Revorked "sanitize output"

This reverts commit 77873d12b3.
This commit is contained in:
Matthias Pfefferle 2023-05-23 11:10:05 +02:00
parent 77873d12b3
commit 677d507fe9
3 changed files with 49 additions and 26 deletions

View file

@ -43,7 +43,7 @@ class Shortcodes {
$hash_tags[] = \sprintf(
'<a rel="tag" class="u-tag u-category" href="%s">#%s</a>',
\esc_url( \get_tag_link( $tag ) ),
\esc_html( $tag->slug )
\wp_strip_all_tags( $tag->slug )
);
}
@ -66,7 +66,7 @@ class Shortcodes {
return '';
}
return \esc_html( \get_the_title( $post_id ) );
return \wp_strip_all_tags( \get_the_title( $post_id ), true );
}
@ -170,7 +170,7 @@ class Shortcodes {
}
}
return $excerpt;
return \apply_filters( 'the_excerpt', $excerpt );
}
/**
@ -183,23 +183,36 @@ class Shortcodes {
* @return string
*/
public static function content( $atts, $content, $tag ) {
// prevent inception
remove_shortcode( 'ap_content' );
$post = get_post();
if ( ! $post || \post_password_required( $post ) ) {
return '';
}
$atts = shortcode_atts(
array( 'apply_filters' => 'yes' ),
$atts,
$tag
);
$content = \get_post_field( 'post_content', $post );
$content = do_blocks( $content );
$content = wptexturize( $content );
$content = wp_filter_content_tags( $content );
// replace script and style elements
$content = \preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $content );
if ( 'yes' === $atts['apply_filters'] ) {
$content = \apply_filters( 'the_content', $content );
} else {
$content = do_blocks( $content );
$content = wptexturize( $content );
$content = wp_filter_content_tags( $content );
}
$content = strip_shortcodes( $content );
$content = \trim( \preg_replace( '/[\n\r\t]/', '', $content ) );
add_shortcode( 'ap_content', array( 'Activitypub\Shortcodes', 'content' ) );
return $content;
}
@ -231,7 +244,10 @@ class Shortcodes {
return \esc_url( \get_permalink( $post->ID ) );
}
return \sprintf( '<a href="%1$s">%1$s</a>', \esc_url( \get_permalink( $post->ID ) ) );
return \sprintf(
'<a href="%1$s">%1$s</a>',
\esc_url( \get_permalink( $post->ID ) )
);
}
/**
@ -262,7 +278,10 @@ class Shortcodes {
return \esc_url( \wp_get_shortlink( $post->ID ) );
}
return \sprintf( '<a href="%1$s">%1$s</a>', \esc_url( \wp_get_shortlink( $post->ID ) ) );
return \sprintf(
'<a href="%1$s">%1$s</a>',
\esc_url( \wp_get_shortlink( $post->ID ) )
);
}
/**
@ -336,7 +355,7 @@ class Shortcodes {
$hash_tags[] = \sprintf(
'<a rel="tag" class="u-tag u-category" href="%s">#%s</a>',
\esc_url( \get_category_link( $category ) ),
\esc_html( $category->slug )
\wp_strip_all_tags( $category->slug )
);
}
@ -359,13 +378,13 @@ class Shortcodes {
return '';
}
$name = \esc_html( \get_the_author_meta( 'display_name', $post->post_author ) );
$name = \get_the_author_meta( 'display_name', $post->post_author );
if ( ! $name ) {
return '';
}
return \esc_html( $name );
return wp_strip_all_tags( $name );
}
/**
@ -416,7 +435,7 @@ class Shortcodes {
* @return string
*/
public static function blogname( $atts, $content, $tag ) {
return \esc_html( \get_bloginfo( 'name' ) );
return \wp_strip_all_tags( \get_bloginfo( 'name' ) );
}
/**
@ -429,7 +448,7 @@ class Shortcodes {
* @return string
*/
public static function blogdesc( $atts, $content, $tag ) {
return \esc_html( \get_bloginfo( 'description' ) );
return \wp_strip_all_tags( \get_bloginfo( 'description' ) );
}
/**
@ -458,7 +477,7 @@ class Shortcodes {
return '';
}
return \esc_html( $date );
return $date;
}
/**
@ -487,15 +506,15 @@ class Shortcodes {
return '';
}
return \esc_html( $date );
return $date;
}
/**
* Generates output for the ap_datetime shortcode
*
* @param array $atts shortcode attributes
* @param string $content shortcode content
* @param string $tag shortcode tag name
* @param array $atts shortcode attributes
* @param string $content shortcode content
* @param string $tag shortcode tag name
*
* @return string
*/
@ -516,6 +535,6 @@ class Shortcodes {
return '';
}
return \esc_html( $date );
return $date;
}
}

View file

@ -51,7 +51,7 @@ class Webfinger {
}
// try to access author URL
$response = \wp_safe_remote_get(
$response = \wp_remote_get(
$url,
array(
'headers' => array( 'Accept' => 'application/activity+json' ),

View file

@ -508,8 +508,12 @@ class Post {
$content = do_shortcode( $content );
wp_reset_postdata();
$content = \wpautop( \wp_kses( $content, $this->allowed_tags ) );
$content = \trim( \preg_replace( '/[\n\r\t]/', '', $content ) );
// replace script and style elements
$content = \preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $content );
$content = \wp_kses( $content, $this->allowed_tags );
$content = \wpautop( $content );
$content = \preg_replace( '/[\n\r\t]/', '', $content );
$content = \trim( $content );
$content = \apply_filters( 'activitypub_the_content', $content, $post );
$content = \html_entity_decode( $content, \ENT_QUOTES, 'UTF-8' );
@ -537,6 +541,6 @@ class Post {
return "[ap_content]\n\n[ap_hashtags]\n\n[ap_permalink type=\"html\"]";
}
return $content;
return \get_option( 'activitypub_custom_post_content' );
}
}