More code cleanup

e107_admin/image.php

@@ -1864,6 +1864,7 @@ class media_admin_ui extends e_admin_ui
 
 		$sql = e107::getDb();
 		$mes = e107::getMessage();
+		$tp = e107::getParser();
 
 			if(!empty($_POST['multiaction']))
 			{
@@ -1887,7 +1888,7 @@ class media_admin_ui extends e_admin_ui
 					}
 
 					//delete it from server
-					$deletePath = e_AVATAR.$path;
+					$deletePath = e_AVATAR.$tp->filter($path);
 					if(@unlink($deletePath))
 					{
 						$mes->addDebug('Deleted: '.$deletePath);
@@ -2619,7 +2620,7 @@ class media_admin_ui extends e_admin_ui
 		foreach($_POST['batch_selected'] as $key=>$file)
 		{
 
-			$oldpath = e_IMPORT.$file;
+			$oldpath = e_IMPORT.$tp->filter($file, 'w');
 
 			if($_POST['batch_category'] == '_avatars_public' || $_POST['batch_category'] == '_avatars_private')
 			{

e107_plugins/forum/forum_uploads.php

@@ -33,7 +33,7 @@ if(is_array($_POST['delete']))
 		$f = explode("_", $fname);
 		if($f[1] == USERID)
 		{
-			$path = e_UPLOAD.$fname;
+			$path = e_UPLOAD.e107::getParser()->filter($fname,'w');
 			if(unlink($path) == TRUE)
 			{
 				$msg = LAN_FORUM_7002.": $path";

e107_web/js/plupload/upload.php

@@ -47,19 +47,21 @@ $chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
 	$fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
 
 
-
 // Clean the fileName for security reasons
 	$fileName = preg_replace('/[^\w\._]+/', '_', $fileName);
 
 // Make sure the fileName is unique but only if chunking is disabled
-if ($chunks < 2 && file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName)) {
+	if($chunks < 2 && file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName))
+	{
 		$ext = strrpos($fileName, '.');
 		$fileName_a = substr($fileName, 0, $ext);
 		$fileName_b = substr($fileName, $ext);
 
 		$count = 1;
 		while(file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName_a . '_' . $count . $fileName_b))
+		{
 			$count++;
+		}
 
 		$fileName = $fileName_a . '_' . $count . $fileName_b;
 	}
@@ -68,80 +70,120 @@ $filePath = $targetDir . DIRECTORY_SEPARATOR . $fileName;
 
 // Create target dir
 	if(!file_exists($targetDir))
+	{
 		@mkdir($targetDir);
+	}
 
 // Remove old temp files	
-if ($cleanupTargetDir && is_dir($targetDir) && ($dir = opendir($targetDir))) {
+	if($cleanupTargetDir && is_dir($targetDir) && ($dir = opendir($targetDir)))
-	while (($file = readdir($dir)) !== false) {
+	{
+		while(($file = readdir($dir)) !== false)
+		{
 			$tmpfilePath = $targetDir . DIRECTORY_SEPARATOR . $file;
 
 			// Remove temp file if it is older than the max age and is not the current file
-		if (preg_match('/\.part$/', $file) && (filemtime($tmpfilePath) < time() - $maxFileAge) && ($tmpfilePath != "{$filePath}.part")) {
+			if(preg_match('/\.part$/', $file) && (filemtime($tmpfilePath) < time() - $maxFileAge) && ($tmpfilePath != "{$filePath}.part"))
+			{
 				@unlink($tmpfilePath);
 			}
 		}
 
 		closedir($dir);
-} else
+	}
+	else
+	{
 		die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}');
+	}
 
 
 // Look for the content type header
 	if(isset($_SERVER["HTTP_CONTENT_TYPE"]))
+	{
 		$contentType = $_SERVER["HTTP_CONTENT_TYPE"];
+	}
 
 	if(isset($_SERVER["CONTENT_TYPE"]))
+	{
 		$contentType = $_SERVER["CONTENT_TYPE"];
+	}
 
 // Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
-if (strpos($contentType, "multipart") !== false) {
+	if(strpos($contentType, "multipart") !== false)
-	if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
+	{
+		if(isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name']))
+		{
 			// Open temp file
 			$out = fopen("{$filePath}.part", $chunk == 0 ? "wb" : "ab");
-		if ($out) {
-			// Read binary input stream and append it to temp file
-			$in = fopen($_FILES['file']['tmp_name'], "rb");
 
-			if ($in) {
+			if($out)
+			{
+				// Read binary input stream and append it to temp file
+				$tmpName = e107::getParser()->filter($_FILES['file']['tmp_name'],'w');
+				$in = fopen($tmpName, "rb");
+
+				if($in)
+				{
 					while($buff = fread($in, 4096))
+					{
 						fwrite($out, $buff);
-			} else
+					}
+				}
+				else
+				{
 					die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
+				}
 				fclose($in);
 				fclose($out);
-			@unlink($_FILES['file']['tmp_name']);
+				@unlink($tmpName);
-		} else
+			}
+			else
+			{
 				die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
-	} else
+			}
+		}
+		else
+		{
 			die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
-} else {
+		}
+	}
+	else
+	{
 		// Open temp file
 		$out = fopen("{$filePath}.part", $chunk == 0 ? "wb" : "ab");
-	if ($out) {
+		if($out)
+		{
 			// Read binary input stream and append it to temp file
 			$in = fopen("php://input", "rb");
 
-		if ($in) {
+			if($in)
+			{
 				while($buff = fread($in, 4096))
+				{
 					fwrite($out, $buff);
-		} else
+				}
+			}
+			else
+			{
 				die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
+			}
 
 			fclose($in);
 			fclose($out);
-	} else
+		}
+		else
+		{
 			die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
 		}
+	}
 
 // Check if file has been uploaded
-if (!$chunks || $chunk == $chunks - 1) {
+	if(!$chunks || $chunk == $chunks - 1)
+	{
 		// Strip the temp .part suffix off
 		rename("{$filePath}.part", $filePath);
 	}
 
 
-
-
 // rename($targetDir.$fileName,e_MEDIA."images/2012-05/",$fileName);
 	if($_GET['for'] != '') // leave in upload directory if no category given.
 	{