mirror of https://github.com/e107inc/e107.git synced 2025-04-20 04:32:01 +02:00

Bugtracker #5013 - stop prefs getting sanitised on save

e107steved 2010-09-06 21:35:04 +00:00
parent decaecf54d
commit 5e3b71d3cd
2 changed files with 10 additions and 6 deletions


@ -1493,7 +1493,7 @@ function save_prefs($table = 'core', $uid = USERID, $row_val = '')
break;
default:
$_user_pref = $tp->toDB($user_pref, true, true);
$_user_pref = $tp->toDB($user_pref, true, true, 'pReFs');
$tmp = $eArrayStorage->WriteArray($_user_pref);
$sql->db_Update('user', "user_prefs='$tmp' WHERE user_id=".intval($uid));
return $tmp;
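Review bot: Passing `'pReFs'` here makes the parser skip preFilter() and dataFilter() for `$user_pref` in the `default:` (user table) branch, and the parameter doc in the other file says save_prefs() may be called by a non-admin user, so user-controlled pref values are now stored unfiltered. Every place that later prints a pref value therefore has to escape it at output time; a comment at the call would record that, e.g. `// 'pReFs' disables toDB() HTML filtering: values are stored raw, escape on output`. `$tmp` is also interpolated directly into the `db_Update` string, so quoting still depends on what toDB() and WriteArray() do on this path, which is not visible here; confirm quotes are still escaped when the filter is bypassed. The body of save_prefs() starts and ends outside the hunk.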


@ -456,6 +456,7 @@ class e_parse
* @param boolean $no_encode [optional] This parameter should nearly always be FALSE. It is used by the save_prefs() function to preserve HTML content within prefs even when
* the save_prefs() function has been called by a non admin user / user without html posting permissions.
* @param boolean $mod [optional] The 'no_html' and 'no_php' modifiers blanket prevent HTML and PHP posting regardless of posting permissions. (used in logging)
* The 'pReFs' value is for internal use only, when saving prefs, to prevent sanitisation of HTML.
* @param boolean $original_author [optional]
* @return string
* @todo complete the documentation of this essential method
@ -478,10 +479,13 @@ class e_parse
$data = stripslashes($data);
}
$data = $this->preFilter($data);
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
if ($mod != 'pReFs')
{
$data = $this->dataFilter($data);
$data = $this->preFilter($data);
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
{
$data = $this->dataFilter($data);
}
}
if (isset($pref['post_html']) && check_class($pref['post_html']))
@ -505,9 +509,9 @@ class e_parse
$ret = preg_replace("/&#(\d*?);/", "&#\\1;", $data);
}
if (strpos($mod, 'no_php') !== FALSE)
if ((strpos($mod, 'no_php') !== FALSE) || !check_class($pref['php_bbcode']))
{
$ret = str_replace(array("[php]", "[/php]"), array("[php]", "[/php]"), $ret);
$ret = preg_replace("#\[(php)#i", "[\\1", $ret);
}
return $ret;
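Review bot: The new guard `if ($mod != 'pReFs')` uses a loose comparison while the docblock above types `$mod` as boolean: `TRUE == 'pReFs'` holds in PHP, so a caller passing `TRUE` would skip preFilter() and dataFilter() as if it were saving prefs (before PHP 8 an integer `0` compares equal as well). Make the check strict, `if ($mod !== 'pReFs')`, so only the exact sentinel string disables sanitisation. The sentinel is reachable by any caller of this method, so the added docblock line should state plainly that it stores the data unfiltered rather than only "internal use". In the last hunk `$pref['php_bbcode']` is read without the `varset()` wrapper used for the other prefs; what check_class() returns for an unset value is not visible here and should be confirmed. The method body starts and ends outside these hunks.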