forked from GNUsocial/gnu-social
Don't trust local HTML either
If we reallyreally want to include <img> or <script> or whatever then we have to do that after Notice::saveActivity sets ->rendered.
This commit is contained in:
parent
a5c1b063fd
commit
c6ae883ad2
@ -848,13 +848,12 @@ class Notice extends Managed_DataObject
|
|||||||
$stored->url = $url;
|
$stored->url = $url;
|
||||||
$stored->verb = $act->verb;
|
$stored->verb = $act->verb;
|
||||||
|
|
||||||
// Notice content. We trust local users to provide HTML we like, but of course not remote users.
|
|
||||||
// FIXME: What about local users importing feeds? Mirror functions must filter out bad HTML first...
|
|
||||||
$content = $act->content ?: $act->summary;
|
$content = $act->content ?: $act->summary;
|
||||||
if (is_null($content) && !is_null($actobj)) {
|
if (is_null($content) && !is_null($actobj)) {
|
||||||
$content = $actobj->content ?: $actobj->summary;
|
$content = $actobj->content ?: $actobj->summary;
|
||||||
}
|
}
|
||||||
$stored->rendered = $actor->isLocal() ? $content : common_purify($content);
|
// Strip out any bad HTML
|
||||||
|
$stored->rendered = common_purify($content);
|
||||||
// yeah, just don't use getRendered() here since it's not inserted yet ;)
|
// yeah, just don't use getRendered() here since it's not inserted yet ;)
|
||||||
$stored->content = common_strip_html($stored->rendered);
|
$stored->content = common_strip_html($stored->rendered);
|
||||||
if (trim($stored->content) === '') {
|
if (trim($stored->content) === '') {
|
||||||
|
Loading…
Reference in New Issue
Block a user