harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply purify_html to page content before preview and save to prevent JavaScript code injection.

Browse Source
This commit is contained in:
Andrew Manning 2016-06-12 07:17:23 -04:00
parent 0cada39c8a
commit e109abbef7
2 changed files with 4 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Zotlabs/Module/Wiki.php
View File

@ -167,7 +167,7 @@ class Wiki extends \Zotlabs\Web\Controller {
if((argc() > 2) && (argv(2) === 'preview')) { if((argc() > 2) && (argv(2) === 'preview')) {
$content = $_POST['content']; $content = $_POST['content'];
require_once('library/markdown.php'); require_once('library/markdown.php');
$html = Markdown($content); $html = purify_html(Markdown($content));
json_return_and_die(array('html' => $html, 'success' => true)); json_return_and_die(array('html' => $html, 'success' => true));
} }
@ -182,18 +182,6 @@ class Wiki extends \Zotlabs\Web\Controller {
// more detail permissions framework // more detail permissions framework
if (local_channel() !== intval($channel['channel_id'])) { if (local_channel() !== intval($channel['channel_id'])) {
goaway('/'.argv(0).'/'.$nick.'/'); goaway('/'.argv(0).'/'.$nick.'/');
} else {
/*
$channel = get_channel_by_nick($nick);
// Figure out who the page owner is.
$perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
// TODO: Create a new permission setting for wiki analogous to webpages. Until
// then, use webpage permissions
if (!$perms['write_pages']) {
notice(t('Permission denied.') . EOL);
goaway('/'.argv(0).'/'.argv(1).'/');
}
*/
} }
$wiki = array(); $wiki = array();
// Generate new wiki info from input name // Generate new wiki info from input name
@ -306,7 +294,7 @@ class Wiki extends \Zotlabs\Web\Controller {
$resource_id = $_POST['resource_id']; $resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['name']; $pageUrlName = $_POST['name'];
$pageHtmlName = escape_tags($_POST['name']); $pageHtmlName = escape_tags($_POST['name']);
$content = escape_tags($_POST['content']); //Get new content $content = $_POST['content']; //Get new content
$commitMsg = $_POST['commitMsg']; $commitMsg = $_POST['commitMsg'];
if ($commitMsg === '') { if ($commitMsg === '') {
$commitMsg = 'Updated ' . $pageHtmlName; $commitMsg = 'Updated ' . $pageHtmlName;

2
include/wiki.php
View File

@ -279,7 +279,7 @@ function wiki_page_history($arr) {
function wiki_save_page($arr) { function wiki_save_page($arr) {
$pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : ''); $pageUrlName = ((array_key_exists('pageUrlName',$arr)) ? $arr['pageUrlName'] : '');
$content = ((array_key_exists('content',$arr)) ? $arr['content'] : ''); $content = ((array_key_exists('content',$arr)) ? purify_html($arr['content']) : '');
$resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : ''); $resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : '');
$w = wiki_get_wiki($resource_id); $w = wiki_get_wiki($resource_id);
if (!$w['path']) { if (!$w['path']) {