/Item.php index 0fcb445e0b..9890c8a995 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php 
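Review bot: `$contact['network'] == Protocol::DFRN` only does its job if `network` is among the columns selected when `$contact` is fetched; that query is outside the hunk, and the bug being fixed (comparing a never-set `dfrn` key) would recur silently if the field list does not include it, because a missing key compares as `null` and the forum-skip never triggers. Worth checking the select alongside this change. Since `Protocol::DFRN` is a string constant, `===` would also be the stricter comparison here.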
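Review bot: In the `vier/style.php` hunk, switching `||` to `&&` removes the notice when only one validator header is present, but it also means a client that sends only `If-None-Match` or only `If-Modified-Since` never gets a 304 and always receives the full stylesheet. Evaluating each header on its own (with `If-None-Match` taking precedence, as RFC 7232 prescribes) avoids both the notice and the lost cache hits; the comparison and 304 response that follow are outside this hunk and would need to treat a `null` validator as "not supplied".
```php
header('Last-Modified: '.$modified);

// Evaluate each validator on its own; a client may send only one of them.
$cached_etag = isset($_SERVER['HTTP_IF_NONE_MATCH'])
	? str_replace(['"', "-gzip"], ['', ''], stripslashes($_SERVER['HTTP_IF_NONE_MATCH']))
	: null;
$cached_modified = isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])
	? gmdate('r', strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']))
	: null;
// … unchanged (outside this hunk): compare against $etag / $modified and send 304, skipping a validator that is null …
```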
@@ -3980,12 +3980,12 @@ class Item // The causer is set during a thread completion, for example because of a reshare. It countains the responsible actor. if (!empty($item['causer-id']) && Contact\User::isBlocked($item['causer-id'], $user_id)) { - Logger::notice('Causer is blocked by user', ['causer-link' => $item['causer-link'], 'uid' => $user_id, 'item-uri' => $item['uri']]); + Logger::notice('Causer is blocked by user', ['causer-link' => $item['causer-link'] ?? $item['causer-id'], 'uid' => $user_id, 'item-uri' => $item['uri']]); return false; } if (!empty($item['causer-id']) && ($item['gravity'] === GRAVITY_PARENT) && Contact\User::isIgnored($item['causer-id'], $user_id)) { - Logger::notice('Causer is ignored by user', ['causer-link' => $item['causer-link'], 'uid' => $user_id, 'item-uri' => $item['uri']]); + Logger::notice('Causer is ignored by user', ['causer-link' => $item['causer-link'] ?? $item['causer-id'], 'uid' => $user_id, 'item-uri' => $item['uri']]); return false; }
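Review bot: `'causer-link' => $item['causer-link'] ?? $item['causer-id']` silences the notice but makes the `causer-link` log field hold either a URL or a numeric id, so anyone filtering these notices by that field gets mixed types under one key. Logging both explicitly keeps the record unambiguous: `'causer-id' => $item['causer-id'], 'causer-link' => $item['causer-link'] ?? null`. The same applies to the second `Logger::notice` call in this hunk; `isAllowedByUser` continues outside the hunk.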