Commit Graph

994 Commits

Author SHA1 Message Date
Mikael Nordfeldth
8dd06cd8d8 Harmonize webfinger formatting and enable variable pre-mention character 2017-08-10 11:25:04 +02:00
Mikael Nordfeldth
945920f24d Mimetype was not recognized if longer than bare mime 2017-08-05 09:50:42 +02:00
Mikael Nordfeldth
56e2b0007c Issue #279 raises the point of missing newlines 2017-07-11 21:58:24 +02:00
Mikael Nordfeldth
709f1bbd75 Return false immediately if $url is empty for common_valid_http_url 2017-05-06 12:25:27 +02:00
Mikael Nordfeldth
e6b3924a5d common_to_alphanumeric added, filtering Notice->source in classic layout 2016-09-02 00:08:17 +02:00
Mikael Nordfeldth
71afb5be75 If the file is text/plain, see if we accept the extension 2016-07-06 09:34:09 +02:00
Mikael Nordfeldth
4117118e23 More specific exceptions for mimetype/extension issues. 2016-07-06 09:14:59 +02:00
Mikael Nordfeldth
b4a0bff740 Some mimetype madness! 2016-07-06 08:59:16 +02:00
Thomas Karpiniec
c1537a1e82 Use noreferrer when linkifying attachments and allow this value in purifier 2016-06-09 19:56:36 +10:00
Mikael Nordfeldth
44ea8aa681 Make sure $_SERVER['HTTP_REFERER'] isset when testing value 2016-03-31 20:51:50 +02:00
Mikael Nordfeldth
5ca2a28246 Make oEmbed handle our http/https setting better. 2016-03-10 14:20:21 +01:00
Mikael Nordfeldth
bd75305560 Define-ify excluded end-characters of URL autolinking 2016-03-09 15:16:47 +01:00
Mikael Nordfeldth
d179afa303 Save allowed path/qstring/fragment characters in constants 2016-03-09 14:51:52 +01:00
Mikael Nordfeldth
dc1ceca86e Some more Microformats2 data for notices and rendering 2016-03-02 13:29:54 +01:00
Mikael Nordfeldth
747c91210f HTMLPurifier cache settings, put stuff in subdir of get_sys_temp_dir() 2016-02-28 13:30:47 +01:00
Mikael Nordfeldth
cd978fa153 Edited the list of allowed rel values 2016-02-28 13:16:52 +01:00
Mikael Nordfeldth
52a3764ae4 Resolve relative URLs (assuming URI.Base==notice URL)
The real way to do this would be to get the xml:base property from
the Atom feed but it's probably not there in any posts we see today.
2016-02-26 14:46:26 +01:00
Mikael Nordfeldth
29662eef5e Mentioning matches (@this too) now. 2016-02-26 00:08:51 +01:00
Mikael Nordfeldth
5f7032dfee Verify that authenticated API calls are made from our domain name.
Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
2016-02-22 15:19:10 +01:00
Mikael Nordfeldth
ce803f6d06 WebFinger aliases with 'index.php/' 2016-02-21 20:00:07 +01:00
Mikael Nordfeldth
893d117309 throw new, not just throw 2016-02-21 19:01:37 +01:00
Mikael Nordfeldth
23e66bef64 common_fake_local_fancy_url to remove index.php/ from a local URL 2016-02-21 18:48:18 +01:00
Mikael Nordfeldth
ec257d940a Either use or don't use HTTPS
The risk of injection attacks using HTTP is too great to allow a
site that allows both HTTP and HTTPS...
2016-02-10 00:57:39 +01:00
Mikael Nordfeldth
2686635f60 Keep the rel="tag" in HTML when purifying 2016-02-07 12:50:26 +01:00
Mikael Nordfeldth
9960714896 Disallow zero-length magnet URIs
magnet: would match, but now we have a zero-length lookahead which
requires the following character to be a question mark: magnet:?
2016-02-03 15:26:19 +01:00
Mikael Nordfeldth
349dba8be0 Only allow our specified URI schemes 2016-02-03 14:31:16 +01:00
Mikael Nordfeldth
e903bd0bc3 Hacky support for geo URI detection
Won't work with common_purify yet because there is no geo uri scheme for it
2016-02-03 14:19:08 +01:00
Mikael Nordfeldth
b1ed1f48ea Configurable linkify for bare IPv4/IPv6 2016-02-03 12:55:00 +01:00
Mikael Nordfeldth
a2b914ce60 Get URL schemes by URL type 2016-02-03 00:18:37 +01:00
Mikael Nordfeldth
36f099958c Don't match @nickname on @nickname@server.com 2016-01-29 15:53:58 +01:00
Mikael Nordfeldth
cb40f72c7e Use the profile URI when linking instead of URL
since we'll then get to /user/$id instead of /$nickname which is
good for future archives if someone changes their nickname...
2016-01-29 15:21:01 +01:00
Mikael Nordfeldth
7e6783bb8f Replace htmLawed with HTMLPurifier 2016-01-28 19:01:13 +01:00
mmn
42545c6625 Merge branch 'mention_branch' into 'nightly'
correct mentions if parent mentions multiple users with same nickname (don't use first one for all)



See merge request !82
2016-01-26 21:15:25 +00:00
Mikael Nordfeldth
a9d18a077e Harmonize, clarify, categorize URL schemes
Regular expression + avoid-redirection list now match each other.
2016-01-24 12:47:31 +01:00
Mikael Nordfeldth
1cec627d72 Allow bitcoin scheme to URLs 2016-01-24 12:44:28 +01:00
hannes
de047f9727 correct mentions if parent mention multiple users with same nickname (don't use first one for all) 2016-01-19 13:41:25 +00:00
mmn
44c10bb2aa Merge branch 'oembed_branch' into 'nightly'
purify oembed html and don't allow cdata

hopefully we never need stuff in cdata

reason for this is that this link serves javascript in its oembed data: https://www.maketecheasier.com/switch-windows-10-to-linux/

see:
https://www.maketecheasier.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.maketecheasier.com%2Fswitch-windows-10-to-linux%2F

i don't feel we want that in our database.  

See merge request !79
2016-01-15 13:11:35 +00:00
Mikael Nordfeldth
29b45bb87a Unnecessary call to User::getKV 2016-01-13 20:08:17 +01:00
Mikael Nordfeldth
818aaa0578 We didn't get profiles from the new-style attention system 2016-01-13 18:35:25 +01:00
hannes
3e7e3de554 don't allow cdata elements in purified html 2016-01-13 16:01:27 +00:00
Mikael Nordfeldth
8c28e54ccc same as previous, but for mime_to_ext 2016-01-12 13:14:17 +01:00
Mikael Nordfeldth
dbe5d72e4c If all file extensions are supported we have no list of comparisons 2016-01-12 13:08:54 +01:00
hannes
a1b509bb0b forgot we need access to $html too 2016-01-11 20:58:34 +00:00
hannes
8d331b0f35 EndCommonPurify event 2016-01-11 20:54:19 +00:00
Mikael Nordfeldth
1a46d86ca6 lib/util.php quick function to do var_export($var,true)
Immensely useful when debugging and we want to put quotes around strings,
potentially stopping any "evil logging attacks" (where input data masks
as logging data).
2016-01-11 19:52:54 +01:00
Mikael Nordfeldth
5ef10a14ef Get group attentions too for outbound notices 2016-01-09 15:06:44 +01:00
Mikael Nordfeldth
33194b3cff Attention goes to the parent notice author too 2016-01-08 02:58:31 +01:00
Mikael Nordfeldth
801ca3531b common_find_attentions to populate activities from content text 2016-01-07 23:23:37 +01:00
Mikael Nordfeldth
be58fd64f5 Use index for File url (urlhash) 2016-01-07 18:13:10 +01:00
hannes
0b4b0de412 longurl in href 2016-01-05 23:14:51 +00:00