
Bugtracker #4413 - check link fields for admin-entered links

This commit is contained in:
e107steved
2008-05-23 21:03:56 +00:00
parent c954aa4e1b
commit a7ad6e489d


@@ -11,9 +11,9 @@
| GNU General Public License (http://gnu.org). | GNU General Public License (http://gnu.org).
| |
| $Source: /cvs_backup/e107_0.8/e107_plugins/links_page/link_class.php,v $ | $Source: /cvs_backup/e107_0.8/e107_plugins/links_page/link_class.php,v $
| $Revision: 1.6 $ | $Revision: 1.7 $
| $Date: 2008-02-24 00:04:19 $ | $Date: 2008-05-23 21:03:49 $
| $Author: secretr $ | $Author: e107steved $
+----------------------------------------------------------------------------+ +----------------------------------------------------------------------------+
*/ */
@@ -207,21 +207,16 @@ class linkclass {
function parse_link_append($rowl) function parse_link_append($rowl){
{
global $tp, $linkspage_pref; global $tp, $linkspage_pref;
if($linkspage_pref['link_open_all'] && $linkspage_pref['link_open_all'] == "5") if($linkspage_pref['link_open_all'] && $linkspage_pref['link_open_all'] == "5"){
{ $link_open_type = $rowl['link_open'];
$link_open_type = $rowl['link_open']; }else{
} $link_open_type = $linkspage_pref['link_open_all'];
else
{
$link_open_type = $linkspage_pref['link_open_all'];
} }
$rowl['link_url'] = htmlentities($rowl['link_url'],ENT_QUOTES,CHARSET); switch ($link_open_type) {
switch ($link_open_type)
{
case 1: case 1:
$lappend = "<a class='linkspage_url' href='".$rowl['link_url']."' onclick=\"open_window('".e_PLUGIN."links_page/links.php?view.".$rowl['link_id']."','full');return false;\" >"; // Googlebot won't see it any other way. $lappend = "<a class='linkspage_url' href='".$rowl['link_url']."' onclick=\"open_window('".e_PLUGIN."links_page/links.php?view.".$rowl['link_id']."','full');return false;\" >"; // Googlebot won't see it any other way.
break; break;
@@ -480,19 +475,10 @@ class linkclass {
$sql->db_Update("links_page_cat", "link_category_order=link_category_order+1 WHERE link_category_id='$linkid' "); $sql->db_Update("links_page_cat", "link_category_order=link_category_order+1 WHERE link_category_id='$linkid' ");
} }
} }
function verify_link_manage($id) {
global $sql;
if ($sql->db_Select("links_page", "link_author", "link_id='".intval($id)."' ")) {
$row = $sql->db_Fetch();
}
if(varset($row['link_author']) != USERID)
js_location(SITEURL);
}
function dbLinkCreate($mode='') { // Create a new link. If $mode == 'submit', link has to go through the approval process; else its admin entry
function dbLinkCreate($mode='')
{
global $ns, $tp, $qs, $sql, $e107cache, $e_event, $linkspage_pref; global $ns, $tp, $qs, $sql, $e107cache, $e_event, $linkspage_pref;
$link_name = $tp->toDB($_POST['link_name']); $link_name = $tp->toDB($_POST['link_name']);
@@ -500,26 +486,32 @@ class linkclass {
$link_description = $tp->toDB($_POST['link_description']); $link_description = $tp->toDB($_POST['link_description']);
$link_button = $tp->toDB($_POST['link_but']); $link_button = $tp->toDB($_POST['link_but']);
if (!strstr($link_url, "http")) { if (!$link_name || !$link_url || !$link_description)
$link_url = "http://".$link_url; {
message_handler("ALERT", 5);
return;
}
if ($link_url && !strstr($link_url, "http"))
{
$link_url = "http://".$link_url;
} }
//create link, submit area, tmp table //create link, submit area, tmp table
if(isset($mode) && $mode == "submit"){ if(isset($mode) && $mode == "submit")
if (!$_POST['link_name'] || !$_POST['link_url'] || !$_POST['link_description']) { {
message_handler("ALERT", 5); $username = (defined('USERNAME')) ? USERNAME : LAN_LINKS_3;
} else {
$username = (defined('USERNAME')) ? USERNAME : LAN_LINKS_3;
$submitted_link = intval($_POST['cat_id'])."^".$link_name."^".$link_url."^".$link_description."^".$link_button."^".$username; $submitted_link = intval($_POST['cat_id'])."^".$link_name."^".$link_url."^".$link_description."^".$link_button."^".$username;
$sql->db_Insert("tmp", "'submitted_link', '".time()."', '$submitted_link' "); $sql->db_Insert("tmp", "'submitted_link', '".time()."', '$submitted_link' ");
$edata_ls = array("link_category" => $_POST['cat_id'], "link_name" => $link_name, "link_url" => $link_url, "link_description" => $link_description, "link_button" => $link_button, "username" => $username, "submitted_link" => $submitted_link); $edata_ls = array("link_category" => $_POST['cat_id'], "link_name" => $link_name, "link_url" => $link_url, "link_description" => $link_description, "link_button" => $link_button, "username" => $username, "submitted_link" => $submitted_link);
$e_event->trigger("linksub", $edata_ls); $e_event->trigger("linksub", $edata_ls);
//header("location:".e_SELF."?s"); //header("location:".e_SELF."?s");
js_location(e_SELF."?s"); js_location(e_SELF."?s");
} }
}else{ else
{
$link_t = $sql->db_Count("links_page", "(*)", "WHERE link_category='".intval($_POST['cat_id'])."'"); $link_t = $sql->db_Count("links_page", "(*)", "WHERE link_category='".intval($_POST['cat_id'])."'");
$time = ($_POST['update_datestamp'] ? time() : ($_POST['link_datestamp'] != "0" ? $_POST['link_datestamp'] : time()) ); $time = ($_POST['update_datestamp'] ? time() : ($_POST['link_datestamp'] != "0" ? $_POST['link_datestamp'] : time()) );
@@ -564,11 +556,6 @@ class linkclass {
if (isset($qs[1]) && $qs[1] == 'edit' && !isset($_POST['submit'])) { if (isset($qs[1]) && $qs[1] == 'edit' && !isset($_POST['submit'])) {
if ($sql->db_Select("links_page", "*", "link_id='".intval($qs[2])."' ")) { if ($sql->db_Select("links_page", "*", "link_id='".intval($qs[2])."' ")) {
$row = $sql->db_Fetch(); $row = $sql->db_Fetch();
if($row['link_author'] != USERID) {
header('Location: '.SITEURL);
exit;
}
} }
} }
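Review bot: The new side of the parse_link_append hunk drops the `$rowl['link_url'] = htmlentities($rowl['link_url'],ENT_QUOTES,CHARSET);` line while the `case 1` branch still interpolates `$rowl['link_url']` inside `href='...'`, so a stored URL containing a single quote can now close the attribute unless the value is already entity-encoded at write time by `$tp->toDB`, which is not visible here. Re-encoding at the point of output is the safer default regardless of any input-side checks the commit adds: `$rowl['link_url'] = htmlentities($rowl['link_url'], ENT_QUOTES, CHARSET);` just before the `switch`. Relatedly, in dbLinkCreate the new `if ($link_url && !strstr($link_url, "http"))` only tests for the substring `http` anywhere in the value, so a `javascript:` URL that mentions `http` later in the string is stored unchanged; a prefix test such as `if ($link_url && !preg_match('#^https?://#i', $link_url))` would prepend the scheme to anything that is not already an http(s) URL. parse_link_append's switch continues past the end of its hunk, and dbLinkCreate's body likewise runs beyond the hunks shown.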