From 7169bd1ebc1a3680a885f11e5ee05fae37f12c98 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 18 Mar 2019 19:19:04 -0700 Subject: [PATCH] xss issue from upstream, messagefilter enhancements --- Zotlabs/Lib/MessageFilter.php | 10 ++++++++++ Zotlabs/Module/Channel.php | 4 ++-- Zotlabs/Module/Connections.php | 2 +- Zotlabs/Module/Directory.php | 2 +- Zotlabs/Module/Display.php | 2 +- Zotlabs/Module/Hq.php | 2 +- Zotlabs/Module/Network.php | 18 +++++++++--------- Zotlabs/Module/Photos.php | 2 +- Zotlabs/Module/Pubstream.php | 6 +++--- Zotlabs/Module/Viewconnections.php | 2 +- 10 files changed, 30 insertions(+), 20 deletions(-) diff --git a/Zotlabs/Lib/MessageFilter.php b/Zotlabs/Lib/MessageFilter.php index b45a1f229..5ca8b737b 100644 --- a/Zotlabs/Lib/MessageFilter.php +++ b/Zotlabs/Lib/MessageFilter.php @@ -38,6 +38,11 @@ class MessageFilter { if((($t['ttype'] == TERM_HASHTAG) || ($t['ttype'] == TERM_COMMUNITYTAG)) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*'))) return false; } + elseif(substr($word,0,1) === '$' && $tags) { + foreach($tags as $t) + if(($t['ttype'] == TERM_CATEGORY) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*'))) + return false; + } elseif((strpos($word,'/') === 0) && preg_match($word,$text)) return false; elseif((strpos($word,'lang=') === 0) && ($lang) && (strcasecmp($lang,trim(substr($word,5))) == 0)) @@ -61,6 +66,11 @@ class MessageFilter { if((($t['ttype'] == TERM_HASHTAG) || ($t['ttype'] == TERM_COMMUNITYTAG)) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*'))) return true; } + elseif(substr($word,0,1) === '$' && $tags) { + foreach($tags as $t) + if(($t['ttype'] == TERM_CATEGORY) && (($t['term'] === substr($word,1)) || (substr($word,1) === '*'))) + return true; + } elseif((strpos($word,'/') === 0) && preg_match($word,$text)) return true; elseif((strpos($word,'lang=') === 0) && ($lang) && (strcasecmp($lang,trim(substr($word,5))) == 0)) diff --git a/Zotlabs/Module/Channel.php b/Zotlabs/Module/Channel.php index a4571941c..18f76d885 100644 --- a/Zotlabs/Module/Channel.php +++ b/Zotlabs/Module/Channel.php @@ -434,12 +434,12 @@ class Channel extends Controller { '$page' => ((App::$pager['page'] != 1) ? App::$pager['page'] : 1), '$search' => $search, '$xchan' => '', - '$order' => $order, + '$order' => (($order) ? urlencode($order) : ''), '$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0), '$file' => '', '$cats' => (($category) ? urlencode($category) : ''), '$tags' => (($hashtags) ? urlencode($hashtags) : ''), - '$mid' => $mid, + '$mid' => (($mid) ? urlencode($mid) : ''), '$verb' => '', '$net' => '', '$dend' => $datequery, diff --git a/Zotlabs/Module/Connections.php b/Zotlabs/Module/Connections.php index 1fda0c931..1d32560fa 100644 --- a/Zotlabs/Module/Connections.php +++ b/Zotlabs/Module/Connections.php @@ -326,7 +326,7 @@ class Connections extends \Zotlabs\Web\Controller { killme(); } else { - $o .= ""; + $o .= ""; $o .= replace_macros(get_markup_template('connections.tpl'),array( '$header' => t('Connections') . (($head) ? ': ' . $head : ''), '$tabs' => $tabs, diff --git a/Zotlabs/Module/Directory.php b/Zotlabs/Module/Directory.php index ff399cc7c..d92ebb223 100644 --- a/Zotlabs/Module/Directory.php +++ b/Zotlabs/Module/Directory.php @@ -400,7 +400,7 @@ class Directory extends \Zotlabs\Web\Controller { $dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory')); - $o .= ""; + $o .= ""; $o .= replace_macros($tpl, array( '$search' => $search, '$desc' => t('Find'), diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index c6215c734..120401952 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php @@ -239,7 +239,7 @@ class Display extends Controller { '$dbegin' => '', '$verb' => '', '$net' => '', - '$mid' => $mid + '$mid' => (($mid) ? urlencode($mid) : '') )); head_add_link([ diff --git a/Zotlabs/Module/Hq.php b/Zotlabs/Module/Hq.php index ae58a17b2..6c7c09383 100644 --- a/Zotlabs/Module/Hq.php +++ b/Zotlabs/Module/Hq.php @@ -193,7 +193,7 @@ class Hq extends \Zotlabs\Web\Controller { '$dbegin' => '', '$verb' => '', '$net' => '', - '$mid' => $mid + '$mid' => (($mid) ? urlencode($mid) : '') ]); } diff --git a/Zotlabs/Module/Network.php b/Zotlabs/Module/Network.php index 7024e8176..be2c83df4 100644 --- a/Zotlabs/Module/Network.php +++ b/Zotlabs/Module/Network.php @@ -345,18 +345,18 @@ class Network extends \Zotlabs\Web\Controller { '$static' => $static, '$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0), '$page' => ((App::$pager['page'] != 1) ? App::$pager['page'] : 1), - '$search' => (($search) ? $search : ''), - '$xchan' => $xchan, - '$order' => $order, - '$file' => $file, - '$cats' => urlencode($category), - '$tags' => urlencode($hashtags), + '$search' => (($search) ? urlencode($search) : ''), + '$xchan' => (($xchan) ? urlencode($xchan) : ''), + '$order' => (($order) ? urlencode($order) : ''), + '$file' => (($file) ? urlencode($file) : ''), + '$cats' => (($category) ? urlencode($category) : ''), + '$tags' => (($hashtags) ? urlencode($hashtags) : ''), '$dend' => $datequery, '$mid' => '', - '$verb' => $verb, - '$net' => $net, + '$verb' => (($verb) ? urlencode($verb) : ''), + '$net' => (($net) ? urlencode($net) : ''), '$dbegin' => $datequery2, - '$pf' => (($pf) ? $pf : '0'), + '$pf' => (($pf) ? intval($pf) : '0'), )); } diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php index cb9cc436d..936332dfd 100644 --- a/Zotlabs/Module/Photos.php +++ b/Zotlabs/Module/Photos.php @@ -738,7 +738,7 @@ class Photos extends \Zotlabs\Web\Controller { killme(); } else { - $o .= ""; + $o .= ""; $tpl = get_markup_template('photo_album.tpl'); $o .= replace_macros($tpl, array( '$photos' => $photos, diff --git a/Zotlabs/Module/Pubstream.php b/Zotlabs/Module/Pubstream.php index 7b80a3978..761dd6a35 100644 --- a/Zotlabs/Module/Pubstream.php +++ b/Zotlabs/Module/Pubstream.php @@ -135,11 +135,11 @@ class Pubstream extends \Zotlabs\Web\Controller { '$order' => 'comment', '$file' => '', '$cats' => '', - '$tags' => $hashtags, + '$tags' => (($hashtags) ? urlencode($hashtags) : ''), '$dend' => '', - '$mid' => $mid, + '$mid' => (($mid) ? urlencode($mid) : ''), '$verb' => '', - '$net' => $net, + '$net' => (($net) ? urlencode($net) : ''), '$dbegin' => '' )); } diff --git a/Zotlabs/Module/Viewconnections.php b/Zotlabs/Module/Viewconnections.php index 791a696c6..67a15288d 100644 --- a/Zotlabs/Module/Viewconnections.php +++ b/Zotlabs/Module/Viewconnections.php @@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller { killme(); } else { - $o .= ""; + $o .= ""; $tpl = get_markup_template("viewcontact_template.tpl"); $o .= replace_macros($tpl, array( '$title' => t('View Connections'),