add basic input filtering to the simple activity posting

boot.php

@@ -590,6 +590,13 @@ class App {
 
 		startup();
 
+		set_include_path(
+			'include' . PATH_SEPARATOR
+			. 'library' . PATH_SEPARATOR
+			. 'library/phpsec' . PATH_SEPARATOR
+			. 'library/langdet' . PATH_SEPARATOR
+			. '.' );
+
 
 		$this->scheme = 'http';
 		if(x($_SERVER,'HTTPS') && $_SERVER['HTTPS'])
@@ -612,13 +619,7 @@ class App {
 				$this->path = $path;
 		}
 
-		set_include_path(
-			"include/$this->hostname" . PATH_SEPARATOR
-			. 'include' . PATH_SEPARATOR
-			. 'library' . PATH_SEPARATOR
-			. 'library/phpsec' . PATH_SEPARATOR
-			. 'library/langdet' . PATH_SEPARATOR
-			. '.' );
+		set_include_path("include/$this->hostname" . PATH_SEPARATOR . get_include_path());
 
 		if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'],0,2) === "q=") {
 			$this->query_string = substr($_SERVER['QUERY_STRING'],2);

include/items.php

@@ -113,6 +113,12 @@ function post_activity_item($arr) {
 		return $ret;
 	}
 
+	if(array_key_exists('content_type',$arr) && $arr['content_type'] == 'text/html')
+		$arr['body'] = purify_html($arr['body']);
+	else
+		$arr['body'] = escape_tags($arr['body']);
+
+
 	$arr['mid']          = 	((x($arr,'mid')) ? $arr['mid'] : item_message_id());
 	$arr['parent_mid']   =  ((x($arr,'parent_mid')) ? $arr['parent_mid'] : $arr['mid']);
 	$arr['thr_parent']   =  ((x($arr,'thr_parent')) ? $arr['thr_parent'] : $arr['mid']);
@@ -160,6 +166,20 @@ function post_activity_item($arr) {
 }
 
 
+function purify_html($s) {
+	require_once('library/HTMLPurifier.auto.php');
+	require_once('include/html2bbcode.php');
+
+// FIXME this function has html output, not bbcode - so safely purify these
+//	$s = html2bb_video($s);
+//	$s = oembed_html2bbcode($s);
+
+	$config = HTMLPurifier_Config::createDefault();
+	$config->set('Cache.DefinitionImpl', null);
+
+	$purifier = new HTMLPurifier($config);
+	return $purifier->purify($s);
+}
 
 function get_public_feed($channel,$params) {
 

version.inc

@@ -1 +1 @@
-2013-05-21.320
+2013-05-22.321