1 files changed, 38 insertions, 2 deletions

diff --git a/lib/activityutils.php b/lib/activityutils.php
index c85a3db55..dd38d4e14 100644
--- a/lib/activityutils.php
+++ b/lib/activityutils.php
@@ -213,11 +213,19 @@ class ActivityUtils
         // slavishly following http://atompub.org/rfc4287.html#rfc.section.4.1.3.3
 
         if (empty($type) || $type == 'text') {
-            return $el->textContent;
+            // We have plaintext saved as the XML text content.
+            // Since we want HTML, we need to escape any special chars.
+            return htmlspecialchars($el->textContent);
         } else if ($type == 'html') {
+            // We have HTML saved as the XML text content.
+            // No additional processing required once we've got it.
             $text = $el->textContent;
-            return htmlspecialchars_decode($text, ENT_QUOTES);
+            return $text;
         } else if ($type == 'xhtml') {
+            // Per spec, the <content type="xhtml"> contains a single
+            // HTML <div> with XHTML namespace on it as a child node.
+            // We need to pull all of that <div>'s child nodes and
+            // serialize them back to an (X)HTML source fragment.
             $divEl = ActivityUtils::child($el, 'div', 'http://www.w3.org/1999/xhtml');
             if (empty($divEl)) {
                 return null;
@@ -240,4 +248,32 @@ class ActivityUtils
             throw new ClientException(_("Can't handle embedded Base64 content yet."));
         }
     }
+
+    /**
+     * Is this a valid URI for remote profile/notice identification?
+     * Does not have to be a resolvable URL.
+     * @param string $uri
+     * @return boolean
+     */
+    static function validateUri($uri)
+    {
+        // Check mailto: URIs first
+
+        if (preg_match('/^mailto:(.*)$/', $uri, $match)) {
+            return Validate::email($match[1], common_config('email', 'check_domain'));
+        }
+
+        if (Validate::uri($uri)) {
+            return true;
+        }
+
+        // Possibly an upstream bug; tag: URIs aren't validated properly
+        // unless you explicitly ask for them. All other schemes are accepted
+        // for basic URI validation without asking.
+        if (Validate::uri($uri, array('allowed_scheme' => array('tag')))) {
+            return true;
+        }
+
+        return false;
+    }
 }