Merge remote-tracking branch red/master into patch-20181113a. Add Mike's fix to search xss and Superblock fix.

Zotlabs/Lib/Enotify.php

@@ -825,7 +825,7 @@ class Enotify {
 
 		// convert this logic into a json array just like the system notifications
 
-		return array(
+		$x = array(
 			'notify_link' => $item['llink'],
 			'name' => $item['author']['xchan_name'],
 			'url' => $item['author']['xchan_url'],
@@ -835,9 +835,19 @@ class Enotify {
 			'b64mid' => ((in_array($item['verb'], [ACTIVITY_LIKE, ACTIVITY_DISLIKE])) ? 'b64.' . base64url_encode($item['thr_parent']) : 'b64.' . base64url_encode($item['mid'])),
 			'notify_id' => 'undefined',
 			'thread_top' => (($item['item_thread_top']) ? true : false),
-			'message' => strip_tags(bbcode($itemem_text))
+			'message' => strip_tags(bbcode($itemem_text)),
+			// these are for the superblock addon
+			'hash' => $item['author']['xchan_hash'],
+			'uid' => local_channel(),
+			'display' => true
 		);
 
+		call_hooks('enotify_format',$x);
+		if(! $x['display']) {
+			return [];
+		}
+
+		return $x;
 	}
 
 }

Zotlabs/Module/Search.php

@@ -6,7 +6,7 @@ class Search extends \Zotlabs\Web\Controller {
 
 	function init() {
 		if(x($_REQUEST,'search'))
-			\App::$data['search'] = $_REQUEST['search'];
+			\App::$data['search'] = escape_tags($_REQUEST['search']);
 	}
 	
 	
@@ -46,12 +46,12 @@ class Search extends \Zotlabs\Web\Controller {
 		if(x(\App::$data,'search'))
 			$search = trim(\App::$data['search']);
 		else
-			$search = ((x($_GET,'search')) ? trim(rawurldecode($_GET['search'])) : '');
+			$search = ((x($_GET,'search')) ? trim(escape_tags(rawurldecode($_GET['search']))) : '');
 	
 		$tag = false;
 		if(x($_GET,'tag')) {
 			$tag = true;
-			$search = ((x($_GET,'tag')) ? trim(rawurldecode($_GET['tag'])) : '');
+			$search = ((x($_GET,'tag')) ? trim(escape_tags(rawurldecode($_GET['tag']))) : '');
 		}
 
 		$static = ((array_key_exists('static',$_REQUEST)) ? intval($_REQUEST['static']) : 0);