Merge pull request #228 from Deltik/master

[security] Protection for exposed emails, Message-Handler constants etc. Thank you Deltik

README.md

@@ -16,7 +16,7 @@ e107 is a free (open-source) content management system which allows you to easil
 ### Reporting Bugs
 
 Be sure you are using the most recent version prior to reporting an issue. 
-Your may report any bugs or feature requests on Github (https://github.com/e107inc/e107/issues)
+You may report any bugs or feature requests on GitHub (https://github.com/e107inc/e107/issues)
 
 ### Pull-Requests
 

e107_core/shortcodes/batch/user_shortcodes.php

@@ -226,7 +226,9 @@ class user_shortcodes extends e_shortcode
 	function sc_user_email_link($parm) 
 	{
 		$tp = e107::getParser();
-		return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->parseTemplate("{email={$this->var['user_email']}-link}");
+		return /* Condition             */ ($this->var['user_hideemail'] && !ADMIN) ?
+		       /*  Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
+		       /*  Not Hidden or Admin  */ $tp->parseTemplate("{email={$this->var['user_email']}-link}");
 	}
 
 
@@ -234,7 +236,30 @@ class user_shortcodes extends e_shortcode
 	function sc_user_email($parm) 
 	{
 		$tp = e107::getParser();
-		return ($this->var['user_hideemail'] && !ADMIN) ? "<i>".LAN_USER_35."</i>" : $tp->toHTML($this->var['user_email'],"no_replace");
+		return /* Condition             */ ($this->var['user_hideemail'] && !ADMIN) ?
+		       /*  Hidden and Not Admin */ "<i>".LAN_USER_35."</i>" :
+		       /*  Not Hidden or Admin  */ "<span style='unicode-bidi:bidi-override; direction: rtl;'>" . strrev($tp->toHTML($this->var['user_email'],"no_replace")) . "</span>";
+		       ########################################################
+		       # Security Note - 04 May 2013                          #
+		       ########################################################
+		       #                                                      #
+		       # The CSS code direction rtl is an effective way to    #
+		       # prevent spam bots from scraping emails that are      #
+		       # not hidden.                                          #
+		       #                                                      #
+		       # You can find empirical support for this method at    #
+		       # <http://superuser.com/a/235965>.                     #
+		       #                                                      #
+		       # {e_CORE}templates/user_template.php was modified to  #
+		       # support this code.  In $USER_FULL_TEMPLATE, the      #
+		       # LAN_USER_60 value {USER_EMAIL_LINK} was changed to   #
+		       # {USER_EMAIL}.  I couldn't figure out how the two     #
+		       # shortcodes were different, so I took precautions in  #
+		       # hopes that the CSS direction won't break actual HTML #
+		       # tags.                                                #
+		       #                                                      #
+		       #       -- Deltik                                      #
+		       ########################################################
 	}
 
 

e107_core/templates/user_template.php

@@ -142,7 +142,7 @@ $USER_FULL_TEMPLATE = "{SETIMAGE: w=250}
 <tr>
 	<td  {$main_colspan} class='forumheader3'>
 		<div class='f-left'>{USER_EMAIL_ICON} ".LAN_USER_60."</div>
-		<div class='f-right right'>{USER_EMAIL_LINK}</div>
+		<div class='f-right right'>{USER_EMAIL}</div>
 	</td>
 </tr>
 

e107_handlers/message_handler.php

@@ -18,6 +18,10 @@ if (!defined('e107_INIT')) { exit; }
 /*
  * Type defines
  * XXX - convert to eMessage class constants
+ * @note 07 May 2013: These have been converted to eMessage class constants!
+ *       Example: eMessage::E_MESSAGE_SUCCESS is 'success'
+ *             -- Deltik
+ *       P.S. Now somebody needs to get rid of these universal constants...
  */
 define('E_MESSAGE_INFO', 		'info');
 define('E_MESSAGE_SUCCESS', 	'success');
@@ -39,6 +43,17 @@ define('E_MESSAGE_NODISPLAY',	'nodisplay'); // Appears to be needed by update_ro
  */
 class eMessage
 {
+	/**
+	 * Type defines
+	 */
+	 const E_INFO       = 'info';
+	 const E_SUCCESS    = 'success';
+	 const E_WARNING    = 'warning';
+	 const E_ERROR      = 'error';
+	 const E_DEBUG      = 'debug';
+	 const E_NODISPLAY  = 'nodisplay';
+	
+	
 	/**
 	 * System Message Array
 	 * in format [type][message_stack] = array(message[, ...])
@@ -172,7 +187,7 @@ class eMessage
 	 * @param boolean $session
 	 * @return eMessage
 	 */
-	public function add($message, $type = E_MESSAGE_INFO, $session = false)
+	public function add($message, $type = eMessage::E_INFO, $session = false)
 	{
 		if(empty($message)) return $this;
 		

e107_handlers/model_class.php

@@ -3485,7 +3485,7 @@ class e_admin_tree_model extends e_front_tree_model
 		$idstr = implode(', ', $ids);
 
 		$sql = e107::getDb();
-		$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN ('.$idstr.')');
+		$res = $sql->db_Delete($this->getModelTable(), $this->getFieldIdName().' IN (\''.$idstr.'\')');
 		$this->_db_errno = $sql->getLastErrorNumber();
 		$this->_db_errmsg = $sql->getLastErrorText();
 		$modelCacheCheck = $this->getParam('clearModelCache');
@@ -3493,7 +3493,7 @@ class e_admin_tree_model extends e_front_tree_model
 		{
 			if($sql->getLastErrorNumber())
 			{
-				$this->addMessageError('SQL Delete Error', $session_messages); //TODO - Lan
+				$this->addMessageError('SQL Delete Error: ' . $sql->getLastQuery(), $session_messages); //TODO - Lan
 				$this->addMessageDebug('SQL Error #'.$sql->getLastErrorNumber().': '.$sql->getLastErrorText());
 			}
 		}