Don't trust local HTML either

If we reallyreally want to include <img> or <script> or whatever then we have to do that after Notice::saveActivity sets ->rendered.
2016-01-30 00:00:37 +01:00 · 2016-01-30 00:00:37 +01:00 · 5167b1fa40
parent ef005987a1
commit 5167b1fa40
1 changed files with 2 additions and 3 deletions
--- a/classes/Notice.php
+++ b/classes/Notice.php
@ -821,13 +821,12 @@ class Notice extends Managed_DataObject
        $stored->url = $url;
        $stored->verb = $act->verb;

-        // Notice content. We trust local users to provide HTML we like, but of course not remote users.
-        // FIXME: What about local users importing feeds? Mirror functions must filter out bad HTML first...
        $content = $act->content ?: $act->summary;
        if (is_null($content) && !is_null($actobj)) {
            $content = $actobj->content ?: $actobj->summary;
        }
-        $stored->rendered = $actor->isLocal() ? $content : common_purify($content);
+        // Strip out any bad HTML
+        $stored->rendered = common_purify($content);
        // yeah, just don't use getRendered() here since it's not inserted yet ;)
        $stored->content = common_strip_html($stored->rendered);