mirror of https://github.com/e107inc/e107.git synced 2025-01-17 20:58:30 +01:00

371 Commits

Author SHA1 Message Date
Nick Liu
55200fe686
#4547: Strip BBCode from download_shortcodes JavaScript alerts
Fixes: #4547

Discussion:
https://github.com/e107inc/e107/pull/4547#issuecomment-917229877
2021-09-15 16:05:31 -05:00
Nick Liu
f6d6d1b185
Deprecate e_parse::toJS()
`e_parse::toJS()`, documented with the description

> Convert text blocks which are to be embedded within JS

, does not protect strings from injections, which appears to be its
primary use.  Additionally, it performs multiple unrelated string
modifications:

* Replace Windows line breaks with a literal `\\n` (which would later be
  parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with
  the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does

This method cannot be fixed because its usages are inconsistent.  Most
notably, some usages surround the method's output in single quotes while
others surround it with double quotes.  Strings cannot be JSON-encoded
without confounding quotation mark styles.

All core usages of `e_parse::toJS()` have been replaced with
alternatives, which are also documented in the method's DocBlock.

Fixes: #4546
2021-08-31 00:11:14 +02:00
Nick Liu
20882920a0
Fix all PHP 8.1 test failures
* `strftime()` has been replaced with a polyfill based on `DateTime`.
* Explicit type casts/assertions added where required by PHP 8.1
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()`
  or HTML entity encoding of quotation marks, depending on a guess of
  what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types),
  `e_session_db` no longer implements `SessionHandlerInterface`.
  Instead, the alternative non-OOP invocation of
  `session_set_save_handler()` is used to apply the session
  handler.
* The shim for `strptime()` still calls the native function if available
  but now suppresses the deprecation warning.

* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to
  maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to
  maintain consistent behavior with past versions of PHP.

* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in
  `validatorClass::dbValidateArray()` without a proper API for avoiding
  SQL injection
2021-09-04 15:06:19 +02:00
Cameron
95fab15c02 Gsitemap: Display link visibility status while importing. 2021-07-22 13:51:35 -07:00
Nick Liu
ccf0f037aa
#4299: Wrap more potentially undefined constants
In:
* Forums
* /e107_admin/menus.php
2021-07-13 13:10:59 +02:00
Cameron
240c088eff Issue #4478 - Fixes decorate_download_location() and check_download_limits() 'missing function' errors. 2021-04-06 10:40:58 -07:00
Cameron
76af210666 Issue #4332 - Bootstrap 5 styling fixes. 2021-02-23 11:11:35 -08:00
Cameron
340ff05fcd Bootstrap5 markup added to download item pagination. Fallback added to e107.css 2021-02-21 14:13:01 -08:00
Cameron
835e477147 Bootstrap 5 styling. (data-bs-toggle)
Signup shortcodes now automatically load the required template.
2021-01-26 15:08:58 -08:00
Cameron
acc1a9af0d Plugin script tests and PHP8 fixes. 2021-01-22 13:44:10 -08:00
Cameron
f055b49d91 PHP8 Plugin code cleanup 2021-01-21 09:38:38 -08:00
Cameron
f091709847 Issue #4352 - Canonical added for page, forum and download. Replaced some e_PAGETITLE with e107::title() 2021-01-19 09:50:02 -08:00
Cameron
3d19db894b PHP8 Fixes and shortcode tests for chatbox_menu, download, faqs, forum and forum-post 2021-01-07 09:42:19 -08:00
Cameron
ffc605f936 Fixes #4324 typo causing fatal error. 2020-12-30 10:18:33 -08:00
Cameron
21e3c3f8ab PHP warning fixes. 2020-12-29 09:48:36 -08:00
Cameron
10482b8a89 Solves the duplicate breadcrumb issue. 2020-12-28 09:48:44 -08:00
Cameron
7dfac0dcfa Issue #4299 - PHP8 compatibility fixes. 2020-12-25 10:23:56 -08:00
Cameron
3f8e043998 Replaced e107::getAdminLog() with e107::getLog(). e107::getAdminLog() will continue as a deprecated alias. 2020-12-22 09:36:02 -08:00
Cameron
630f3f415f Improved detection of deprecated functions/methods and display in DEBUG mode: deprecated. 2020-12-21 10:00:28 -08:00
Cameron
601df26d51 Code optimization for speed and reduced memory usage. 2020-12-20 11:50:10 -08:00
Cameron
5b82c292b1 Code cleanup 2020-12-18 19:55:12 -08:00
Cameron
f5153bf640 Updating of deprecated method usage. Removal of old files. Log tests added. 2020-12-18 09:39:02 -08:00
Cameron
0e90d4aa66 Code optimization and cleaning 2020-12-17 13:13:29 -08:00
Cameron
42f0e902d4 Issue #4283 - Update deprecated sql method usage. Removed old code. 2020-12-17 05:52:54 -08:00
Cameron
f80d611202 Bbcode code optimization and test. 2020-12-15 08:59:31 -08:00
Cameron
44e260b121 Code cleanup and optimization 2020-12-14 16:21:48 -08:00
Cameron
f605ddc552 Code optimization and cleanup. 2020-12-10 15:52:48 -08:00
Cameron
d0feb76cef Issue #3291 - gSitemap upgrades to save table and table_id info for syncing on changes. (coming soon) 2020-12-09 15:12:56 -08:00
Cameron
afaac88003 PHP8 Compatibility and code cleanup. 2020-12-08 12:21:12 -08:00
Cameron
09fb747374 Code cleanup 2020-12-05 14:13:18 -08:00
Nick Liu
043bc702e5
Fixed all PHP syntax errors 2020-09-28 20:59:12 -05:00
Cameron
e1593de8ee Removed redundant PHP closing tags. 2020-08-10 15:49:44 -07:00
Cameron
4ce699b380
Merge pull request #4011 from Deltik/fix-4010
Support NGINX $host in Downloads hotlink protection
2020-07-02 10:55:31 -07:00
Cameron
9a2f979551 Removed unused code from download admin area. 2020-03-03 13:12:14 -08:00
Deltik
a8887d2a5e
Support NGINX $host in Downloads hotlink protection
Fixes: #4010
Related: #3111

==== Problem ====
If there are two download mirrors, `slow.example.com` and
`fast.example.com`, hotlink protection using an NGINX `secure_link_md5`
expression in the Downloads plugin cannot distinguish between these
hostnames.

This means that a user limited to `slow.example.com` can change the
download host to `fast.example.com` and download from the better mirror.

==== Solution ====
To solve this, `NginxSecureLinkMd5Decorator` needs to support the NGINX
`$host` variable.  Having this variable in the expression will lock down
the secure link to the specific download host.
2019-11-05 13:33:48 -06:00
Tijn Kuyper
c96053cbba
Closes #3864 - Added raw option for {DOWNLOAD_CAT_SUB_NAME} and {DOWNLOAD_CAT_SUBSUB_NAME} 2019-10-31 12:14:07 +01:00
Tijn Kuyper
23c0f882dc
#3864 - Allow class styling to download next/prev shortcodes 2019-10-30 14:40:29 +01:00
Tijn Kuyper
e470f4b786
#3270 - Download meta description 2019-10-29 16:58:03 +01:00
Tijn Kuyper
46f01e17bf
Fixes #3270 - Download meta description limit and formatting 2019-10-29 15:33:54 +01:00
Tijn Kuyper
389f08d216
Fixes #2601 - Download plugin round filesize 2019-10-29 15:23:27 +01:00
Tijn Kuyper
c394560fe3
PHP warnings clean-up 2019-10-29 14:50:24 +01:00
Tijn Kuyper
104dbed53d
#3622 - Fix individual deletion of broken download reports 2019-10-29 14:50:06 +01:00
Tijn Kuyper
b01f5cbb19
Make sure user has appropriate rights to report a broken download
Prevents 'spam' broken download reports
2019-10-29 12:56:57 +01:00
Tijn Kuyper
8a27ac2b31
#3622 - Rewrite e_notify and e_dashboard check 2019-10-29 11:20:22 +01:00
Tijn Kuyper
ef2a831132
#3622 - add e_notify check for download plugin 2019-10-28 20:52:47 +01:00
Tijn Kuyper
30302dbbfc
#3622 - Broken downloads clean-up 2019-10-27 22:28:00 +01:00
Tijn Kuyper
1b9251e75f
Fixes #3622 - Reported broken downloads reworked
- Moved away from e107_admin/message.php to its own place in the Downloads admin area.
- Notification of broken downloads now controlled by e_notify (see Admin Area > Settings > Notify)
- Updated notification message
- Added e_dashboard addon to show latest status on broken download reports
2019-10-27 21:40:59 +01:00
Tijn Kuyper
abcce8639d
#3622 - Get rid of old download_mail pref
No longer needed now that we have e_notify
2019-10-27 18:55:23 +01:00
Tijn Kuyper
59e8d0762a
#3622 - Download plugin LAN clean-up 2019-10-27 18:24:43 +01:00
Tijn Kuyper
e5f024e669
#3622 - Download plugin - moving 'Report Broken Download' to e_notify
Work in progress:
- Convert previous 'download_email' pref
- Move broken download list to download plugin admin  /e107_admin/message.php
2019-10-27 18:20:59 +01:00