-rw-r--r--lib/activityobject.php2
-rw-r--r--plugins/NoticeTitle/NoticeTitlePlugin.php48
-rw-r--r--plugins/OStatus/classes/Ostatus_profile.php4
-rw-r--r--plugins/OpenID/OpenIDPlugin.php11
-rw-r--r--plugins/TinyMCE/TinyMCEPlugin.php34
-rwxr-xr-xplugins/TwitterBridge/daemons/twitterstatusfetcher.php2
-rw-r--r--scripts/importtwitteratom.php2
-rwxr-xr-xscripts/install_cli.php2
-rw-r--r--scripts/restoreuser.php2
9 files changed, 83 insertions, 24 deletions
diff --git a/lib/activityobject.php b/lib/activityobject.php
index 52733c47a..e89c8db4e 100644
--- a/lib/activityobject.php
+++ b/lib/activityobject.php
@@ -201,7 +201,7 @@ class ActivityObject
$title = ActivityUtils::childHtmlContent($element, self::TITLE);
- $this->title = html_entity_decode(strip_tags($title));
+ $this->title = html_entity_decode(strip_tags($title), ENT_QUOTES, 'UTF-8');
$this->source = $this->_getSource($element);
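Review bot: After `strip_tags` + `html_entity_decode(..., ENT_QUOTES, 'UTF-8')` the new `$this->title` is plain text that can contain literal `<`, `>`, `"` and `'` (an incoming `&lt;script&gt;` survives `strip_tags` and is decoded afterwards), so it must be escaped wherever it is rendered; nothing in this hunk records that. A comment above the assignment would make the contract explicit: `// Plain text, not HTML: entities are decoded here, so escape on output.` Also note that with the default ENT_HTML401 table `&apos;`, which Atom/XML producers commonly emit, is not decoded by this call; if `childHtmlContent()` can return it, handle that case separately.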
diff --git a/plugins/NoticeTitle/NoticeTitlePlugin.php b/plugins/NoticeTitle/NoticeTitlePlugin.php
index dea0417f5..269f06189 100644
--- a/plugins/NoticeTitle/NoticeTitlePlugin.php
+++ b/plugins/NoticeTitle/NoticeTitlePlugin.php
@@ -51,6 +51,12 @@ define('NOTICE_TITLE_PLUGIN_VERSION', '0.1');
class NoticeTitlePlugin extends Plugin
{
+
+ // By default, notice-title widget will be available to all users.
+ // With restricted on, only users who have been granted the
+ // "richedit" role get it.
+ public $restricted = false;
+
/**
* Database schema setup
*
@@ -137,14 +143,16 @@ class NoticeTitlePlugin extends Plugin
function onStartShowNoticeFormData($form)
{
- $form->out->element('style',
- null,
- 'label#notice_data-text-label { display: none }');
- $form->out->element('input', array('type' => 'text',
- 'id' => 'notice_title',
- 'name' => 'notice_title',
- 'size' => 40,
- 'maxlength' => Notice_title::MAXCHARS));
+ if ($this->isAllowedRichEdit()) {
+ $form->out->element('style',
+ null,
+ 'label#notice_data-text-label { display: none }');
+ $form->out->element('input', array('type' => 'text',
+ 'id' => 'notice_title',
+ 'name' => 'notice_title',
+ 'size' => 40,
+ 'maxlength' => Notice_title::MAXCHARS));
+ }
return true;
}
@@ -162,7 +170,7 @@ class NoticeTitlePlugin extends Plugin
function onStartNoticeSaveWeb($action, &$authorId, &$text, &$options)
{
$title = $action->trimmed('notice_title');
- if (!empty($title)) {
+ if (!empty($title) && $this->isAllowedRichEdit()) {
if (mb_strlen($title) > Notice_title::MAXCHARS) {
throw new Exception(sprintf(_m("The notice title is too long (max %d characters).",
Notice_title::MAXCHARS)));
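Review bot: With `restricted` on, a submitted `notice_title` from a user without the "richedit" role is now silently discarded rather than rejected, while an over-long title in the same branch is rejected with an exception. A user whose role was revoked (or who tampers with a form) loses the title without feedback, and nothing distinguishes "not allowed" from "no title given". Either reject explicitly in the style of the length check, e.g. `throw new Exception(_m('You are not allowed to give notices a title.'));`, or state the intent with a comment such as `// Titles from users without rich-edit rights are dropped, not rejected.` The body of onStartNoticeSaveWeb continues outside this hunk.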
@@ -186,7 +194,7 @@ class NoticeTitlePlugin extends Plugin
$title = $action->trimmed('notice_title');
- if (!empty($title)) {
+ if (!empty($title) && $this->isAllowedRichEdit()) {
$nt = new Notice_title();
@@ -327,4 +335,24 @@ class NoticeTitlePlugin extends Plugin
return true;
}
+
+ /**
+ * Does the current user have permission to use the notice-title widget?
+ * Always true unless the plugin's "restricted" setting is on, in which
+ * case it's limited to users with the "richedit" role.
+ *
+ * @fixme make that more sanely configurable :)
+ *
+ * @return boolean
+ */
+ private function isAllowedRichEdit()
+ {
+ if ($this->restricted) {
+ $user = common_current_user();
+ return !empty($user) && $user->hasRole('richedit');
+ } else {
+ return true;
+ }
+ }
+
}
diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php
index 047435f66..10cee917e 100644
--- a/plugins/OStatus/classes/Ostatus_profile.php
+++ b/plugins/OStatus/classes/Ostatus_profile.php
@@ -558,7 +558,7 @@ class Ostatus_profile extends Memcached_DataObject
// Get (safe!) HTML and text versions of the content
$rendered = $this->purify($sourceContent);
- $content = html_entity_decode(strip_tags($rendered));
+ $content = html_entity_decode(strip_tags($rendered), ENT_QUOTES, 'UTF-8');
$shortened = common_shorten_links($content);
@@ -569,7 +569,7 @@ class Ostatus_profile extends Memcached_DataObject
if (Notice::contentTooLong($shortened)) {
$attachment = $this->saveHTMLFile($note->title, $rendered);
- $summary = html_entity_decode(strip_tags($note->summary));
+ $summary = html_entity_decode(strip_tags($note->summary), ENT_QUOTES, 'UTF-8');
if (empty($summary)) {
$summary = $content;
}
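Review bot: The `$summary` path decodes `$note->summary` straight after `strip_tags`, without the `purify()` step that `$content` goes through a few lines earlier, so entity-encoded markup in the remote summary ends up as literal `<...>` in the plain-text value. That is safe only if every consumer of `$summary` treats it as text and escapes it on output, which this hunk cannot confirm. For consistency with the "(safe!)" comment above, run the summary through the same purifier first, `$summary = html_entity_decode(strip_tags($this->purify($note->summary)), ENT_QUOTES, 'UTF-8');`, or add a comment stating why the summary is trusted. The enclosing method continues outside this hunk.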
diff --git a/plugins/OpenID/OpenIDPlugin.php b/plugins/OpenID/OpenIDPlugin.php
index 7d6a5dc00..a033a5010 100644
--- a/plugins/OpenID/OpenIDPlugin.php
+++ b/plugins/OpenID/OpenIDPlugin.php
@@ -102,9 +102,14 @@ class OpenIDPlugin extends Plugin
function onStartConnectPath(&$path, &$defaults, &$rules, &$result)
{
if (common_config('site', 'openidonly')) {
- static $block = array('main/login',
- 'main/register',
- 'main/recoverpassword',
+ // Note that we should not remove the login and register
+ // actions. Lots of auth-related things link to them,
+ // such as when visiting a private site without a session
+ // or revalidating a remembered login for admin work.
+ //
+ // We take those two over with redirects to ourselves
+ // over in onArgsInitialize().
+ static $block = array('main/recoverpassword',
'settings/password');
if (in_array($path, $block)) {
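Review bot: Dropping `main/login` and `main/register` from `$block` makes the openidonly guarantee depend entirely on the redirects in `onArgsInitialize()`, which are not visible here; if that handler only intercepts GET or only some argument shapes, a password login or registration POST becomes reachable again on an OpenID-only site. Please confirm that both actions are redirected for every HTTP method and add a test, or at least extend the comment: `// Security: openidonly relies on onArgsInitialize() catching both paths for GET and POST.` Separately, `in_array($path, $block)` should pass `true` as the third argument so the comparison is strict. The enclosing method continues outside this hunk.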
diff --git a/plugins/TinyMCE/TinyMCEPlugin.php b/plugins/TinyMCE/TinyMCEPlugin.php
index 2ec4b7160..e0640ebdf 100644
--- a/plugins/TinyMCE/TinyMCEPlugin.php
+++ b/plugins/TinyMCE/TinyMCEPlugin.php
@@ -50,9 +50,14 @@ class TinyMCEPlugin extends Plugin
{
var $html;
+ // By default, TinyMCE editor will be available to all users.
+ // With restricted on, only users who have been granted the
+ // "richedit" role get it.
+ public $restricted = false;
+
function onEndShowScripts($action)
{
- if (common_logged_in ()) {
+ if (common_logged_in() && $this->isAllowedRichEdit()) {
$action->script(common_path('plugins/TinyMCE/js/jquery.tinymce.js'));
$action->inlineScript($this->_inlineScript());
}
@@ -62,7 +67,9 @@ class TinyMCEPlugin extends Plugin
function onEndShowStyles($action)
{
- $action->style('span#notice_data-text_container, span#notice_data-text_parent { float: left }');
+ if ($this->isAllowedRichEdit()) {
+ $action->style('span#notice_data-text_container, span#notice_data-text_parent { float: left }');
+ }
return true;
}
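Review bot: The guard in `onEndShowStyles` checks only `$this->isAllowedRichEdit()`, whereas the matching guard added to `onEndShowScripts` a few lines up is `common_logged_in() && $this->isAllowedRichEdit()`, so in the unrestricted case the editor stylesheet is still emitted for anonymous visitors who never receive the editor script. Aligning the two guards, `if (common_logged_in() && $this->isAllowedRichEdit()) {`, keeps the style and script decisions consistent and avoids a CSS float being applied to a form the plugin does not otherwise touch.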
@@ -116,7 +123,7 @@ class TinyMCEPlugin extends Plugin
*/
function onStartSaveNewNoticeWeb($action, $user, &$content, &$options)
{
- if ($action->arg('richedit')) {
+ if ($action->arg('richedit') && $this->isAllowedRichEdit()) {
$html = $this->sanitizeHtml($content);
$options['rendered'] = $html;
$content = $this->stripHtml($html);
@@ -135,7 +142,7 @@ class TinyMCEPlugin extends Plugin
*/
function onStartSaveNewNoticeAppendAttachment($action, $media, &$content, &$options)
{
- if ($action->arg('richedit')) {
+ if ($action->arg('richedit') && $this->isAllowedRichEdit()) {
// See if we've got a placeholder inline image; if so, fill it!
$dom = new DOMDocument();
@@ -320,4 +327,23 @@ END_OF_SCRIPT;
return $scr;
}
+
+ /**
+ * Does the current user have permission to use the rich-text editor?
+ * Always true unless the plugin's "restricted" setting is on, in which
+ * case it's limited to users with the "richedit" role.
+ *
+ * @fixme make that more sanely configurable :)
+ *
+ * @return boolean
+ */
+ private function isAllowedRichEdit()
+ {
+ if ($this->restricted) {
+ $user = common_current_user();
+ return !empty($user) && $user->hasRole('richedit');
+ } else {
+ return true;
+ }
+ }
}
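Review bot: `isAllowedRichEdit()` here is a byte-for-byte copy of the method added to NoticeTitlePlugin in the same commit, including the `'richedit'` role string and the `@fixme`, so the two plugins can drift apart on which role grants rich editing. Consider hoisting the check into one shared place (a helper on the base `Plugin` or a named constant for the role) so that the role name is defined once; at minimum a comment such as `// Keep in sync with NoticeTitlePlugin::isAllowedRichEdit()` would flag the coupling. The docblock could also state that the method returns false for anonymous users when restricted, which the `!empty($user)` check implies.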
diff --git a/plugins/TwitterBridge/daemons/twitterstatusfetcher.php b/plugins/TwitterBridge/daemons/twitterstatusfetcher.php
index 590fa2954..cef67b180 100755
--- a/plugins/TwitterBridge/daemons/twitterstatusfetcher.php
+++ b/plugins/TwitterBridge/daemons/twitterstatusfetcher.php
@@ -321,7 +321,7 @@ class TwitterStatusFetcher extends ParallelizingDaemon
$notice->is_local = Notice::GATEWAY;
- $notice->content = html_entity_decode($status->text);
+ $notice->content = html_entity_decode($status->text, ENT_QUOTES, 'UTF-8');
$notice->rendered = $this->linkify($status);
if (Event::handle('StartNoticeSave', array(&$notice))) {
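Review bot: Unlike the other call sites in this commit, `$notice->content` here is entity-decoded without a preceding `strip_tags`; Twitter status text is entity-escaped plain text, so after decoding the stored content can contain literal `<`/`>` and quote characters. That is fine only if `content` is always escaped on output and `rendered` (built by `linkify($status)` from the raw status, not visible here) does not embed the decoded string unescaped. A short comment would pin the assumption: `// Twitter escapes <, > and & in text; after decoding this is plain text and must be escaped on output.` The enclosing method continues outside this hunk.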
diff --git a/scripts/importtwitteratom.php b/scripts/importtwitteratom.php
index 261dfb1d0..a29526f27 100644
--- a/scripts/importtwitteratom.php
+++ b/scripts/importtwitteratom.php
@@ -89,7 +89,7 @@ function importActivityStream($user, $doc)
$html = htmLawed($html, $config);
- $content = html_entity_decode(strip_tags($html));
+ $content = html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
$notice = Notice::saveNew($user->id,
$content,
diff --git a/scripts/install_cli.php b/scripts/install_cli.php
index 61fbe18ef..dadbcf66f 100755
--- a/scripts/install_cli.php
+++ b/scripts/install_cli.php
@@ -208,7 +208,7 @@ END_HELP;
$breakout = preg_replace('/<a[^>+]\bhref="(.*)"[^>]*>(.*)<\/a>/',
'\2 &lt;\1&gt;',
$html);
- return html_entity_decode(strip_tags($breakout));
+ return html_entity_decode(strip_tags($breakout), ENT_QUOTES, 'UTF-8');
}
}
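Review bot: The unchanged regex on the new side, `'/<a[^>+]\bhref="(.*)"[^>]*>(.*)<\/a>/'`, looks like a typo for `[^>]+` — as written `[^>+]` consumes exactly one character, so the pattern only matches when `href` directly follows `<a ` and the greedy `(.*)` groups can swallow text across multiple links on one line. This predates the commit, but since the function is being touched it is worth correcting: `$breakout = preg_replace('/<a[^>]+\bhref="([^"]*)"[^>]*>(.*?)<\/a>/', '\2 &lt;\1&gt;', $html);`. The output is help text fed to the terminal, so the impact is formatting rather than security.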
diff --git a/scripts/restoreuser.php b/scripts/restoreuser.php
index de3816dd5..82eb9bbaa 100644
--- a/scripts/restoreuser.php
+++ b/scripts/restoreuser.php
@@ -213,7 +213,7 @@ function postNote($user, $activity)
// Get (safe!) HTML and text versions of the content
$rendered = purify($sourceContent);
- $content = html_entity_decode(strip_tags($rendered));
+ $content = html_entity_decode(strip_tags($rendered), ENT_QUOTES, 'UTF-8');
$shortened = common_shorten_links($content);