From 202de286393ead22b6cd2639460c8d25de0a0e16 Mon Sep 17 00:00:00 2001
From: CaMer0n
Date: Sun, 9 Sep 2007 07:05:06 +0000
Subject: [PATCH] bugfix: contact page - cleaned user input
---
 contact.php | 15 ++++++++++-----
 e107_handlers/e_parse_class.php | 34 ++++++++++++++++++++++-----------
 2 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/contact.php b/contact.php
index 779c45983..4153b7043 100644
--- a/contact.php
+++ b/contact.php
@@ -11,9 +11,9 @@
 | GNU General Public License (http://gnu.org).
 |
 | $Source: /cvs_backup/e107_0.8/contact.php,v $
-| $Revision: 1.3 $
-| $Date: 2007-04-15 14:37:17 $
-| $Author: e107steved $
+| $Revision: 1.4 $
+| $Date: 2007-09-09 07:05:06 $
+| $Author: e107coders $
 +----------------------------------------------------------------------------+
 */
 require_once("class2.php");
@@ -40,7 +40,8 @@ if(isset($_POST['send-contactus'])){
 $sender_name = $tp->toEmail($_POST['author_name'],TRUE,"rawtext");
 $sender = check_email($_POST['email_send']);
 $subject = $tp->toEmail($_POST['subject'],TRUE,"rawtext");
- $body = $tp->toEmail($_POST['body'],TRUE);
+ $body = $tp->toEmail($_POST['body'],TRUE,"rawtext");
+ // Check Image-Code
 if (isset($_POST['rand_num']) && !$sec_img->verify_code($_POST['rand_num'], $_POST['code_verify']))
@@ -66,6 +67,7 @@ if(isset($_POST['send-contactus'])){
 }
+ // Check email address on remote server (if enabled).
 if ($pref['signup_remote_emailcheck'] && $error == "")
 {
@@ -88,7 +90,10 @@ if(isset($_POST['send-contactus'])){
 if(!$error)
 {
 $body .= "\n\nIP:\t".USERIP."\n";
+ if(USERID !== FALSE)
+ {
 $body .= "User:\t#".USERID." ".USERNAME."\n";
+ }
 if(!$_POST['contact_person'] && isset($pref['sitecontacts'])) // only 1 person, so contact_person not posted.
 {
@@ -157,4 +162,4 @@ if(isset($pref['sitecontacts']) && $pref['sitecontacts'] != 255)
 }
 require_once(FOOTERF);
 exit;
-?>
+?>
\ No newline at end of file
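Review bot: Routing `$body` through `"rawtext"` now applies `strip_tags()` (see the `no_tags` block added in e_parse_class.php), which deletes rather than escapes, so any text a visitor writes between `<` and `>` in a plain message — an address typed as `Name <user@example.com>`, or `a < b and c > d` — silently disappears from the mail the site owner receives. If the goal is only to stop markup from rendering in the outgoing mail, escaping preserves the message, e.g. `$body = htmlspecialchars($body, ENT_QUOTES);`, though whether the mail is sent as HTML is not visible here. The same modifier keeps `'retain_nl'=>TRUE`, so `$sender_name` and `$subject`, which presumably end up in mail headers, still carry raw line breaks; a defensive check such as `if (preg_match('/[\r\n]/', $sender_name.$subject)) { $error .= LAN_CONTACT_09."\n"; }` (constant name illustrative) would reject them before the send. The enclosing `if(isset($_POST['send-contactus']))` block continues outside the hunk.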
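Review bot: The new `if(USERID !== FALSE)` guard around the "User:" line only fires when USERID is literally boolean FALSE; if class2.php defines USERID as 0 for anonymous visitors (not visible here, worth confirming), the strict comparison never excludes guests and the body still gets `User:\t#0 ` with an empty USERNAME. A truthiness check, `if (USERID)`, would exclude both 0 and FALSE without depending on which one the bootstrap uses. As a point of style, the wrapped `$body .= "User:..."` line keeps its old indentation inside the new braces and should be indented one level. The enclosing `if(!$error)` block continues beyond the hunk.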
diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index 5e6a7e830..c68a188fa 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -11,9 +11,9 @@
 | GNU General Public License (http://gnu.org).
 |
 | $Source: /cvs_backup/e107_0.8/e107_handlers/e_parse_class.php,v $
-| $Revision: 1.14 $
-| $Date: 2007-06-13 02:53:21 $
-| $Author: mcfly_e107 $
+| $Revision: 1.15 $
+| $Date: 2007-09-09 07:05:06 $
+| $Author: e107coders $
 +----------------------------------------------------------------------------+
 */
 if (!defined('e107_INIT')) { exit; }
@@ -55,7 +55,8 @@ class e_parse
 // Disabled by Default
 'defs' => FALSE, // Convert defines(constants) within text.
 'constants' => FALSE, // replace all {e_XXX} constants with their e107 value
- 'parse_sc' => FALSE // Parse shortcodes - TRUE enables parsing
+ 'parse_sc' => FALSE, // Parse shortcodes - TRUE enables parsing
+ 'no_tags' => FALSE // remove HTML tags.
 );
 // Super modifiers adjust default option values
@@ -97,9 +98,9 @@ class e_parse
 'nobreak'=>TRUE, 'retain_nl'=>TRUE, 'no_make_clickable'=>TRUE,'emotes_off'=>TRUE,'no_hook'=>TRUE, 'defs'=>TRUE,'parse_sc'=>TRUE),
- 'rawtext' => // text is used (for admin edit) without fancy conversions
+ 'rawtext' => // text is used (for admin edit) without fancy conversions or html.
 array(
- 'nobreak'=>TRUE, 'retain_nl'=>TRUE, 'no_make_clickable'=>TRUE,'emotes_off'=>TRUE,'no_hook'=>TRUE,
+ 'nobreak'=>TRUE, 'retain_nl'=>TRUE, 'no_make_clickable'=>TRUE,'emotes_off'=>TRUE,'no_hook'=>TRUE,'no_tags'=>TRUE // leave opt-in options off
 )
 );
@@ -448,6 +449,7 @@ class e_parse
 $opts[$mod] = TRUE; // Change mods as spec'd
 }
 }
+
 if (0) // php 5 code - not tested, and may not be faster anyway
 {
 $aMods = array_flip(
@@ -479,6 +481,11 @@ class e_parse
 $text = $this->replaceConstants($text);
 }
+ if ($opts['no_tags'])
+ {
+ $text = strip_tags($text);
+ }
+
 if(!$wrap && $pref['main_wordwrap']) $wrap = $pref['main_wordwrap'];
 $text = " ".$text;
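Review bot: Adding `'no_tags'=>TRUE` to the `rawtext` super-modifier changes behaviour for every existing caller of that modifier, and its own comment says it is used for admin editing "without fancy conversions" — if any admin-edit path relies on `rawtext` to round-trip stored HTML, that markup is now destroyed on save (inferred from the comment; the callers are not visible here). A safer shape is to leave `rawtext` as it was and give the mail path its own modifier, e.g. a `'emailtext'` entry (name illustrative) that is `rawtext` plus `'no_tags'=>TRUE`, with contact.php passing that name. The updated comment could also state the consequence plainly: `// text is used (for admin edit) without fancy conversions; HTML tags are stripped, so not suitable for round-tripping markup`.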
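Review bot: The new `strip_tags($text)` block runs before the make-clickable step further down in the same method (the `preg_replace` calls that wrap URLs and addresses in `$pref['link_text']` / `$email_text` markup), so a caller that enables `no_tags` without also setting `no_make_clickable` gets tags re-introduced after stripping; `rawtext` happens to set both, but the option is exposed independently. Either move the block to after the clickable conversions, or document the coupling on the option: `'no_tags' => FALSE // remove HTML tags via strip_tags(); pair with no_make_clickable, since auto-linking runs later and adds markup`. It is also worth noting in that comment that `strip_tags()` leaves entity-encoded markup untouched, so the option is a tag remover for plain-text output rather than a general sanitiser. The enclosing method starts and ends outside the hunk.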
@@ -502,11 +509,14 @@ class e_parse
 $text = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1".$pref['link_text']."", $text);
 // $text = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1".$pref['link_text']."", $text);
 $text = preg_replace("#(^|[\n ])((www|ftp)\.[\w+-]+?\.[\w+\-.]*(?(?=/)(/.+?(?=\s|,\s))|(?=\W)))#is", "\\1".$pref['link_text']."", $text);
- if(CHARSET != "utf-8" && CHARSET != "UTF-8"){
+ if(CHARSET != "utf-8" && CHARSET != "UTF-8")
+ {
 $email_text = ($pref['email_text']) ? $this->replaceConstants($pref['email_text']) : "\\1\\2©\\3";
- }else{
+ }
+ else
+ {
 $email_text = ($pref['email_text']) ? $this->replaceConstants($pref['email_text']) : "\\1\\2©\\3";
- }
+ }
 $text = preg_replace("#([\n ])([a-z0-9\-_.]+?)@([\w\-]+\.([\w\-\.]+\.)*[\w]+)#i", "\\1".$email_text."", $text);
 }
 else
@@ -790,9 +800,11 @@ class e_parse
 return $text;
 }
+
 function toEmail($text,$posted="",$mods="parse_sc, no_make_clickable")
 {
- if ($posted === TRUE && MAGIC_QUOTES_GPC) {
+ if ($posted === TRUE && MAGIC_QUOTES_GPC)
+ {
 $text = stripslashes($text);
 }
@@ -803,4 +815,4 @@ class e_parse
 }
-?>
+?>
\ No newline at end of file