
Add in security code, youtube bbcode from 0.7

This commit is contained in:
e107steved
2010-09-06 12:34:06 +00:00
parent bd4d34d933
commit decaecf54d
14 changed files with 559 additions and 64 deletions


@@ -487,6 +487,7 @@ class page
$page_text = $tp->toDB($_POST['data']);
// $pauthor = ($_POST['page_display_authordate_flag'] ? USERID : 0); // this check should be done in the front-end.
$pauthor = USERID;
$update = 0; // Make sure some updates happen
if($mode)
@@ -495,6 +496,7 @@ class page
$menuname = ($type && vartrue($_POST['menu_name']) ? ", page_theme = '".$tp -> toDB($_POST['menu_name'])."'" : "");
$status = $sql -> db_Update("page", "page_title='{$page_title}', page_text='{$page_text}', page_datestamp='".time()."', page_author='{$pauthor}', page_rating_flag='".intval($_POST['page_rating_flag'])."', page_comment_flag='".intval($_POST['page_comment_flag'])."', page_password='".$_POST['page_password']."', page_class='".$_POST['page_class']."', page_ip_restrict='".varset($_POST['page_ip_restrict'],'')."', page_template='".$_POST['page_template']."' {$menuname} WHERE page_id='{$mode}'") ? E_MESSAGE_SUCCESS : E_MESSAGE_ERROR;
if ($status == E_MESSAGE_SUCCESS) $update++;
$mes = e107::getMessage();
$mes->add($message, $status);
@@ -541,7 +543,7 @@ class page
$e107cache->clear("sitelinks");
}
}
admin_update($update, 'update', LAN_UPDATED, false, false);
admin_update($update, 'update', LAN_UPDATED, false, false); // Display result of update
}
else
{ // New page/menu
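Review bot: The db_Update in this hunk still interpolates `$_POST['page_password']`, `$_POST['page_class']` and `$_POST['page_template']` straight into the SQL string with no `$tp->toDB()`, unlike `page_title` and `page_text` two lines above; the statement is context rather than new code, but the commit reworks the update bookkeeping around it without closing that. At minimum route them through the same escaping, e.g. `page_password='".$tp->toDB($_POST['page_password'])."', page_class='".intval($_POST['page_class'])."', page_template='".$tp->toDB($_POST['page_template'])."'` (intval assumes page_class is a numeric userclass id, which is inferred, not visible here). Whether some outer layer already escapes $_POST is not visible in the hunk; the enclosing method starts before it.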


@@ -1379,7 +1379,8 @@ class admin_newspost
$_POST['news_body'] .= "\n[[b]".NWSLAN_49." {$row['submitnews_name']}[/b]]";
$_POST['news_body'] .= ($row['submitnews_file'])?"\n\n[img]{e_NEWSIMAGE}{$row['submitnews_file']}[/img]": "";
}
$_POST['data'] = $tp->dataFilter($_POST['data']); // Filter any nasties
$_POST['news_title'] = $tp->dataFilter($_POST['news_title']);
}
}
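Review bot: The new dataFilter calls cover `$_POST['data']` and `$_POST['news_title']` but not `$_POST['news_body']`, which the lines just above extend with `$row['submitnews_name']` and `$row['submitnews_file']` from the submitnews record; if `news_body` is the field that gets persisted (the enclosing method continues outside the hunk, so this is inferred), a submitter-controlled name reaches storage without passing the filter. Adding `$_POST['news_body'] = $tp->dataFilter($_POST['news_body']);` next to the other two, or filtering `submitnews_name` before concatenation, closes that. dataFilter only neutralises a fixed list of tags, so this is defence in depth rather than a substitute for escaping at render time.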


@@ -9,9 +9,10 @@
* Administration - Site Preferences
*
* $URL$
* $Revision$
* $Id$
*
*/
* $Author$
*/
require_once ("../class2.php");
if(isset($_POST['newver']))
@@ -765,6 +766,21 @@ $text .= "
<div class='smalltext field-help'>".PRFLAN_117."</div>
</td>
</tr>
<tr>
<td class='label'>".PRFLAN_215.":</td>
<td class='control'>
".r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')."
<div class='smalltext field-help'>".PRFLAN_216."</div>
</td>
</tr>
<tr>
<td class='label'>".PRFLAN_217.":</td>
<td class='control'>
".$frm->radio_switch('filter_script', varset($pref['filter_script'], 1))."
<div class='smalltext field-help'>".PRFLAN_218."</div>
</td>
</tr>
<tr>
<td class='label'>".PRFLAN_122.":</td>
<td class='control'>


@@ -0,0 +1,7 @@
/* $Id: sanitised.bb 11660 2010-08-16 16:41:35Z secretr $ */
// decode (just in case) and re-code sanitised string if debug and ADMIN
if(defsettrue('ADMIN') && defsettrue('E107_DEBUG_LEVEL'))
{
return '<span class="sanitised"> SANITISED: '.htmlentities(html_entity_decode(rawurldecode($code_text), ENT_QUOTES, CHARSET), ENT_QUOTES, CHARSET).' SANITISED END</span>';
}
return '<span class="sanitised">##'.LAN_SANITISED.'##</span>';


@@ -0,0 +1,235 @@
<?php
/*
+ ----------------------------------------------------------------------------+
| e107 website system
|
| Copyright (C) 2001-2002 Steve Dunstan (jalist@e107.org)
| Copyright (C) 2008-2010 e107 Inc (e107.org)
|
|
| Released under the terms and conditions of the
| GNU General Public License (http://gnu.org).
|
| $URL: https://e107.svn.sourceforge.net/svnroot/e107/trunk/e107_0.7/e107_handlers/emote.php $
| $Revision: 11678 $
| $Id: emote.php 11678 2010-08-22 00:43:45Z e107coders $
| $Author: e107coders $
+----------------------------------------------------------------------------+
*/
if (!defined('e107_INIT')) { exit; }
/**
* Youtube handling
*
* [youtube=tiny|small|medium|big|huge or width,height|nofull&norel&border&privacy&hd]ID[/youtube]
* Youtube ID is the only required data!
* BBcode 'pre-save' processes youtube's 'copy and paste' HTML code to generate an appropriate bbcode
* TODO - more: http://code.google.com/apis/youtube/player_parameters.html
* TODO - use swfobject JS - XHTML validation
*/
/**
* Class-based bbcode validation
*
* Class name must be 'bb_'.bbname - where bbname is the name of the bbcode. (Note some bbcodes begin '_', and this is retained)
*
* This class must contain exactly two public methods:
* toDB($code_text, $parm) - called prior to text being saved
* toHTML($code_text, $parm) - called prior to text being displayed
*/
class bb_youtube extends e_bb_base
{
/**
* Called prior to save
*
* If user has posted the complete youtube 'copy and paste' text between the tags, parse it and generate the relevant bbcode
*/
protected function toDB($code_text, $parm)
{
$bbpars = array();
$widthString = '';
$parm = trim($parm);
if ($parm)
{
if (strpos($parm, '|') !== FALSE)
{
list($widthString, $parm) = explode('|', $parm);
}
elseif (in_array($parm, array('tiny', 'small', 'medium', 'big', 'huge')) || (strpos($parm, ',') !== FALSE))
{ // Assume we're just setting a width
$widthString = $parm;
$parm = '';
}
if ($parm)
{
$bbpars = explode('&', $parm);
}
}
$params = array(); // Accumulator for parameters from youtube code
$ok = 0;
if (strpos($code_text, '<') === FALSE)
{ // 'Properly defined' bbcode (we hope)
$picRef = $code_text;
}
else
{
//libxml_use_internal_errors(TRUE);
if (FALSE === ($info = simplexml_load_string($code_text)))
{
//print_a($matches);
//$xmlErrs = libxml_get_errors();
//print_a($xmlErrs);
$ok = 1;
}
else
{
$info1 = (array)$info;
if (!isset($info1['embed']))
{
$ok = 2;
}
else
{
$info2 = (array)$info1['embed'];
if (!isset($info2['@attributes']))
{
$ok = 3;
}
}
}
if ($ok != 0)
{
print_a($info);
return '[sanitised]'.$ok.'B'.htmlspecialchars($matches[0]).'B[/sanitised]';
}
$target = $info2['@attributes'];
unset($info);
$ws = varset($target['width'], 0);
$hs = varset($target['height'], 0);
if (($ws == 0) || ($hs == 0) || !isset($target['src'])) return '[sanitised]A'.htmlspecialchars($matches[0]).'A[/sanitised]';
if (!$widthString)
{
$widthString = $ws.','.$hs; // Set size of window
}
list($url, $query) = explode('?', $target['src']);
if (strpos($url, 'youtube-nocookie.com') !== FALSE)
{
$params[] = 'privacy';
}
parse_str($query, $vals); // Various options set here
if (varset($vals['allowfullscreen'], 'true') != 'true')
{
$params[] = 'nofull';
}
if (varset($vals['border'], 0) != 0)
{
$params[] = 'border';
}
if (varset($vals['rel'], 1) == 0)
{
$params[] = 'norel';
}
$picRef = substr($url, strrpos($url, '/') + 1);
}
$yID = preg_replace('/[^0-9a-z]/i', '', $picRef);
if (($yID != $picRef) || (strlen($yID) > 20))
{ // Possible hack attempt
}
$params = array_merge($params, $bbpars); // Any parameters set in bbcode override those in HTML
// Could check for valid array indices here
$paramString = implode('&', $params);
if ($paramString) $widthString .= '|'.$paramString;
$ans = '[youtube='.$widthString.']'.$picRef.'[/youtube]';
return $ans;
}
/**
* Translate youtube bbcode into the appropriate <EMBED> object
*/
protected function toHTML($code_text, $parm)
{
if(empty($code_text)) return '';
$parms = explode('|', $parm, 2);
parse_str(varset($parms[1], ''), $params);
if(empty($parms[0])) $parms[0] = 'small';
switch ($parms[0])
{
case 'tiny':
$params['w'] = 200;
$params['h'] = 180;
break;
case 'small':
$params['w'] = 445;
$params['h'] = 364;
break;
case 'medium':
$params['w'] = 500;
$params['h'] = 405;
break;
case 'big':
$params['w'] = 660;
$params['h'] = 525;
break;
case 'huge':
$params['w'] = 980;
$params['h'] = 765;
break;
default:
$dim = explode(',', $parms[0], 2);
$params['w'] = (integer) varset($dim[0], 445);
if($params['w'] > 980 || $params['w'] < 200) $params['w'] = 445;
$params['h'] = (integer) varset($dim[1], 364);
if($params['h'] > 765 || $params['h'] < 180) $params['h'] = 364;
break;
}
$yID = preg_replace('/[^0-9a-z\-_\&]/i', '', $code_text);
$url = isset($params['privacy']) ? 'http://www.youtube-nocookie.com/v/' : 'http://www.youtube.com/v/';
$url .= $yID.'?';
if(isset($params['nofull']))
{
$fscr = 'false';
$url = $url.'fs=0';
}
else
{
$fscr = 'true';
$url = $url.'fs=1';
}
if(isset($params['border'])) $url = $url.'&amp;border=1';
if(isset($params['norel'])) $url = $url.'&amp;rel=0';
if(isset($params['hd'])) $url = $url.'&amp;hd=1';
$ret = '
<object width="'.$params['w'].'" height="'.$params['h'].'">
<param name="movie" value="'.$url.'"></param>
<param name="allowFullScreen" value="'.$fscr.'"></param>
<param name="allowscriptaccess" value="always"></param>
<param name="wmode" value="transparent"></param>
<embed src="'.$url.'" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="'.$fscr.'" wmode="transparent" width="'.$params['w'].'" height="'.$params['h'].'"></embed>
</object>
';
return $ret;
}
}
?>
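Review bot: toDB computes the "Possible hack attempt" check on `$picRef` but the branch is empty, so an arbitrary reference is written back into `[youtube=…]…[/youtube]` unvalidated, and the two sanitised returns above it reference `$matches[0]`, which is never assigned in this method (a leftover from the 0.7 regex version), so a rejected paste is stored with an empty payload plus a PHP notice. The check's class `[^0-9a-z]` also rejects the `-` and `_` that real YouTube ids contain, while toHTML's class lets `&` through into `$yID` and hence extra query parameters into the player URL; aligning both on `[0-9a-z\-_]` and actually returning a sanitised marker from the branch closes the gap, and `print_a($info)` on the failure path is debug output that should go. simplexml_load_string is fed user-pasted markup with the libxml error handling commented out, so parse warnings reach the page; depending on the libxml build, entity handling for that input deserves an explicit check as well.
```php
// … unchanged: parameter parsing and simplexml load …
if ($ok != 0)
{
    return '[sanitised]'.$ok.'B'.htmlspecialchars($code_text).'B[/sanitised]';
}
// … unchanged: attribute extraction …
if (($ws == 0) || ($hs == 0) || !isset($target['src'])) return '[sanitised]A'.htmlspecialchars($code_text).'A[/sanitised]';
// … unchanged: size and option derivation …
$yID = preg_replace('/[^0-9a-z\-_]/i', '', $picRef);
if (($yID != $picRef) || (strlen($yID) > 20))
{ // Possible hack attempt - never let the raw reference through to the DB
    return '[sanitised]C'.htmlspecialchars($picRef).'C[/sanitised]';
}
// … unchanged: merge bbcode params and build the [youtube] tag …
```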


@@ -65,6 +65,8 @@ class bbcode_shortcodes
$bbcode['list'] = array($bbcode_func,"[list][/list]", LANHELP_36,"list.png");
$bbcode['img'] = array($bbcode_func,"[img][/img]", LANHELP_27,"image.png");
$bbcode['flash'] = array($bbcode_func,"[flash=width,height][/flash]", LANHELP_47,"flash.png");
$bbcode['youtube'] = array($bbcode_func,"[youtube][/youtube]", LANHELP_48,"youtube.png");
$bbcode['sanitised'] = array('', '', '');
$bbcode['fontsize'] = array("expandit","size_selector_".$rand, LANHELP_22,"fontsize.png","Size_Select",'size_selector_'.$rand);
$bbcode['fontcol'] = array("expandit","col_selector_".$rand, LANHELP_21,"fontcol.png","Color_Select",'col_selector_'.$rand);


@@ -134,6 +134,8 @@
<core name="password_CHAP">0</core>
<core name="php_bbcode">255</core>
<core name="post_html">254</core>
<core name="post_script">250</core>
<core name="filter_script">1</core>
<core name="predefinedLoginName"></core>
<core name="profanity_filter">0</core>
<core name="profanity_replace">[censored]</core>


@@ -2,26 +2,40 @@
/*
* e107 website system
*
* Copyright (C) 2008-2009 e107 Inc (e107.org)
* Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
*
*
* $Source: /cvs_backup/e107_0.8/e107_handlers/bbcode_handler.php,v $
* $URL$
* $Revision$
* $Date$
* $Id$
* $Author$
*/
/**
*
* @package e107
* @category e107_handlers
* @version $Id$
* @author e107inc
*
* bbcode_handler - processes bbcodes within strings.
*
* Separate processing (via class-based bbcodes) for pre-save and pre-display
*/
if (!defined('e107_INIT')) { exit; }
class e_bbcode
{
var $bbList; // Caches the file contents for each bbcode processed
var $bbLocation; // Location for each file - 'core' or a plugin name
var $preProcess = FALSE; // Set when processing bbcodes prior to saving
function e_bbcode()
function __construct()
{
global $pref;
$core_bb = array(
@@ -31,7 +45,7 @@ class e_bbcode
'url', 'quote', 'left', 'right',
'b', 'justify', 'file', 'stream',
'textarea', 'list', 'php', 'time',
'spoiler', 'hide'
'spoiler', 'hide', 'youtube', 'sanitised'
);
foreach($core_bb as $c)
@@ -56,26 +70,60 @@ class e_bbcode
krsort($this->bbLocation);
}
// If $bb_strip is TRUE, all bbcodes are stripped. If FALSE, none are stripped.
// If a comma separated (lower case) list is passed, only the listed codes are stripped (and the rest are processed)
function parseBBCodes($value, $p_ID, $force_lower = 'default', $bb_strip = FALSE)
/**
* Parse a string for bbcodes.
* Process using the 'pre-save' or 'display' routines as appropriate
*
* @var string $value - the string to be processed
* @var int $p_ID - ID of a user (the 'post ID') needed by some bbcodes in display mode
* @var string|boolean $force_lower - determines whether bbcode detection is case-insensitive
* TRUE - case-insensitive
* 'default' - case-insensitive
* FALSE - case-sensitive (only lower case bbcodes processed)
* @var string|boolean $bbStrip - determines action when a bbcode is encountered.
* TRUE (boolean or word), all bbcodes are stripped.
* FALSE - normal display processing of all bbcodes
* comma separated (lower case) list - only the listed codes are stripped (and the rest are processed)
* If the first word is 'PRE', sets pre-save mode. Any other parameters follow, comma separated
*
* @return string processed data
*
* Code uses a crude stack-based syntax analyser to handle nested bbcodes (including nested 'size' bbcodes, for example)
*/
function parseBBCodes($value, $p_ID, $force_lower = 'default', $bbStrip = FALSE)
{
global $postID;
$postID = $p_ID;
if (strlen($value) <= 6) return $value; // Don't waste time on trivia!
if (strlen($value) <= 6) return $value; // Don't waste time on trivia!
if ($force_lower == 'default') $force_lower = TRUE; // Set the default behaviour if not overridden
$code_stack = array(); // Stack for unprocessed bbcodes and text
$unmatch_stack = array(); // Stack for unmatched bbcodes
$result = ''; // Accumulates fully processed text
$stacktext = ''; // Accumulates text which might be subject to one or more bbcodes
$nopro = FALSE; // Blocks processing within [code]...[/code] tags
$code_stack = array(); // Stack for unprocessed bbcodes and text
$unmatch_stack = array(); // Stack for unmatched bbcodes
$result = ''; // Accumulates fully processed text
$stacktext = ''; // Accumulates text which might be subject to one or more bbcodes
$nopro = FALSE; // Blocks processing within [code]...[/code] tags
$this->preProcess = FALSE;
$strip_array = array();
if (!is_bool($bb_strip))
if (!is_bool($bbStrip))
{
$strip_array = explode(',',$bb_strip);
$strip_array = explode(',',$bbStrip);
if ($strip_array[0] == 'PRE')
{
$this->preProcess = TRUE;
unset($strip_array[0]);
if (count($strip_array) == 0)
{
$bbStrip = FALSE;
}
elseif (in_array('TRUE', $strip_array))
{
$bbStrip = TRUE;
}
}
}
$pattern = '#^\[(/?)([A-Za-z_]+)(\d*)([=:]?)(.*?)]$#i'; // Pattern to split up bbcodes
// $matches[0] - same as the input text
@@ -100,14 +148,13 @@ class e_bbcode
$bbword = (isset($matches[2])) ? $matches[2] : '';
if($cont[1] != '/')
{
$bbstart = $cont;
$bbsep = varset($matches[4]);
}
if ($force_lower) $bbword = strtolower($bbword);
if ($nopro && ($bbword == 'code') && ($matches[1] == '/')) $nopro = FALSE; // End of code block
if (($bbword) && ($bbword == trim($bbword)) && !$nopro)
{ // Got a code to process here
if (($bb_strip === TRUE) || in_array($bbword,$strip_array))
if (($bbStrip === TRUE) || in_array($bbword,$strip_array))
{
$is_proc = TRUE; // Just discard this bbcode
}
@@ -146,7 +193,7 @@ class e_bbcode
case 'bbcode' :
if (($code_stack[0]['code'] == $bbword) && ($code_stack[0]['numbers'] == $matches[3]))
{
$stacktext = $this->proc_bbcode($bbword,$code_stack[0]['param'],$stacktext,$bbparam, $bbsep, $bbstart.$stacktext.$cont);
$stacktext = $this->proc_bbcode($bbword, $code_stack[0]['param'], $stacktext, $bbparam, $code_stack[0]['bbsep'], $code_stack[0]['block'].$stacktext.$cont);
array_shift($code_stack);
// Intentionally don't terminate here - may be some text we can clean up
$bbword=''; // Necessary to make sure we don't double process if several instances on stack
@@ -175,11 +222,11 @@ class e_bbcode
{ // Single code to process
if (count($code_stack) == 0)
{
$result .= $this->proc_bbcode('_'.$bbword,$bbparam);
$result .= $this->proc_bbcode('_'.$bbword,$bbparam,'','','',$cont);
}
else
{
$stacktext .= $this->proc_bbcode('_'.$bbword,$bbparam);
$stacktext .= $this->proc_bbcode('_'.$bbword,$bbparam,'','','',$cont);
}
$is_proc = TRUE;
}
@@ -190,12 +237,11 @@ class e_bbcode
array_unshift($code_stack,array('type' => 'text','code' => $stacktext));
$stacktext = '';
}
array_unshift($code_stack,array('type' => 'bbcode','code' => $bbword, 'numbers'=> $matches[3], 'param'=>$bbparam));
array_unshift($code_stack,array('type' => 'bbcode','code' => $bbword, 'numbers'=> $matches[3], 'param'=>$bbparam, 'bbsep' => $bbsep, 'block' => $cont));
if ($bbword == 'code') $nopro = TRUE;
$is_proc = TRUE;
}
}
}
}
// Next lines could be deleted - but gives better rejection of 'stray' opening brackets
@@ -243,14 +289,21 @@ class e_bbcode
function proc_bbcode($code, $param1='',$code_text_par='', $param2='', $sep='', $full_text='')
// Invoke an actual bbcode handler
// $code - textual value of the bbcode (already begins with '_' if a single code)
// $param1 - any text after '=' in the opening code
// $code_text_par - text between the opening and closing codes
// $param2 - any text after '=' for the closing code
/**
* Process a bbcode
*
* @var string $code - textual value of the bbcode (already begins with '_' if a single code)
* @var string $param1 - any text after '=' in the opening code
* @var string $code_text_par - text between the opening and closing codes
* @var string $param2 - any text after '=' for the closing code
* @var char $sep - character separating bbcode name and any parameters
* @var string $full_text - the 'raw' text between, and including, the opening and closing bbcode tags
*/
private function proc_bbcode($code, $param1='', $code_text_par='', $param2='', $sep='', $full_text='')
{
global $tp, $postID, $code_text, $parm;
$parm = $param1;
$code_text = $code_text_par;
@@ -269,26 +322,47 @@ class e_bbcode
{ // Find the file
if ($this->bbLocation[$code] == 'core')
{
$bbFile = e_CORE.'bbcodes/'.strtolower(str_replace('_', '', $code)).'.bb';
$bbFile = e_CORE.'bbcodes/'.strtolower(str_replace('_', '', $code));
}
else
{ // Add code to check for plugin bbcode addition
$bbFile = e_PLUGIN.$this->bbLocation[$code].'/'.strtolower($code).'.bb';
$bbFile = e_PLUGIN.$this->bbLocation[$code].'/'.strtolower($code);
}
if (file_exists($bbFile))
if (file_exists($bbFile.'.php'))
{ // Its a bbcode class file
require_once($bbFile.'.php');
//echo "Load: {$bbFile}.php -->".$code_text.'<br />';
$className = 'bb_'.$code;
$this->bbList[$code] = new $className();
}
elseif (file_exists($bbFile.'.bb'))
{
$bbcode = file_get_contents($bbFile);
$bbcode = file_get_contents($bbFile.'.bb');
$this->bbList[$code] = $bbcode;
}
else
{
$this->bbList[$code] = '';
//echo "<br />File not found: {$bbFile}.php<br />";
return false;
}
}
global $e107_debug;
if (is_object($this->bbList[$code]))
{
if ($this->preProcess)
{
//echo "Preprocess: ".htmlspecialchars($code_text).", params: {$param1}<br />";
return $this->bbList[$code]->bbPreSave($code_text, $param1);
}
return $this->bbList[$code]->bbPreDisplay($code_text, $param1);
}
if ($this->preProcess) return $full_text; // No change
/**
* @todo - capturing output deprecated
*/
ob_start();
$bbcode_return = eval($bbcode);
$bbcode_output = ob_get_contents();
@@ -305,4 +379,60 @@ class e_bbcode
}
}
/**
* Base class for bbcode handlers
*
* Contains core routines for entry, security, logging....
*
* @todo add security
*/
class e_bb_base
{
/**
* Constructor
*/
public function __construct()
{
}
/**
* Called prior to save of user-entered text
*
* Allows initial parsing of bbcode, including the possibility of removing or transforming the enclosed text (as is done by the youtube processing)
* Parameters passed by reference to minimise memory use
*
* @param string $code_text - text between the bbcode tags
* @param string $parm - any parameters specified for the bbcode
*
* @return string for insertion into DB. (If a bbcode is to be inserted, the bbcode 'tags' must be included in the return string.)
*/
final public function bbPreSave(&$code_text, &$parm)
{
// Could add logging, security in here
return $this->toDB($code_text, $parm);
}
/**
* Process bbcode prior to display
* Functionally this routine does exactly the same as the existing bbcodes
* Parameters passed by reference to minimise memory use
*
* @param string $code_text - text between the bbcode tags
* @param string $parm - any parameters specified for the bbcode
*
* @return string with $code_text transformed into displayable XHTML as necessary
*/
final public function bbPreDisplay(&$code_text, &$parm)
{
// Could add logging, security in here
return $this->toHTML($code_text, $parm);
}
}
?>
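Review bot: In proc_bbcode the class path does `require_once($bbFile.'.php')` and then `new $className()` with no check that the file actually declared `bb_<code>` or that it extends e_bb_base, so a plugin file missing the class fatals the whole parse and one that is not an e_bb_base has no bbPreSave/bbPreDisplay to call; guard with `if (class_exists($className, false) && is_subclass_of($className, 'e_bb_base'))` before instantiating and otherwise fall through to the existing `$this->bbList[$code] = ''; return false;` branch. `$code` forms both the file path and the class name; it is presumably constrained by the `$this->bbLocation[$code]` lookup just above, but that lookup's failure handling is not visible in the hunk. The `@todo add security` on e_bb_base leaves bbPreSave as a pass-through, which means each subclass (youtube.php in this commit) is solely responsible for validating what it writes back to the DB; a comment on bbPreSave saying so, `// No validation here: toDB() must return only text that is safe to store`, would make that contract explicit.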


@@ -477,6 +477,13 @@ class e_parse
{
$data = stripslashes($data);
}
$data = $this->preFilter($data);
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
{
$data = $this->dataFilter($data);
}
if (isset($pref['post_html']) && check_class($pref['post_html']))
{
$no_encode = TRUE;
@@ -507,6 +514,94 @@ class e_parse
}
/**
* Checks a string for potentially dangerous HTML tags, including malformed tags
*
*/
public function dataFilter($data)
{
$ans = '';
$vetWords = array('<applet', '<body', '<embed', '<frame', '<script', '<frameset', '<html', '<iframe',
'<style', '<layer', '<link', '<ilayer', '<meta', '<object', 'javascript:', 'vbscript:');
$ret = preg_split('#(\[code.*?\[/code.*?])#mis', $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );
foreach ($ret as $s)
{
if (substr($s, 0, 5) != '[code')
{
$vl = array();
$t = html_entity_decode(rawurldecode($s), ENT_QUOTES, CHARSET);
$t = str_replace(array("\r", "\n", "\t", "\v", "\f", "\0"), '', $t);
$t1 = strtolower($t);
foreach ($vetWords as $vw)
{
if (strpos($t1, $vw) !== FALSE)
{
$vl[] = $vw; // Add to list of words found
}
if (substr($vw, 0, 1) == '<')
{
$vw = '</'.substr($vw, 1);
if (strpos($t1, $vw) !== FALSE)
{
$vl[] = $vw; // Add to list of words found
}
}
}
// More checks here
if (count($vl))
{ // Do something
$s = preg_replace_callback('#('.implode('|', $vl).')#mis', array($this, 'modtag'), $t);
}
}
$ans .= $s;
}
return $ans;
}
private function modTag($match)
{
$ans = '';
if (isset($match[1]))
{
$chop = intval(strlen($match[1]) / 2);
$ans = substr($match[1], 0, $chop).'##xss##'.substr($match[1], $chop);
}
else
{
$ans = '?????';
}
return '[sanitised]'.$ans.'[/sanitised]';
}
/**
* Processes data as needed before its written to the DB.
* Currently gives bbcodes the opportunity to do something
*
* @param $data string - data about to be written to DB
* @return string - modified data
*/
public function preFilter($data)
{
if (!is_object($this->e_bb))
{
require_once(e_HANDLER.'bbcode_handler.php');
$this->e_bb = new e_bbcode;
}
$ret = $this->e_bb->parseBBCodes($data, USERID, 'default', 'PRE'); // $postID = logged in user here
return $ret;
}
function toForm($text)
{
if($text == '')
@@ -1244,6 +1339,7 @@ class e_parse
default : // Most bbcodes will just execute their normal file
// Just read in the code file and execute it
/// @todo Handle class-based bbcodes
$bbcode = file_get_contents($bbFile);
} // end - switch ($matches[2])
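Review bot: dataFilter skips any split piece that merely starts with `[code`, so input beginning `[code <script>…` with no matching `[/code]` is never captured as a delimiter yet is passed through unfiltered; since PREG_SPLIT_DELIM_CAPTURE alternates text and delimiter pieces, drop PREG_SPLIT_NO_EMPTY and test the index instead: `$ret = preg_split('#(\[code.*?\[/code.*?])#mis', $data, -1, PREG_SPLIT_DELIM_CAPTURE);` / `foreach ($ret as $i => $s)` / `if ($i % 2 == 0)`. On a hit the whole piece is rewritten from `$t`, the entity-decoded copy with every CR/LF/tab stripped, so one flagged word destroys the segment's line breaks and turns a user's literal `&lt;` into `<`; the callback should operate on `$s` (or the decode should be undone) rather than substituting the normalised text. The new `filter_script` preference added elsewhere in this commit is not consulted here or in the toDB condition, which keys only on `post_html` and `post_script`, so the admin toggle appears to have no effect. The vet list is a denylist that omits inline event handlers (`onload=`, `onerror=`) and `data:` URLs, which matters for classes granted post_html but not post_script; the rest of toDB is outside the hunk.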


@@ -91,7 +91,7 @@ class e_online
$page = (strpos(e_SELF, 'forum_') !== FALSE) ? e_SELF.'.'.e_QUERY : e_SELF;
$page = (strpos(e_SELF, 'comment') !== FALSE) ? e_SELF.'.'.e_QUERY : $page;
$page = (strpos(e_SELF, 'content') !== FALSE) ? e_SELF.'.'.e_QUERY : $page;
$page = $e107->tp->toDB($page, true);
$page = $e107->tp->toDB($page, true); /// @todo - try not to use toDB() - triggers prefilter
$ip = $e107->getip();
$udata = ($user->isUser() ? $user->getId().'.'.$user->getName() : '0');
$agent = $_SERVER['HTTP_USER_AGENT'];


@@ -1,22 +1,19 @@
<?php
/*
+ ----------------------------------------------------------------------------+
| e107 website system
|
| Copyright (C) 2008-2009 e107 Inc (e107.org)
| http://e107.org
|
|
| Released under the terms and conditions of the
| GNU General Public License (http://gnu.org).
|
| $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_prefs.php,v $
| $Revision$
| $Date$
| $Author$
+----------------------------------------------------------------------------+
*/
* e107 website system
*
* Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
* Administration - Language file for Site Preferences
*
* $URL$
* $Revision$
* $Id$
* $Author$
*/
define("PRFLAN_1", "Site Information");
define("PRFLAN_2", "Site Name");
@@ -72,11 +69,11 @@ define("PRFLAN_58", "Restrict website to members only");
define("PRFLAN_59", "ticking will restrict all areas apart from the front page and signup page to members only");
define("PRFLAN_60", "Enable SSL");
define("PRFLAN_61", "Only enable SSL if <span class='error'>you are sure you know what you are doing!</span>");
define("PRFLAN_76", "Enable Image-code verification during signup");
define("PRFLAN_76", "Enable Image-code verification during signup.");
define("PRFLAN_77", "Admin Display Options ");
define("PRFLAN_78", "Leave blank to disable");
define("PRFLAN_80", "Click here to view");
define("PRFLAN_81", "Enable Image-code verification during login");
define("PRFLAN_81", "Enable Image-code verification during login.");
define("PRFLAN_83", "example");
define("PRFLAN_87", "Comments/Posting");
define("PRFLAN_88", "Turn on nested comments");
@@ -122,8 +119,8 @@ define("PRFLAN_110", "words longer than the length entered will be wrapped onto
define("PRFLAN_111", "Wrap long words in menu text");
define("PRFLAN_112", "On");
define("PRFLAN_113", "Off");
define("PRFLAN_116", "Allow HTML posting");
define("PRFLAN_117", "This will allow users to post HTML code anywhere on the site, select the userclass to allow this.");
define("PRFLAN_116", "Class which can post HTML");
define("PRFLAN_117", "This will allow users to post most HTML code anywhere on the site, select the userclass to allow this.");
define("PRFLAN_118", "Use Geshi for syntax highlighting");
define("PRFLAN_119", "Geshi is an open source multi-language syntax highlighter, see http://qbnz.com/highlighter/ for more information");
define("PRFLAN_120", "Default Geshi syntax language");
@@ -229,5 +226,10 @@ define('PRFLAN_211', 'Cannot make email address optional if required for validat
define('PRFLAN_212', 'Value for --FIELD-- too high - changed to --VALUE--');
define('PRFLAN_213', 'Value for --FIELD-- too low - changed to --VALUE--');
define('PRFLAN_214', "Site Logo");
define('PRFLAN_215', 'Class which can post &lt;script&gt; and similar tags');
define('PRFLAN_216', '(Requires HTML posting rights as well)');
define('PRFLAN_217', 'Filter HTML content');
define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');
?>


@@ -63,4 +63,6 @@ define("LANHELP_45", "Insert image from directory: ");
define("LANHELP_46", "* No files found in: ");
define("LANHELP_47", "Insert flash: [flash=width,height]http://www.example.com/file.swf[/flash]");
define("LANHELP_48", "YouTube video: [youtube=tiny|small|medium|big|huge|width,height]6kYjxJmk0wc[/youtube]");
?>


@@ -21,7 +21,7 @@
$BBCODE_TEMPLATE = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=youtube}
<div class='field-spacer'><!-- --></div>
";
@@ -36,7 +36,7 @@ $BBCODE_TEMPLATE_SUBMITNEWS = "
{BB_HELP}
<div class='field-spacer'><!-- --></div>
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=flash}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div>
";
@@ -49,7 +49,7 @@ $BBCODE_TEMPLATE_ADMIN = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}
{BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB_PREIMAGEDIR=".e_IMAGE."}
{BB=preimage}{BB=prefile}{BB=flash}
{BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div>
";
@@ -71,7 +71,7 @@ $BBCODE_TEMPLATE_NEWSPOST = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}
{BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB_PREIMAGEDIR=".e_IMAGE."newspost_images/}
{BB=preimage}{BB=prefile}{BB=flash}
{BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div>
";
@@ -82,7 +82,7 @@ $BBCODE_TEMPLATE_CPAGE = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB_PREIMAGEDIR=".e_IMAGE."custom/}
{BB=preimage}{BB=prefile}{BB=flash}
{BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div>
";
?>


@@ -375,7 +375,7 @@ if (empty($order))
{
$order = 'news_datestamp';
}
$order = $tp -> toDB($order, true);
$order = $tp -> toDB($order, true); /// @todo - try not to use toDB() - triggers prefilter
$interval = $pref['newsposts'];