xss issue from upstream, messagefilter enhancements
This commit is contained in:
parent
2df403c4ec
commit
7169bd1ebc
10 changed files with 30 additions and 20 deletions
|
@ -38,6 +38,11 @@ class MessageFilter {
|
|||
if((($t['ttype'] == TERM_HASHTAG) || ($t['ttype'] == TERM_COMMUNITYTAG)) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
|
||||
return false;
|
||||
}
|
||||
elseif(substr($word,0,1) === '$' && $tags) {
|
||||
foreach($tags as $t)
|
||||
if(($t['ttype'] == TERM_CATEGORY) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
|
||||
return false;
|
||||
}
|
||||
elseif((strpos($word,'/') === 0) && preg_match($word,$text))
|
||||
return false;
|
||||
elseif((strpos($word,'lang=') === 0) && ($lang) && (strcasecmp($lang,trim(substr($word,5))) == 0))
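Review bot: The new `$` category branch repeats the hashtag branch's matching loop almost verbatim, and the same pair of loops is duplicated again in the second hunk of this file with only the return value flipped, so any later fix (e.g. to the `*` wildcard or case handling) has to be made in four places. A small private helper that answers "does any tag of these types match this word" would let both passes call it and keep the loose `==` on `ttype` in one spot. The wildcard and exact-term checks both call `substr($word,1)` twice per tag; hoisting it once per word is free. Both enclosing filter functions start and end outside the hunk.
```php
// Shared by both filter passes: true when any tag of one of the given types
// has exactly this term, or the word is the '*' wildcard for that type.
private static function tag_matches($tags, $word, $types) {
    $term = substr($word, 1);
    foreach ($tags as $t) {
        if (in_array($t['ttype'], $types) && ($t['term'] === $term || $term === '*'))
            return true;
    }
    return false;
}
// … unchanged: elseif chain, now calling self::tag_matches($tags, $word, [TERM_CATEGORY]) …
```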
|
||||
|
@ -61,6 +66,11 @@ class MessageFilter {
|
|||
if((($t['ttype'] == TERM_HASHTAG) || ($t['ttype'] == TERM_COMMUNITYTAG)) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
|
||||
return true;
|
||||
}
|
||||
elseif(substr($word,0,1) === '$' && $tags) {
|
||||
foreach($tags as $t)
|
||||
if(($t['ttype'] == TERM_CATEGORY) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*')))
|
||||
return true;
|
||||
}
|
||||
elseif((strpos($word,'/') === 0) && preg_match($word,$text))
|
||||
return true;
|
||||
elseif((strpos($word,'lang=') === 0) && ($lang) && (strcasecmp($lang,trim(substr($word,5))) == 0))
|
||||
|
|
|
@ -434,12 +434,12 @@ class Channel extends Controller {
|
|||
'$page' => ((App::$pager['page'] != 1) ? App::$pager['page'] : 1),
|
||||
'$search' => $search,
|
||||
'$xchan' => '',
|
||||
'$order' => $order,
|
||||
'$order' => (($order) ? urlencode($order) : ''),
|
||||
'$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0),
|
||||
'$file' => '',
|
||||
'$cats' => (($category) ? urlencode($category) : ''),
|
||||
'$tags' => (($hashtags) ? urlencode($hashtags) : ''),
|
||||
'$mid' => $mid,
|
||||
'$mid' => (($mid) ? urlencode($mid) : ''),
|
||||
'$verb' => '',
|
||||
'$net' => '',
|
||||
'$dend' => $datequery,
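Review bot: `'$search' => $search,` and `'$dend' => $datequery,` are still passed to the template raw while `$order` and `$mid` in the same array now go through `urlencode`, and the Network controller in this same commit does encode `$search`. If `$search` and `$datequery` originate from request input (their assignment is outside the hunk, so this is inferred), they need the same treatment, e.g. `'$search' => (($search) ? urlencode($search) : ''),` and `'$dend' => (($datequery) ? urlencode($datequery) : ''),`. The enclosing method starts and ends outside the hunk.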
|
||||
|
|
|
@ -326,7 +326,7 @@ class Connections extends \Zotlabs\Web\Controller {
|
|||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= replace_macros(get_markup_template('connections.tpl'),array(
|
||||
'$header' => t('Connections') . (($head) ? ': ' . $head : ''),
|
||||
'$tabs' => $tabs,
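Review bot: The same `<script>` line still interpolates `extra_query_args()` into the `extra_args` JS literal with no encoding, so if that helper echoes request parameters back (its body is not visible here) it is the same single-quote injection that the `req` change just closed. `escape_tags()` around `urlencode()` is redundant because urlencode's output contains only `[A-Za-z0-9_.-+%]`, and `$_GET['req']` is read without a guard, which warns on PHP 8 when `req` is absent and hits the `urlencode(null)` deprecation on 8.1; `urlencode($_GET['req'] ?? '')` covers both. The enclosing method continues outside the hunk.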
|
||||
|
|
|
@ -400,7 +400,7 @@ class Directory extends \Zotlabs\Web\Controller {
|
|||
|
||||
$dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory'));
|
||||
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
|
||||
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$search' => $search,
|
||||
'$desc' => t('Find'),
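Review bot: `urlencode` turns a space in `req` into `+`, which is only correct if `page_query` is appended to a query string on the JS side; if the pager JS ever runs it through `decodeURIComponent()` or places it in a path, the `+` survives as a literal plus. `rawurlencode($_GET['req'])` yields `%20` instead and is decoded correctly in both positions, and it closes the quote/`<script>` injection just as well. How `page_query` is consumed is not visible here, so confirm against the JS before switching. The enclosing method continues outside the hunk.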
|
||||
|
|
|
@ -239,7 +239,7 @@ class Display extends Controller {
|
|||
'$dbegin' => '',
|
||||
'$verb' => '',
|
||||
'$net' => '',
|
||||
'$mid' => $mid
|
||||
'$mid' => (($mid) ? urlencode($mid) : '')
|
||||
));
|
||||
|
||||
head_add_link([
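Review bot: `(($mid) ? urlencode($mid) : '')` uses PHP truthiness as the guard, so a `$mid` of `"0"` would be silently dropped; `urlencode('')` already returns `''`, so the ternary buys nothing for the empty case and only differs on `"0"`. Message ids here are presumably long hashes, so this is a style point rather than a live bug, but `urlencode((string) $mid)` is the simpler, guard-free form. Also worth checking that the template does not url-escape `$mid` a second time now that it arrives pre-encoded, which would produce `%25` sequences. The enclosing method starts outside the hunk.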
|
||||
|
|
|
@ -193,7 +193,7 @@ class Hq extends \Zotlabs\Web\Controller {
|
|||
'$dbegin' => '',
|
||||
'$verb' => '',
|
||||
'$net' => '',
|
||||
'$mid' => $mid
|
||||
'$mid' => (($mid) ? urlencode($mid) : '')
|
||||
]);
|
||||
}
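Review bot: `$mid` is now handed to the template already URL-encoded, so any `|escape:'url'` or `urlencode` the template applies to it would double-encode it (`%` becoming `%25`) and break the link or JS that uses it; the template is not in this diff, so this needs confirming. The truthiness guard in `(($mid) ? urlencode($mid) : '')` also drops a `$mid` of `"0"`, which `urlencode((string) $mid)` would not. The enclosing method starts outside the hunk.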
|
||||
|
||||
|
|
|
@ -345,18 +345,18 @@ class Network extends \Zotlabs\Web\Controller {
|
|||
'$static' => $static,
|
||||
'$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0),
|
||||
'$page' => ((App::$pager['page'] != 1) ? App::$pager['page'] : 1),
|
||||
'$search' => (($search) ? $search : ''),
|
||||
'$xchan' => $xchan,
|
||||
'$order' => $order,
|
||||
'$file' => $file,
|
||||
'$cats' => urlencode($category),
|
||||
'$tags' => urlencode($hashtags),
|
||||
'$search' => (($search) ? urlencode($search) : ''),
|
||||
'$xchan' => (($xchan) ? urlencode($xchan) : ''),
|
||||
'$order' => (($order) ? urlencode($order) : ''),
|
||||
'$file' => (($file) ? urlencode($file) : ''),
|
||||
'$cats' => (($category) ? urlencode($category) : ''),
|
||||
'$tags' => (($hashtags) ? urlencode($hashtags) : ''),
|
||||
'$dend' => $datequery,
|
||||
'$mid' => '',
|
||||
'$verb' => $verb,
|
||||
'$net' => $net,
|
||||
'$verb' => (($verb) ? urlencode($verb) : ''),
|
||||
'$net' => (($net) ? urlencode($net) : ''),
|
||||
'$dbegin' => $datequery2,
|
||||
'$pf' => (($pf) ? $pf : '0'),
|
||||
'$pf' => (($pf) ? intval($pf) : '0'),
|
||||
));
|
||||
}
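Review bot: `'$dend' => $datequery,` and `'$dbegin' => $datequery2,` are left raw in the same array where `$search`, `$xchan`, `$order`, `$file`, `$cats`, `$tags`, `$verb` and `$net` all gained `urlencode`, and `$static` is untouched too. If the date query values are taken from the request (their assignment is outside the hunk), they reach the template with the same problem the commit fixes for their neighbours: `'$dend' => (($datequery) ? urlencode($datequery) : ''),` and `'$dbegin' => (($datequery2) ? urlencode($datequery2) : ''),`. The `intval($pf)` change is a good match for the boolean-ish flag. The enclosing method starts outside the hunk.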
|
||||
|
||||
|
|
|
@ -738,7 +738,7 @@ class Photos extends \Zotlabs\Web\Controller {
|
|||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$tpl = get_markup_template('photo_album.tpl');
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$photos' => $photos,
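Review bot: The fix relies on `urlencode` never emitting a quote or `</script>`, which holds, but the underlying pattern of building a single-quoted JS literal by string concatenation is what made this an XSS in the first place, and the `extra_args` literal on the same line is still built that way from `extra_query_args()` without encoding. A more robust form for script-embedded values is `json_encode($value, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT)`, which is safe for any content; note it would hand the JS side the raw rather than URL-encoded value, so whether `page_query` is appended to a URL or used as text decides which is right. `escape_tags()` around the encoded value is a no-op and can go. The enclosing method continues outside the hunk.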
|
||||
|
|
|
@ -135,11 +135,11 @@ class Pubstream extends \Zotlabs\Web\Controller {
|
|||
'$order' => 'comment',
|
||||
'$file' => '',
|
||||
'$cats' => '',
|
||||
'$tags' => $hashtags,
|
||||
'$tags' => (($hashtags) ? urlencode($hashtags) : ''),
|
||||
'$dend' => '',
|
||||
'$mid' => $mid,
|
||||
'$mid' => (($mid) ? urlencode($mid) : ''),
|
||||
'$verb' => '',
|
||||
'$net' => $net,
|
||||
'$net' => (($net) ? urlencode($net) : ''),
|
||||
'$dbegin' => ''
|
||||
));
|
||||
}
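Review bot: `$hashtags`, `$mid` and `$net` now arrive at the template URL-encoded, so the template (not in this diff) must use them only in URL positions and must not escape them for URLs again, otherwise `%` doubles to `%25`; if any of them is also rendered as visible text it now shows `%2F`-style sequences. The `(($x) ? urlencode($x) : '')` guard is equivalent to `urlencode((string) $x)` except that it drops a value of `"0"`, which is unlikely for these fields but worth knowing. The enclosing method starts outside the hunk.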
|
||||
|
|
|
@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller {
|
|||
killme();
|
||||
}
|
||||
else {
|
||||
$o .= "<script> var page_query = '" . escape_tags($_GET['req']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$o .= "<script> var page_query = '" . escape_tags(urlencode($_GET['req'])) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
|
||||
$tpl = get_markup_template("viewcontact_template.tpl");
|
||||
$o .= replace_macros($tpl, array(
|
||||
'$title' => t('View Connections'),
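Review bot: `$_GET['req']` is read without checking it exists, so a plain page load with no `req` parameter emits an undefined-key warning on PHP 8 and a deprecation from `urlencode(null)` on 8.1; `urlencode($_GET['req'] ?? '')` keeps the fix and silences both. The outer `escape_tags()` is redundant once the value is URL-encoded, since nothing it would escape survives `urlencode`. The `extra_args` literal on the same line is still unencoded and depends on `extra_query_args()` never returning a quote, which cannot be verified from this hunk. The enclosing method continues outside the hunk.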
|
||||
|
|