From 5e3b71d3cdccd7a4e6d4c4bb524b09b5055ad962 Mon Sep 17 00:00:00 2001
From: e107steved <steved@e107.org>
Date: Mon, 6 Sep 2010 21:35:04 +0000
Subject: [PATCH] Bugtracker #5013 - stop prefs getting sanitised on save

---
 class2.php                      |  2 +-
 e107_handlers/e_parse_class.php | 14 +++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/class2.php b/class2.php
index dbdc386c1..3b7299209 100644
--- a/class2.php
+++ b/class2.php
@@ -1493,7 +1493,7 @@ function save_prefs($table = 'core', $uid = USERID, $row_val = '')
 			break;
 
 		default:
-			$_user_pref = $tp->toDB($user_pref, true, true);
+			$_user_pref = $tp->toDB($user_pref, true, true, 'pReFs');
 			$tmp = $eArrayStorage->WriteArray($_user_pref);
 			$sql->db_Update('user', "user_prefs='$tmp' WHERE user_id=".intval($uid));
 			return $tmp;
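Review bot: This `default:` branch writes the `user` table, so with the 'pReFs' modifier the entire `$user_pref` array now reaches `WriteArray` without `preFilter()`/`dataFilter()`, including values a non-admin user sets through their own preferences; confirm that the code reading `user_prefs` escapes on output, since storage no longer does it. The `core` branch above the `break;` context line is outside the hunk, so it is not visible here whether it was given the same bypass. `save_prefs()` starts and continues outside the hunk.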
diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index 12ea1da56..64eff3714 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -456,6 +456,7 @@ class e_parse
 	 * @param boolean $no_encode [optional] This parameter should nearly always be FALSE. It is used by the save_prefs() function to preserve HTML content within prefs even when
 	 * 				the save_prefs() function has been called by a non admin user / user without html posting permissions.
 	 * @param boolean $mod [optional] The 'no_html' and 'no_php' modifiers blanket prevent HTML and PHP posting regardless of posting permissions. (used in logging)
+	 *		The 'pReFs' value is for internal use only, when saving prefs, to prevent sanitisation of HTML.
 	 * @param boolean $original_author [optional]
 	 * @return string
 	 * @todo complete the documentation of this essential method
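Review bot: The context line `@param boolean $mod` is now inaccurate: the body compares `$mod` against the string 'pReFs' and runs `strpos($mod, 'no_php')` on it, so it is a string of modifiers, not a boolean. Suggest `@param string $mod [optional] ...` and keep the added sentence about 'pReFs'. It would also help to state in the same docblock that passing 'pReFs' skips `preFilter()` and `dataFilter()` entirely, so a reader of the signature knows what the sentinel disables.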
@@ -478,10 +479,13 @@ class e_parse
 			$data = stripslashes($data);
 		}
 
-		$data = $this->preFilter($data);
-		if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
+		if ($mod != 'pReFs')
 		{
-			$data = $this->dataFilter($data);
+			$data = $this->preFilter($data);
+			if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
+			{
+				$data = $this->dataFilter($data);
+			}
 		}
 
 		if (isset($pref['post_html']) && check_class($pref['post_html']))
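Review bot: `if ($mod != 'pReFs')` uses loose comparison, and the parameter is documented as boolean: a caller passing `$mod = true` makes `true != 'pReFs'` evaluate to false (a non-empty string is truthy), so the whole filtering block is skipped for that caller without the sentinel ever being written. Use strict comparison, `if ($mod !== 'pReFs')`, so only the literal sentinel disables `preFilter()`/`dataFilter()`. The same loose-vs-strict concern applies to any other place `$mod` is compared as a string. `toDB()` starts before this hunk and continues past it.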
@@ -505,9 +509,9 @@ class e_parse
 
 			$ret = preg_replace("/&amp;#(\d*?);/", "&#\\1;", $data);
 		}
-		if (strpos($mod, 'no_php') !== FALSE)
+		if ((strpos($mod, 'no_php') !== FALSE) || !check_class($pref['php_bbcode']))
 		{
-			$ret = str_replace(array("[php]", "[/php]"), array("&#91;php&#93;", "&#91;/php&#93;"), $ret);
+			$ret = preg_replace("#\[(php)#i", "&#91;\\1", $ret);
 		}
 
 		return $ret;
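Review bot: The added condition reads `$pref['php_bbcode']` directly, unlike the `post_html`/`post_script` checks earlier in the same method which go through `varset(..., e_UC_MAINADMIN)`; if that pref is not set this emits an undefined-index notice and hands `null` to `check_class()`, whose result for `null` is not visible here. For a fail-closed default consistent with the other checks, `if ((strpos($mod, 'no_php') !== FALSE) || !check_class(varset($pref['php_bbcode'], e_UC_MAINADMIN)))`. Separately, the new `preg_replace("#\[(php)#i", ...)` only neutralises the opening `[php` form; the removed `str_replace` also rewrote `[/php]`, so closing tags are now stored unchanged — probably harmless if no opener survives, but worth confirming that is intended.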