4117118e23
More specific exceptions for mimetype/extension issues.
2016-07-06 09:14:59 +02:00
b4a0bff740
Some mimetype madness!
2016-07-06 08:59:16 +02:00
c1537a1e82
Use noreferrer when linkifying attachments and allow this value in purifier
2016-06-09 19:56:36 +10:00
44ea8aa681
Make sure $_SERVER['HTTP_REFERER'] isset when testing value
2016-03-31 20:51:50 +02:00
5ca2a28246
Make oEmbed handle our http/https setting better.
2016-03-10 14:20:21 +01:00
bd75305560
Define-ify excluded end-characters of URL autolinking
2016-03-09 15:16:47 +01:00
d179afa303
Save allowed path/qstring/fragment characters in constants
2016-03-09 14:51:52 +01:00
dc1ceca86e
Some more Microformats2 data for notices and rendering
2016-03-02 13:29:54 +01:00
747c91210f
HTMLPurifier cache settings, put stuff in subdir of get_sys_temp_dir()
2016-02-28 13:30:47 +01:00
cd978fa153
Edited the list of allowed rel values
2016-02-28 13:16:52 +01:00
52a3764ae4
Resolve relative URLs (assuming URI.Base==notice URL)
...
The real way to do this would be to get the xml:base property from
the Atom feed but it's probably not there in any posts we see today.
2016-02-26 14:46:26 +01:00
29662eef5e
Mentioning matches (@this too) now.
2016-02-26 00:08:51 +01:00
5f7032dfee
Verify that authenticated API calls are made from our domain name.
...
Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json " or
whatever. XHR is already blocked with CORS stuff.
Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
2016-02-22 15:19:10 +01:00
ce803f6d06
WebFinger aliases with 'index.php/'
2016-02-21 20:00:07 +01:00
893d117309
throw new, not just throw
2016-02-21 19:01:37 +01:00
23e66bef64
common_fake_local_fancy_url to remove index.php/ from a local URL
2016-02-21 18:48:18 +01:00
ec257d940a
Either use or don't use HTTPS
...
The risk of injection attacks using HTTP is too great to allow a
site that allows both HTTP and HTTPS...
2016-02-10 00:57:39 +01:00
2686635f60
Keep the rel="tag" in HTML when purifying
2016-02-07 12:50:26 +01:00
9960714896
Disallow zero-length magnet URIs
...
magnet: would match, but now we have a zero-length lookahead which
requires the following character to be a question mark: magnet:?
2016-02-03 15:26:19 +01:00
349dba8be0
Only allow our specified URI schemes
2016-02-03 14:31:16 +01:00
e903bd0bc3
Hacky support for geo URI detection
...
Won't work with common_purify yet because there is no geo uri scheme for it
2016-02-03 14:19:08 +01:00
b1ed1f48ea
Configurable linkify for bare IPv4/IPv6
2016-02-03 12:55:00 +01:00
a2b914ce60
Get URL schemes by URL type
2016-02-03 00:18:37 +01:00
36f099958c
Don't match @nickname on @nickname@server.com
2016-01-29 15:53:58 +01:00
cb40f72c7e
Use the profile URI when linking instead of URL
...
since we'll then get to /user/$id instead of /$nickname which is
good for future archives if someone changes their nickname...
2016-01-29 15:21:01 +01:00
7e6783bb8f
Replace htmLawed with HTMLPurifier
2016-01-28 19:01:13 +01:00
42545c6625
Merge branch 'mention_branch' into 'nightly'
...
correct mentions if parent mentions multiple users with same nickname (don't use first one for all)
See merge request !82
2016-01-26 21:15:25 +00:00
a9d18a077e
Harmonize, clarify, categorize URL schemes
...
Regular expression + avoid-redirection list now match each other.
2016-01-24 12:47:31 +01:00
1cec627d72
Allow bitcoin scheme to URLs
2016-01-24 12:44:28 +01:00
de047f9727
correct mentions if parent mention multiple users with same nickname (don't use first one for all)
2016-01-19 13:41:25 +00:00
44c10bb2aa
Merge branch 'oembed_branch' into 'nightly'
...
purify oembed html and don't allow cdata
hopefully we never need stuff in cdata
reason for this is that this link serves javascript in its oembed data: https://www.maketecheasier.com/switch-windows-10-to-linux/
see:
https://www.maketecheasier.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.maketecheasier.com%2Fswitch-windows-10-to-linux%2F
i don't feel we want that in our database.
See merge request !79
2016-01-15 13:11:35 +00:00
29b45bb87a
Unnecessary call to User::getKV
2016-01-13 20:08:17 +01:00
818aaa0578
We didn't get profiles from the new-style attention system
2016-01-13 18:35:25 +01:00
3e7e3de554
don't allow cdata elements in purified html
2016-01-13 16:01:27 +00:00
8c28e54ccc
same as previous, but for mime_to_ext
2016-01-12 13:14:17 +01:00
dbe5d72e4c
If all file extensions are supported we have no list of comparisons
2016-01-12 13:08:54 +01:00
a1b509bb0b
forgot we need access to $html too
2016-01-11 20:58:34 +00:00
8d331b0f35
EndCommonPurify event
2016-01-11 20:54:19 +00:00
1a46d86ca6
lib/util.php quick function to do var_export($var,true)
...
Immensely useful when debugging and we want to put quotes around strings,
potentially stopping any "evil logging attacks" (where input data masks
as logging data).
2016-01-11 19:52:54 +01:00
5ef10a14ef
Get group attentions too for outbound notices
2016-01-09 15:06:44 +01:00
33194b3cff
Attention goes to the parent notice author too
2016-01-08 02:58:31 +01:00
801ca3531b
common_find_attentions to populate activities from content text
2016-01-07 23:23:37 +01:00
be58fd64f5
Use index for File url (urlhash)
2016-01-07 18:13:10 +01:00
0b4b0de412
longurl in href
2016-01-05 23:14:51 +00:00
8b78e01d4c
$longurl->url is just the same $canon we fed to File_redirection::where()
2016-01-05 23:06:02 +00:00
e02c10a589
common_render_content doesn't require a Profile now
2016-01-01 18:40:58 +01:00
10973dcf69
Don't require a notice object to common_linkify_mentions
2016-01-01 18:20:42 +01:00
ef4e61c91b
Merge branch 'master' into nightly
2015-12-14 22:03:04 +01:00
edd62e58fd
Merge branch 'at-mention-url' into 'master'
...
MentionURL Plugin
This plugin enables users to use the syntax `@twitter.com/singpolyma` to mention users the system does not know about, or to be more specific when a nickname is ambiguous.
See merge request !53
2015-12-14 21:01:42 +00:00
c498db147a
ircs URLs work fine in Firefox at least
2015-12-05 13:02:49 +01:00
Mikael Nordfeldth
Thomas Karpiniec
hannes