eliseuamaro/gnu-social
1
0
Fork 0
forked from GNUsocial/gnu-social
Code Issues Pull Requests Releases Wiki Activity

correctly purify input for Blog_entry

Browse Source
This commit is contained in:
Evan Prodromou 2011-06-20 11:28:46 -04:00
parent 4c5d583403
commit acd1c6287d
1 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
plugins/Blog/Blog_entry.php
View File

@ -114,18 +114,18 @@ class Blog_entry extends Managed_DataObject
if (is_null($options)) { if (is_null($options)) {
$options = array(); $options = array();
} }
$be = new Blog_entry(); $be = new Blog_entry();
$be->id = (string) new UUID(); $be->id = (string) new UUID();
$be->profile_id = $profile->id; $be->profile_id = $profile->id;
$be->title = $title; // Note: not HTML-protected $be->title = $title; // Note: not HTML-protected
$be->content = self::purify($content); $be->content = self::purify($content);
if (array_key_exists('summary', $options)) { if (array_key_exists('summary', $options)) {
$be->summary = self::purify($options['summary']); $be->summary = self::purify($options['summary']);
} else { } else {
// Already purified // Already purified
$be->summary = self::summarize($content); $be->summary = self::summarize($be->content);
} }
// Don't save an identical summary // Don't save an identical summary
@ -176,15 +176,15 @@ class Blog_entry extends Managed_DataObject
XMLStringer::estring('a', array('href' => $url, XMLStringer::estring('a', array('href' => $url,
'class' => 'blog-entry'), 'class' => 'blog-entry'),
_('More...')); _('More...'));
$content = html_entity_decode(strip_tags($be->summary), ENT_QUOTES, 'UTF-8'); $text = html_entity_decode(strip_tags($be->summary), ENT_QUOTES, 'UTF-8');
} else { } else {
$options['rendered'] = $be->content; $options['rendered'] = $be->content;
$content = html_entity_decode(strip_tags($be->content), ENT_QUOTES, 'UTF-8'); $text = html_entity_decode(strip_tags($be->content), ENT_QUOTES, 'UTF-8');
} }
if (Notice::contentTooLong($content)) { if (Notice::contentTooLong($text)) {
$content = substr($content, 0, Notice::maxContent() - mb_strlen($shortUrl) - 2) . $text = substr($text, 0, Notice::maxContent() - mb_strlen($shortUrl) - 2) .
'… ' . $shortUrl; '… ' . $shortUrl;
} }
@ -195,7 +195,7 @@ class Blog_entry extends Managed_DataObject
$source = array_key_exists('source', $options) ? $source = array_key_exists('source', $options) ?
$options['source'] : 'web'; $options['source'] : 'web';
$saved = Notice::saveNew($profile->id, $content, $source, $options); $saved = Notice::saveNew($profile->id, $text, $source, $options);
return $saved; return $saved;
} }
@ -249,8 +249,11 @@ class Blog_entry extends Managed_DataObject
static function purify($html) static function purify($html)
{ {
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php'; require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
$config = array('safe' => 1, $config = array('safe' => 1,
'deny_attribute' => 'id,style,on*'); 'deny_attribute' => 'id,style,on*');
return htmLawed($html, $config); $pure = htmLawed($html, $config);
return $pure;
} }
} }