Don't trust local HTML either

If we really, really want to include `<img>` or `<script>` or whatever, then we
have to do that after Notice::saveActivity sets ->rendered.
This commit is contained in:
Mikael Nordfeldth 2016-01-30 00:00:37 +01:00
parent ef005987a1
commit 5167b1fa40


@ -821,13 +821,12 @@ class Notice extends Managed_DataObject
$stored->url = $url; $stored->url = $url;
$stored->verb = $act->verb; $stored->verb = $act->verb;
// Notice content. We trust local users to provide HTML we like, but of course not remote users.
// FIXME: What about local users importing feeds? Mirror functions must filter out bad HTML first...
$content = $act->content ?: $act->summary; $content = $act->content ?: $act->summary;
if (is_null($content) && !is_null($actobj)) { if (is_null($content) && !is_null($actobj)) {
$content = $actobj->content ?: $actobj->summary; $content = $actobj->content ?: $actobj->summary;
} }
$stored->rendered = $actor->isLocal() ? $content : common_purify($content); // Strip out any bad HTML
$stored->rendered = common_purify($content);
// yeah, just don't use getRendered() here since it's not inserted yet ;) // yeah, just don't use getRendered() here since it's not inserted yet ;)
$stored->content = common_strip_html($stored->rendered); $stored->content = common_strip_html($stored->rendered);