From 336f3e5a628d9f915da7832651eeb516856a6ba0 Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Mon, 2 Oct 2023 17:11:56 +0200
Subject: [PATCH 1/3] Fix various encoding issues (#477)
* fix html-entity issue in username
* remove kses let other platforms decide what to allow and what not
* Remove html_entity_decode to prevent encoding issues (#454) I've tested this on content which includes MarkDown, HTML, encoded entities, unencoded entities, etc. Fixes #445
Co-authored-by: Matthias Pfefferle
* remove allowed tags
---------
Co-authored-by: Terence Eden
---
 includes/model/class-blog-user.php | 8 ++++-
 includes/transformer/class-post.php | 54 -----------------------------
 2 files changed, 7 insertions(+), 55 deletions(-)
diff --git a/includes/model/class-blog-user.php b/includes/model/class-blog-user.php
index 062b616..21a066e 100644
--- a/includes/model/class-blog-user.php
+++ b/includes/model/class-blog-user.php
@@ -67,7 +67,13 @@ class Blog_User extends User {
 * @return string The User-Name.
 */
 public function get_name() {
- return \esc_html( \get_bloginfo( 'name' ) );
+ return \wp_strip_all_tags(
+ \html_entity_decode(
+ \get_bloginfo( 'name' ),
+ \ENT_QUOTES,
+ 'UTF-8'
+ )
+ );
 }
 /**
diff --git a/includes/transformer/class-post.php b/includes/transformer/class-post.php
index 286b91f..d22304f 100644
--- a/includes/transformer/class-post.php
+++ b/includes/transformer/class-post.php
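Review bot: `get_name()` now hands back unescaped plain text, so the HTML escaping that `\esc_html()` applied at this layer has to happen at every output site instead; a blog name such as `a &lt; b` comes back as `a < b` after the new `\html_entity_decode()` / `\wp_strip_all_tags()` pair, and any template that echoes it into HTML must wrap it in `esc_html()` itself. The decode-before-strip order is the right one for the stated bug (an entity-encoded tag becomes a real tag and is then removed rather than surviving as text), but that contract is only visible by reading the body. Suggest making it explicit in the docblock line that is in the hunk: `* @return string The User-Name as unescaped plain text; escape it for the output context.`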
@@ -30,58 +30,6 @@ class Post {
 */
 protected $wp_post;
- /**
- * The Allowed Tags, used in the content.
- *
- * @var array
- */
- protected $allowed_tags = array(
- 'a' => array(
- 'href' => array(),
- 'title' => array(),
- 'class' => array(),
- 'rel' => array(),
- ),
- 'br' => array(),
- 'p' => array(
- 'class' => array(),
- ),
- 'span' => array(
- 'class' => array(),
- ),
- 'div' => array(
- 'class' => array(),
- ),
- 'ul' => array(),
- 'ol' => array(
- 'reversed' => array(),
- 'start' => array(),
- ),
- 'li' => array(
- 'value' => array(),
- ),
- 'strong' => array(
- 'class' => array(),
- ),
- 'b' => array(
- 'class' => array(),
- ),
- 'i' => array(
- 'class' => array(),
- ),
- 'em' => array(
- 'class' => array(),
- ),
- 'blockquote' => array(),
- 'cite' => array(),
- 'code' => array(
- 'class' => array(),
- ),
- 'pre' => array(
- 'class' => array(),
- ),
- );
-
 /**
 * Static function to Transform a WP_Post Object.
 *
@@ -513,13 +461,11 @@ class Post {
 $content = do_shortcode( $content );
 wp_reset_postdata();
- $content = \wp_kses( $content, $this->allowed_tags );
 $content = \wpautop( $content );
 $content = \preg_replace( '/[\n\r\t]/', '', $content );
 $content = \trim( $content );
 $content = \apply_filters( 'activitypub_the_content', $content, $post );
- $content = \html_entity_decode( $content, \ENT_QUOTES, 'UTF-8' );
 return $content;
 }
From b7c0e011de0f759a3dc07a6e876cd266d304b121 Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Mon, 2 Oct 2023 17:12:23 +0200
Subject: [PATCH 2/3] Fix the health check (#481)
* only test author urls if authors are enabled
* if authors are disabled use the blog user to test webfinger
---
 includes/class-health-check.php | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/includes/class-health-check.php b/includes/class-health-check.php
index a802e6f..74a6f9e 100644
--- a/includes/class-health-check.php
+++ b/includes/class-health-check.php
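Review bot: With `\wp_kses()` removed, nothing sanitizes `$content` between the `activitypub_the_content` filter and the `return`, so markup added by a third-party filter or stored by an author with the `unfiltered_html` capability now leaves the site verbatim in the outgoing object; the commit message says receiving platforms decide what to allow, which is a defensible position, but it is recorded nowhere in the code. Suggest a comment above the `\wpautop()` line: `// Intentionally not passed through wp_kses(): sanitization is left to the receiving server (see #477).` The method this hunk ends begins outside the hunk. The first hunk also drops the `protected $allowed_tags` property; if any subclass still reads `$this->allowed_tags`, that now produces an undefined-property notice, which is worth a line in the changelog (no such subclass is visible from here).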
@@ -3,8 +3,10 @@ namespace Activitypub;
 use WP_Error;
 use Activitypub\Webfinger;
+use Activitypub\Collection\Users;
 use function Activitypub\get_plugin_version;
+use function Activitypub\is_user_type_disabled;
 use function Activitypub\get_webfinger_resource;
 /**
@@ -25,10 +27,12 @@ class Health_Check {
 }
 public static function add_tests( $tests ) {
- $tests['direct']['activitypub_test_author_url'] = array(
- 'label' => \__( 'Author URL test', 'activitypub' ),
- 'test' => array( self::class, 'test_author_url' ),
- );
+ if ( ! is_user_type_disabled( 'user' ) ) {
+ $tests['direct']['activitypub_test_author_url'] = array(
+ 'label' => \__( 'Author URL test', 'activitypub' ),
+ 'test' => array( self::class, 'test_author_url' ),
+ );
+ }
 $tests['direct']['activitypub_test_webfinger'] = array(
 'label' => __( 'WebFinger Test', 'activitypub' ),
@@ -253,8 +257,15 @@ class Health_Check {
 * @return boolean|WP_Error
 */
 public static function is_webfinger_endpoint_accessible() {
- $user = \wp_get_current_user();
- $account = get_webfinger_resource( $user->ID );
+ $user = \wp_get_current_user();
+
+ if ( ! is_user_type_disabled( 'blog' ) ) {
+ $account = get_webfinger_resource( $user->ID );
+ } elseif ( ! is_user_type_disabled( 'user' ) ) {
+ $account = get_webfinger_resource( Users::BLOG_USER_ID );
+ } else {
+ $account = '';
+ }
 $url = Webfinger::resolve( $account );
 if ( \is_wp_error( $url ) ) {
From d268bd9aee3c912e56b484a2abe25fa6129831ed Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Mon, 2 Oct 2023 17:32:27 +0200
Subject: [PATCH 3/3] version bump
---
 README.md | 14 +++++++++++++-
 activitypub.php | 2 +-
 readme.txt | 14 +++++++++++++-
 3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index eef27a0..2ce432f 100644
--- a/README.md
+++ b/README.md
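Review bot: The two `is_user_type_disabled()` checks added to `is_webfinger_endpoint_accessible()` appear to be swapped relative to the commit message and to the `add_tests()` hunk above: the current author's resource (`$user->ID`) is looked up when the blog user is enabled, and `Users::BLOG_USER_ID` is used only in the branch where the blog user is disabled, so the blog actor is tested exactly when it cannot be served and an author URL is tested even when authors are disabled. Swap the strings so the branches read `if ( ! is_user_type_disabled( 'user' ) ) {` and `} elseif ( ! is_user_type_disabled( 'blog' ) ) {`. The remaining `else` sets `$account = ''`, which presumably makes `Webfinger::resolve()` return a WP_Error about an unresolvable resource rather than telling the admin that both actor types are disabled; returning an explicit WP_Error from that branch would make the health check clearer (the handling after `$url` is outside the hunk).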
@@ -3,7 +3,7 @@
 **Tags:** OStatus, fediverse, activitypub, activitystream
 **Requires at least:** 4.7
 **Tested up to:** 6.3
-**Stable tag:** 1.0.1
+**Stable tag:** 1.0.2
 **Requires PHP:** 5.6
 **License:** MIT
 **License URI:** http://opensource.org/licenses/MIT
@@ -105,6 +105,18 @@ Where 'blog' is the path to the subdirectory at which your blog resides.
 Project maintained on GitHub at [automattic/wordpress-activitypub](https://github.com/automattic/wordpress-activitypub).
+### 1.0.2 ###
+
+* Updated: improved hashtag visibility in default template
+* Updated: reduced number of followers to be checked/updated via Cron, when System Cron is not set up
+* Updated: check if username of Blog-User collides with an Authors name
+* Compatibility: improved Group meta informations
+* Fixed: detection of single user mode
+* Fixed: remote delete
+* Fixed: styles in Follow-Me block
+* Fixed: various encoding and formatting issues
+* Fixed: (health) check Author URLs only if Authors are enabled
+
 ### 1.0.1 ###
 * Update: improve image attachment detection using the block editor
diff --git a/activitypub.php b/activitypub.php
index 03f0743..266d630 100644
--- a/activitypub.php
+++ b/activitypub.php
@@ -3,7 +3,7 @@
 * Plugin Name: ActivityPub
 * Plugin URI: https://github.com/pfefferle/wordpress-activitypub/
 * Description: The ActivityPub protocol is a decentralized social networking protocol based upon the ActivityStreams 2.0 data format.
- * Version: 1.0.1
+ * Version: 1.0.2
 * Author: Matthias Pfefferle & Automattic
 * Author URI: https://automattic.com/
 * License: MIT
diff --git a/readme.txt b/readme.txt
index 90e0011..f9b5cb8 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: automattic, pfefferle, mediaformat, mattwiebe, akirk, jeherve, nur
 Tags: OStatus, fediverse, activitypub, activitystream
 Requires at least: 4.7
 Tested up to: 6.3
-Stable tag: 1.0.1
+Stable tag: 1.0.2
 Requires PHP: 5.6
 License: MIT
 License URI: http://opensource.org/licenses/MIT
@@ -105,6 +105,18 @@ Where 'blog' is the path to the subdirectory at which your blog resides.
 Project maintained on GitHub at [automattic/wordpress-activitypub](https://github.com/automattic/wordpress-activitypub).
+= 1.0.2 =
+
+* Updated: improved hashtag visibility in default template
+* Updated: reduced number of followers to be checked/updated via Cron, when System Cron is not set up
+* Updated: check if username of Blog-User collides with an Authors name
+* Compatibility: improved Group meta informations
+* Fixed: detection of single user mode
+* Fixed: remote delete
+* Fixed: styles in Follow-Me block
+* Fixed: various encoding and formatting issues
+* Fixed: (health) check Author URLs only if Authors are enabled
+
 = 1.0.1 =
 * Update: improve image attachment detection using the block editor