From 59b93b23e23644a3eb3df1e3275a03f617c2f8e8 Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Fri, 2 Sep 2016 00:55:46 +0200 Subject: [PATCH] Split up source and source_link. Never trust HTML! https://community.highlandarrow.com/notice/269667 or alternatively: https://social.umeahackerspace.se/conversation/495655 --- actions/apisearchatom.php | 16 +++++++-------- classes/Notice.php | 6 +----- lib/apiaction.php | 16 +++++++-------- lib/jsonsearchresultslist.php | 37 +++++++++++++++++++++++------------ 4 files changed, 41 insertions(+), 34 deletions(-) diff --git a/actions/apisearchatom.php b/actions/apisearchatom.php index 3a24b771ea..e82ea39f9f 100644 --- a/actions/apisearchatom.php +++ b/actions/apisearchatom.php @@ -337,21 +337,21 @@ class ApiSearchAtomAction extends ApiPrivateAuthAction // @todo: Here is where we'd put in a link to an atom feed for threads $source = null; + $source_link = null; $ns = $notice->getSource(); if ($ns instanceof Notice_source) { - if (!empty($ns->name) && !empty($ns->url)) { - $source = '' - . htmlspecialchars($ns->name) - . ''; - } else { - $source = $ns->code; + $source = $ns->code; + if (!empty($ns->url)) { + $source_link = $ns->url; + if (!empty($ns->name)) { + $source = $ns->name; + } } } $this->element("twitter:source", null, $source); + $this->element("twitter:source_link", null, $source_link); $this->elementStart('author'); diff --git a/classes/Notice.php b/classes/Notice.php index c7b12371e0..d5a0e5f6d2 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -2123,11 +2123,7 @@ class Notice extends Managed_DataObject if (!empty($ns->url)) { $noticeInfoAttr['source_link'] = $ns->url; if (!empty($ns->name)) { - $noticeInfoAttr['source'] = '' - . htmlspecialchars($ns->name) - . ''; + $noticeInfoAttr['source'] = $ns->name; } } } diff --git a/lib/apiaction.php b/lib/apiaction.php index 6f2f43ab9c..723e589408 100644 --- a/lib/apiaction.php +++ b/lib/apiaction.php 
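Review bot: In the actions/apisearchatom.php hunk, `$source_link = $ns->url;` forwards the stored URL into `twitter:source_link` with no scheme check, so a `Notice_source` row whose url is not http(s) would reach every consumer that places the value in an `href`. Whether the url is validated when a source is registered is not visible in this patch; if it is not, the guard could become `if (!empty($ns->url) && preg_match('#^https?://#i', $ns->url)) {`. The same unchecked assignment appears in the classes/Notice.php, lib/apiaction.php and lib/jsonsearchresultslist.php hunks. The enclosing method starts and ends outside this hunk.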
@@ -337,22 +337,22 @@ class ApiAction extends Action $twitter_status['in_reply_to_status_id'] = $in_reply_to; $source = null; + $source_link = null; $ns = $notice->getSource(); if ($ns instanceof Notice_source) { - if (!empty($ns->name) && !empty($ns->url)) { - $source = '' - . htmlspecialchars($ns->name) - . ''; - } else { - $source = $ns->code; + $source = $ns->code; + if (!empty($ns->url)) { + $source_link = $ns->url; + if (!empty($ns->name)) { + $source = $ns->name; + } } } $twitter_status['uri'] = $notice->getUri(); $twitter_status['source'] = $source; + $twitter_status['source_link'] = $source_link; $twitter_status['id'] = intval($notice->id); $replier_profile = null; diff --git a/lib/jsonsearchresultslist.php b/lib/jsonsearchresultslist.php index 0f764a72be..80dc33e323 100644 --- a/lib/jsonsearchresultslist.php +++ b/lib/jsonsearchresultslist.php @@ -184,7 +184,8 @@ class ResultItem var $id; var $from_user_id; var $iso_language_code; - var $source; + var $source = null; + var $source_link = null; var $profile_image_url; var $created_at; @@ -234,7 +235,8 @@ class ResultItem $this->iso_language_code = Profile_prefs::getConfigData($this->profile, 'site', 'language'); - $this->source = $this->getSourceLink($this->notice->source); + // set source and source_link + $this->setSourceData(); $this->profile_image_url = $this->profile->avatarUrl(AVATAR_STREAM_SIZE); 
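Review bot: In the lib/apiaction.php hunk, `$twitter_status['source'] = $source;` now carries the raw `$ns->name` where it used to carry an escaped anchor string, and nothing in the new code records that the field's format changed. A consumer that still inserts `source` as markup would render a name that is no longer escaped server-side. State the contract where the value is set, for example `// 'source' is plain text, never HTML: consumers must escape it and build any link from 'source_link'`. The same applies to `$noticeInfoAttr['source']` in classes/Notice.php and to `ResultItem::$source` in lib/jsonsearchresultslist.php. The enclosing method continues outside the hunk.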
@@ -242,34 +244,43 @@ class ResultItem } /** - * Show the source of the notice + * Set the notice's source data (api/app name and URL) * * Either the name (and link) of the API client that posted the notice, - * or one of other other channels. + * or one of other other channels. Uses the local notice object. * - * @param string $source the source of the Notice - * - * @return string a fully rendered source of the Notice + * @return void */ - function getSourceLink($source) + function setSourceData() { - // Gettext translations for the below source types are available. - $source_name = _($source); + $source = null; + $source_link = null; + switch ($source) { case 'web': case 'xmpp': case 'mail': case 'omb': case 'api': + // Gettext translations for the below source types are available. + $source = _($this->notice->source); break; + default: - $ns = Notice_source::getKV($source); + $ns = Notice_source::getKV($this->notice->source); if ($ns instanceof Notice_source) { - $source_name = '' . $ns->name . ''; + $source = $ns->code; + if (!empty($ns->url)) { + $source_link = $ns->url; + if (!empty($ns->name)) { + $source = $ns->name; + } + } } break; } - return $source_name; + $this->source = $source; + $this->source_link = $source_link; } }
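Review bot: `switch ($source)` in `setSourceData()` tests the local `$source` that was set to `null` just above it, so none of the `case 'web':` … `case 'api':` labels can match and every notice takes the `default:` branch. The gettext translation of the built-in source types is therefore never applied, and a built-in source with no matching `Notice_source` row presumably leaves `$this->source` as `null`. The switch should read the notice field instead: `switch ($this->notice->source) {`.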