From 15ab9ff9e3303255ff14166ee86ffdf3bc4f52ce Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Fri, 2 Sep 2016 00:08:17 +0200 Subject: [PATCH 1/2] common_to_alphanumeric added, filtering Notice->source in classic layout --- lib/activityhandlerplugin.php | 5 +++++ lib/noticelistitem.php | 6 ++++-- lib/util.php | 9 +++++++++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/lib/activityhandlerplugin.php b/lib/activityhandlerplugin.php index 8f28da85d6..b22096be0e 100644 --- a/lib/activityhandlerplugin.php +++ b/lib/activityhandlerplugin.php @@ -552,6 +552,11 @@ abstract class ActivityHandlerPlugin extends Plugin if ($nli->notice->scope != 0 && $nli->notice->scope != 1) { $class .= ' limited-scope'; } + try { + $class .= ' notice-source-'.common_to_alphanumeric($this->notice->source); + } catch (Exception $e) { + // either source or what we filtered out was a zero-length string + } $nli->out->elementStart('li', array('class' => $class, 'id' => 'notice-' . $id)); } diff --git a/lib/noticelistitem.php b/lib/noticelistitem.php index 4c4bde34a1..387d2f3762 100644 --- a/lib/noticelistitem.php +++ b/lib/noticelistitem.php @@ -227,8 +227,10 @@ class NoticeListItem extends Widget if ($this->notice->scope != 0 && $this->notice->scope != 1) { $class .= ' limited-scope'; } - if (!empty($this->notice->source)) { - $class .= ' notice-source-'.$this->notice->source; + try { + $class .= ' notice-source-'.common_to_alphanumeric($this->notice->source); + } catch (Exception $e) { + // either source or what we filtered out was a zero-length string } $id_prefix = (strlen($this->id_prefix) ? $this->id_prefix . '-' : ''); $this->out->elementStart($this->item_tag, array('class' => $class, diff --git a/lib/util.php b/lib/util.php index c87b0f1bf6..a177c92a25 100644 --- a/lib/util.php +++ b/lib/util.php 
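Review bot: The added line in lib/activityhandlerplugin.php reads `$this->notice->source`, but the context two lines above addresses the notice as `$nli->notice` (`$nli->notice->scope`) and `$this` here is the plugin, so the lookup is on the wrong object; it should be `$class .= ' notice-source-'.common_to_alphanumeric($nli->notice->source);`. Unless the plugin happens to have a `notice` property of its own, the read yields null with an undefined-property warning, common_to_alphanumeric then throws on the empty result, and the `catch (Exception $e)` swallows it, so the class is silently never added on this code path. Narrowing the catch to the specific exception the helper throws, or checking the source before calling, would keep unrelated failures visible. The enclosing method starts and ends outside this hunk.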
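Review bot: The try/catch in lib/noticelistitem.php replaces the old `!empty()` guard, but nothing in the hunk says why the value is filtered before it becomes a CSS class, which a later maintainer may "simplify" away; a why-comment above the `try` would preserve the intent, e.g. `// source is not under our control: keep only [A-Za-z0-9] so it cannot add extra classes or break the attribute`. The existing comment `// either source or what we filtered out was a zero-length string` documents the catch well, but because `common_to_alphanumeric` throws a plain `Exception`, the `catch (Exception $e)` would also hide any other exception raised in the try block if more code is added there later. The enclosing method starts and ends outside this hunk.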
@@ -580,6 +580,15 @@ function common_canonical_email($email) return $email; } +function common_to_alphanumeric($str) +{ + $filtered = preg_replace('/[^A-Za-z0-9]\s*/', '', $str); + if (strlen($filtered) < 1) { + throw new Exception('Filtered string was zero-length.'); + } + return $filtered; +} + function common_purify($html) { require_once INSTALLDIR.'/extlib/HTMLPurifier/HTMLPurifier.auto.php'; From a7043bf7cc6956abd344149332290564eda5d1f4 Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Fri, 2 Sep 2016 00:55:46 +0200 Subject: [PATCH 2/2] Split up source and source_link. Never trust HTML! https://community.highlandarrow.com/notice/269667 or alternatively: https://social.umeahackerspace.se/conversation/495655 --- actions/apisearchatom.php | 16 +++++++-------- classes/Notice.php | 6 +----- lib/apiaction.php | 16 +++++++-------- lib/jsonsearchresultslist.php | 37 +++++++++++++++++++++++------------ 4 files changed, 41 insertions(+), 34 deletions(-) diff --git a/actions/apisearchatom.php b/actions/apisearchatom.php index 7e79808a96..def999e632 100644 --- a/actions/apisearchatom.php +++ b/actions/apisearchatom.php @@ -337,21 +337,21 @@ class ApiSearchAtomAction extends ApiPrivateAuthAction // @todo: Here is where we'd put in a link to an atom feed for threads $source = null; + $source_link = null; $ns = $notice->getSource(); if ($ns instanceof Notice_source) { - if (!empty($ns->name) && !empty($ns->url)) { - $source = '' - . htmlspecialchars($ns->name) - . ''; - } else { - $source = $ns->code; + $source = $ns->code; + if (!empty($ns->url)) { + $source_link = $ns->url; + if (!empty($ns->name)) { + $source = $ns->name; + } } } $this->element("twitter:source", null, $source); + $this->element("twitter:source_link", null, $source_link); $this->elementStart('author'); diff --git a/classes/Notice.php b/classes/Notice.php index 07406cc2fd..a7effe4d5b 100644 --- a/classes/Notice.php +++ b/classes/Notice.php 
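Review bot: `common_to_alphanumeric` in lib/util.php has no docblock, and its pattern is more complicated than its effect: `[^A-Za-z0-9]` already matches whitespace, so the trailing `\s*` never changes the result and `preg_replace('/[^A-Za-z0-9]+/', '', $str)` is equivalent. `preg_replace` returns null on a PCRE error, which `strlen` turns into the same "zero-length" exception and hides the real cause; an explicit `if ($filtered === null)` check before the length test would separate the two. Throwing a bare `Exception` forces callers to `catch (Exception $e)`, which catches everything; a narrower type such as `InvalidArgumentException` lets them catch just this case. A docblock should state the contract, e.g. `Strip everything except ASCII letters and digits from $str; throws Exception when nothing remains (note: non-ASCII letters are removed too).`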
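Review bot: In actions/apisearchatom.php `$source_link` is emitted as `twitter:source_link` straight from `$ns->url` with no check on its scheme; the commit title says the HTML this replaces was not to be trusted, and if the URL comes from the same registered source record as `$ns->name` (which the old code passed through htmlspecialchars), a consumer that renders this field as a link could receive a non-http URL. Unless the URL is already validated when the source is registered, guarding the assignment, e.g. `if (!empty($ns->url) && preg_match('#^https?://#i', $ns->url)) {`, keeps the field to web links; the same assignment appears in lib/apiaction.php and lib/jsonsearchresultslist.php in this series. `$source` is no longer escaped before `$this->element("twitter:source", null, $source)`, which is fine only if `element()` escapes text content itself — worth confirming. The enclosing method starts and ends outside this hunk.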
@@ -2101,11 +2101,7 @@ class Notice extends Managed_DataObject if (!empty($ns->url)) { $noticeInfoAttr['source_link'] = $ns->url; if (!empty($ns->name)) { - $noticeInfoAttr['source'] = '' - . htmlspecialchars($ns->name) - . ''; + $noticeInfoAttr['source'] = $ns->name; } } } diff --git a/lib/apiaction.php b/lib/apiaction.php index 6f2f43ab9c..723e589408 100644 --- a/lib/apiaction.php +++ b/lib/apiaction.php @@ -337,22 +337,22 @@ class ApiAction extends Action $twitter_status['in_reply_to_status_id'] = $in_reply_to; $source = null; + $source_link = null; $ns = $notice->getSource(); if ($ns instanceof Notice_source) { - if (!empty($ns->name) && !empty($ns->url)) { - $source = '' - . htmlspecialchars($ns->name) - . ''; - } else { - $source = $ns->code; + $source = $ns->code; + if (!empty($ns->url)) { + $source_link = $ns->url; + if (!empty($ns->name)) { + $source = $ns->name; + } } } $twitter_status['uri'] = $notice->getUri(); $twitter_status['source'] = $source; + $twitter_status['source_link'] = $source_link; $twitter_status['id'] = intval($notice->id); $replier_profile = null; diff --git a/lib/jsonsearchresultslist.php b/lib/jsonsearchresultslist.php index 0f764a72be..80dc33e323 100644 --- a/lib/jsonsearchresultslist.php +++ b/lib/jsonsearchresultslist.php @@ -184,7 +184,8 @@ class ResultItem var $id; var $from_user_id; var $iso_language_code; - var $source; + var $source = null; + var $source_link = null; var $profile_image_url; var $created_at; @@ -234,7 +235,8 @@ class ResultItem $this->iso_language_code = Profile_prefs::getConfigData($this->profile, 'site', 'language'); - $this->source = $this->getSourceLink($this->notice->source); + // set source and source_link + $this->setSourceData(); $this->profile_image_url = $this->profile->avatarUrl(AVATAR_STREAM_SIZE); 
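Review bot: The block `$source = $ns->code; if (!empty($ns->url)) { ... }` added in lib/apiaction.php is the third copy of the same resolution logic in this series (actions/apisearchatom.php and lib/jsonsearchresultslist.php carry identical lines), so the precedence rule — code by default, name only when a URL is registered — must be kept in sync in three places. A small helper on the source record that returns the display name and link together would reduce each caller to one assignment and is the natural place for the URL check. `$twitter_status['source_link']` is a new key in the status array; a one-line comment such as `// null when the source has no registered URL` would tell the serializers that read this array what to expect. The enclosing method starts and ends outside this hunk.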
@@ -242,34 +244,43 @@ class ResultItem } /** - * Show the source of the notice + * Set the notice's source data (api/app name and URL) * * Either the name (and link) of the API client that posted the notice, - * or one of other other channels. + * or one of other other channels. Uses the local notice object. * - * @param string $source the source of the Notice - * - * @return string a fully rendered source of the Notice + * @return void */ - function getSourceLink($source) + function setSourceData() { - // Gettext translations for the below source types are available. - $source_name = _($source); + $source = null; + $source_link = null; + switch ($source) { case 'web': case 'xmpp': case 'mail': case 'omb': case 'api': + // Gettext translations for the below source types are available. + $source = _($this->notice->source); break; + default: - $ns = Notice_source::getKV($source); + $ns = Notice_source::getKV($this->notice->source); if ($ns instanceof Notice_source) { - $source_name = '' . $ns->name . ''; + $source = $ns->code; + if (!empty($ns->url)) { + $source_link = $ns->url; + if (!empty($ns->name)) { + $source = $ns->name; + } + } } break; } - return $source_name; + $this->source = $source; + $this->source_link = $source_link; } }
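Review bot: `switch ($source) {` on the context line directly after the added `$source = null;` now always switches on null, so the `'web'`, `'xmpp'`, `'mail'`, `'omb'` and `'api'` cases can never match and every notice falls into `default`, where `Notice_source::getKV` is queried even for the built-in channels; the line should read `switch ($this->notice->source) {`. With that fix, `$this->source` still stays null whenever the lookup in `default` fails, whereas the removed code fell back to `_($source)`; if that is intended, a comment in the default branch such as `// unregistered sources are not echoed back` would record it. The moved comment `// Gettext translations for the below source types are available.` now sits inside the case list, so "below" no longer points at anything; `// Gettext translations for these built-in source types are available.` reads correctly.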