Streams/streams
Streams/streams
1
0
Fork 0
mirror of https://codeberg.org/streams/streams.git synced 2024-09-20 05:15:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

xss issue from upstream, messagefilter enhancements

Browse source
This commit is contained in:
zotlabs 2019-03-18 19:19:04 -07:00
parent 2df403c4ec
commit 7169bd1ebc
10 changed files with 30 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
Zotlabs/Lib/MessageFilter.php
View file

@ -38,6 +38,11 @@ class MessageFilter {
if((($t['ttype'] == TERM_HASHTAG) || ($t['ttype'] == TERM_COMMUNITYTAG)) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
return false;
}
elseif(substr($word,0,1) === '$' && $tags) {
foreach($tags as $t)
if(($t['ttype'] == TERM_CATEGORY) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
return false;
}
elseif((strpos($word,'/') === 0) && preg_match($word,$text))
return false;
elseif((strpos($word,'lang=') === 0) && ($lang) && (strcasecmp($lang,trim(substr($word,5))) == 0))
@ -61,6 +66,11 @@ class MessageFilter {
if((($t['ttype'] == TERM_HASHTAG) || ($t['ttype'] == TERM_COMMUNITYTAG)) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
return true;
}
elseif(substr($word,0,1) === '$' && $tags) {
foreach($tags as $t)
if(($t['ttype'] == TERM_CATEGORY) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
return true;
}
elseif((strpos($word,'/') === 0) && preg_match($word,$text))
return true;
elseif((strpos($word,'lang=') === 0) && ($lang) && (strcasecmp($lang,trim(substr($word,5))) == 0))

4
Zotlabs/Module/Channel.php
View file

@ -434,12 +434,12 @@ class Channel extends Controller {
'$page' => ((App::$pager['page'] != 1) ? App::$pager['page'] : 1),
'$search' => $search,
'$xchan' => '',
'$order' => $order,
'$order' => (($order) ? urlencode($order) : ''),
'$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0),
'$file' => '',
'$cats' => (($category) ? urlencode($category) : ''),
'$tags' => (($hashtags) ? urlencode($hashtags) : ''),
'$mid' => $mid,
'$mid' => (($mid) ? urlencode($mid) : ''),
'$verb' => '',
'$net' => '',
'$dend' => $datequery,

2
Zotlabs/Module/Connections.php
View file

@ -326,7 +326,7 @@ class Connections extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= replace_macros(get_markup_template('connections.tpl'),array(
'$header' => t('Connections') . (($head) ? ': ' . $head : ''),
'$tabs' => $tabs,

2
Zotlabs/Module/Directory.php
View file

@ -400,7 +400,7 @@ class Directory extends \Zotlabs\Web\Controller {
$dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory'));
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
$o .= replace_macros($tpl, array(
'$search' => $search,
'$desc' => t('Find'),

2
Zotlabs/Module/Display.php
View file

@ -239,7 +239,7 @@ class Display extends Controller {
'$dbegin' => '',
'$verb' => '',
'$net' => '',
'$mid' => $mid
'$mid' => (($mid) ? urlencode($mid) : '')
));
head_add_link([

2
Zotlabs/Module/Hq.php
View file

@ -193,7 +193,7 @@ class Hq extends \Zotlabs\Web\Controller {
'$dbegin' => '',
'$verb' => '',
'$net' => '',
'$mid' => $mid
'$mid' => (($mid) ? urlencode($mid) : '')
]);
}

18
Zotlabs/Module/Network.php
View file

@ -345,18 +345,18 @@ class Network extends \Zotlabs\Web\Controller {
'$static' => $static,
'$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0),
'$page' => ((App::$pager['page'] != 1) ? App::$pager['page'] : 1),
'$search' => (($search) ? $search : ''),
'$xchan' => $xchan,
'$order' => $order,
'$file' => $file,
'$cats' => urlencode($category),
'$tags' => urlencode($hashtags),
'$search' => (($search) ? urlencode($search) : ''),
'$xchan' => (($xchan) ? urlencode($xchan) : ''),
'$order' => (($order) ? urlencode($order) : ''),
'$file' => (($file) ? urlencode($file) : ''),
'$cats' => (($category) ? urlencode($category) : ''),
'$tags' => (($hashtags) ? urlencode($hashtags) : ''),
'$dend' => $datequery,
'$mid' => '',
'$verb' => $verb,
'$net' => $net,
'$verb' => (($verb) ? urlencode($verb) : ''),
'$net' => (($net) ? urlencode($net) : ''),
'$dbegin' => $datequery2,
'$pf' => (($pf) ? $pf : '0'),
'$pf' => (($pf) ? intval($pf) : '0'),
));
}

2
Zotlabs/Module/Photos.php
View file

@ -738,7 +738,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template('photo_album.tpl');
$o .= replace_macros($tpl, array(
'$photos' => $photos,

6
Zotlabs/Module/Pubstream.php
View file

@ -135,11 +135,11 @@ class Pubstream extends \Zotlabs\Web\Controller {
'$order' => 'comment',
'$file' => '',
'$cats' => '',
'$tags' => $hashtags,
'$tags' => (($hashtags) ? urlencode($hashtags) : ''),
'$dend' => '',
'$mid' => $mid,
'$mid' => (($mid) ? urlencode($mid) : ''),
'$verb' => '',
'$net' => $net,
'$net' => (($net) ? urlencode($net) : ''),
'$dbegin' => ''
));
}

2
Zotlabs/Module/Viewconnections.php
View file

@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template("viewcontact_template.tpl");
$o .= replace_macros($tpl, array(
'$title' => t('View Connections'),