webpage content-type -- needs cleaning up and a security check once all the important bits are in place.

2013-09-02 01:38:17 -07:00 · 2013-09-02 01:38:17 -07:00 · 8b7757e033
commit 8b7757e033
parent a35d440ff1
8 changed files with 206 additions and 126 deletions
--- a/include/conversation.php
+++ b/include/conversation.php
@ -1009,9 +1009,16 @@ function status_editor($a,$x,$popup=false) {
 	$geotag = (($x['allow_location']) ? replace_macros(get_markup_template('jot_geotag.tpl'), array()) : '');

 	$plaintext = true;
+
 	if(feature_enabled(local_user(),'richtext'))
 		$plaintext = false;

+	if(intval($x['plaintext']))
+		$plaintext = true;
+
+	if(intval($x['mimeselect']))
+		$mimeselect = mimetype_select($x['profile_uid']);
+
 	$tpl = get_markup_template('jot-header.tpl');
 	
 	$a->page['htmlhead'] .= replace_macros($tpl, array(
@ -1079,6 +1086,7 @@ function status_editor($a,$x,$popup=false) {
 		'$emtitle' => t('Example: bob@example.com, mary@example.com'),
 		'$lockstate' => $x['lockstate'],
 		'$acl' => $x['acl'],
+		'$mimeselect' => $mimeselect,
 		'$showacl' => ((array_key_exists('showacl',$x)) ? $x['showacl'] : 'yes'),
 		'$bang' => $x['bang'],
 		'$profile_uid' => $x['profile_uid'],
--- a/include/items.php
+++ b/include/items.php
@ -1397,14 +1397,10 @@ function item_store($arr,$allow_exec = false) {
 	$arr['item_private']  = ((x($arr,'item_private'))  ? intval($arr['item_private'])        : 0 );
 	$arr['item_flags']    = ((x($arr,'item_flags'))    ? intval($arr['item_flags'])          : 0 );
 	
-	// this is a bit messy - we really need an input filter chain that temporarily undoes obscuring

-	if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
-		if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) 
-			$arr['body'] = escape_tags($arr['body']);
-		if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false)) 
+	$arr['body'] = z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']);
 	$arr['title'] = escape_tags($arr['title']);
-	}
+

 	// only detect language if we have text content, and if the post is private but not yet
 	// obscured, make it so.
--- a/include/text.php
+++ b/include/text.php
@ -81,6 +81,34 @@ function escape_tags($string) {
 }


+function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
+
+	if($type === 'text/bbcode')
+		return escape_tags($s);
+	if($type === 'text/markdown')
+		return escape_tags($s);
+	if($type == 'text/plain')
+		return escape_tags($s);
+	$r = q("select account_id, account_roles from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
+		intval($channel_id)
+	);
+	if($r && ($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWEXEC)) {
+		if(local_user() && (get_account_id() == $r[0]['account_id'])) {
+			return $s;
+		}
+	}
+
+	if($type === 'text/html')
+		return purify_html($s);
+
+	return escape_tags($s);
+	
+}
+
+
+
+
+
 function purify_html($s) {
 	require_once('library/HTMLPurifier.auto.php');
 	require_once('include/html2bbcode.php');
@ -1127,6 +1155,7 @@ function prepare_body(&$item,$attach = false) {
 function prepare_text($text,$content_type = 'text/bbcode') {


+
 	switch($content_type) {

 		case 'text/plain':
@ -1291,6 +1320,37 @@ function unamp($s) {
 }


+function mimetype_select($channel_id, $current = 'text/bbcode') {
+
+	$x = array(
+		'text/bbcode',
+		'text/html',
+		'text/markdown',
+		'text/plain'
+	);
+
+	$r = q("select account_flags from account left join channel on account_id = channel_account_id where
+		channel_id = %d limit 1",
+		intval($channel_id)
+	);
+
+	if($r) {
+		if($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) {
+			$x[] = 'application/x-php';
+		}
+	}
+
+	$o = t('Page content type: ');
+	$o .= '<select name="mimetype" id="mimetype-select">';
+	foreach($x as $y) {
+		$select = (($y == $current)	? ' selected="selected" ' : '');
+		$o .= '<option name="' . $y . '"' . $select . '>' . $y . '</option>';
+	}
+	$o .= '</select>';
+
+	return $o;
+
+}



--- a/mod/blocks.php
+++ b/mod/blocks.php
@ -1,6 +1,6 @@
 <?php

-function webpages_content(&$a) {
+function blocks_content(&$a) {

 	if(argc() > 1)
 		$which = argv(1);
--- a/mod/item.php
+++ b/mod/item.php
@ -44,7 +44,7 @@ function item_post(&$a) {

 	call_hooks('post_local_start', $_REQUEST);

-//	logger('postvars ' . print_r($_REQUEST,true), LOGGER_DATA);
+	logger('postvars ' . print_r($_REQUEST,true), LOGGER_DATA);

 	$api_source = ((x($_REQUEST,'api_source') && $_REQUEST['api_source']) ? true : false);

@ -221,7 +221,7 @@ function item_post(&$a) {
 		$verb              = $orig_post['verb'];
 		$app			   = $orig_post['app'];
 		$title             = escape_tags(trim($_REQUEST['title']));
-		$body              = escape_tags(trim($_REQUEST['body']));
+		$body              = $_REQUEST['body'];
 		$private           = $orig_post['item_private'];

 	}
@ -255,7 +255,7 @@ function item_post(&$a) {
 		$coord             = notags(trim($_REQUEST['coord']));
 		$verb              = notags(trim($_REQUEST['verb']));
 		$title             = escape_tags(trim($_REQUEST['title']));
-		$body              = escape_tags(trim($_REQUEST['body']));
+		$body              = $_REQUEST['body'];

 		$private = ( 
 				(  strlen($str_group_allow) 
@ -310,14 +310,23 @@ function item_post(&$a) {

 	$post_type = notags(trim($_REQUEST['type']));

-	$content_type = notags(trim($_REQUEST['content_type']));
-	if(! $content_type)
-		$content_type = 'text/bbcode';
+	$mimetype = notags(trim($_REQUEST['mimetype']));
+	if(! $mimetype)
+		$mimetype = 'text/bbcode';

+	// Verify ability to use html or php!!!

-// BBCODE alert: the following functions assume bbcode input
-// and will require alternatives for alternative content-types (text/html, text/markdown, text/plain, etc.)
-// we may need virtual or template classes to implement the possible alternatives
+	if($preview) {
+		$body = z_input_filter($profile_uid,$body,$mimetype);
+	}
+
+logger('body: ' . $body);
+
+	if($mimetype === 'text/bbcode') {
+
+		// BBCODE alert: the following functions assume bbcode input
+		// and will require alternatives for alternative content-types (text/html, text/markdown, text/plain, etc.)
+		// we may need virtual or template classes to implement the possible alternatives

 		// Work around doubled linefeeds in Tinymce 3.5b2
 		// First figure out if it's a status post that would've been
@ -460,6 +469,7 @@ function item_post(&$a) {
 				$body = str_replace($match[1],'',$body);
 			}
 		}
+	}

 // BBCODE end alert

@ -530,7 +540,7 @@ function item_post(&$a) {
 	$datarray['changed']        = datetime_convert();
 	$datarray['mid']            = $mid;
 	$datarray['parent_mid']     = $parent_mid;
-	$datarray['mimetype']       = $content_type;
+	$datarray['mimetype']       = $mimetype;
 	$datarray['title']          = $title;
 	$datarray['body']           = $body;
 	$datarray['app']            = $app;
--- a/mod/webpages.php
+++ b/mod/webpages.php
@ -52,10 +52,13 @@ require_once ('include/conversation.php');
 			'bang' => (($group || $cid) ? '!' : ''),
 			'visitor' => 'block',
 			'profile_uid' => intval($owner),
+			'plaintext' => 1,
+			'mimeselect' => 1,
 		);

 		$o .= status_editor($a,$x);

+
 //Get a list of webpages.  We can't display all them because endless scroll makes that unusable, so just list titles and an edit link.
 //TODO - this should be replaced with pagelist_widget

--- a/version.inc
+++ b/version.inc
@ -1 +1 @@
-2013-09-01.423
+2013-09-02.424
--- a/view/tpl/jot.tpl
+++ b/view/tpl/jot.tpl
@ -9,6 +9,9 @@
 		<input type="hidden" name="post_id" value="{{$post_id}}" />
 		<input type="hidden" name="webpage" value="{{$webpage}}" />
 		<input type="hidden" name="preview" id="jot-preview" value="0" />
+
+		{{$mimeselect}}
+
 		<div id="jot-title-wrap"><input name="title" id="jot-title" type="text" placeholder="{{$placeholdertitle}}" value="{{$title}}" class="jothidden" style="display:none"></div>
 		{{if $catsenabled}}
 		<div id="jot-category-wrap"><input name="category" id="jot-category" type="text" placeholder="{{$placeholdercategory}}" value="{{$category}}" class="jothidden" style="display:none" /></div>