Merge pull request #9540 from MrPetovan/bug/9538-security-blind-attack-username
Escape contact names in several HTML snippets/jQuery insert contexts
commit
c6d647b8df
14 changed files with 39 additions and 47 deletions
mod/ping.php
|
@ -133,7 +133,7 @@ function ping_init(App $a)
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
$notifs = ping_get_notifications(local_user());
|
$notifications = ping_get_notifications(local_user());
|
||||||
|
|
||||||
$condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)",
|
$condition = ["`unseen` AND `uid` = ? AND NOT `origin` AND (`vid` != ? OR `vid` IS NULL)",
|
||||||
local_user(), Verb::getID(Activity::FOLLOW)];
|
local_user(), Verb::getID(Activity::FOLLOW)];
|
||||||
|
@ -263,8 +263,8 @@ function ping_init(App $a)
|
||||||
$data['birthdays'] = $birthdays;
|
$data['birthdays'] = $birthdays;
|
||||||
$data['birthdays-today'] = $birthdays_today;
|
$data['birthdays-today'] = $birthdays_today;
|
||||||
|
|
||||||
if (DBA::isResult($notifs)) {
|
if (DBA::isResult($notifications)) {
|
||||||
foreach ($notifs as $notif) {
|
foreach ($notifications as $notif) {
|
||||||
if ($notif['seen'] == 0) {
|
if ($notif['seen'] == 0) {
|
||||||
$sysnotify_count ++;
|
$sysnotify_count ++;
|
||||||
}
|
}
|
||||||
|
@ -277,14 +277,14 @@ function ping_init(App $a)
|
||||||
$notif = [
|
$notif = [
|
||||||
'id' => 0,
|
'id' => 0,
|
||||||
'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'],
|
'href' => DI::baseUrl() . '/notifications/intros/' . $intro['id'],
|
||||||
'name' => $intro['name'],
|
'name' => BBCode::convert($intro['name']),
|
||||||
'url' => $intro['url'],
|
'url' => $intro['url'],
|
||||||
'photo' => $intro['photo'],
|
'photo' => $intro['photo'],
|
||||||
'date' => $intro['datetime'],
|
'date' => $intro['datetime'],
|
||||||
'seen' => false,
|
'seen' => false,
|
||||||
'message' => DI::l10n()->t('{0} wants to be your friend'),
|
'message' => DI::l10n()->t('{0} wants to be your friend'),
|
||||||
];
|
];
|
||||||
$notifs[] = $notif;
|
$notifications[] = $notif;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -314,7 +314,7 @@ function ping_init(App $a)
|
||||||
'seen' => false,
|
'seen' => false,
|
||||||
'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1),
|
'message' => DI::l10n()->t('{0} and %d others requested registration', count($regs) - 1),
|
||||||
];
|
];
|
||||||
$notifs[] = $notif;
|
$notifications[] = $notif;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -337,28 +337,16 @@ function ping_init(App $a)
|
||||||
}
|
}
|
||||||
return ($adate < $bdate) ? 1 : -1;
|
return ($adate < $bdate) ? 1 : -1;
|
||||||
};
|
};
|
||||||
usort($notifs, $sort_function);
|
usort($notifications, $sort_function);
|
||||||
|
|
||||||
if (DBA::isResult($notifs)) {
|
array_walk($notifications, function (&$notification) {
|
||||||
foreach ($notifs as $notif) {
|
if (empty($notification['photo'])) {
|
||||||
$contact = Contact::getByURL($notif['url'], false, ['micro', 'id', 'avatar']);
|
$contact = Contact::getByURL($notification['url'], false, ['micro', 'id', 'avatar']);
|
||||||
$notif['photo'] = Contact::getMicro($contact, $notif['photo']);
|
$notification['photo'] = Contact::getMicro($contact, $notif['photo']);
|
||||||
|
|
||||||
$local_time = DateTimeFormat::local($notif['date']);
|
|
||||||
|
|
||||||
$notifications[] = [
|
|
||||||
'id' => $notif['id'],
|
|
||||||
'href' => $notif['href'],
|
|
||||||
'name' => $notif['name'],
|
|
||||||
'url' => $notif['url'],
|
|
||||||
'photo' => $notif['photo'],
|
|
||||||
'date' => Temporal::getRelativeDate($notif['date']),
|
|
||||||
'message' => $notif['message'],
|
|
||||||
'seen' => $notif['seen'],
|
|
||||||
'timestamp' => strtotime($local_time)
|
|
||||||
];
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$notification['timestamp'] = DateTimeFormat::local($notification['date']);
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
$sysmsgs = [];
|
$sysmsgs = [];
|
||||||
|
|
|
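Review bot: Inside the new `array_walk` closure, `Contact::getMicro($contact, $notif['photo'])` reads `$notif`, which is neither the closure's parameter nor captured with `use`, so it is undefined there and the fallback argument is always null; the line should be `$notification['photo'] = Contact::getMicro($contact, $notification['photo']);`. The closure also replaces the previous `'timestamp' => strtotime($local_time)` (an integer) with `DateTimeFormat::local($notification['date'])` (a string) and no longer passes `date` through `Temporal::getRelativeDate()`; if the ping consumers sort or compare on `timestamp`, that is a behavior change the description does not mention and is worth confirming. `ping_init` continues outside the hunk.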
@ -23,6 +23,7 @@ namespace Friendica\Module\Notifications;
|
||||||
|
|
||||||
use Friendica\Content\ContactSelector;
|
use Friendica\Content\ContactSelector;
|
||||||
use Friendica\Content\Nav;
|
use Friendica\Content\Nav;
|
||||||
|
use Friendica\Content\Text\BBCode;
|
||||||
use Friendica\Core\Protocol;
|
use Friendica\Core\Protocol;
|
||||||
use Friendica\Core\Renderer;
|
use Friendica\Core\Renderer;
|
||||||
use Friendica\Database\DBA;
|
use Friendica\Database\DBA;
|
||||||
|
@ -124,9 +125,11 @@ class Introductions extends BaseNotifications
|
||||||
$knowyou = '';
|
$knowyou = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$convertedName = BBCode::convert($notification->getName());
|
||||||
|
|
||||||
$helptext = DI::l10n()->t('Shall your connection be bidirectional or not?');
|
$helptext = DI::l10n()->t('Shall your connection be bidirectional or not?');
|
||||||
$helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $notification->getName(), $notification->getName());
|
$helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $convertedName, $convertedName);
|
||||||
$helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $notification->getName());
|
$helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $convertedName);
|
||||||
|
|
||||||
$friend = ['duplex', DI::l10n()->t('Friend'), '1', $helptext2, true];
|
$friend = ['duplex', DI::l10n()->t('Friend'), '1', $helptext2, true];
|
||||||
$follower = ['duplex', DI::l10n()->t('Subscriber'), '0', $helptext3, false];
|
$follower = ['duplex', DI::l10n()->t('Subscriber'), '0', $helptext3, false];
|
||||||
|
|
|
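Review bot: The reason for `$convertedName` is not visible at the call site and a later edit could easily pass `$notification->getName()` again; a short comment above it would preserve the intent, e.g. `// Contact names may carry BBCode/markup; convert once so the raw name never reaches the HTML help texts (#9538).` The fix relies on `BBCode::convert()` neutralizing raw markup in its input, which is not shown here, and on the template not escaping `$helptext2`/`$helptext3` a second time (which would double-encode the converted name); both are worth confirming. The enclosing method continues outside the hunk.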
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
$("nav").bind('nav-update', function(e,data){
|
$("nav").bind('nav-update', function(e,data){
|
||||||
var elm = $('#pending-update');
|
var elm = $('#pending-update');
|
||||||
var register = $(data).find('register').text();
|
var register = $(data).find('register').html();
|
||||||
if (register=="0") { register=""; elm.hide();} else { elm.show(); }
|
if (register=="0") { register=""; elm.hide();} else { elm.show(); }
|
||||||
elm.html(register);
|
elm.html(register);
|
||||||
});
|
});
|
||||||
|
|
|
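Review bot: `register` is a numeric count, so reading it with `.html()` just to keep entities encoded on `elm.html(register)` is a roundabout guard; the template hunk later in this commit (`@ -3,9 +3,10 @@`) parses the value instead, and doing the same here keeps the two themes consistent and makes the insert safe regardless of how the XML was produced: `var register = parseInt($(data).find('register').text(), 10) || 0;` followed by `if (register === 0) { elm.hide().empty(); } else { elm.show().text(register); }`. The handler is complete within the hunk.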
@ -168,7 +168,7 @@
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
});
|
});
|
||||||
if(selstr == null) {
|
if(selstr == null) {
|
||||||
|
|
|
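Review bot: The switch from `$(this).text()` to `$(this).html()` on the selected `<option>` only matters because `selstr` is later written back with `.html()` (that insertion is outside the hunk, so it is inferred), and nothing at the assignment says so; a future cleanup could revert it to `.text()` and reintroduce the markup round-trip. A one-line comment would protect the intent, e.g. `// .html() keeps entities encoded; selstr is re-inserted into the DOM as HTML`. The same change is repeated in the `@ -10,7`, `@ -9,7`, `@ -23,7`, `@ -5,7`, `@ -86,7` and `@ -170,7` hunks of the other theme files, where the same comment applies.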
@ -10,7 +10,7 @@
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
});
|
});
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
});
|
});
|
||||||
|
|
|
@ -23,7 +23,7 @@ $(document).ready(function() {
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
});
|
});
|
||||||
if (selstr == null) {
|
if (selstr == null) {
|
||||||
|
|
|
@ -5,7 +5,7 @@ $(document).ready(function() {
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
});
|
});
|
||||||
|
|
|
@ -192,12 +192,12 @@ function loadModalTitle() {
|
||||||
var title = "";
|
var title = "";
|
||||||
|
|
||||||
// Get the text of the first element with "heading" class.
|
// Get the text of the first element with "heading" class.
|
||||||
title = $("#modal-body .heading").first().text();
|
title = $("#modal-body .heading").first().html();
|
||||||
|
|
||||||
// for event modals we need some speacial handling
|
// for event modals we need some speacial handling
|
||||||
if($("#modal-body .event-wrapper .event-summary").length) {
|
if($("#modal-body .event-wrapper .event-summary").length) {
|
||||||
title = '<i class="fa fa-calendar" aria-hidden="true"></i> ';
|
title = '<i class="fa fa-calendar" aria-hidden="true"></i> ';
|
||||||
var eventsum = $("#modal-body .event-wrapper .event-summary").text();
|
var eventsum = $("#modal-body .event-wrapper .event-summary").html();
|
||||||
title = title + eventsum;
|
title = title + eventsum;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
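Review bot: The comment `// Get the text of the first element with "heading" class.` now describes the old behavior; the line reads the inner markup with `.html()` so that encoded entities survive when `title` is written back as HTML. Suggest `// Read the inner HTML (not .text()) so encoded entities survive when the title is inserted with .html().` `title` is consumed after the hunk, so the insert context is inferred rather than visible; the `eventsum` line has the same intent and could share the comment.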
@ -146,7 +146,7 @@ $(document).ready(function(){
|
||||||
if( $(".search-content-wrapper").length ) {
|
if( $(".search-content-wrapper").length ) {
|
||||||
// get the text of the heading (we catch the plain text because we don't
|
// get the text of the heading (we catch the plain text because we don't
|
||||||
// want to have a h4 heading in the navbar
|
// want to have a h4 heading in the navbar
|
||||||
var searchText = $(".section-title-wrapper > h2").text();
|
var searchText = $(".section-title-wrapper > h2").html();
|
||||||
// insert the plain text in a <h4> heading and give it a class
|
// insert the plain text in a <h4> heading and give it a class
|
||||||
var newText = '<h4 class="search-heading">'+searchText+'</h4>';
|
var newText = '<h4 class="search-heading">'+searchText+'</h4>';
|
||||||
// append the new heading to the navbar
|
// append the new heading to the navbar
|
||||||
|
@ -208,7 +208,7 @@ $(document).ready(function(){
|
||||||
// get the heading element
|
// get the heading element
|
||||||
var heading = $(".network-content-wrapper > .section-title-wrapper > h2");
|
var heading = $(".network-content-wrapper > .section-title-wrapper > h2");
|
||||||
// get the text of the heading
|
// get the text of the heading
|
||||||
var headingContent = heading.text();
|
var headingContent = heading.html();
|
||||||
// create a new element with the content of the heading
|
// create a new element with the content of the heading
|
||||||
var newText = '<h4 class="heading" data-toggle="tooltip" title="'+headingContent+'">'+headingContent+'</h4>';
|
var newText = '<h4 class="heading" data-toggle="tooltip" title="'+headingContent+'">'+headingContent+'</h4>';
|
||||||
// remove the old heading element
|
// remove the old heading element
|
||||||
|
@ -221,7 +221,7 @@ $(document).ready(function(){
|
||||||
// get the heading element
|
// get the heading element
|
||||||
var heading = $(".community-content-wrapper > h3").first();
|
var heading = $(".community-content-wrapper > h3").first();
|
||||||
// get the text of the heading
|
// get the text of the heading
|
||||||
var headingContent = heading.text();
|
var headingContent = heading.html();
|
||||||
// create a new element with the content of the heading
|
// create a new element with the content of the heading
|
||||||
var newText = '<h4 class="heading">'+headingContent+'</h4>';
|
var newText = '<h4 class="heading">'+headingContent+'</h4>';
|
||||||
// remove the old heading element
|
// remove the old heading element
|
||||||
|
@ -790,7 +790,7 @@ function bin2hex (s) {
|
||||||
// Dropdown menus with the class "dropdown-head" will display the active tab
|
// Dropdown menus with the class "dropdown-head" will display the active tab
|
||||||
// as button text
|
// as button text
|
||||||
function toggleDropdownText(elm) {
|
function toggleDropdownText(elm) {
|
||||||
$(elm).closest(".dropdown").find('.btn').html($(elm).text() + ' <span class="caret"></span>');
|
$(elm).closest(".dropdown").find('.btn').html($(elm).html() + ' <span class="caret"></span>');
|
||||||
$(elm).closest(".dropdown").find('.btn').val($(elm).data('value'));
|
$(elm).closest(".dropdown").find('.btn').val($(elm).data('value'));
|
||||||
$(elm).closest("ul").children("li").show();
|
$(elm).closest("ul").children("li").show();
|
||||||
$(elm).parent("li").hide();
|
$(elm).parent("li").hide();
|
||||||
|
|
|
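Review bot: In the `@ -208,7` hunk `headingContent` is now the inner HTML of the heading, but it is still spliced into the `title="…"` attribute of the new `<h4>`; innerHTML serialization encodes `&`, `<` and `>` yet leaves `"` as-is, so a heading containing a double quote terminates the attribute and the remainder is parsed as further attributes. Build the element and set the attribute through the DOM instead, e.g. `var newText = $('<h4 class="heading" data-toggle="tooltip"></h4>').attr('title', heading.text()).html(headingContent);` — jQuery's `.append()`/`.html()` accept the resulting object where the string was used, assuming that is how `newText` is inserted further down (outside the hunk). The comments in the `@ -146,7` hunk (`we catch the plain text`, `insert the plain text`) and `// get the text of the heading` in the other two hunks now contradict the `.html()` calls and should say the inner HTML is read so encoded entities are preserved.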
@ -3,9 +3,10 @@
|
||||||
$(function(){
|
$(function(){
|
||||||
$("nav").bind('nav-update', function(e,data){
|
$("nav").bind('nav-update', function(e,data){
|
||||||
var elm = $('#pending-update');
|
var elm = $('#pending-update');
|
||||||
var register = $(data).find('register').text();
|
var register = parseInt($(data).find('register').text());
|
||||||
if (register=="0") { register = ""; }
|
if (register > 0) {
|
||||||
elm.html(register);
|
elm.html(register);
|
||||||
|
}
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
</script>
|
</script>
|
||||||
|
|
|
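Review bot: The rewritten handler updates `#pending-update` only when `register > 0`, whereas the old code wrote an empty string when the count was `"0"`; once a pending count has been shown it now stays on screen after the registrations are handled. Keep the clearing path, e.g. `elm.text(register > 0 ? register : '');` in place of the `if` block. `parseInt` without a radix yields `NaN` for an empty `<register>` element, which the `> 0` test tolerates, but `parseInt(..., 10) || 0` makes that explicit.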
@ -2,8 +2,8 @@
|
||||||
$(document).ready(function(){
|
$(document).ready(function(){
|
||||||
$('nav').bind('nav-update', function(e,data){
|
$('nav').bind('nav-update', function(e,data){
|
||||||
var notifCount = $(data).find('notif').attr('count');
|
var notifCount = $(data).find('notif').attr('count');
|
||||||
var intro = $(data).find('intro').text();
|
var intro = parseInt($(data).find('intro').text());
|
||||||
var mail = $(data).find('mail').text();
|
var mail = parseInt($(data).find('mail').text());
|
||||||
|
|
||||||
$(".tool .notify").removeClass("on");
|
$(".tool .notify").removeClass("on");
|
||||||
$(data).find("group").each(function() {
|
$(data).find("group").each(function() {
|
||||||
|
|
|
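Review bot: `parseInt($(data).find('intro').text())` and the `mail` line omit the radix and yield `NaN` when the element is missing or empty; how `intro` and `mail` are consumed is outside the hunk, so whether `NaN` is harmless there cannot be confirmed. `var intro = parseInt($(data).find('intro').text(), 10) || 0;` (and the same for `mail`) gives a stable integer. `notifCount` on the line above is still read as a raw attribute string; if it is also inserted into the DOM it deserves the same treatment.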
@ -86,7 +86,7 @@ function enableOnUser(){
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
$('#jot-perms-icon').removeClass('unlock').addClass('lock');
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
$('.profile-jot-net input').attr('disabled', 'disabled');
|
$('.profile-jot-net input').attr('disabled', 'disabled');
|
||||||
|
|
|
@ -170,7 +170,7 @@
|
||||||
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
$('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() {
|
||||||
var selstr;
|
var selstr;
|
||||||
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
$('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() {
|
||||||
selstr = $(this).text();
|
selstr = $(this).html();
|
||||||
$('#jot-public').hide();
|
$('#jot-public').hide();
|
||||||
});
|
});
|
||||||
if(selstr == null) {
|
if(selstr == null) {
|
||||||
|
|