Merge pull request #10960 from annando/escapeTags

"escapeTags" is finally removed
Philipp 2021-11-07 14:39:22 +01:00 committed by GitHub
commit 42acc45772
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 11 additions and 34 deletions


@ -204,7 +204,7 @@ function photos_post(App $a)
}
// RENAME photo album
$newalbum = Strings::escapeTags(trim($_POST['albumname']));
$newalbum = trim($_POST['albumname'] ?? '');
if ($newalbum != $album) {
Photo::update(['album' => $newalbum], ['album' => $album, 'uid' => $page_owner_uid]);
// Update the photo albums cache
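Review bot: With `Strings::escapeTags()` removed, the album name from `$_POST['albumname']` is written unchanged by `Photo::update()`, so `<`, `>` and quotes now reach storage. That is safe only if every place that renders an album name escapes it for its context; templates using `nofilter` and code that builds HTML or URLs from the album name (none of it visible in this hunk) should be checked. Separately, a missing or blank `albumname` yields `''`, which differs from `$album` and would rename the album to an empty string; `if ($newalbum !== '' && $newalbum != $album) {` would prevent that unless an earlier check in `photos_post()` already covers it. The function body extends beyond the hunk.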


@ -32,7 +32,6 @@ use Friendica\Model\Item;
use Friendica\Model\Post;
use Friendica\Model\Tag;
use Friendica\Protocol\Activity;
use Friendica\Util\Strings;
use Friendica\Util\XML;
use Friendica\Worker\Delivery;
@ -42,15 +41,15 @@ function tagger_content(App $a) {
return;
}
$term = Strings::escapeTags(trim($_GET['term']));
$term = trim($_GET['term'] ?? '');
// no commas allowed
$term = str_replace([',',' '],['','_'],$term);
$term = str_replace([',',' ', '<', '>'],['','_', '', ''], $term);
if (!$term) {
return;
}
$item_id = ((DI::args()->getArgc() > 1) ? Strings::escapeTags(trim(DI::args()->getArgv()[1])) : 0);
$item_id = ((DI::args()->getArgc() > 1) ? trim(DI::args()->getArgv()[1]) : 0);
Logger::notice('tagger: tag ' . $term . ' item ' . $item_id);
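Review bot: `$item_id` is now read from the URL path with only `trim()` applied and is concatenated straight into the `Logger::notice()` message, so an arbitrary path segment ends up verbatim in the log. The `: 0` fallback suggests the value is a numeric id; if so, cast it where it is read: `$item_id = (DI::args()->getArgc() > 1) ? (int)DI::args()->getArgv()[1] : 0;`. For `$term`, the new `str_replace()` strips `<` and `>` but leaves quotes and `&`, so whatever later outputs the tag still needs context-appropriate escaping. `tagger_content()` continues outside the hunk, so the later use of both values cannot be confirmed from here.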


@ -48,7 +48,6 @@ class BaseSearch extends BaseModule
*/
public static function performContactSearch($search, $prefix = '')
{
$a = DI::app();
$config = DI::config();
$type = Search::TYPE_ALL;


@ -58,7 +58,7 @@ class Invite extends BaseModule
$recipients = !empty($_POST['recipients']) ? explode("\n", $_POST['recipients']) : [];
$message = !empty($_POST['message']) ? Strings::escapeTags(trim($_POST['message'])) : '';
$message = !empty($_POST['message']) ? Strings::escapeHtml(trim($_POST['message'])) : '';
$total = 0;
$invitation_only = false;
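Review bot: `Strings::escapeHtml()` is applied to `$_POST['message']` at the point of input, which ties the value to a single output context. If the invitation is later sent as plain-text mail, recipients would see entities such as `&amp;` and `&quot;`, and if it passes through an auto-escaping template it would be escaped twice. Keeping the raw trimmed value, `$message = trim($_POST['message'] ?? '');`, and escaping where the mail body or page is built would avoid both. The code that consumes `$message` is outside this hunk, so this needs confirming there.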


@ -25,7 +25,6 @@ use Friendica\Content\Widget;
use Friendica\DI;
use Friendica\Module\BaseSearch;
use Friendica\Module\Security\Login;
use Friendica\Util\Strings;
/**
* Directory search module
@ -39,7 +38,7 @@ class Directory extends BaseSearch
return Login::form();
}
$search = Strings::escapeTags(trim(rawurldecode($_REQUEST['search'] ?? '')));
$search = trim(rawurldecode($_REQUEST['search'] ?? ''));
if (empty(DI::page()['aside'])) {
DI::page()['aside'] = '';
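Review bot: `rawurldecode()` is applied to `$_REQUEST['search']`, which PHP has already URL-decoded, so the value is decoded twice: a doubly percent-encoded parameter is accepted, and a literal `%` followed by two hex digits in a search term is silently altered. Now that `escapeTags()` no longer runs afterwards, nothing in this line narrows the result, so the extra decode should be dropped unless a caller is known to double-encode: `$search = trim($_REQUEST['search'] ?? '');`. The same pattern remains in the search Index module (`$_GET['q']`, `$_GET['tag']`) and in the Saved module (`$_GET['term']`). The value then depends entirely on the template's default escaping where it is printed as `value="{{$search}}"`.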


@ -38,13 +38,12 @@ use Friendica\Model\Post;
use Friendica\Model\Tag;
use Friendica\Module\BaseSearch;
use Friendica\Network\HTTPException;
use Friendica\Util\Strings;
class Index extends BaseSearch
{
public static function content(array $parameters = [])
{
$search = (!empty($_GET['q']) ? Strings::escapeTags(trim(rawurldecode($_GET['q']))) : '');
$search = (!empty($_GET['q']) ? trim(rawurldecode($_GET['q'])) : '');
if (DI::config()->get('system', 'block_public') && !Session::isAuthenticated()) {
throw new HTTPException\ForbiddenException(DI::l10n()->t('Public access denied.'));
@ -88,7 +87,7 @@ class Index extends BaseSearch
$tag = false;
if (!empty($_GET['tag'])) {
$tag = true;
$search = '#' . Strings::escapeTags(trim(rawurldecode($_GET['tag'])));
$search = '#' . trim(rawurldecode($_GET['tag']));
}
// contruct a wrapper for the search header


@ -25,14 +25,13 @@ use Friendica\BaseModule;
use Friendica\Core\Search;
use Friendica\Database\DBA;
use Friendica\DI;
use Friendica\Util\Strings;
class Saved extends BaseModule
{
public static function init(array $parameters = [])
{
$action = DI::args()->get(2, 'none');
$search = Strings::escapeTags(trim(rawurldecode($_GET['term'] ?? '')));
$search = trim(rawurldecode($_GET['term'] ?? ''));
$return_url = $_GET['return_url'] ?? Search::getSearchPath($search);


@ -59,22 +59,6 @@ class Strings
return !empty($hexCode) ? @preg_match("/^[a-f0-9]{2,}$/i", $hexCode) && !(strlen($hexCode) & 1) : false;
}
/**
* This is our primary input filter.
*
* Use this on any text input where angle chars are not valid or permitted
* They will be replaced with safer brackets. This may be filtered further
* if these are not allowed either.
*
* @param string $string Input string
* @return string Filtered string
* @deprecated since 2020.09 Please use Smarty default HTML escaping for templates or htmlspecialchars() otherwise
*/
public static function escapeTags($string)
{
return str_replace(["<", ">"], ['[', ']'], $string);
}
/**
* Use this on "body" or "content" input where angle chars shouldn't be removed,
* and allow them to be safely displayed.


@ -90,10 +90,8 @@ class StringsTest extends TestCase
{
$invalidstring='<submit type="button" onclick="alert(\'failed!\');" />';
$validstring = Strings::escapeTags($invalidstring);
$escapedString = Strings::escapeHtml($invalidstring);
self::assertEquals('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring);
self::assertEquals(
"&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;",
$escapedString


@ -9,7 +9,7 @@
<div id="directory-search-wrapper">
<form id="directory-search-form" action="{{$search_mod}}" method="get">
<span class="dirsearch-desc">{{$desc nofilter}}</span>
<span class="dirsearch-desc">{{$desc}}</span>
<input type="text" name="search" id="directory-search" class="search-input" onfocus="this.select();" value="{{$search}}" />
<input type="submit" name="submit" id="directory-search-submit" value="{{$submit}}" class="button" />
</form>


@ -15,7 +15,7 @@
<div class="col-md-2"></div>
<div class="col-md-8 ">
<div class="form-group form-group-search">
<input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc nofilter}}"/>
<input type="text" name="search" id="directory-search" class="search-input form-control form-search" onfocus="this.select();" value="{{$search}}" placeholder="{{$desc}}"/>
<button class="btn btn-default btn-sm form-button-search" type="submit" id="directory-search-submit">{{$submit}}</button>
</div>
</div>