From a86c178ccf38875fa68edbc70f4dba0ac14c764c Mon Sep 17 00:00:00 2001 From: nobody Date: Wed, 10 Feb 2021 16:06:56 -0800 Subject: [PATCH 1/2] superblock: we need the entire xchan record, not just the url. Also prevent blocking your own site. --- Zotlabs/Module/Superblock.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/Zotlabs/Module/Superblock.php b/Zotlabs/Module/Superblock.php index b1d07088e..8bb540f72 100644 --- a/Zotlabs/Module/Superblock.php +++ b/Zotlabs/Module/Superblock.php @@ -30,6 +30,13 @@ class Superblock extends Controller { $m = parse_url($blocked); if ($m['scheme'] && $m['host'] && (($type === BLOCKTYPE_SERVER) || (! $m['path']))) { + if (strcasecmp($m['host'],App::get_hostname()) === 0) { + notice(t('Blocking this site is not permitted.')); + if ($inline) { + return; + } + killme(); + } $type = BLOCKTYPE_SERVER; $blocked = $m['host']; } @@ -40,11 +47,13 @@ class Superblock extends Controller { if ($blocked) { $handled = true; if ($type === BLOCKTYPE_CHANNEL) { - $r = q("select xchan_url from xchan where ( xchan_hash = '%s' or xchan_addr = '%s' or xchan_url = '%s' )", + + $r = q("select * from xchan where ( xchan_hash = '%s' or xchan_addr = '%s' or xchan_url = '%s' )", dbesc($blocked), dbesc($blocked), dbesc($blocked) ); + if (! $r) { // not in cache - try discovery $wf = discover_by_webbie($blocked,'',false); @@ -71,6 +80,7 @@ class Superblock extends Controller { if ($r) { $r = Libzot::zot_record_preferred($r,'xchan_network'); + $blocked = $r['xchan_hash']; } } @@ -80,7 +90,7 @@ class Superblock extends Controller { 'block_type' => $type, 'block_comment' => t('Added by Superblock') ]; - + LibBlock::store($bl); $sync = []; @@ -192,6 +202,7 @@ class Superblock extends Controller { function get() { $l = LibBlock::fetch(local_channel(),BLOCKTYPE_CHANNEL); + $list = ids_to_array($l,'block_entity'); stringify_array_elms($list,true); From 3880c16a832c1047352b6291043e849633fe550c Mon Sep 17 00:00:00 2001 
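Review bot: The self-block guard in the first hunk compares `$m['host']` with `App::get_hostname()` directly, and `parse_url()` never puts a port into `host`, so if the application hostname carries a `:port` on a non-standard-port install the guard is silently bypassed; normalising both sides (drop anything from `:` on) or documenting that this is a convenience check rather than a security boundary would be appropriate, since aliases and IP literals for the same site will not match either. The check also runs only inside the `if ($m['scheme'] && $m['host'] ...)` branch, so input that is already a bare hostname takes a path outside this hunk, and the enclosing method starts before the hunk. A one-line comment would help the next reader: `// refuse to block our own hostname; compares host only, not scheme or port`.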
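Review bot: Switching the xchan query to `select *` is the substance of the second hunk, but nothing on the line says why, and a later reader may well shrink it back to a single column; a comment on the query such as `// full row needed: zot_record_preferred() keys on xchan_network and the stored entity is xchan_hash` would pin the dependency. The two blank lines added around the query are whitespace-only noise and could be dropped from the patch.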
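Review bot: `$blocked = $r['xchan_hash'];` changes what is stored as block_entity for channels from the user-supplied string to the xchan hash, but only when a record was found; when neither the cache nor discovery returns a row the raw input is still stored, so block_entity now holds a mix of hashes and addresses/URLs. Rows created before this change are also keyed by whatever form was entered then, so any lookup that compares block_entity against xchan_hash (LibBlock::fetch() and the `get()` listing are not visible here) should tolerate both, or a one-off migration should rewrite old rows. That zot_record_preferred() returns a single row is inferred from the `$r['xchan_hash']` index; if that holds, a comment such as `// store the canonical hash; zot_record_preferred() collapses the result set to one row` would make it explicit.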
From: nobody Date: Wed, 10 Feb 2021 17:55:10 -0800 Subject: [PATCH 2/2] multicode_purify() continued --- include/bbcode.php | 27 ++++++++++++++++++++++----- include/text.php | 4 +--- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/include/bbcode.php b/include/bbcode.php index 21dd0e656..c05fc4924 100644 --- a/include/bbcode.php +++ b/include/bbcode.php @@ -1021,6 +1021,22 @@ function bb_imgoptions($match) { } +function multicode_purify($s) { + + $s = preg_replace_callback("/\[code(.*?)\](.*?)\[\/code\]/ism", function ($match) { + return '[code' . $match[1] . ']' . bb_code_protect($match[2]) . '[/code]'; + }, $s); + + $s = preg_replace_callback('#(^|\n)([`~]{3,})(?: *\.?([a-zA-Z0-9\-.]+))?\n+([\s\S]+?)\n+\2(\n|$)#', function ($match) { + return $match[1] . $match[2] . "\n" . bb_code_protect($match[4]) . "\n" . $match[2] . (($match[5]) ? $match[5] : "\n"); + }, $s); + + $s = purify_html($s, [ 'escape' ]); + + return bb_code_unprotect($s); + +} + function bb_code_preprotect($matches) { return '[code' . $matches[1] . ']' . 'b64.^8e%.' . base64_encode(str_replace('
','|+br+|',$matches[2])) . '.b64.$8e%' . '[/code]'; } @@ -1094,7 +1110,7 @@ function md_codeblock($content) { $language = !empty($content[3]) ? filter_var($content[3], FILTER_SANITIZE_STRING) : ''; $class = !empty($language) ? sprintf(' class="%s language-%s"', $language, $language) : ''; - // Build one block so that we not create each paragraph. + // Build one block so that we not render each paragraph separately. $content = str_replace("\n", '
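Review bot: The fenced-code callback in multicode_purify() drops the language tag: group 3 of the pattern captures it, but the replacement emits only `$match[1] . $match[2] . "\n"`, so a ```` ```php ```` fence comes back as a bare ```` ``` ```` and md_codeblock(), which reads `$content[3]`, never sees it. Changing the return to `return $match[1] . $match[2] . $match[3] . "\n" . bb_code_protect($match[4]) . "\n" . $match[2] . (($match[5]) ? $match[5] : "\n");` keeps it (the optional spaces and dot before the tag are not captured and cannot be restored). The function also needs a docblock stating its contract — that [code] and fenced bodies are protected before purify_html() and put back verbatim afterward, so they reach storage unpurified and the code renderer must HTML-escape them — plus `@param string $s` and `@return string`; bb_code_protect()/bb_code_unprotect() are outside the hunk, so that escaping obligation cannot be confirmed here.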
', $content[4]); return sprintf('
%s
', $class, bb_code_protect($content)); @@ -1417,10 +1433,11 @@ function bbcode($Text, $options = []) { // was moved to rendering code to allow multiple code formats // A proper fix would be to escape any code blocks before purification, // restore them and store the resultant intermediate multicode. + // This is now accomplished using multicode_purify() - if (strpbrk($Text,'<>') !== false) { - $Text = purify_html($Text, [ 'escape' ]); - } + // if (strpbrk($Text,'<>') !== false) { + // $Text = purify_html($Text, [ 'escape' ]); + // } // Perform some markdown conversions before translating linefeeds so as to keep the regexes manageable @@ -1948,7 +1965,7 @@ function bbcode($Text, $options = []) { $Text = preg_replace("/\<(.*?)(src|href)=(.*?)\&\;(.*?)\>/ism", '<$1$2=$3&$4>', $Text); // This is subtle - it's an XSS filter. It only accepts links with a protocol scheme and where - // the scheme begins with z (zhttp), h (http(s)), f (ftp(s)), g (gemini), m (mailto), t (tel) and named anchors. + // the scheme begins with z (zhttp), h (http(s)), f (ftp(s)), g (gemini), m (mailto|magnet), t (tel) and named anchors. // data: urls are allowed if exporting to activitypub which allows inline svg to federate, but not // to be used for local display diff --git a/include/text.php b/include/text.php index 2aafd1507..a203fbea0 100644 --- a/include/text.php +++ b/include/text.php @@ -107,9 +107,7 @@ function escape_tags($string) { function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) { if($type === 'text/bbcode') { - return ($s); - // purify_html($s); - // return escape_tags($s); + return (multicode_purify($s)); } if($type == 'text/plain') return escape_tags($s);
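Review bot: With the `purify_html()` call in bbcode() commented out, render-time purification is gone, so every text/bbcode item must now have passed through z_input_filter() (the include/text.php hunk) before storage; items that entered by another path — federated or imported content, or rows stored while z_input_filter() still returned its input untouched — would be rendered without ever being purified. If any such path exists, keep a render-time fallback or run the new purification over existing rows; if all ingest really goes through z_input_filter(), say so in the comment, e.g. `// Input is purified in z_input_filter() via multicode_purify(); nothing else purifies here.` The three commented-out lines are dead code now that the comment above them explains the move, and should be deleted rather than carried.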
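Review bot: On the text/bbcode branch `$allow_code` is not consulted — multicode_purify() now runs for every bbcode input regardless of the flag, so if the flag was meant to gate whether code blocks survive purification that intent is lost here (the flag's meaning is not visible in the hunk). Minor style: the wrapping parentheses are redundant, `return multicode_purify($s);`.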