From 7ba6beb745e583f5abbfb5b38eaefeb98c762e9a Mon Sep 17 00:00:00 2001
From: Maxence Lange
Date: Thu, 20 Dec 2018 23:59:38 -0100
Subject: [PATCH 1/2] htmlentities encode/decode

Signed-off-by: Maxence Lange
---
 lib/Model/ActivityPub/ACore.php | 1 +
 lib/Service/PostService.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/Model/ActivityPub/ACore.php b/lib/Model/ActivityPub/ACore.php
index 0a1771268..94b49a095 100644
--- a/lib/Model/ActivityPub/ACore.php
+++ b/lib/Model/ActivityPub/ACore.php
@@ -468,6 +468,7 @@ public function validateEntryString(int $as, string $value): string {
 case self::AS_STRING:
 $value = strip_tags($value);
+ $value = html_entity_decode($value, ENT_QUOTES);
 return $value;
diff --git a/lib/Service/PostService.php b/lib/Service/PostService.php
index 46cb17948..b2f39ac84 100644
--- a/lib/Service/PostService.php
+++ b/lib/Service/PostService.php
@@ -85,9 +85,9 @@ public function __construct(
 public function createPost(Post $post, ACore &$activity = null): string {
 $note = $this->noteService->generateNote(
- $post->getUserId(), $post->getContent(), $post->getType()
+ $post->getUserId(), htmlentities($post->getContent(), ENT_QUOTES), $post->getType()
 );
-
+
 $this->noteService->replyTo($note, $post->getReplyTo());
 $this->noteService->addRecipients($note, $post->getType(), $post->getTo());

From 1570d9cd3d6976f1d9312ed1c6db8083e0ffc62c Mon Sep 17 00:00:00 2001
From: Maxence Lange
Date: Fri, 21 Dec 2018 12:50:03 -0100
Subject: [PATCH 2/2] content of note is validated only when imported from database

Signed-off-by: Maxence Lange
---
 lib/Db/NotesRequestBuilder.php | 15 +--------------
 lib/Model/ActivityPub/ACore.php | 24 +++++++++++++-----------
 lib/Model/ActivityPub/Actor/Person.php | 19 +++++++++----------
 lib/Model/ActivityPub/Object/Note.php | 25 ++++++++++++++++++++-----
 4 files changed, 43 insertions(+), 40 deletions(-)
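Review bot: In validateEntryString the new html_entity_decode() call runs after strip_tags(), so a value that arrives entity-encoded (e.g. `&lt;b&gt;`) passes strip_tags() untouched and is turned back into `<b>` by the decode; the AS_STRING result is therefore no longer tag-free, which is what callers of a validator would reasonably assume. Decoding first and stripping second, `$value = html_entity_decode($value, ENT_QUOTES); $value = strip_tags($value);`, keeps the stripping effective, or the decode could be left to the rendering layer. The PATCH 2/2 hunk on the same function only adds ENT_HTML5 and keeps this order. The switch and the rest of validateEntryString continue outside the hunk.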
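Review bot: htmlentities() in createPost is called without ENT_SUBSTITUTE and without an explicit charset, so a post body containing an invalid UTF-8 sequence makes htmlentities() return an empty string and the note is silently created with no content; `htmlentities($post->getContent(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the rest of the text. It also leaves double_encode on, so a body that already contains `&amp;` becomes `&amp;amp;` — whether that is wanted depends on what generateNote() expects, which is outside this hunk. PATCH 2/2 then makes Note::importFromDatabase() run the stored content through AS_STRING validation, which html_entity_decode()s it again, so this encoding only shapes the stored form; a one-line comment stating that would spare the next reader the round trip. createPost continues past the hunk.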
diff --git a/lib/Db/NotesRequestBuilder.php b/lib/Db/NotesRequestBuilder.php
index 443deb8ea..5995560c7 100644
--- a/lib/Db/NotesRequestBuilder.php
+++ b/lib/Db/NotesRequestBuilder.php
@@ -325,21 +325,8 @@ protected function filterToRecipient(IQueryBuilder &$qb, string $recipient) {
 * @return Note
 */
 protected function parseNotesSelectSql($data): Note {
- $dTime = new DateTime($this->get('published_time', $data, 'yesterday'));
-
- // TODO - use $note->importFromDatabase() ?
 $note = new Note();
- $note->setId($data['id']) ->setTo($data['to']) ->setToArray(json_decode($data['to_array'], true)) ->setCcArray(json_decode($data['cc'], true)) ->setBccArray(json_decode($data['bcc'])) ->setLocal(($data['local'] === '1') ? true : false) ->setPublished($data['published']);
- $note->setContent($data['content']) ->setPublishedTime($dTime->getTimestamp()) ->setAttributedTo($data['attributed_to']) ->setInReplyTo($data['in_reply_to']);
+ $note->importFromDatabase($data);
 $instances = json_decode($data['instances'], true);
 if (is_array($instances)) {
diff --git a/lib/Model/ActivityPub/ACore.php b/lib/Model/ActivityPub/ACore.php
index 94b49a095..da3c92a8e 100644
--- a/lib/Model/ActivityPub/ACore.php
+++ b/lib/Model/ActivityPub/ACore.php
@@ -468,7 +468,7 @@ public function validateEntryString(int $as, string $value): string {
 case self::AS_STRING:
 $value = strip_tags($value);
- $value = html_entity_decode($value, ENT_QUOTES);
+ $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5);
 return $value;
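Review bot: parseNotesSelectSql now routes every stored row through validate()/validateArray() via Note::importFromDatabase(), where the deleted inline code only copied columns, so a single row whose value fails validation would abort the whole select instead of yielding one bad note; the Person.php hunk in this same patch removes an `@throws InvalidResourceEntryException`, which suggests validate() can throw. If that strictness on read is intended, the `@return Note` docblock should gain a matching `@throws` line so callers of the query builder know to handle it, and otherwise the failure should be caught per row. The method continues past the hunk.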
@@ -497,7 +497,7 @@ public function import(array $data) {
 $this->setId($this->validate(self::AS_ID, 'id', $data, ''));
 $this->setType($this->validate(self::AS_TYPE, 'type', $data, ''));
 $this->setUrl($this->validate(self::AS_URL, 'url', $data, ''));
- $this->setSummary($this->validate(self::AS_STRING, 'summary', $data, ''));
+ $this->setSummary($this->get('summary', $data, ''));
 $this->setToArray($this->validateArray(self::AS_ID, 'to', $data, []));
 $this->setCcArray($this->validateArray(self::AS_ID, 'cc', $data, []));
 $this->setPublished($this->validate(self::AS_DATE, 'published', $data, ''));
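Review bot: import() now stores the remote `summary` through get() with no strip_tags(), while `id`, `type` and `url` on the surrounding lines still go through validate(); nothing on the line says the asymmetry is deliberate, and any code that reads the object before it has been written to and re-read from the database (where importFromDatabase() sanitizes it) sees the raw remote value. A comment such as `// kept raw on import; sanitized by importFromDatabase() on read` would make the commit's intent visible at the call site. import() continues outside the hunk.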
@@ -510,15 +510,17 @@ public function import(array $data) {
 * @param array $data
 */
 public function importFromDatabase(array $data) {
- $this->setId($this->get('id', $data, ''));
- $this->setType($this->get('type', $data, ''));
- $this->setUrl($this->get('url', $data, ''));
- $this->setSummary($this->get('summary', $data, ''));
- $this->setToArray($this->getArray('to', $data, []));
- $this->setCcArray($this->getArray('cc', $data, []));
- $this->setPublished($this->get('published', $data, ''));
- $this->setActorId($this->get('actor_id', $data, ''));
- $this->setObjectId($this->get('object_id', $data, ''));
+ $this->setId($this->validate(self::AS_ID, 'id', $data, ''));
+ $this->setType($this->validate(self::AS_TYPE, 'type', $data, ''));
+ $this->setUrl($this->validate(self::AS_URL, 'url', $data, ''));
+ $this->setSummary($this->validate(self::AS_STRING, 'summary', $data, ''));
+ $this->setTo($this->validate(self::AS_ID, 'to', $data, ''));
+ $this->setToArray($this->validateArray(self::AS_ID, 'to_array', $data, []));
+ $this->setCcArray($this->validateArray(self::AS_ID, 'cc', $data, []));
+ $this->setBccArray($this->validateArray(self::AS_ID, 'bcc', $data, []));
+ $this->setPublished($this->validate(self::AS_DATE, 'published', $data, ''));
+ $this->setActorId($this->validate(self::AS_ID, 'actor_id', $data, ''));
+ $this->setObjectId($this->validate(self::AS_ID, 'object_id', $data, ''));
 $this->setSource($this->get('source', $data, ''));
 $this->setLocal(($this->getInt('local', $data, 0) === 1));
 }
diff --git a/lib/Model/ActivityPub/Actor/Person.php b/lib/Model/ActivityPub/Actor/Person.php
index adb0ce2fc..522c1fb78 100644
--- a/lib/Model/ActivityPub/Actor/Person.php
+++ b/lib/Model/ActivityPub/Actor/Person.php
@@ -443,7 +443,6 @@ public function setAvatarVersion(int $avatarVersion): Person {
 * @param array $data
 *
 * @throws UrlCloudException
- * @throws InvalidResourceEntryException
 */
 public function import(array $data) {
 parent::import($data);
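Review bot: importFromDatabase() now hands the `to_array`, `cc` and `bcc` columns straight to validateArray(), whereas the NotesRequestBuilder code this patch deletes json_decode()d those columns first; in import() validateArray() receives already-decoded ActivityPub arrays, so unless validateArray() also accepts a JSON string, the stored JSON text is not decoded here and the recipient lists come back empty or rejected — worth confirming against validateArray() before merging. Also `bcc` was previously decoded without the assoc flag while `cc` was, so the element shape may differ from the old parser even if decoding does happen. The replaced getArray() calls suggest the old path handled decoding; if so, `$this->setToArray($this->validateArray(self::AS_ID, 'to_array', $this->getArray('to_array', $data, []) ...))` style decoding or an equivalent inside validateArray() is needed.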
@@ -476,17 +475,17 @@ public function import(array $data) {
 */
 public function importFromDatabase(array $data) {
 parent::importFromDatabase($data);
- $this->setPreferredUsername($this->get('preferred_username', $data, '')) ->setName($this->get('name', $data, '')) ->setAccount($this->get('account', $data, ''))
+ $this->setPreferredUsername($this->validate(self::AS_USERNAME, 'preferred_username', $data, '')) ->setName($this->validate(self::AS_USERNAME, 'name', $data, '')) ->setAccount($this->validate(self::AS_ACCOUNT, 'account', $data, ''))
 ->setPublicKey($this->get('public_key', $data, ''))
 ->setPrivateKey($this->get('private_key', $data, ''))
- ->setInbox($this->get('inbox', $data, '')) ->setOutbox($this->get('outbox', $data, '')) ->setFollowers($this->get('followers', $data, '')) ->setFollowing($this->get('following', $data, '')) ->setSharedInbox($this->get('shared_inbox', $data, '')) ->setFeatured($this->get('featured', $data, ''))
+ ->setInbox($this->validate(self::AS_URL, 'inbox', $data, '')) ->setOutbox($this->validate(self::AS_URL, 'outbox', $data, '')) ->setFollowers($this->validate(self::AS_URL, 'followers', $data, '')) ->setFollowing($this->validate(self::AS_URL, 'following', $data, '')) ->setSharedInbox($this->validate(self::AS_URL, 'shared_inbox', $data, '')) ->setFeatured($this->validate(self::AS_URL, 'featured', $data, ''))
 ->setDetails($this->getArray('details', $data, []))
 ->setCreation($this->getInt('creation', $data, 0));
 }
diff --git a/lib/Model/ActivityPub/Object/Note.php b/lib/Model/ActivityPub/Object/Note.php
index dfdc3a118..361ed8728 100644
--- a/lib/Model/ActivityPub/Object/Note.php
+++ b/lib/Model/ActivityPub/Object/Note.php
@@ -33,7 +33,6 @@
 use DateTime;
 use JsonSerializable;
 use OCA\Social\Model\ActivityPub\ACore;
-use OCA\Social\Service\ActivityService;
 use OCA\Social\Service\SignatureService;
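Review bot: the display `name` column is validated with AS_USERNAME on the second changed line, the same rule as `preferred_username`; if that rule admits only username characters, stored display names with spaces or non-ASCII letters would be altered or rejected on every read from the database, which looks unintended — the AS_STRING rule used for `summary` elsewhere in this patch, or the previous get(), seems closer to the intent. Worth checking what Person::import() applies to `name` so the two paths agree; import() is outside the hunk. Keeping `public_key` and `private_key` on get() is reasonable since they are not free text, but a short comment saying why they skip validation would stop a later cleanup from "fixing" it.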
@@ -211,11 +210,27 @@ public function import(array $data) {
 $this->setAttributedTo($this->validate(ACore::AS_ID, 'attributedTo', $data, ''));
 $this->setSensitive($this->getBool('sensitive', $data, false));
 $this->setConversation($this->validate(ACore::AS_ID, 'conversation', $data, ''));
- $this->setContent($this->validate(ACore::AS_STRING, 'content', $data, ''));
+ $this->setContent($this->get('content', $data, ''));
 $this->convertPublished();
 }
+ /**
+ * @param array $data
+ */
+ public function importFromDatabase(array $data) {
+ parent::importFromDatabase($data);
+
+ $dTime = new DateTime($this->get('published_time', $data, 'yesterday'));
+
+ $this->setContent($this->validate(self::AS_STRING, 'content', $data, ''));;
+
+ $this->setPublishedTime($dTime->getTimestamp());
+ $this->setAttributedTo($this->validate(self::AS_ID, 'attributed_to', $data, ''));
+ $this->setInReplyTo($this->validate(self::AS_ID, 'in_reply_to', $data));
+ }
+
+
 /**
 * @return array
 */
@@ -225,10 +240,10 @@ public function jsonSerialize(): array {
 return array_merge(
 parent::jsonSerialize(),
 [
- 'content' => $this->getContent(),
+ 'content' => $this->getContent(),
 'attributedTo' => $this->getUrlSocial() . $this->getAttributedTo(),
- 'inReplyTo' => $this->getInReplyTo(),
- 'sensitive' => $this->isSensitive(),
+ 'inReplyTo' => $this->getInReplyTo(),
+ 'sensitive' => $this->isSensitive(),
 'conversation' => $this->getConversation()
 ]
 );
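Review bot: in the new Note::importFromDatabase() the setInReplyTo() line calls validate() with three arguments while every other validate() call on the page passes a default as the fourth, so unless validate() declares a default for that parameter this is an ArgumentCountError on every read; it should read `$this->setInReplyTo($this->validate(self::AS_ID, 'in_reply_to', $data, ''));`. The setContent() line just above it also ends in a stray `;;`. The `'yesterday'` fallback for a missing published_time is carried over from the deleted NotesRequestBuilder code, but now lives in the model where a short comment on why an absent timestamp defaults to yesterday would help. The second hunk of this file (jsonSerialize) is alignment only.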