Merge pull request #13990 from friendica/bug/profile-rss-xss

Escape HTML characters in profile RSS titles

src/Content/Post/Repository/PostMedia.php

@@ -27,6 +27,7 @@ use Friendica\Content\Post\Collection;
 use Friendica\Content\Post\Entity;
 use Friendica\Content\Post\Factory;
 use Friendica\Database\Database;
+use Friendica\Model\Post;
 use Friendica\Util\Strings;
 use Psr\Log\LoggerInterface;
 
@@ -62,7 +63,7 @@ class PostMedia extends BaseRepository
 
 	public function selectByUriId(int $uriId): Collection\PostMedias
 	{
-		return $this->_select(['uri-id' => $uriId]);
+		return $this->_select(["`uri-id` = ? AND `type` != ?", $uriId, Post\Media::UNKNOWN]);
 	}
 
 	public function save(Entity\PostMedia $PostMedia): Entity\PostMedia

src/Content/Text/BBCode.php

@@ -1245,6 +1245,42 @@ class BBCode
 		return $match[1] . '[url=' . $data['url'] . ']' . $data['nick'] . '[/url]';
 	}
 
+	/**
+	 * Replace mention links
+	 *
+	 * @param string $body HTML/BBCode
+	 * @return string Body with replaced mentions
+	 */
+	public static function setMentionsToAddr(string $body): string
+	{
+		DI::profiler()->startRecording('rendering');
+		$regexp = "/([@!])\[url\=([^\[\]]*)\].*?\[\/url\]/ism";
+		$body = preg_replace_callback($regexp, [self::class, 'mentionToAddrCallback'], $body);
+		DI::profiler()->stopRecording();
+		return $body;
+	}
+
+	/**
+	 * Callback function to replace a Friendica style mention in a mention with the addr
+	 *
+	 * @param array $match Matching values for the callback
+	 * @return string Replaced mention or empty string
+	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+	 */
+	private static function mentionToAddrCallback(array $match): string
+	{
+		if (empty($match[2])) {
+			return '';
+		}
+
+		$data = Contact::getByURL($match[2], false, ['url', 'nick', 'addr']);
+		if (empty($data['nick'])) {
+			return $match[0];
+		}
+
+		return $match[1] . ($data['addr'] ?: $data['nick']);
+	}
+
 	/**
 	 * Normalize links to Youtube and Vimeo to a unified format.
 	 *

src/Content/Widget/VCard.php

@@ -104,7 +104,7 @@ class VCard
 					$mention_label  = DI::l10n()->t('Post to group');
 					$mention_link   = 'compose/0?body=!' . $contact['addr'];
 				}
-				$showgroup_link = 'network/group/' . $id;
+				$showgroup_link = 'contact/' . $id . '/conversations';
 			} elseif (!$hide_mention) {
 				$mention_label = DI::l10n()->t('Mention');
 				$mention_link  = 'compose/0?body=@' . $contact['addr'];

src/Factory/Api/Mastodon/StatusSource.php

@@ -38,10 +38,14 @@ class StatusSource extends BaseFactory
 	 */
 	public function createFromUriId(int $uriId, int $uid): \Friendica\Object\Api\Mastodon\StatusSource
 	{
-		$post = Post::selectOriginal(['uri-id', 'raw-body', 'body', 'title'], ['uri-id' => $uriId, 'uid' => [0, $uid]]);
+		$post = Post::selectOriginal(['uri-id', 'raw-body', 'body', 'title', 'content-warning'], ['uri-id' => $uriId, 'uid' => [0, $uid]]);
 
-		$spoiler_text = $post['title'] ?: BBCode::toPlaintext(BBCode::getAbstract($post['body'], Protocol::ACTIVITYPUB));
-		$body         = BBCode::toMarkdown(Post\Media::removeFromEndOfBody($post['body']));
+		$spoiler_text = $post['title'] ?: $post['content-warning'] ?: BBCode::toPlaintext(BBCode::getAbstract($post['body'], Protocol::ACTIVITYPUB));
+
+		$body = Post\Media::removeFromEndOfBody($post['body']);
+		$body = Post\Media::addHTMLLinkToBody($uriId, $body);
+		$body = BBCode::setMentionsToAddr($body);
+		$body = BBCode::toPlaintext($body);
 
 		return new \Friendica\Object\Api\Mastodon\StatusSource($post['uri-id'], $body, $spoiler_text);
 	}

src/Model/Contact.php

@@ -1205,13 +1205,12 @@ class Contact
 			$mention_label = DI::l10n()->t('Post to group');
 			$mention_url = 'compose/0?body=!' . $contact['addr'];
 			$network_label = DI::l10n()->t('View group');
-			$network_url = 'network/group/' . $contact['id'];
 		} else {
 			$mention_label = DI::l10n()->t('Mention');
 			$mention_url = 'compose/0?body=@' . $contact['addr'];
 			$network_label = DI::l10n()->t('Network Posts');
-			$network_url = 'contact/' . $contact['id'] . '/conversations';
 		}
+		$network_url = 'contact/' . $contact['id'] . '/conversations';
 
 		$follow_link   = '';
 		$unfollow_link = '';

src/Model/Post/Media.php

@@ -912,6 +912,8 @@ class Media
 				$body .= "\n[audio]" . $media['url'] . "[/audio]\n";
 			} elseif ($media['type'] == self::VIDEO) {
 				$body .= "\n[video]" . $media['url'] . "[/video]\n";
+			} else {
+				$body .= "\n[url]" . $media['url'] . "[/url]\n";
 			}
 		}
 

src/Model/Profile.php

@@ -461,13 +461,12 @@ class Profile
 			$mention_label = DI::l10n()->t('Post to group');
 			$mention_url   = 'compose/0?body=!' . $profile['addr'];
 			$network_label = DI::l10n()->t('View group');
-			$network_url   = 'network/group/' . $cid;
 		} else {
 			$mention_label = DI::l10n()->t('Mention');
 			$mention_url   = 'compose/0?body=@' . $profile['addr'];
 			$network_label = DI::l10n()->t('Network Posts');
-			$network_url   = 'contact/' . $cid . '/conversations';
 		}
+		$network_url   = 'contact/' . $cid . '/conversations';
 
 		$tpl = Renderer::getMarkupTemplate('profile/vcard.tpl');
 		$o .= Renderer::replaceMacros($tpl, [

src/Module/Api/Mastodon/Markers.php

@@ -82,7 +82,7 @@ class Markers extends BaseApi
 			$values->{$marker['timeline']} = [
 				'last_read_id' => $marker['last_read_id'],
 				'version'      => $marker['version'],
-				'updated_at'   => $marker['updated_at']
+				'updated_at'   => DateTimeFormat::utc($marker['updated_at'], DateTimeFormat::JSON)
 			];
 		}
 		return $values;

src/Module/Profile/Profile.php

@@ -348,10 +348,10 @@ class Profile extends BaseProfile
 			$htmlhead .= '<meta content="noindex, noarchive" name="robots" />' . "\n";
 		}
 
-		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/dfrn_poll/' . $nickname . '" title="DFRN: ' . $this->t('%s\'s timeline', $profile['name']) . '"/>' . "\n";
-		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $nickname . '/" title="' . $this->t('%s\'s posts', $profile['name']) . '"/>' . "\n";
-		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $nickname . '/comments" title="' . $this->t('%s\'s comments', $profile['name']) . '"/>' . "\n";
-		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $nickname . '/activity" title="' . $this->t('%s\'s timeline', $profile['name']) . '"/>' . "\n";
+		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/dfrn_poll/' . $nickname . '" title="DFRN: ' . $this->t('%s\'s timeline', htmlspecialchars($profile['name'], ENT_COMPAT, 'UTF-8', true)) . '"/>' . "\n";
+		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $nickname . '/" title="' . $this->t('%s\'s posts', htmlspecialchars($profile['name'], ENT_COMPAT, 'UTF-8', true)) . '"/>' . "\n";
+		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $nickname . '/comments" title="' . $this->t('%s\'s comments', htmlspecialchars($profile['name'], ENT_COMPAT, 'UTF-8', true)) . '"/>' . "\n";
+		$htmlhead .= '<link rel="alternate" type="application/atom+xml" href="' . $this->baseUrl . '/feed/' . $nickname . '/activity" title="' . $this->t('%s\'s timeline', htmlspecialchars($profile['name'], ENT_COMPAT, 'UTF-8', true)) . '"/>' . "\n";
 		$uri      = urlencode('acct:' . $profile['nickname'] . '@' . $this->baseUrl->getHost() . ($this->baseUrl->getPath() ? '/' . $this->baseUrl->getPath() : ''));
 		$htmlhead .= '<link rel="lrdd" type="application/xrd+xml" href="' . $this->baseUrl . '/xrd/?uri=' . $uri . '" />' . "\n";
 		header('Link: <' . $this->baseUrl . '/xrd/?uri=' . $uri . '>; rel="lrdd"; type="application/xrd+xml"', false);

src/Protocol/ActivityPub/Processor.php

@@ -851,6 +851,7 @@ class Processor
 		}
 
 		$item['title'] = trim(BBCode::toPlaintext($item['title']));
+		$item['content-warning'] = HTML::toBBCode($activity['summary'] ?? '');
 
 		if (!empty($activity['languages'])) {
 			$item['language'] = self::processLanguages($activity['languages']);
@@ -897,7 +898,6 @@ class Processor
 				}
 				$content = self::removeImplicitMentionsFromBody($content, $parent);
 			}
-			$item['content-warning'] = HTML::toBBCode($activity['summary'] ?? '');
 			$item['raw-body'] = $item['body'] = $content;
 		}
 
@@ -1611,15 +1611,15 @@ class Processor
 
 		if (empty($object) || !is_array($object)) {
 			Logger::notice('Invalid JSON data', ['url' => $url, 'content-type' => $curlResult->getContentType()]);
-			return '';
+			return null;
 		}
 
 		if (!self::isValidObject($object, $url)) {
-			return '';
+			return null;
 		}
 
 		if (!HTTPSignature::isValidContentType($curlResult->getContentType(), $url)) {
-			return '';
+			return null;
 		}
 
 		$ldobject = JsonLD::compact($object);

src/Protocol/ActivityPub/Transmitter.php

@@ -1164,6 +1164,7 @@ class Transmitter
 		}
 
 		$mail['content-warning']  = '';
+		$mail['sensitive']        = false;
 		$mail['author-link']      = $mail['owner-link'] = $mail['from-url'];
 		$mail['owner-id']         = $mail['author-id'];
 		$mail['allow_cid']        = '<'.$mail['contact-id'].'>';

static/routes.config.php

@@ -662,7 +662,6 @@ return [
 	'/network' => [
 		'[/{content}]'                => [Module\Conversation\Network::class, [R::GET]],
 		'/archive/{from:\d\d\d\d-\d\d-\d\d}[/{to:\d\d\d\d-\d\d-\d\d}]' => [Module\Conversation\Network::class, [R::GET]],
-		'/group/{contact_id:\d+}'     => [Module\Conversation\Network::class, [R::GET]],
 		'/circle/{circle_id:\d+}'     => [Module\Conversation\Network::class, [R::GET]],
 	],