
Bugtracker #5013 - stop prefs getting sanitised on save

This commit is contained in:
e107steved
2010-09-06 21:35:04 +00:00
parent decaecf54d
commit 5e3b71d3cd
2 changed files with 10 additions and 6 deletions


@@ -1493,7 +1493,7 @@ function save_prefs($table = 'core', $uid = USERID, $row_val = '')
break; break;
default: default:
$_user_pref = $tp->toDB($user_pref, true, true); $_user_pref = $tp->toDB($user_pref, true, true, 'pReFs');
$tmp = $eArrayStorage->WriteArray($_user_pref); $tmp = $eArrayStorage->WriteArray($_user_pref);
$sql->db_Update('user', "user_prefs='$tmp' WHERE user_id=".intval($uid)); $sql->db_Update('user', "user_prefs='$tmp' WHERE user_id=".intval($uid));
return $tmp; return $tmp;
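Review bot: The serialized pref string `$tmp` is interpolated straight into the query on the db_Update line, and with the new `'pReFs'` argument the value now reaches it without preFilter/dataFilter, so the only protection against a quote in a user-supplied pref value is whatever escaping toDB still applies after the skipped branch — that step is not visible here and should be confirmed. If toDB no longer escapes in this mode, the serialized value should be escaped by the database layer before interpolation (or the query bound), since the toDB docblock on this page says save_prefs is reachable by non-admin users. The unfiltered HTML is now stored verbatim, so every reader of user_prefs has to escape it on output. save_prefs begins outside the hunk.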


@@ -456,6 +456,7 @@ class e_parse
* @param boolean $no_encode [optional] This parameter should nearly always be FALSE. It is used by the save_prefs() function to preserve HTML content within prefs even when * @param boolean $no_encode [optional] This parameter should nearly always be FALSE. It is used by the save_prefs() function to preserve HTML content within prefs even when
* the save_prefs() function has been called by a non admin user / user without html posting permissions. * the save_prefs() function has been called by a non admin user / user without html posting permissions.
* @param boolean $mod [optional] The 'no_html' and 'no_php' modifiers blanket prevent HTML and PHP posting regardless of posting permissions. (used in logging) * @param boolean $mod [optional] The 'no_html' and 'no_php' modifiers blanket prevent HTML and PHP posting regardless of posting permissions. (used in logging)
* The 'pReFs' value is for internal use only, when saving prefs, to prevent sanitisation of HTML.
* @param boolean $original_author [optional] * @param boolean $original_author [optional]
* @return string * @return string
* @todo complete the documentation of this essential method * @todo complete the documentation of this essential method
@@ -478,10 +479,13 @@ class e_parse
$data = stripslashes($data); $data = stripslashes($data);
} }
$data = $this->preFilter($data); if ($mod != 'pReFs')
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
{ {
$data = $this->dataFilter($data); $data = $this->preFilter($data);
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
{
$data = $this->dataFilter($data);
}
} }
if (isset($pref['post_html']) && check_class($pref['post_html'])) if (isset($pref['post_html']) && check_class($pref['post_html']))
@@ -505,9 +509,9 @@ class e_parse
$ret = preg_replace("/&#(\d*?);/", "&#\\1;", $data); $ret = preg_replace("/&#(\d*?);/", "&#\\1;", $data);
} }
if (strpos($mod, 'no_php') !== FALSE) if ((strpos($mod, 'no_php') !== FALSE) || !check_class($pref['php_bbcode']))
{ {
$ret = str_replace(array("[php]", "[/php]"), array("[php]", "[/php]"), $ret); $ret = preg_replace("#\[(php)#i", "[\\1", $ret);
} }
return $ret; return $ret;
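Review bot: The new guard `if ($mod != 'pReFs')` in the second hunk uses a loose comparison, and on PHP before 8.0 `0 != 'pReFs'` evaluates to false, so a caller passing integer 0 (or any non-string $mod that loosely equals the sentinel) would skip preFilter and dataFilter entirely; make it `if ($mod !== 'pReFs')` so only the exact internal marker bypasses sanitisation. The docblock still declares `@param boolean $mod` although the parameter is now compared and searched as a string; `@param string|boolean $mod` would match actual use. In the third hunk, `check_class($pref['php_bbcode'])` reads the pref without a default, unlike the `varset($pref['post_html'], e_UC_MAINADMIN)` calls above it; `!check_class(varset($pref['php_bbcode'], e_UC_MAINADMIN))` treats an unset pref the same way as the other prefs in this method (main-admin only) and avoids the undefined-index notice. toDB begins and continues outside the hunks.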