Escape user names in notifications

- The HTML notification message interpolation is unfiltered by the template

# Conflicts:
#	mod/ping.php
Hypolite Petovan 2020-11-16 18:17:24 -05:00
parent b2c4116357
commit bbd3e44bb2


@ -133,7 +133,7 @@ function ping_init(App $a)
exit(); exit();
} }
$notifs = ping_get_notifications(local_user()); $notifications = ping_get_notifications(local_user());
$condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)", $condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)",
local_user(), Verb::getID(Activity::FOLLOW)]; local_user(), Verb::getID(Activity::FOLLOW)];
@ -263,8 +263,8 @@ function ping_init(App $a)
$data['birthdays'] = $birthdays; $data['birthdays'] = $birthdays;
$data['birthdays-today'] = $birthdays_today; $data['birthdays-today'] = $birthdays_today;
if (DBA::isResult($notifs)) { if (DBA::isResult($notifications)) {
foreach ($notifs as $notif) { foreach ($notifications as $notif) {
if ($notif['seen'] == 0) { if ($notif['seen'] == 0) {
$sysnotify_count ++; $sysnotify_count ++;
} }
@ -277,14 +277,14 @@ function ping_init(App $a)
$notif = [ $notif = [
'id' => 0, 'id' => 0,
'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'], 'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'],
'name' => $intro['name'], 'name' => BBCode::convert($intro['name']),
'url' => $intro['url'], 'url' => $intro['url'],
'photo' => $intro['photo'], 'photo' => $intro['photo'],
'date' => $intro['datetime'], 'date' => $intro['datetime'],
'seen' => false, 'seen' => false,
'message' => DI::l10n()->t('{0} wants to be your friend'), 'message' => DI::l10n()->t('{0} wants to be your friend'),
]; ];
$notifs[] = $notif; $notifications[] = $notif;
} }
} }
@ -314,7 +314,7 @@ function ping_init(App $a)
'seen' => false, 'seen' => false,
'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1), 'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1),
]; ];
$notifs[] = $notif; $notifications[] = $notif;
} }
} }
@ -337,28 +337,16 @@ function ping_init(App $a)
} }
return ($adate < $bdate) ? 1 : -1; return ($adate < $bdate) ? 1 : -1;
}; };
usort($notifs, $sort_function); usort($notifications, $sort_function);
if (DBA::isResult($notifs)) { array_walk($notifications, function (&$notification) {
foreach ($notifs as $notif) { if (empty($notification['photo'])) {
$contact = Contact::getByURL($notif['url'], false, ['micro', 'id', 'avatar']); $contact = Contact::getByURL($notification['url'], false, ['micro', 'id', 'avatar']);
$notif['photo'] = Contact::getMicro($contact, $notif['photo']); $notification['photo'] = Contact::getMicro($contact, $notif['photo']);
$local_time = DateTimeFormat::local($notif['date']);
$notifications[] = [
'id' => $notif['id'],
'href' => $notif['href'],
'name' => $notif['name'],
'url' => $notif['url'],
'photo' => $notif['photo'],
'date' => Temporal::getRelativeDate($notif['date']),
'message' => $notif['message'],
'seen' => $notif['seen'],
'timestamp' => strtotime($local_time)
];
} }
}
$notification['timestamp'] = DateTimeFormat::local($notification['date']);
});
} }
$sysmsgs = []; $sysmsgs = [];
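Review bot: In the new `array_walk` closure of the last hunk (-337/+337), the fallback passed to `Contact::getMicro()` is still `$notif['photo']`, but `$notif` is neither a parameter of the closure nor imported with `use`, so it is undefined in that scope and evaluates to null with a notice or warning. The line should read `$notification['photo'] = Contact::getMicro($contact, $notification['photo']);`. The same hunk also stops passing `date` through `Temporal::getRelativeDate()` and stores the `DateTimeFormat::local()` string in `timestamp` where the old code stored `strtotime($local_time)`; if the consumer of this response still expects a relative date and an integer timestamp, both need restoring, which the visible lines cannot confirm. ping_init starts and ends outside these hunks, so whether the `name` of the registration notification built above the -314 hunk gets the same `BBCode::convert()` treatment as the intro name cannot be checked here.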