
Add in security code, youtube bbcode from 0.7

This commit is contained in:
e107steved
2010-09-06 12:34:06 +00:00
parent bd4d34d933
commit decaecf54d
14 changed files with 559 additions and 64 deletions


@@ -487,6 +487,7 @@ class page
$page_text = $tp->toDB($_POST['data']); $page_text = $tp->toDB($_POST['data']);
// $pauthor = ($_POST['page_display_authordate_flag'] ? USERID : 0); // this check should be done in the front-end. // $pauthor = ($_POST['page_display_authordate_flag'] ? USERID : 0); // this check should be done in the front-end.
$pauthor = USERID; $pauthor = USERID;
$update = 0; // Make sure some updates happen
if($mode) if($mode)
@@ -495,6 +496,7 @@ class page
$menuname = ($type && vartrue($_POST['menu_name']) ? ", page_theme = '".$tp -> toDB($_POST['menu_name'])."'" : ""); $menuname = ($type && vartrue($_POST['menu_name']) ? ", page_theme = '".$tp -> toDB($_POST['menu_name'])."'" : "");
$status = $sql -> db_Update("page", "page_title='{$page_title}', page_text='{$page_text}', page_datestamp='".time()."', page_author='{$pauthor}', page_rating_flag='".intval($_POST['page_rating_flag'])."', page_comment_flag='".intval($_POST['page_comment_flag'])."', page_password='".$_POST['page_password']."', page_class='".$_POST['page_class']."', page_ip_restrict='".varset($_POST['page_ip_restrict'],'')."', page_template='".$_POST['page_template']."' {$menuname} WHERE page_id='{$mode}'") ? E_MESSAGE_SUCCESS : E_MESSAGE_ERROR; $status = $sql -> db_Update("page", "page_title='{$page_title}', page_text='{$page_text}', page_datestamp='".time()."', page_author='{$pauthor}', page_rating_flag='".intval($_POST['page_rating_flag'])."', page_comment_flag='".intval($_POST['page_comment_flag'])."', page_password='".$_POST['page_password']."', page_class='".$_POST['page_class']."', page_ip_restrict='".varset($_POST['page_ip_restrict'],'')."', page_template='".$_POST['page_template']."' {$menuname} WHERE page_id='{$mode}'") ? E_MESSAGE_SUCCESS : E_MESSAGE_ERROR;
if ($status == E_MESSAGE_SUCCESS) $update++;
$mes = e107::getMessage(); $mes = e107::getMessage();
$mes->add($message, $status); $mes->add($message, $status);
@@ -541,7 +543,7 @@ class page
$e107cache->clear("sitelinks"); $e107cache->clear("sitelinks");
} }
} }
admin_update($update, 'update', LAN_UPDATED, false, false); admin_update($update, 'update', LAN_UPDATED, false, false); // Display result of update
} }
else else
{ // New page/menu { // New page/menu
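Review bot: On the `db_Update` line in this hunk, `$_POST['page_password']`, `$_POST['page_class']` and `$_POST['page_template']` are concatenated into the SQL string raw, while the neighbouring fields in the same statement go through `$tp->toDB()` or `intval()`; the new `$update` counter only records whether that statement succeeded and does not change what reaches the query. Apply the same treatment the other fields get — `intval($_POST['page_class'])` for the class id and `$tp->toDB()` for the password and template values — before they are interpolated. The enclosing method starts before this hunk, so whether these values were vetted earlier cannot be seen here; if they were, a comment on that line saying so would help the next reader.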


@@ -1379,7 +1379,8 @@ class admin_newspost
$_POST['news_body'] .= "\n[[b]".NWSLAN_49." {$row['submitnews_name']}[/b]]"; $_POST['news_body'] .= "\n[[b]".NWSLAN_49." {$row['submitnews_name']}[/b]]";
$_POST['news_body'] .= ($row['submitnews_file'])?"\n\n[img]{e_NEWSIMAGE}{$row['submitnews_file']}[/img]": ""; $_POST['news_body'] .= ($row['submitnews_file'])?"\n\n[img]{e_NEWSIMAGE}{$row['submitnews_file']}[/img]": "";
} }
$_POST['data'] = $tp->dataFilter($_POST['data']); // Filter any nasties
$_POST['news_title'] = $tp->dataFilter($_POST['news_title']);
} }
} }
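Review bot: The two new `dataFilter()` calls cover `$_POST['data']` and `$_POST['news_title']` but not `$_POST['news_body']`, which the lines immediately above build from `$row['submitnews_name']` and `$row['submitnews_file']` — values that originate from a user submission. If `news_body` is stored by the same path as `data`, it should receive the same filter, `$_POST['news_body'] = $tp->dataFilter($_POST['news_body']);`; if `data` is later derived from `news_body` this is already covered, but the hunk does not show that. The enclosing method begins before this hunk and its remainder lies outside it.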


@@ -9,9 +9,10 @@
* Administration - Site Preferences * Administration - Site Preferences
* *
* $URL$ * $URL$
* $Revision$
* $Id$ * $Id$
* * $Author$
*/ */
require_once ("../class2.php"); require_once ("../class2.php");
if(isset($_POST['newver'])) if(isset($_POST['newver']))
@@ -765,6 +766,21 @@ $text .= "
<div class='smalltext field-help'>".PRFLAN_117."</div> <div class='smalltext field-help'>".PRFLAN_117."</div>
</td> </td>
</tr> </tr>
<tr>
<td class='label'>".PRFLAN_215.":</td>
<td class='control'>
".r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')."
<div class='smalltext field-help'>".PRFLAN_216."</div>
</td>
</tr>
<tr>
<td class='label'>".PRFLAN_217.":</td>
<td class='control'>
".$frm->radio_switch('filter_script', varset($pref['filter_script'], 1))."
<div class='smalltext field-help'>".PRFLAN_218."</div>
</td>
</tr>
<tr> <tr>
<td class='label'>".PRFLAN_122.":</td> <td class='label'>".PRFLAN_122.":</td>
<td class='control'> <td class='control'>
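Review bot: `r_userclass('post_script', $pref['post_script'], …)` on the new row reads the preference with no default, while the `filter_script` row a few lines below guards its value with `varset(..., 1)`; on an installation where `post_script` has not yet been saved this emits an undefined-index notice and renders the selector with an empty current value. Use the same fallback the parser applies when it enforces this preference, `varset($pref['post_script'], e_UC_MAINADMIN)`, so the admin screen and the enforcement point agree on the default. The help text `PRFLAN_216` says this class also needs HTML posting rights; nothing in this hunk enforces that relationship, which is fine only if the check happens where the preference is consumed.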


@@ -0,0 +1,7 @@
/* $Id: sanitised.bb 11660 2010-08-16 16:41:35Z secretr $ */
// decode (just in case) and re-code sanitised string if debug and ADMIN
if(defsettrue('ADMIN') && defsettrue('E107_DEBUG_LEVEL'))
{
return '<span class="sanitised"> SANITISED: '.htmlentities(html_entity_decode(rawurldecode($code_text), ENT_QUOTES, CHARSET), ENT_QUOTES, CHARSET).' SANITISED END</span>';
}
return '<span class="sanitised">##'.LAN_SANITISED.'##</span>';
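Review bot: `LAN_SANITISED` is used on the last line of this new file but none of the language-file hunks shown in this commit define it; unless it is declared somewhere not shown, PHP will emit a notice and substitute the literal constant name in the output. Either add the definition alongside `LANHELP_48` in the bbcode language file or fall back with `defined('LAN_SANITISED') ? LAN_SANITISED : 'sanitised'`. The admin/debug branch re-encodes the decoded text with `htmlentities()`, so the flagged content is output-escaped there; a one-line comment stating that the decode is for readability and the re-encode is what keeps the output safe would make the intent explicit. This file is a code fragment evaluated by the bbcode handler, so there is no enclosing function.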


@@ -0,0 +1,235 @@
<?php
/*
+ ----------------------------------------------------------------------------+
| e107 website system
|
| Copyright (C) 2001-2002 Steve Dunstan (jalist@e107.org)
| Copyright (C) 2008-2010 e107 Inc (e107.org)
|
|
| Released under the terms and conditions of the
| GNU General Public License (http://gnu.org).
|
| $URL: https://e107.svn.sourceforge.net/svnroot/e107/trunk/e107_0.7/e107_handlers/emote.php $
| $Revision: 11678 $
| $Id: emote.php 11678 2010-08-22 00:43:45Z e107coders $
| $Author: e107coders $
+----------------------------------------------------------------------------+
*/
if (!defined('e107_INIT')) { exit; }
/**
* Youtube handling
*
* [youtube=tiny|small|medium|big|huge or width,height|nofull&norel&border&privacy&hd]ID[/youtube]
* Youtube ID is the only required data!
* BBcode 'pre-save' processes youtube's 'copy and paste' HTML code to generate an appropriate bbcode
* TODO - more: http://code.google.com/apis/youtube/player_parameters.html
* TODO - use swfobject JS - XHTML validation
*/
/**
* Class-based bbcode validation
*
* Class name must be 'bb_'.bbname - where bbname is the name of the bbcode. (Note some bbcodes begin '_', and this is retained)
*
* This class must contain exactly two public methods:
* toDB($code_text, $parm) - called prior to text being saved
* toHTML($code_text, $parm) - called prior to text being displayed
*/
class bb_youtube extends e_bb_base
{
/**
* Called prior to save
*
* If user has posted the complete youtube 'copy and paste' text between the tags, parse it and generate the relevant bbcode
*/
protected function toDB($code_text, $parm)
{
$bbpars = array();
$widthString = '';
$parm = trim($parm);
if ($parm)
{
if (strpos($parm, '|') !== FALSE)
{
list($widthString, $parm) = explode('|', $parm);
}
elseif (in_array($parm, array('tiny', 'small', 'medium', 'big', 'huge')) || (strpos($parm, ',') !== FALSE))
{ // Assume we're just setting a width
$widthString = $parm;
$parm = '';
}
if ($parm)
{
$bbpars = explode('&', $parm);
}
}
$params = array(); // Accumulator for parameters from youtube code
$ok = 0;
if (strpos($code_text, '<') === FALSE)
{ // 'Properly defined' bbcode (we hope)
$picRef = $code_text;
}
else
{
//libxml_use_internal_errors(TRUE);
if (FALSE === ($info = simplexml_load_string($code_text)))
{
//print_a($matches);
//$xmlErrs = libxml_get_errors();
//print_a($xmlErrs);
$ok = 1;
}
else
{
$info1 = (array)$info;
if (!isset($info1['embed']))
{
$ok = 2;
}
else
{
$info2 = (array)$info1['embed'];
if (!isset($info2['@attributes']))
{
$ok = 3;
}
}
}
if ($ok != 0)
{
print_a($info);
return '[sanitised]'.$ok.'B'.htmlspecialchars($matches[0]).'B[/sanitised]';
}
$target = $info2['@attributes'];
unset($info);
$ws = varset($target['width'], 0);
$hs = varset($target['height'], 0);
if (($ws == 0) || ($hs == 0) || !isset($target['src'])) return '[sanitised]A'.htmlspecialchars($matches[0]).'A[/sanitised]';
if (!$widthString)
{
$widthString = $ws.','.$hs; // Set size of window
}
list($url, $query) = explode('?', $target['src']);
if (strpos($url, 'youtube-nocookie.com') !== FALSE)
{
$params[] = 'privacy';
}
parse_str($query, $vals); // Various options set here
if (varset($vals['allowfullscreen'], 'true') != 'true')
{
$params[] = 'nofull';
}
if (varset($vals['border'], 0) != 0)
{
$params[] = 'border';
}
if (varset($vals['rel'], 1) == 0)
{
$params[] = 'norel';
}
$picRef = substr($url, strrpos($url, '/') + 1);
}
$yID = preg_replace('/[^0-9a-z]/i', '', $picRef);
if (($yID != $picRef) || (strlen($yID) > 20))
{ // Possible hack attempt
}
$params = array_merge($params, $bbpars); // Any parameters set in bbcode override those in HTML
// Could check for valid array indices here
$paramString = implode('&', $params);
if ($paramString) $widthString .= '|'.$paramString;
$ans = '[youtube='.$widthString.']'.$picRef.'[/youtube]';
return $ans;
}
/**
* Translate youtube bbcode into the appropriate <EMBED> object
*/
protected function toHTML($code_text, $parm)
{
if(empty($code_text)) return '';
$parms = explode('|', $parm, 2);
parse_str(varset($parms[1], ''), $params);
if(empty($parms[0])) $parms[0] = 'small';
switch ($parms[0])
{
case 'tiny':
$params['w'] = 200;
$params['h'] = 180;
break;
case 'small':
$params['w'] = 445;
$params['h'] = 364;
break;
case 'medium':
$params['w'] = 500;
$params['h'] = 405;
break;
case 'big':
$params['w'] = 660;
$params['h'] = 525;
break;
case 'huge':
$params['w'] = 980;
$params['h'] = 765;
break;
default:
$dim = explode(',', $parms[0], 2);
$params['w'] = (integer) varset($dim[0], 445);
if($params['w'] > 980 || $params['w'] < 200) $params['w'] = 445;
$params['h'] = (integer) varset($dim[1], 364);
if($params['h'] > 765 || $params['h'] < 180) $params['h'] = 364;
break;
}
$yID = preg_replace('/[^0-9a-z\-_\&]/i', '', $code_text);
$url = isset($params['privacy']) ? 'http://www.youtube-nocookie.com/v/' : 'http://www.youtube.com/v/';
$url .= $yID.'?';
if(isset($params['nofull']))
{
$fscr = 'false';
$url = $url.'fs=0';
}
else
{
$fscr = 'true';
$url = $url.'fs=1';
}
if(isset($params['border'])) $url = $url.'&amp;border=1';
if(isset($params['norel'])) $url = $url.'&amp;rel=0';
if(isset($params['hd'])) $url = $url.'&amp;hd=1';
$ret = '
<object width="'.$params['w'].'" height="'.$params['h'].'">
<param name="movie" value="'.$url.'"></param>
<param name="allowFullScreen" value="'.$fscr.'"></param>
<param name="allowscriptaccess" value="always"></param>
<param name="wmode" value="transparent"></param>
<embed src="'.$url.'" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="'.$fscr.'" wmode="transparent" width="'.$params['w'].'" height="'.$params['h'].'"></embed>
</object>
';
return $ret;
}
}
?>
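Review bot: In `toDB()`, the block guarded by `if (($yID != $picRef) || (strlen($yID) > 20))` is empty apart from the comment `Possible hack attempt`, so a video reference that fails the character/length check is still emitted unchanged into `[youtube=…]` on the return line; the check should produce the same sanitised result the XML failures do, `if (($yID != $picRef) || (strlen($yID) > 20)) return '[sanitised]C'.htmlspecialchars($code_text).'C[/sanitised]';`. The two existing failure returns reference `$matches[0]`, which is never assigned in this method, so they would emit an empty marker plus a notice; `$code_text` is the value they intend. `print_a($info)` on the `$ok != 0` path writes the parsed user input back into the response and looks like leftover debugging that should be removed before the class is live. `list($url, $query) = explode('?', $target['src'])` also leaves `$query` undefined when the `src` attribute has no query string, so `parse_str` on the next lines runs on an unset variable; initialising `$query = ''` first avoids that.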


@@ -65,6 +65,8 @@ class bbcode_shortcodes
$bbcode['list'] = array($bbcode_func,"[list][/list]", LANHELP_36,"list.png"); $bbcode['list'] = array($bbcode_func,"[list][/list]", LANHELP_36,"list.png");
$bbcode['img'] = array($bbcode_func,"[img][/img]", LANHELP_27,"image.png"); $bbcode['img'] = array($bbcode_func,"[img][/img]", LANHELP_27,"image.png");
$bbcode['flash'] = array($bbcode_func,"[flash=width,height][/flash]", LANHELP_47,"flash.png"); $bbcode['flash'] = array($bbcode_func,"[flash=width,height][/flash]", LANHELP_47,"flash.png");
$bbcode['youtube'] = array($bbcode_func,"[youtube][/youtube]", LANHELP_48,"youtube.png");
$bbcode['sanitised'] = array('', '', '');
$bbcode['fontsize'] = array("expandit","size_selector_".$rand, LANHELP_22,"fontsize.png","Size_Select",'size_selector_'.$rand); $bbcode['fontsize'] = array("expandit","size_selector_".$rand, LANHELP_22,"fontsize.png","Size_Select",'size_selector_'.$rand);
$bbcode['fontcol'] = array("expandit","col_selector_".$rand, LANHELP_21,"fontcol.png","Color_Select",'col_selector_'.$rand); $bbcode['fontcol'] = array("expandit","col_selector_".$rand, LANHELP_21,"fontcol.png","Color_Select",'col_selector_'.$rand);


@@ -134,6 +134,8 @@
<core name="password_CHAP">0</core> <core name="password_CHAP">0</core>
<core name="php_bbcode">255</core> <core name="php_bbcode">255</core>
<core name="post_html">254</core> <core name="post_html">254</core>
<core name="post_script">250</core>
<core name="filter_script">1</core>
<core name="predefinedLoginName"></core> <core name="predefinedLoginName"></core>
<core name="profanity_filter">0</core> <core name="profanity_filter">0</core>
<core name="profanity_replace">[censored]</core> <core name="profanity_replace">[censored]</core>


@@ -2,26 +2,40 @@
/* /*
* e107 website system * e107 website system
* *
* Copyright (C) 2008-2009 e107 Inc (e107.org) * Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the * Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt) * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
* *
* *
* *
* $Source: /cvs_backup/e107_0.8/e107_handlers/bbcode_handler.php,v $ * $URL$
* $Revision$ * $Revision$
* $Date$ * $Id$
* $Author$ * $Author$
*/ */
/**
*
* @package e107
* @category e107_handlers
* @version $Id$
* @author e107inc
*
* bbcode_handler - processes bbcodes within strings.
*
* Separate processing (via class-based bbcodes) for pre-save and pre-display
*/
if (!defined('e107_INIT')) { exit; } if (!defined('e107_INIT')) { exit; }
class e_bbcode class e_bbcode
{ {
var $bbList; // Caches the file contents for each bbcode processed var $bbList; // Caches the file contents for each bbcode processed
var $bbLocation; // Location for each file - 'core' or a plugin name var $bbLocation; // Location for each file - 'core' or a plugin name
var $preProcess = FALSE; // Set when processing bbcodes prior to saving
function e_bbcode()
function __construct()
{ {
global $pref; global $pref;
$core_bb = array( $core_bb = array(
@@ -31,7 +45,7 @@ class e_bbcode
'url', 'quote', 'left', 'right', 'url', 'quote', 'left', 'right',
'b', 'justify', 'file', 'stream', 'b', 'justify', 'file', 'stream',
'textarea', 'list', 'php', 'time', 'textarea', 'list', 'php', 'time',
'spoiler', 'hide' 'spoiler', 'hide', 'youtube', 'sanitised'
); );
foreach($core_bb as $c) foreach($core_bb as $c)
@@ -56,26 +70,60 @@ class e_bbcode
krsort($this->bbLocation); krsort($this->bbLocation);
} }
// If $bb_strip is TRUE, all bbcodes are stripped. If FALSE, none are stripped.
// If a comma separated (lower case) list is passed, only the listed codes are stripped (and the rest are processed) /**
function parseBBCodes($value, $p_ID, $force_lower = 'default', $bb_strip = FALSE) * Parse a string for bbcodes.
* Process using the 'pre-save' or 'display' routines as appropriate
*
* @var string $value - the string to be processed
* @var int $p_ID - ID of a user (the 'post ID') needed by some bbcodes in display mode
* @var string|boolean $force_lower - determines whether bbcode detection is case-insensitive
* TRUE - case-insensitive
* 'default' - case-insensitive
* FALSE - case-sensitive (only lower case bbcodes processed)
* @var string|boolean $bbStrip - determines action when a bbcode is encountered.
* TRUE (boolean or word), all bbcodes are stripped.
* FALSE - normal display processing of all bbcodes
* comma separated (lower case) list - only the listed codes are stripped (and the rest are processed)
* If the first word is 'PRE', sets pre-save mode. Any other parameters follow, comma separated
*
* @return string processed data
*
* Code uses a crude stack-based syntax analyser to handle nested bbcodes (including nested 'size' bbcodes, for example)
*/
function parseBBCodes($value, $p_ID, $force_lower = 'default', $bbStrip = FALSE)
{ {
global $postID; global $postID;
$postID = $p_ID; $postID = $p_ID;
if (strlen($value) <= 6) return $value; // Don't waste time on trivia! if (strlen($value) <= 6) return $value; // Don't waste time on trivia!
if ($force_lower == 'default') $force_lower = TRUE; // Set the default behaviour if not overridden if ($force_lower == 'default') $force_lower = TRUE; // Set the default behaviour if not overridden
$code_stack = array(); // Stack for unprocessed bbcodes and text $code_stack = array(); // Stack for unprocessed bbcodes and text
$unmatch_stack = array(); // Stack for unmatched bbcodes $unmatch_stack = array(); // Stack for unmatched bbcodes
$result = ''; // Accumulates fully processed text $result = ''; // Accumulates fully processed text
$stacktext = ''; // Accumulates text which might be subject to one or more bbcodes $stacktext = ''; // Accumulates text which might be subject to one or more bbcodes
$nopro = FALSE; // Blocks processing within [code]...[/code] tags $nopro = FALSE; // Blocks processing within [code]...[/code] tags
$this->preProcess = FALSE;
$strip_array = array(); $strip_array = array();
if (!is_bool($bb_strip)) if (!is_bool($bbStrip))
{ {
$strip_array = explode(',',$bb_strip); $strip_array = explode(',',$bbStrip);
if ($strip_array[0] == 'PRE')
{
$this->preProcess = TRUE;
unset($strip_array[0]);
if (count($strip_array) == 0)
{
$bbStrip = FALSE;
}
elseif (in_array('TRUE', $strip_array))
{
$bbStrip = TRUE;
}
}
} }
$pattern = '#^\[(/?)([A-Za-z_]+)(\d*)([=:]?)(.*?)]$#i'; // Pattern to split up bbcodes $pattern = '#^\[(/?)([A-Za-z_]+)(\d*)([=:]?)(.*?)]$#i'; // Pattern to split up bbcodes
// $matches[0] - same as the input text // $matches[0] - same as the input text
@@ -100,14 +148,13 @@ class e_bbcode
$bbword = (isset($matches[2])) ? $matches[2] : ''; $bbword = (isset($matches[2])) ? $matches[2] : '';
if($cont[1] != '/') if($cont[1] != '/')
{ {
$bbstart = $cont;
$bbsep = varset($matches[4]); $bbsep = varset($matches[4]);
} }
if ($force_lower) $bbword = strtolower($bbword); if ($force_lower) $bbword = strtolower($bbword);
if ($nopro && ($bbword == 'code') && ($matches[1] == '/')) $nopro = FALSE; // End of code block if ($nopro && ($bbword == 'code') && ($matches[1] == '/')) $nopro = FALSE; // End of code block
if (($bbword) && ($bbword == trim($bbword)) && !$nopro) if (($bbword) && ($bbword == trim($bbword)) && !$nopro)
{ // Got a code to process here { // Got a code to process here
if (($bb_strip === TRUE) || in_array($bbword,$strip_array)) if (($bbStrip === TRUE) || in_array($bbword,$strip_array))
{ {
$is_proc = TRUE; // Just discard this bbcode $is_proc = TRUE; // Just discard this bbcode
} }
@@ -146,7 +193,7 @@ class e_bbcode
case 'bbcode' : case 'bbcode' :
if (($code_stack[0]['code'] == $bbword) && ($code_stack[0]['numbers'] == $matches[3])) if (($code_stack[0]['code'] == $bbword) && ($code_stack[0]['numbers'] == $matches[3]))
{ {
$stacktext = $this->proc_bbcode($bbword,$code_stack[0]['param'],$stacktext,$bbparam, $bbsep, $bbstart.$stacktext.$cont); $stacktext = $this->proc_bbcode($bbword, $code_stack[0]['param'], $stacktext, $bbparam, $code_stack[0]['bbsep'], $code_stack[0]['block'].$stacktext.$cont);
array_shift($code_stack); array_shift($code_stack);
// Intentionally don't terminate here - may be some text we can clean up // Intentionally don't terminate here - may be some text we can clean up
$bbword=''; // Necessary to make sure we don't double process if several instances on stack $bbword=''; // Necessary to make sure we don't double process if several instances on stack
@@ -175,11 +222,11 @@ class e_bbcode
{ // Single code to process { // Single code to process
if (count($code_stack) == 0) if (count($code_stack) == 0)
{ {
$result .= $this->proc_bbcode('_'.$bbword,$bbparam); $result .= $this->proc_bbcode('_'.$bbword,$bbparam,'','','',$cont);
} }
else else
{ {
$stacktext .= $this->proc_bbcode('_'.$bbword,$bbparam); $stacktext .= $this->proc_bbcode('_'.$bbword,$bbparam,'','','',$cont);
} }
$is_proc = TRUE; $is_proc = TRUE;
} }
@@ -190,12 +237,11 @@ class e_bbcode
array_unshift($code_stack,array('type' => 'text','code' => $stacktext)); array_unshift($code_stack,array('type' => 'text','code' => $stacktext));
$stacktext = ''; $stacktext = '';
} }
array_unshift($code_stack,array('type' => 'bbcode','code' => $bbword, 'numbers'=> $matches[3], 'param'=>$bbparam)); array_unshift($code_stack,array('type' => 'bbcode','code' => $bbword, 'numbers'=> $matches[3], 'param'=>$bbparam, 'bbsep' => $bbsep, 'block' => $cont));
if ($bbword == 'code') $nopro = TRUE; if ($bbword == 'code') $nopro = TRUE;
$is_proc = TRUE; $is_proc = TRUE;
} }
} }
} }
} }
// Next lines could be deleted - but gives better rejection of 'stray' opening brackets // Next lines could be deleted - but gives better rejection of 'stray' opening brackets
@@ -243,14 +289,21 @@ class e_bbcode
function proc_bbcode($code, $param1='',$code_text_par='', $param2='', $sep='', $full_text='')
// Invoke an actual bbcode handler /**
// $code - textual value of the bbcode (already begins with '_' if a single code) * Process a bbcode
// $param1 - any text after '=' in the opening code *
// $code_text_par - text between the opening and closing codes * @var string $code - textual value of the bbcode (already begins with '_' if a single code)
// $param2 - any text after '=' for the closing code * @var string $param1 - any text after '=' in the opening code
* @var string $code_text_par - text between the opening and closing codes
* @var string $param2 - any text after '=' for the closing code
* @var char $sep - character separating bbcode name and any parameters
* @var string $full_text - the 'raw' text between, and including, the opening and closing bbcode tags
*/
private function proc_bbcode($code, $param1='', $code_text_par='', $param2='', $sep='', $full_text='')
{ {
global $tp, $postID, $code_text, $parm; global $tp, $postID, $code_text, $parm;
$parm = $param1; $parm = $param1;
$code_text = $code_text_par; $code_text = $code_text_par;
@@ -269,26 +322,47 @@ class e_bbcode
{ // Find the file { // Find the file
if ($this->bbLocation[$code] == 'core') if ($this->bbLocation[$code] == 'core')
{ {
$bbFile = e_CORE.'bbcodes/'.strtolower(str_replace('_', '', $code)).'.bb'; $bbFile = e_CORE.'bbcodes/'.strtolower(str_replace('_', '', $code));
} }
else else
{ // Add code to check for plugin bbcode addition { // Add code to check for plugin bbcode addition
$bbFile = e_PLUGIN.$this->bbLocation[$code].'/'.strtolower($code).'.bb'; $bbFile = e_PLUGIN.$this->bbLocation[$code].'/'.strtolower($code);
} }
if (file_exists($bbFile)) if (file_exists($bbFile.'.php'))
{ // Its a bbcode class file
require_once($bbFile.'.php');
//echo "Load: {$bbFile}.php -->".$code_text.'<br />';
$className = 'bb_'.$code;
$this->bbList[$code] = new $className();
}
elseif (file_exists($bbFile.'.bb'))
{ {
$bbcode = file_get_contents($bbFile); $bbcode = file_get_contents($bbFile.'.bb');
$this->bbList[$code] = $bbcode; $this->bbList[$code] = $bbcode;
} }
else else
{ {
$this->bbList[$code] = ''; $this->bbList[$code] = '';
//echo "<br />File not found: {$bbFile}.php<br />";
return false; return false;
} }
} }
global $e107_debug; global $e107_debug;
if (is_object($this->bbList[$code]))
{
if ($this->preProcess)
{
//echo "Preprocess: ".htmlspecialchars($code_text).", params: {$param1}<br />";
return $this->bbList[$code]->bbPreSave($code_text, $param1);
}
return $this->bbList[$code]->bbPreDisplay($code_text, $param1);
}
if ($this->preProcess) return $full_text; // No change
/**
* @todo - capturing output deprecated
*/
ob_start(); ob_start();
$bbcode_return = eval($bbcode); $bbcode_return = eval($bbcode);
$bbcode_output = ob_get_contents(); $bbcode_output = ob_get_contents();
@@ -305,4 +379,60 @@ class e_bbcode
} }
} }
/**
* Base class for bbcode handlers
*
* Contains core routines for entry, security, logging....
*
* @todo add security
*/
class e_bb_base
{
/**
* Constructor
*/
public function __construct()
{
}
/**
* Called prior to save of user-entered text
*
* Allows initial parsing of bbcode, including the possibility of removing or transforming the enclosed text (as is done by the youtube processing)
* Parameters passed by reference to minimise memory use
*
* @param string $code_text - text between the bbcode tags
* @param string $parm - any parameters specified for the bbcode
*
* @return string for insertion into DB. (If a bbcode is to be inserted, the bbcode 'tags' must be included in the return string.)
*/
final public function bbPreSave(&$code_text, &$parm)
{
// Could add logging, security in here
return $this->toDB($code_text, $parm);
}
/**
* Process bbcode prior to display
* Functionally this routine does exactly the same as the existing bbcodes
* Parameters passed by reference to minimise memory use
*
* @param string $code_text - text between the bbcode tags
* @param string $parm - any parameters specified for the bbcode
*
* @return string with $code_text transformed into displayable XHTML as necessary
*/
final public function bbPreDisplay(&$code_text, &$parm)
{
// Could add logging, security in here
return $this->toHTML($code_text, $parm);
}
}
?> ?>
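Review bot: `e_bb_base` declares `bbPreSave()` and `bbPreDisplay()` as `final` wrappers around `$this->toDB()` and `$this->toHTML()`, but neither of those methods is declared on the base class, so a handler that omits one fails with an undefined-method fatal at first use rather than at load; make the class `abstract` and add `abstract protected function toDB($code_text, $parm);` and `abstract protected function toHTML($code_text, $parm);` so the contract the class docblock describes is enforced. In `proc_bbcode()`, `new $className()` follows `require_once($bbFile.'.php')` with no check that the file actually defined the class, and the `is_object()` branch below assumes the object has `bbPreSave()`; a `class_exists($className)` test before instantiation, or an `instanceof e_bb_base` check before the call, would route a malformed handler file into the existing `return false` path. The `@todo add security` on the base class and the `Could add logging, security in here` comments mean the security hooks announced in the commit title are placeholders at this point, which is worth stating plainly in the class docblock.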


@@ -477,6 +477,13 @@ class e_parse
{ {
$data = stripslashes($data); $data = stripslashes($data);
} }
$data = $this->preFilter($data);
if (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN)))
{
$data = $this->dataFilter($data);
}
if (isset($pref['post_html']) && check_class($pref['post_html'])) if (isset($pref['post_html']) && check_class($pref['post_html']))
{ {
$no_encode = TRUE; $no_encode = TRUE;
@@ -507,6 +514,94 @@ class e_parse
} }
/**
* Checks a string for potentially dangerous HTML tags, including malformed tags
*
*/
public function dataFilter($data)
{
$ans = '';
$vetWords = array('<applet', '<body', '<embed', '<frame', '<script', '<frameset', '<html', '<iframe',
'<style', '<layer', '<link', '<ilayer', '<meta', '<object', 'javascript:', 'vbscript:');
$ret = preg_split('#(\[code.*?\[/code.*?])#mis', $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );
foreach ($ret as $s)
{
if (substr($s, 0, 5) != '[code')
{
$vl = array();
$t = html_entity_decode(rawurldecode($s), ENT_QUOTES, CHARSET);
$t = str_replace(array("\r", "\n", "\t", "\v", "\f", "\0"), '', $t);
$t1 = strtolower($t);
foreach ($vetWords as $vw)
{
if (strpos($t1, $vw) !== FALSE)
{
$vl[] = $vw; // Add to list of words found
}
if (substr($vw, 0, 1) == '<')
{
$vw = '</'.substr($vw, 1);
if (strpos($t1, $vw) !== FALSE)
{
$vl[] = $vw; // Add to list of words found
}
}
}
// More checks here
if (count($vl))
{ // Do something
$s = preg_replace_callback('#('.implode('|', $vl).')#mis', array($this, 'modtag'), $t);
}
}
$ans .= $s;
}
return $ans;
}
private function modTag($match)
{
$ans = '';
if (isset($match[1]))
{
$chop = intval(strlen($match[1]) / 2);
$ans = substr($match[1], 0, $chop).'##xss##'.substr($match[1], $chop);
}
else
{
$ans = '?????';
}
return '[sanitised]'.$ans.'[/sanitised]';
}
/**
* Processes data as needed before its written to the DB.
* Currently gives bbcodes the opportunity to do something
*
* @param $data string - data about to be written to DB
* @return string - modified data
*/
public function preFilter($data)
{
if (!is_object($this->e_bb))
{
require_once(e_HANDLER.'bbcode_handler.php');
$this->e_bb = new e_bbcode;
}
$ret = $this->e_bb->parseBBCodes($data, USERID, 'default', 'PRE'); // $postID = logged in user here
return $ret;
}
function toForm($text) function toForm($text)
{ {
if($text == '') if($text == '')
@@ -1244,6 +1339,7 @@ class e_parse
default : // Most bbcodes will just execute their normal file default : // Most bbcodes will just execute their normal file
// Just read in the code file and execute it // Just read in the code file and execute it
/// @todo Handle class-based bbcodes
$bbcode = file_get_contents($bbFile); $bbcode = file_get_contents($bbFile);
} // end - switch ($matches[2]) } // end - switch ($matches[2])
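Review bot: The new `filter_script` preference added elsewhere in this commit (admin form and core defaults) is never read in `toDB()`: the `dataFilter()` call on the new lines is gated only on `post_html`/`post_script` membership, so switching the filter off in the admin screen has no effect in the hunks shown. If the description in `PRFLAN_218` is the intended semantics, the condition should read `if (varset($pref['filter_script'], 1) && (!check_class(varset($pref['post_html'], e_UC_MAINADMIN)) || !check_class(varset($pref['post_script'], e_UC_MAINADMIN))))`. In `dataFilter()`, `$t` is the decoded copy of the segment with `\r`, `\n`, `\t`, `\v`, `\f` and `\0` stripped, and when any vetted word is found `$s = preg_replace_callback(..., $t)` writes that decoded, newline-less copy back in place of the original segment, so one flagged tag silently removes every line break and undoes the entity/URL encoding of the whole segment rather than just the tag; keep the detection copy separate from the stored text, or apply the replacement to a copy that retains whitespace. `$vetWords` is a deny-list of tag names plus two URI schemes and does not cover script-bearing attributes on tags it allows, so the filter reduces rather than removes the exposure, and the docblock on `dataFilter()` should say that instead of the bare `Checks a string for potentially dangerous HTML tags`. The `implode('|', $vl)` pattern on the callback line should `preg_quote()` each word with `#` as the delimiter, even though the current words contain no metacharacters.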


@@ -91,7 +91,7 @@ class e_online
$page = (strpos(e_SELF, 'forum_') !== FALSE) ? e_SELF.'.'.e_QUERY : e_SELF; $page = (strpos(e_SELF, 'forum_') !== FALSE) ? e_SELF.'.'.e_QUERY : e_SELF;
$page = (strpos(e_SELF, 'comment') !== FALSE) ? e_SELF.'.'.e_QUERY : $page; $page = (strpos(e_SELF, 'comment') !== FALSE) ? e_SELF.'.'.e_QUERY : $page;
$page = (strpos(e_SELF, 'content') !== FALSE) ? e_SELF.'.'.e_QUERY : $page; $page = (strpos(e_SELF, 'content') !== FALSE) ? e_SELF.'.'.e_QUERY : $page;
$page = $e107->tp->toDB($page, true); $page = $e107->tp->toDB($page, true); /// @todo - try not to use toDB() - triggers prefilter
$ip = $e107->getip(); $ip = $e107->getip();
$udata = ($user->isUser() ? $user->getId().'.'.$user->getName() : '0'); $udata = ($user->isUser() ? $user->getId().'.'.$user->getName() : '0');
$agent = $_SERVER['HTTP_USER_AGENT']; $agent = $_SERVER['HTTP_USER_AGENT'];


@@ -1,22 +1,19 @@
<?php <?php
/* /*
+ ----------------------------------------------------------------------------+ * e107 website system
| e107 website system *
| * Copyright (C) 2008-2010 e107 Inc (e107.org)
| Copyright (C) 2008-2009 e107 Inc (e107.org) * Released under the terms and conditions of the
| http://e107.org * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
| *
| * Administration - Language file for Site Preferences
| Released under the terms and conditions of the *
| GNU General Public License (http://gnu.org). * $URL$
| * $Revision$
| $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_prefs.php,v $ * $Id$
| $Revision$ * $Author$
| $Date$ */
| $Author$
+----------------------------------------------------------------------------+
*/
define("PRFLAN_1", "Site Information"); define("PRFLAN_1", "Site Information");
define("PRFLAN_2", "Site Name"); define("PRFLAN_2", "Site Name");
@@ -72,11 +69,11 @@ define("PRFLAN_58", "Restrict website to members only");
define("PRFLAN_59", "ticking will restrict all areas apart from the front page and signup page to members only"); define("PRFLAN_59", "ticking will restrict all areas apart from the front page and signup page to members only");
define("PRFLAN_60", "Enable SSL"); define("PRFLAN_60", "Enable SSL");
define("PRFLAN_61", "Only enable SSL if <span class='error'>you are sure you know what you are doing!</span>"); define("PRFLAN_61", "Only enable SSL if <span class='error'>you are sure you know what you are doing!</span>");
define("PRFLAN_76", "Enable Image-code verification during signup"); define("PRFLAN_76", "Enable Image-code verification during signup.");
define("PRFLAN_77", "Admin Display Options "); define("PRFLAN_77", "Admin Display Options ");
define("PRFLAN_78", "Leave blank to disable"); define("PRFLAN_78", "Leave blank to disable");
define("PRFLAN_80", "Click here to view"); define("PRFLAN_80", "Click here to view");
define("PRFLAN_81", "Enable Image-code verification during login"); define("PRFLAN_81", "Enable Image-code verification during login.");
define("PRFLAN_83", "example"); define("PRFLAN_83", "example");
define("PRFLAN_87", "Comments/Posting"); define("PRFLAN_87", "Comments/Posting");
define("PRFLAN_88", "Turn on nested comments"); define("PRFLAN_88", "Turn on nested comments");
@@ -122,8 +119,8 @@ define("PRFLAN_110", "words longer than the length entered will be wrapped onto
define("PRFLAN_111", "Wrap long words in menu text"); define("PRFLAN_111", "Wrap long words in menu text");
define("PRFLAN_112", "On"); define("PRFLAN_112", "On");
define("PRFLAN_113", "Off"); define("PRFLAN_113", "Off");
define("PRFLAN_116", "Allow HTML posting"); define("PRFLAN_116", "Class which can post HTML");
define("PRFLAN_117", "This will allow users to post HTML code anywhere on the site, select the userclass to allow this."); define("PRFLAN_117", "This will allow users to post most HTML code anywhere on the site, select the userclass to allow this.");
define("PRFLAN_118", "Use Geshi for syntax highlighting"); define("PRFLAN_118", "Use Geshi for syntax highlighting");
define("PRFLAN_119", "Geshi is an open source multi-language syntax highlighter, see http://qbnz.com/highlighter/ for more information"); define("PRFLAN_119", "Geshi is an open source multi-language syntax highlighter, see http://qbnz.com/highlighter/ for more information");
define("PRFLAN_120", "Default Geshi syntax language"); define("PRFLAN_120", "Default Geshi syntax language");
@@ -229,5 +226,10 @@ define('PRFLAN_211', 'Cannot make email address optional if required for validat
define('PRFLAN_212', 'Value for --FIELD-- too high - changed to --VALUE--'); define('PRFLAN_212', 'Value for --FIELD-- too high - changed to --VALUE--');
define('PRFLAN_213', 'Value for --FIELD-- too low - changed to --VALUE--'); define('PRFLAN_213', 'Value for --FIELD-- too low - changed to --VALUE--');
define('PRFLAN_214', "Site Logo"); define('PRFLAN_214', "Site Logo");
define('PRFLAN_215', 'Class which can post &lt;script&gt; and similar tags');
define('PRFLAN_216', '(Requires HTML posting rights as well)');
define('PRFLAN_217', 'Filter HTML content');
define('PRFLAN_218', 'If \'off\', puts users at increased risk of XSS exploits posted by members of the above class, or prior to 0.7.24');
?> ?>


@@ -63,4 +63,6 @@ define("LANHELP_45", "Insert image from directory: ");
define("LANHELP_46", "* No files found in: "); define("LANHELP_46", "* No files found in: ");
define("LANHELP_47", "Insert flash: [flash=width,height]http://www.example.com/file.swf[/flash]"); define("LANHELP_47", "Insert flash: [flash=width,height]http://www.example.com/file.swf[/flash]");
define("LANHELP_48", "YouTube video: [youtube=tiny|small|medium|big|huge|width,height]6kYjxJmk0wc[/youtube]");
?> ?>


@@ -21,7 +21,7 @@
$BBCODE_TEMPLATE = " $BBCODE_TEMPLATE = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right} {BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes} {BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=youtube}
<div class='field-spacer'><!-- --></div> <div class='field-spacer'><!-- --></div>
"; ";
@@ -36,7 +36,7 @@ $BBCODE_TEMPLATE_SUBMITNEWS = "
{BB_HELP} {BB_HELP}
<div class='field-spacer'><!-- --></div> <div class='field-spacer'><!-- --></div>
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right} {BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=flash} {BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div> <div class='field-spacer'><!-- --></div>
"; ";
@@ -49,7 +49,7 @@ $BBCODE_TEMPLATE_ADMIN = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left} {BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}
{BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes} {BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB_PREIMAGEDIR=".e_IMAGE."} {BB_PREIMAGEDIR=".e_IMAGE."}
{BB=preimage}{BB=prefile}{BB=flash} {BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div> <div class='field-spacer'><!-- --></div>
"; ";
@@ -71,7 +71,7 @@ $BBCODE_TEMPLATE_NEWSPOST = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left} {BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}
{BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes} {BB=right}{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB_PREIMAGEDIR=".e_IMAGE."newspost_images/} {BB_PREIMAGEDIR=".e_IMAGE."newspost_images/}
{BB=preimage}{BB=prefile}{BB=flash} {BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div> <div class='field-spacer'><!-- --></div>
"; ";
@@ -82,7 +82,7 @@ $BBCODE_TEMPLATE_CPAGE = "
{BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right} {BB=link}{BB=b}{BB=i}{BB=u}{BB=img}{BB=center}{BB=left}{BB=right}
{BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes} {BB=bq}{BB=code}{BB=list}{BB=fontcol}{BB=fontsize}{BB=emotes}
{BB_PREIMAGEDIR=".e_IMAGE."custom/} {BB_PREIMAGEDIR=".e_IMAGE."custom/}
{BB=preimage}{BB=prefile}{BB=flash} {BB=preimage}{BB=prefile}{BB=flash}{BB=youtube}
<div class='field-spacer'><!-- --></div> <div class='field-spacer'><!-- --></div>
"; ";
?> ?>


@@ -375,7 +375,7 @@ if (empty($order))
{ {
$order = 'news_datestamp'; $order = 'news_datestamp';
} }
$order = $tp -> toDB($order, true); $order = $tp -> toDB($order, true); /// @todo - try not to use toDB() - triggers prefilter
$interval = $pref['newsposts']; $interval = $pref['newsposts'];