Add in security code, youtube bbcode from 0.7
@@ -487,6 +487,7 @@ class page
|
||||
$page_text = $tp->toDB($_POST['data']);
|
||||
// $pauthor = ($_POST['page_display_authordate_flag'] ? USERID : 0); // this check should be done in the front-end.
|
||||
$pauthor = USERID;
|
||||
$update = 0; // Make sure some updates happen
|
||||
|
||||
|
||||
if($mode)
|
||||
@@ -495,6 +496,7 @@ class page
|
||||
|
||||
$menuname = ($type && vartrue($_POST['menu_name']) ? ", page_theme = '".$tp -> toDB($_POST['menu_name'])."'" : "");
|
||||
$status = $sql -> db_Update("page", "page_title='{$page_title}', page_text='{$page_text}', page_datestamp='".time()."', page_author='{$pauthor}', page_rating_flag='".intval($_POST['page_rating_flag'])."', page_comment_flag='".intval($_POST['page_comment_flag'])."', page_password='".$_POST['page_password']."', page_class='".$_POST['page_class']."', page_ip_restrict='".varset($_POST['page_ip_restrict'],'')."', page_template='".$_POST['page_template']."' {$menuname} WHERE page_id='{$mode}'") ? E_MESSAGE_SUCCESS : E_MESSAGE_ERROR;
|
||||
if ($status == E_MESSAGE_SUCCESS) $update++;
|
||||
|
||||
$mes = e107::getMessage();
|
||||
$mes->add($message, $status);
|
||||
@@ -541,7 +543,7 @@ class page
|
||||
$e107cache->clear("sitelinks");
|
||||
}
|
||||
}
|
||||
admin_update($update, 'update', LAN_UPDATED, false, false);
|
||||
admin_update($update, 'update', LAN_UPDATED, false, false); // Display result of update
|
||||
}
|
||||
else
|
||||
{ // New page/menu
|
||||
|
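Review bot: The `page_password`, `page_class` and `page_template` values in the `$sql->db_Update(...)` call whose result the added `$update++` now counts are interpolated straight from `$_POST`, unlike `page_title`/`page_text` and the `intval()`-wrapped flags on the same line, so a quote in any of those fields terminates the SQL string. Route them through the same escaping as the other text fields, e.g. `page_password='".$tp->toDB($_POST['page_password'])."', page_class='".$tp->toDB($_POST['page_class'])."', page_template='".$tp->toDB($_POST['page_template'])."'`. That line is context here rather than part of this change, but the commit is titled as security work and touches the lines on either side of it. The enclosing method starts outside the hunk.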
@@ -1379,7 +1379,8 @@ class admin_newspost
|
||||
$_POST['news_body'] .= "\n[[b]".NWSLAN_49." {$row['submitnews_name']}[/b]]";
|
||||
$_POST['news_body'] .= ($row['submitnews_file'])?"\n\n[img]{e_NEWSIMAGE}{$row['submitnews_file']}[/img]": "";
|
||||
}
|
||||
|
||||
$_POST['data'] = $tp->dataFilter($_POST['data']); // Filter any nasties
|
||||
$_POST['news_title'] = $tp->dataFilter($_POST['news_title']);
|
||||
}
|
||||
}
|
||||
|
||||
|
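Review bot: The new `dataFilter()` calls cover `$_POST['data']` and `$_POST['news_title']` but not `$_POST['news_body']`, which the lines just above are still appending the submitter's name and file reference to from the `submitnews` row. Presumably `news_body` and `data` are distinct fields here — worth confirming against the save code, which is outside the hunk — and if `news_body` is written to the database as well, `$_POST['news_body'] = $tp->dataFilter($_POST['news_body']);` belongs next to the other two. The enclosing method starts outside the hunk.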
@@ -9,9 +9,10 @@
|
||||
* Administration - Site Preferences
|
||||
*
|
||||
* $URL$
|
||||
* $Revision$
|
||||
* $Id$
|
||||
*
|
||||
*/
|
||||
* $Author$
|
||||
*/
|
||||
require_once ("../class2.php");
|
||||
|
||||
if(isset($_POST['newver']))
|
||||
@@ -765,6 +766,21 @@ $text .= "
|
||||
<div class='smalltext field-help'>".PRFLAN_117."</div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td class='label'>".PRFLAN_215.":</td>
|
||||
<td class='control'>
|
||||
".r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')."
|
||||
<div class='smalltext field-help'>".PRFLAN_216."</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class='label'>".PRFLAN_217.":</td>
|
||||
<td class='control'>
|
||||
".$frm->radio_switch('filter_script', varset($pref['filter_script'], 1))."
|
||||
<div class='smalltext field-help'>".PRFLAN_218."</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class='label'>".PRFLAN_122.":</td>
|
||||
<td class='control'>
|
||||
|
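Review bot: The new `post_script` row reads `$pref['post_script']` directly while the `filter_script` row beside it uses `varset($pref['filter_script'], 1)`, so on a site that has not yet received the new core pref the first one raises a notice and `r_userclass()` is handed null. Use the same fallback that `toDB()` applies in this commit, `r_userclass('post_script', varset($pref['post_script'], e_UC_MAINADMIN), 'off', 'nobody,member,admin,main,classes')`, so the form and the enforcement agree on the default class. The surrounding `$text .= "` string starts outside the hunk.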
7
e107_core/bbcodes/sanitised.bb
Normal file
@@ -0,0 +1,7 @@
|
||||
/* $Id: sanitised.bb 11660 2010-08-16 16:41:35Z secretr $ */
|
||||
// decode (just in case) and re-code sanitised string if debug and ADMIN
|
||||
if(defsettrue('ADMIN') && defsettrue('E107_DEBUG_LEVEL'))
|
||||
{
|
||||
return '<span class="sanitised"> SANITISED: '.htmlentities(html_entity_decode(rawurldecode($code_text), ENT_QUOTES, CHARSET), ENT_QUOTES, CHARSET).' SANITISED END</span>';
|
||||
}
|
||||
return '<span class="sanitised">##'.LAN_SANITISED.'##</span>';
|
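Review bot: The non-debug branch on the last line outputs `LAN_SANITISED`, but no language file in this commit defines that constant (the `lan_prefs.php` and bbcode help changes add `PRFLAN_*` and `LANHELP_48` only), so unless it is defined elsewhere the page will show the literal text `LAN_SANITISED`. The ADMIN/debug branch is sound from an output-encoding standpoint: the decoded fragment is re-encoded with `htmlentities(..., ENT_QUOTES, CHARSET)` before being placed in the span. A one-line header would help the next reader, e.g. `// Display-side handler for the [sanitised] bbcode emitted by e_parse::dataFilter(): shows the blocked fragment (encoded) to admins in debug mode, a placeholder otherwise.`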
235
e107_core/bbcodes/youtube.php
Normal file
@@ -0,0 +1,235 @@
|
||||
<?php
|
||||
/*
|
||||
+ ----------------------------------------------------------------------------+
|
||||
| e107 website system
|
||||
|
|
||||
| Copyright (C) 2001-2002 Steve Dunstan (jalist@e107.org)
|
||||
| Copyright (C) 2008-2010 e107 Inc (e107.org)
|
||||
|
|
||||
|
|
||||
| Released under the terms and conditions of the
|
||||
| GNU General Public License (http://gnu.org).
|
||||
|
|
||||
| $URL: https://e107.svn.sourceforge.net/svnroot/e107/trunk/e107_0.7/e107_handlers/emote.php $
|
||||
| $Revision: 11678 $
|
||||
| $Id: emote.php 11678 2010-08-22 00:43:45Z e107coders $
|
||||
| $Author: e107coders $
|
||||
+----------------------------------------------------------------------------+
|
||||
*/
|
||||
|
||||
if (!defined('e107_INIT')) { exit; }
|
||||
|
||||
/**
|
||||
* Youtube handling
|
||||
*
|
||||
* [youtube=tiny|small|medium|big|huge or width,height|nofull&norel&border&privacy&hd]ID[/youtube]
|
||||
* Youtube ID is the only required data!
|
||||
* BBcode 'pre-save' processes youtube's 'copy and paste' HTML code to generate an appropriate bbcode
|
||||
* TODO - more: http://code.google.com/apis/youtube/player_parameters.html
|
||||
* TODO - use swfobject JS - XHTML validation
|
||||
*/
|
||||
|
||||
/**
|
||||
* Class-based bbcode validation
|
||||
*
|
||||
* Class name must be 'bb_'.bbname - where bbname is the name of the bbcode. (Note some bbcodes begin '_', and this is retained)
|
||||
*
|
||||
* This class must contain exactly two public methods:
|
||||
* toDB($code_text, $parm) - called prior to text being saved
|
||||
* toHTML($code_text, $parm) - called prior to text being displayed
|
||||
*/
|
||||
|
||||
class bb_youtube extends e_bb_base
|
||||
{
|
||||
|
||||
/**
|
||||
* Called prior to save
|
||||
*
|
||||
* If user has posted the complete youtube 'copy and paste' text between the tags, parse it and generate the relevant bbcode
|
||||
*/
|
||||
protected function toDB($code_text, $parm)
|
||||
{
|
||||
$bbpars = array();
|
||||
$widthString = '';
|
||||
$parm = trim($parm);
|
||||
if ($parm)
|
||||
{
|
||||
if (strpos($parm, '|') !== FALSE)
|
||||
{
|
||||
list($widthString, $parm) = explode('|', $parm);
|
||||
}
|
||||
elseif (in_array($parm, array('tiny', 'small', 'medium', 'big', 'huge')) || (strpos($parm, ',') !== FALSE))
|
||||
{ // Assume we're just setting a width
|
||||
$widthString = $parm;
|
||||
$parm = '';
|
||||
}
|
||||
if ($parm)
|
||||
{
|
||||
$bbpars = explode('&', $parm);
|
||||
}
|
||||
}
|
||||
$params = array(); // Accumulator for parameters from youtube code
|
||||
$ok = 0;
|
||||
if (strpos($code_text, '<') === FALSE)
|
||||
{ // 'Properly defined' bbcode (we hope)
|
||||
$picRef = $code_text;
|
||||
}
|
||||
else
|
||||
{
|
||||
//libxml_use_internal_errors(TRUE);
|
||||
if (FALSE === ($info = simplexml_load_string($code_text)))
|
||||
{
|
||||
//print_a($matches);
|
||||
//$xmlErrs = libxml_get_errors();
|
||||
//print_a($xmlErrs);
|
||||
$ok = 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
$info1 = (array)$info;
|
||||
if (!isset($info1['embed']))
|
||||
{
|
||||
$ok = 2;
|
||||
}
|
||||
else
|
||||
{
|
||||
$info2 = (array)$info1['embed'];
|
||||
if (!isset($info2['@attributes']))
|
||||
{
|
||||
$ok = 3;
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($ok != 0)
|
||||
{
|
||||
print_a($info);
|
||||
return '[sanitised]'.$ok.'B'.htmlspecialchars($matches[0]).'B[/sanitised]';
|
||||
}
|
||||
$target = $info2['@attributes'];
|
||||
unset($info);
|
||||
$ws = varset($target['width'], 0);
|
||||
$hs = varset($target['height'], 0);
|
||||
if (($ws == 0) || ($hs == 0) || !isset($target['src'])) return '[sanitised]A'.htmlspecialchars($matches[0]).'A[/sanitised]';
|
||||
if (!$widthString)
|
||||
{
|
||||
$widthString = $ws.','.$hs; // Set size of window
|
||||
}
|
||||
list($url, $query) = explode('?', $target['src']);
|
||||
if (strpos($url, 'youtube-nocookie.com') !== FALSE)
|
||||
{
|
||||
$params[] = 'privacy';
|
||||
}
|
||||
parse_str($query, $vals); // Various options set here
|
||||
if (varset($vals['allowfullscreen'], 'true') != 'true')
|
||||
{
|
||||
$params[] = 'nofull';
|
||||
}
|
||||
if (varset($vals['border'], 0) != 0)
|
||||
{
|
||||
$params[] = 'border';
|
||||
}
|
||||
if (varset($vals['rel'], 1) == 0)
|
||||
{
|
||||
$params[] = 'norel';
|
||||
}
|
||||
$picRef = substr($url, strrpos($url, '/') + 1);
|
||||
}
|
||||
|
||||
|
||||
$yID = preg_replace('/[^0-9a-z]/i', '', $picRef);
|
||||
if (($yID != $picRef) || (strlen($yID) > 20))
|
||||
{ // Possible hack attempt
|
||||
}
|
||||
$params = array_merge($params, $bbpars); // Any parameters set in bbcode override those in HTML
|
||||
// Could check for valid array indices here
|
||||
$paramString = implode('&', $params);
|
||||
if ($paramString) $widthString .= '|'.$paramString;
|
||||
$ans = '[youtube='.$widthString.']'.$picRef.'[/youtube]';
|
||||
return $ans;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Translate youtube bbcode into the appropriate <EMBED> object
|
||||
*/
|
||||
protected function toHTML($code_text, $parm)
|
||||
{
|
||||
if(empty($code_text)) return '';
|
||||
|
||||
$parms = explode('|', $parm, 2);
|
||||
parse_str(varset($parms[1], ''), $params);
|
||||
|
||||
if(empty($parms[0])) $parms[0] = 'small';
|
||||
|
||||
switch ($parms[0])
|
||||
{
|
||||
case 'tiny':
|
||||
$params['w'] = 200;
|
||||
$params['h'] = 180;
|
||||
break;
|
||||
|
||||
case 'small':
|
||||
$params['w'] = 445;
|
||||
$params['h'] = 364;
|
||||
break;
|
||||
|
||||
case 'medium':
|
||||
$params['w'] = 500;
|
||||
$params['h'] = 405;
|
||||
break;
|
||||
|
||||
case 'big':
|
||||
$params['w'] = 660;
|
||||
$params['h'] = 525;
|
||||
break;
|
||||
|
||||
case 'huge':
|
||||
$params['w'] = 980;
|
||||
$params['h'] = 765;
|
||||
break;
|
||||
|
||||
default:
|
||||
$dim = explode(',', $parms[0], 2);
|
||||
$params['w'] = (integer) varset($dim[0], 445);
|
||||
if($params['w'] > 980 || $params['w'] < 200) $params['w'] = 445;
|
||||
|
||||
$params['h'] = (integer) varset($dim[1], 364);
|
||||
if($params['h'] > 765 || $params['h'] < 180) $params['h'] = 364;
|
||||
break;
|
||||
}
|
||||
|
||||
$yID = preg_replace('/[^0-9a-z\-_\&]/i', '', $code_text);
|
||||
|
||||
$url = isset($params['privacy']) ? 'http://www.youtube-nocookie.com/v/' : 'http://www.youtube.com/v/';
|
||||
$url .= $yID.'?';
|
||||
|
||||
if(isset($params['nofull']))
|
||||
{
|
||||
$fscr = 'false';
|
||||
$url = $url.'fs=0';
|
||||
}
|
||||
else
|
||||
{
|
||||
$fscr = 'true';
|
||||
$url = $url.'fs=1';
|
||||
}
|
||||
if(isset($params['border'])) $url = $url.'&border=1';
|
||||
if(isset($params['norel'])) $url = $url.'&rel=0';
|
||||
if(isset($params['hd'])) $url = $url.'&hd=1';
|
||||
|
||||
$ret = '
|
||||
<object width="'.$params['w'].'" height="'.$params['h'].'">
|
||||
<param name="movie" value="'.$url.'"></param>
|
||||
<param name="allowFullScreen" value="'.$fscr.'"></param>
|
||||
<param name="allowscriptaccess" value="always"></param>
|
||||
<param name="wmode" value="transparent"></param>
|
||||
<embed src="'.$url.'" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="'.$fscr.'" wmode="transparent" width="'.$params['w'].'" height="'.$params['h'].'"></embed>
|
||||
</object>
|
||||
';
|
||||
|
||||
return $ret;
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
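Review bot: In `toDB()` the `// Possible hack attempt` branch after `$yID = preg_replace('/[^0-9a-z]/i', '', $picRef)` is empty, so when the ID fails the check the method falls through and still emits `'[youtube='.$widthString.']'.$picRef.'[/youtube]'` with the unfiltered value; it should stop there, e.g. `return '[sanitised]'.htmlspecialchars($code_text).'[/sanitised]';`, and the normal path should build the tag from `$yID` rather than `$picRef`. The two other `[sanitised]` returns reference `$matches[0]`, which is never assigned in this method (its inputs are `$code_text` and `$parm`), so they wrap an empty string, and `print_a($info)` emits debug output in the middle of a save. `simplexml_load_string($code_text)` is parsing user-submitted markup: enabling the commented-out `libxml_use_internal_errors(TRUE)` keeps libxml warnings out of the response, and passing `LIBXML_NONET` as the options argument stops the parser from fetching anything over the network while doing so. `list($url, $query) = explode('?', $target['src'])` also raises a notice whenever the `src` has no query string.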
@@ -65,6 +65,8 @@ class bbcode_shortcodes
|
||||
$bbcode['list'] = array($bbcode_func,"[list][/list]", LANHELP_36,"list.png");
|
||||
$bbcode['img'] = array($bbcode_func,"[img][/img]", LANHELP_27,"image.png");
|
||||
$bbcode['flash'] = array($bbcode_func,"[flash=width,height][/flash]", LANHELP_47,"flash.png");
|
||||
$bbcode['youtube'] = array($bbcode_func,"[youtube][/youtube]", LANHELP_48,"youtube.png");
|
||||
$bbcode['sanitised'] = array('', '', '');
|
||||
|
||||
$bbcode['fontsize'] = array("expandit","size_selector_".$rand, LANHELP_22,"fontsize.png","Size_Select",'size_selector_'.$rand);
|
||||
$bbcode['fontcol'] = array("expandit","col_selector_".$rand, LANHELP_21,"fontcol.png","Color_Select",'col_selector_'.$rand);
|
||||
|
@@ -134,6 +134,8 @@
|
||||
<core name="password_CHAP">0</core>
|
||||
<core name="php_bbcode">255</core>
|
||||
<core name="post_html">254</core>
|
||||
<core name="post_script">250</core>
|
||||
<core name="filter_script">1</core>
|
||||
<core name="predefinedLoginName"></core>
|
||||
<core name="profanity_filter">0</core>
|
||||
<core name="profanity_replace">[censored]</core>
|
||||
|
@@ -2,26 +2,40 @@
|
||||
/*
|
||||
* e107 website system
|
||||
*
|
||||
* Copyright (C) 2008-2009 e107 Inc (e107.org)
|
||||
* Copyright (C) 2008-2010 e107 Inc (e107.org)
|
||||
* Released under the terms and conditions of the
|
||||
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
|
||||
*
|
||||
*
|
||||
*
|
||||
* $Source: /cvs_backup/e107_0.8/e107_handlers/bbcode_handler.php,v $
|
||||
* $URL$
|
||||
* $Revision$
|
||||
* $Date$
|
||||
* $Id$
|
||||
* $Author$
|
||||
*/
|
||||
|
||||
/**
|
||||
*
|
||||
* @package e107
|
||||
* @category e107_handlers
|
||||
* @version $Id$
|
||||
* @author e107inc
|
||||
*
|
||||
* bbcode_handler - processes bbcodes within strings.
|
||||
*
|
||||
* Separate processing (via class-based bbcodes) for pre-save and pre-display
|
||||
*/
|
||||
|
||||
if (!defined('e107_INIT')) { exit; }
|
||||
|
||||
class e_bbcode
|
||||
{
|
||||
var $bbList; // Caches the file contents for each bbcode processed
|
||||
var $bbLocation; // Location for each file - 'core' or a plugin name
|
||||
var $preProcess = FALSE; // Set when processing bbcodes prior to saving
|
||||
|
||||
function e_bbcode()
|
||||
|
||||
function __construct()
|
||||
{
|
||||
global $pref;
|
||||
$core_bb = array(
|
||||
@@ -31,7 +45,7 @@ class e_bbcode
|
||||
'url', 'quote', 'left', 'right',
|
||||
'b', 'justify', 'file', 'stream',
|
||||
'textarea', 'list', 'php', 'time',
|
||||
'spoiler', 'hide'
|
||||
'spoiler', 'hide', 'youtube', 'sanitised'
|
||||
);
|
||||
|
||||
foreach($core_bb as $c)
|
||||
@@ -56,26 +70,60 @@ class e_bbcode
|
||||
krsort($this->bbLocation);
|
||||
}
|
||||
|
||||
// If $bb_strip is TRUE, all bbcodes are stripped. If FALSE, none are stripped.
|
||||
// If a comma separated (lower case) list is passed, only the listed codes are stripped (and the rest are processed)
|
||||
function parseBBCodes($value, $p_ID, $force_lower = 'default', $bb_strip = FALSE)
|
||||
|
||||
/**
|
||||
* Parse a string for bbcodes.
|
||||
* Process using the 'pre-save' or 'display' routines as appropriate
|
||||
*
|
||||
* @var string $value - the string to be processed
|
||||
* @var int $p_ID - ID of a user (the 'post ID') needed by some bbcodes in display mode
|
||||
* @var string|boolean $force_lower - determines whether bbcode detection is case-insensitive
|
||||
* TRUE - case-insensitive
|
||||
* 'default' - case-insensitive
|
||||
* FALSE - case-sensitive (only lower case bbcodes processed)
|
||||
* @var string|boolean $bbStrip - determines action when a bbcode is encountered.
|
||||
* TRUE (boolean or word), all bbcodes are stripped.
|
||||
* FALSE - normal display processing of all bbcodes
|
||||
* comma separated (lower case) list - only the listed codes are stripped (and the rest are processed)
|
||||
* If the first word is 'PRE', sets pre-save mode. Any other parameters follow, comma separated
|
||||
*
|
||||
* @return string processed data
|
||||
*
|
||||
* Code uses a crude stack-based syntax analyser to handle nested bbcodes (including nested 'size' bbcodes, for example)
|
||||
*/
|
||||
function parseBBCodes($value, $p_ID, $force_lower = 'default', $bbStrip = FALSE)
|
||||
{
|
||||
global $postID;
|
||||
$postID = $p_ID;
|
||||
|
||||
|
||||
if (strlen($value) <= 6) return $value; // Don't waste time on trivia!
|
||||
if (strlen($value) <= 6) return $value; // Don't waste time on trivia!
|
||||
if ($force_lower == 'default') $force_lower = TRUE; // Set the default behaviour if not overridden
|
||||
$code_stack = array(); // Stack for unprocessed bbcodes and text
|
||||
$unmatch_stack = array(); // Stack for unmatched bbcodes
|
||||
$result = ''; // Accumulates fully processed text
|
||||
$stacktext = ''; // Accumulates text which might be subject to one or more bbcodes
|
||||
$nopro = FALSE; // Blocks processing within [code]...[/code] tags
|
||||
$code_stack = array(); // Stack for unprocessed bbcodes and text
|
||||
$unmatch_stack = array(); // Stack for unmatched bbcodes
|
||||
$result = ''; // Accumulates fully processed text
|
||||
$stacktext = ''; // Accumulates text which might be subject to one or more bbcodes
|
||||
$nopro = FALSE; // Blocks processing within [code]...[/code] tags
|
||||
$this->preProcess = FALSE;
|
||||
|
||||
$strip_array = array();
|
||||
if (!is_bool($bb_strip))
|
||||
if (!is_bool($bbStrip))
|
||||
{
|
||||
$strip_array = explode(',',$bb_strip);
|
||||
$strip_array = explode(',',$bbStrip);
|
||||
if ($strip_array[0] == 'PRE')
|
||||
{
|
||||
$this->preProcess = TRUE;
|
||||
unset($strip_array[0]);
|
||||
if (count($strip_array) == 0)
|
||||
{
|
||||
$bbStrip = FALSE;
|
||||
}
|
||||
elseif (in_array('TRUE', $strip_array))
|
||||
{
|
||||
$bbStrip = TRUE;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
$pattern = '#^\[(/?)([A-Za-z_]+)(\d*)([=:]?)(.*?)]$#i'; // Pattern to split up bbcodes
|
||||
// $matches[0] - same as the input text
|
||||
@@ -100,14 +148,13 @@ class e_bbcode
|
||||
$bbword = (isset($matches[2])) ? $matches[2] : '';
|
||||
if($cont[1] != '/')
|
||||
{
|
||||
$bbstart = $cont;
|
||||
$bbsep = varset($matches[4]);
|
||||
}
|
||||
if ($force_lower) $bbword = strtolower($bbword);
|
||||
if ($nopro && ($bbword == 'code') && ($matches[1] == '/')) $nopro = FALSE; // End of code block
|
||||
if (($bbword) && ($bbword == trim($bbword)) && !$nopro)
|
||||
{ // Got a code to process here
|
||||
if (($bb_strip === TRUE) || in_array($bbword,$strip_array))
|
||||
if (($bbStrip === TRUE) || in_array($bbword,$strip_array))
|
||||
{
|
||||
$is_proc = TRUE; // Just discard this bbcode
|
||||
}
|
||||
@@ -146,7 +193,7 @@ class e_bbcode
|
||||
case 'bbcode' :
|
||||
if (($code_stack[0]['code'] == $bbword) && ($code_stack[0]['numbers'] == $matches[3]))
|
||||
{
|
||||
$stacktext = $this->proc_bbcode($bbword,$code_stack[0]['param'],$stacktext,$bbparam, $bbsep, $bbstart.$stacktext.$cont);
|
||||
$stacktext = $this->proc_bbcode($bbword, $code_stack[0]['param'], $stacktext, $bbparam, $code_stack[0]['bbsep'], $code_stack[0]['block'].$stacktext.$cont);
|
||||
array_shift($code_stack);
|
||||
// Intentionally don't terminate here - may be some text we can clean up
|
||||
$bbword=''; // Necessary to make sure we don't double process if several instances on stack
|
||||
@@ -175,11 +222,11 @@ class e_bbcode
|
||||
{ // Single code to process
|
||||
if (count($code_stack) == 0)
|
||||
{
|
||||
$result .= $this->proc_bbcode('_'.$bbword,$bbparam);
|
||||
$result .= $this->proc_bbcode('_'.$bbword,$bbparam,'','','',$cont);
|
||||
}
|
||||
else
|
||||
{
|
||||
$stacktext .= $this->proc_bbcode('_'.$bbword,$bbparam);
|
||||
$stacktext .= $this->proc_bbcode('_'.$bbword,$bbparam,'','','',$cont);
|
||||
}
|
||||
$is_proc = TRUE;
|
||||
}
|
||||
@@ -190,12 +237,11 @@ class e_bbcode
|
||||
array_unshift($code_stack,array('type' => 'text','code' => $stacktext));
|
||||
$stacktext = '';
|
||||
}
|
||||
array_unshift($code_stack,array('type' => 'bbcode','code' => $bbword, 'numbers'=> $matches[3], 'param'=>$bbparam));
|
||||
array_unshift($code_stack,array('type' => 'bbcode','code' => $bbword, 'numbers'=> $matches[3], 'param'=>$bbparam, 'bbsep' => $bbsep, 'block' => $cont));
|
||||
if ($bbword == 'code') $nopro = TRUE;
|
||||
$is_proc = TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
// Next lines could be deleted - but gives better rejection of 'stray' opening brackets
|
||||
@@ -243,14 +289,21 @@ class e_bbcode
|
||||
|
||||
|
||||
|
||||
function proc_bbcode($code, $param1='',$code_text_par='', $param2='', $sep='', $full_text='')
|
||||
// Invoke an actual bbcode handler
|
||||
// $code - textual value of the bbcode (already begins with '_' if a single code)
|
||||
// $param1 - any text after '=' in the opening code
|
||||
// $code_text_par - text between the opening and closing codes
|
||||
// $param2 - any text after '=' for the closing code
|
||||
|
||||
/**
|
||||
* Process a bbcode
|
||||
*
|
||||
* @var string $code - textual value of the bbcode (already begins with '_' if a single code)
|
||||
* @var string $param1 - any text after '=' in the opening code
|
||||
* @var string $code_text_par - text between the opening and closing codes
|
||||
* @var string $param2 - any text after '=' for the closing code
|
||||
* @var char $sep - character separating bbcode name and any parameters
|
||||
* @var string $full_text - the 'raw' text between, and including, the opening and closing bbcode tags
|
||||
*/
|
||||
private function proc_bbcode($code, $param1='', $code_text_par='', $param2='', $sep='', $full_text='')
|
||||
{
|
||||
global $tp, $postID, $code_text, $parm;
|
||||
|
||||
$parm = $param1;
|
||||
|
||||
$code_text = $code_text_par;
|
||||
@@ -269,26 +322,47 @@ class e_bbcode
|
||||
{ // Find the file
|
||||
if ($this->bbLocation[$code] == 'core')
|
||||
{
|
||||
$bbFile = e_CORE.'bbcodes/'.strtolower(str_replace('_', '', $code)).'.bb';
|
||||
$bbFile = e_CORE.'bbcodes/'.strtolower(str_replace('_', '', $code));
|
||||
}
|
||||
else
|
||||
{ // Add code to check for plugin bbcode addition
|
||||
$bbFile = e_PLUGIN.$this->bbLocation[$code].'/'.strtolower($code).'.bb';
|
||||
$bbFile = e_PLUGIN.$this->bbLocation[$code].'/'.strtolower($code);
|
||||
}
|
||||
if (file_exists($bbFile))
|
||||
if (file_exists($bbFile.'.php'))
|
||||
{ // Its a bbcode class file
|
||||
require_once($bbFile.'.php');
|
||||
//echo "Load: {$bbFile}.php -->".$code_text.'<br />';
|
||||
$className = 'bb_'.$code;
|
||||
$this->bbList[$code] = new $className();
|
||||
}
|
||||
elseif (file_exists($bbFile.'.bb'))
|
||||
{
|
||||
$bbcode = file_get_contents($bbFile);
|
||||
$bbcode = file_get_contents($bbFile.'.bb');
|
||||
$this->bbList[$code] = $bbcode;
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->bbList[$code] = '';
|
||||
//echo "<br />File not found: {$bbFile}.php<br />";
|
||||
return false;
|
||||
}
|
||||
}
|
||||
global $e107_debug;
|
||||
|
||||
if (is_object($this->bbList[$code]))
|
||||
{
|
||||
if ($this->preProcess)
|
||||
{
|
||||
//echo "Preprocess: ".htmlspecialchars($code_text).", params: {$param1}<br />";
|
||||
return $this->bbList[$code]->bbPreSave($code_text, $param1);
|
||||
}
|
||||
return $this->bbList[$code]->bbPreDisplay($code_text, $param1);
|
||||
}
|
||||
if ($this->preProcess) return $full_text; // No change
|
||||
|
||||
/**
|
||||
* @todo - capturing output deprecated
|
||||
*/
|
||||
ob_start();
|
||||
$bbcode_return = eval($bbcode);
|
||||
$bbcode_output = ob_get_contents();
|
||||
@@ -305,4 +379,60 @@ class e_bbcode
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Base class for bbcode handlers
|
||||
*
|
||||
* Contains core routines for entry, security, logging....
|
||||
*
|
||||
* @todo add security
|
||||
*/
|
||||
class e_bb_base
|
||||
{
|
||||
/**
|
||||
* Constructor
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Called prior to save of user-entered text
|
||||
*
|
||||
* Allows initial parsing of bbcode, including the possibility of removing or transforming the enclosed text (as is done by the youtube processing)
|
||||
* Parameters passed by reference to minimise memory use
|
||||
*
|
||||
* @param string $code_text - text between the bbcode tags
|
||||
* @param string $parm - any parameters specified for the bbcode
|
||||
*
|
||||
* @return string for insertion into DB. (If a bbcode is to be inserted, the bbcode 'tags' must be included in the return string.)
|
||||
*/
|
||||
final public function bbPreSave(&$code_text, &$parm)
|
||||
{
|
||||
// Could add logging, security in here
|
||||
return $this->toDB($code_text, $parm);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Process bbcode prior to display
|
||||
* Functionally this routine does exactly the same as the existing bbcodes
|
||||
* Parameters passed by reference to minimise memory use
|
||||
*
|
||||
* @param string $code_text - text between the bbcode tags
|
||||
* @param string $parm - any parameters specified for the bbcode
|
||||
*
|
||||
* @return string with $code_text transformed into displayable XHTML as necessary
|
||||
*/
|
||||
final public function bbPreDisplay(&$code_text, &$parm)
|
||||
{
|
||||
// Could add logging, security in here
|
||||
return $this->toHTML($code_text, $parm);
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
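Review bot: In `proc_bbcode()`, after `require_once($bbFile.'.php')` the code does `new $className()` without checking that the file actually declared `bb_<code>`, so a class file with a mismatched name produces a fatal error in the save path instead of the `$this->bbList[$code] = ''` fallback used for missing files; a one-line guard fixes that, `if (!class_exists($className, false)) { $this->bbList[$code] = ''; return false; }`. Relatedly, `e_bb_base` calls `$this->toDB()` and `$this->toHTML()` from its `final` wrappers but declares neither, so a subclass that omits one fails only at runtime; declaring `abstract protected function toDB($code_text, $parm);` and the same for `toHTML` in `e_bb_base` makes the contract enforceable. The class docblock copied into `youtube.php` says the class "must contain exactly two public methods", but both are `protected` there, which is what the `$this->` dispatch needs — the comment should say protected. The new `parseBBCodes()` docblock tags its parameters with `@var`; they should be `@param`.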
@@ -477,6 +477,13 @@ class e_parse
|
||||
{
|
||||
$data = stripslashes($data);
|
||||
}
|
||||
|
||||
$data = $this->preFilter($data);
|
||||
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
|
||||
{
|
||||
$data = $this->dataFilter($data);
|
||||
}
|
||||
|
||||
if (isset($pref['post_html']) && check_class($pref['post_html']))
|
||||
{
|
||||
$no_encode = TRUE;
|
||||
@@ -507,6 +514,94 @@ class e_parse
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Checks a string for potentially dangerous HTML tags, including malformed tags
|
||||
*
|
||||
*/
|
||||
public function dataFilter($data)
|
||||
{
|
||||
$ans = '';
|
||||
$vetWords = array('<applet', '<body', '<embed', '<frame', '<script', '<frameset', '<html', '<iframe',
|
||||
'<style', '<layer', '<link', '<ilayer', '<meta', '<object', 'javascript:', 'vbscript:');
|
||||
|
||||
$ret = preg_split('#(\[code.*?\[/code.*?])#mis', $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );
|
||||
|
||||
foreach ($ret as $s)
|
||||
{
|
||||
if (substr($s, 0, 5) != '[code')
|
||||
{
|
||||
$vl = array();
|
||||
$t = html_entity_decode(rawurldecode($s), ENT_QUOTES, CHARSET);
|
||||
$t = str_replace(array("\r", "\n", "\t", "\v", "\f", "\0"), '', $t);
|
||||
$t1 = strtolower($t);
|
||||
foreach ($vetWords as $vw)
|
||||
{
|
||||
if (strpos($t1, $vw) !== FALSE)
|
||||
{
|
||||
$vl[] = $vw; // Add to list of words found
|
||||
}
|
||||
if (substr($vw, 0, 1) == '<')
|
||||
{
|
||||
$vw = '</'.substr($vw, 1);
|
||||
if (strpos($t1, $vw) !== FALSE)
|
||||
{
|
||||
$vl[] = $vw; // Add to list of words found
|
||||
}
|
||||
}
|
||||
}
|
||||
// More checks here
|
||||
if (count($vl))
|
||||
{ // Do something
|
||||
$s = preg_replace_callback('#('.implode('|', $vl).')#mis', array($this, 'modtag'), $t);
|
||||
}
|
||||
}
|
||||
$ans .= $s;
|
||||
}
|
||||
return $ans;
|
||||
}
|
||||
|
||||
|
||||
private function modTag($match)
|
||||
{
|
||||
$ans = '';
|
||||
if (isset($match[1]))
|
||||
{
|
||||
$chop = intval(strlen($match[1]) / 2);
|
||||
$ans = substr($match[1], 0, $chop).'##xss##'.substr($match[1], $chop);
|
||||
}
|
||||
else
|
||||
{
|
||||
$ans = '?????';
|
||||
}
|
||||
return '[sanitised]'.$ans.'[/sanitised]';
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Processes data as needed before its written to the DB.
|
||||
* Currently gives bbcodes the opportunity to do something
|
||||
*
|
||||
* @param $data string - data about to be written to DB
|
||||
* @return string - modified data
|
||||
*/
|
||||
public function preFilter($data)
|
||||
{
|
||||
if (!is_object($this->e_bb))
|
||||
{
|
||||
require_once(e_HANDLER.'bbcode_handler.php');
|
||||
$this->e_bb = new e_bbcode;
|
||||
}
|
||||
$ret = $this->e_bb->parseBBCodes($data, USERID, 'default', 'PRE'); // $postID = logged in user here
|
||||
return $ret;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
function toForm($text)
|
||||
{
|
||||
if($text == '')
|
||||
@@ -1244,6 +1339,7 @@ class e_parse
|
||||
|
||||
default : // Most bbcodes will just execute their normal file
|
||||
// Just read in the code file and execute it
|
||||
/// @todo Handle class-based bbcodes
|
||||
$bbcode = file_get_contents($bbFile);
|
||||
} // end - switch ($matches[2])
|
||||
|
||||
|
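Review bot: In `dataFilter()`, the decoded copy `$t` (after `html_entity_decode(rawurldecode($s))` and control-character stripping) is built for detection, but when a vetted word is found the `preg_replace_callback` result computed from `$t` is assigned back to `$s`, so the whole segment is returned entity- and URL-decoded; any other escaped markup in that segment, say `&lt;img ...&gt;` (`<img` is not in `$vetWords`), becomes live while only the matched tag receives the `##xss##` split. Either apply the replacement to the original `$s` when the match is also present there, or treat a segment that contained a vetted word as untrusted as a whole and re-encode everything outside the `[sanitised]` markers. Separately, nothing in this diff reads the new `filter_script` pref that `PRFLAN_218` describes as an XSS safeguard — `toDB()` keys the `dataFilter()` call only on `post_html`/`post_script` class membership — unless it is consulted somewhere outside these hunks. The `[code ...][/code]` segments are skipped entirely by the `preg_split`, which presumes the code bbcode escapes its content on display; that assumption deserves a comment at the `if (substr($s, 0, 5) != '[code')` test.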
@@ -91,7 +91,7 @@ class e_online
|
||||
$page = (strpos(e_SELF, 'forum_') !== FALSE) ? e_SELF.'.'.e_QUERY : e_SELF;
|
||||
$page = (strpos(e_SELF, 'comment') !== FALSE) ? e_SELF.'.'.e_QUERY : $page;
|
||||
$page = (strpos(e_SELF, 'content') !== FALSE) ? e_SELF.'.'.e_QUERY : $page;
|
||||
$page = $e107->tp->toDB($page, true);
|
||||
$page = $e107->tp->toDB($page, true); /// @todo - try not to use toDB() - triggers prefilter
|
||||
$ip = $e107->getip();
|
||||
$udata = ($user->isUser() ? $user->getId().'.'.$user->getName() : '0');
|
||||
$agent = $_SERVER['HTTP_USER_AGENT'];
|
||||
|
@@ -1,22 +1,19 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
+ ----------------------------------------------------------------------------+
|
||||
| e107 website system
|
||||
|
|
||||
| Copyright (C) 2008-2009 e107 Inc (e107.org)
|
||||
| http://e107.org
|
||||
|
|
||||
|
|
||||
| Released under the terms and conditions of the
|
||||
| GNU General Public License (http://gnu.org).
|
||||
|
|
||||
| $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_prefs.php,v $
|
||||
| $Revision$
|
||||
| $Date$
|
||||
| $Author$
|
||||
+----------------------------------------------------------------------------+
|
||||
*/
|
||||
* e107 website system
|
||||
*
|
||||
* Copyright (C) 2008-2010 e107 Inc (e107.org)
|
||||
* Released under the terms and conditions of the
|
||||
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
|
||||
*
|
||||
* Administration - Language file for Site Preferences
|
||||
*
|
||||
* $URL$
|
||||
* $Revision$
|
||||
* $Id$
|
||||
* $Author$
|
||||
*/
|
||||
|
||||
define("PRFLAN_1", "Site Information");
|
||||
define("PRFLAN_2", "Site Name");
|
||||
@@ -72,11 +69,11 @@ define("PRFLAN_58", "Restrict website to members only");
|
||||
define("PRFLAN_59", "ticking will restrict all areas apart from the front page and signup page to members only");
|
||||
define("PRFLAN_60", "Enable SSL");
|
||||
define("PRFLAN_61", "Only enable SSL if <span class='error'>you are sure you know what you are doing!</span>");
|
||||
define("PRFLAN_76", "Enable Image-code verification during signup");
|
||||
define("PRFLAN_76", "Enable Image-code verification during signup.");
|
||||
define("PRFLAN_77", "Admin Display Options ");
|
||||
define("PRFLAN_78", "Leave blank to disable");
|
||||
define("PRFLAN_80", "Click here to view");
|
||||
define("PRFLAN_81", "Enable Image-code verification during login");
|
||||
define("PRFLAN_81", "Enable Image-code verification during login.");
|
||||
define("PRFLAN_83", "example");
|
||||
define("PRFLAN_87", "Comments/Posting");
|
||||
define("PRFLAN_88", "Turn on nested comments");
|
||||
@@ -122,8 +119,8 @@ define("PRFLAN_110", "words longer than the length entered will be wrapped onto
|
||||
define("PRFLAN_111", "Wrap long words in menu text");
|
||||
define("PRFLAN_112", "On");
|
||||
define("PRFLAN_113", "Off");
|
||||
define("PRFLAN_116", "Allow HTML posting");
|
||||
define("PRFLAN_117", "This will allow users to post HTML code anywhere on the site, select the userclass to allow this.");
|
||||
define("PRFLAN_116", "Class which can post HTML");
|
||||
define("PRFLAN_117", "This will allow users to post most HTML code anywhere on the site, select the userclass to allow this.");
|
||||
define("PRFLAN_118", "Use Geshi for syntax highlighting");
|
||||
define("PRFLAN_119", "Geshi is an open source multi-language syntax highlighter, see http://qbnz.com/highlighter/ for more information");
|
||||
define("PRFLAN_120", "Default Geshi syntax language");
|
||||
@@ -229,5 +226,10 @@ define('PRFLAN_211', 'Cannot make email address optional if required for validat
|
||||
define('PRFLAN_212', 'Value for --FIELD-- too high - changed to --VALUE--');
|
||||
define('PRFLAN_213', 'Value for --FIELD-- too low - changed to --VALUE--');
|
||||
define('PRFLAN_214', "Site Logo");
|
||||
define('PRFLAN_215', 'Class which can post <script> and similar tags');
|
||||
define('PRFLAN_216', '(Requires HTML posting rights as well)');
|
||||
define('PRFLAN_217', 'Filter HTML content');
|
||||
define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');
|
||||
|
||||
|
||||
?>
|
@@ -63,4 +63,6 @@ define("LANHELP_45", "Insert image from directory: ");
|
||||
define("LANHELP_46", "* No files found in: ");
|
||||
|
||||
define("LANHELP_47", "Insert flash: [flash=width,height]http://www.example.com/file.swf[/flash]");
|
||||
define("LANHELP_48", "YouTube video: [youtube=tiny|small|medium|big|huge|width,height]6kYjxJmk0wc[/youtube]");
|
||||
|
||||
?>
|
@@ -21,7 +21,7 @@
|
||||
|
||||
$BBCODE_TEMPLATE = "
|
||||
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
|
||||
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
|
||||
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=youtube}
|
||||
<div class='field-spacer'><!-- --></div>
|
||||
";
|
||||
|
||||
@@ -36,7 +36,7 @@ $BBCODE_TEMPLATE_SUBMITNEWS = "
|
||||
{BB_HELP}
|
||||
<div class='field-spacer'><!-- --></div>
|
||||
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
|
||||
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=flash}
|
||||
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=flash}{BB=youtube}
|
||||
<div class='field-spacer'><!-- --></div>
|
||||
";
|
||||
|
||||
@@ -49,7 +49,7 @@ $BBCODE_TEMPLATE_ADMIN = "
|
||||
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}
|
||||
{BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
|
||||
{BB_PREIMAGEDIR=".e_IMAGE."}
|
||||
{BB=preimage}{BB=prefile}{BB=flash}
|
||||
{BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
|
||||
<div class='field-spacer'><!-- --></div>
|
||||
";
|
||||
|
||||
@@ -71,7 +71,7 @@ $BBCODE_TEMPLATE_NEWSPOST = "
|
||||
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}
|
||||
{BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
|
||||
{BB_PREIMAGEDIR=".e_IMAGE."newspost_images/}
|
||||
{BB=preimage}{BB=prefile}{BB=flash}
|
||||
{BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
|
||||
<div class='field-spacer'><!-- --></div>
|
||||
";
|
||||
|
||||
@@ -82,7 +82,7 @@ $BBCODE_TEMPLATE_CPAGE = "
|
||||
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
|
||||
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
|
||||
{BB_PREIMAGEDIR=".e_IMAGE."custom/}
|
||||
{BB=preimage}{BB=prefile}{BB=flash}
|
||||
{BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
|
||||
<div class='field-spacer'><!-- --></div>
|
||||
";
|
||||
?>
|