mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-24 20:13:22 +01:00
Code Issues Releases Wiki Activity

merging TEXT warn from 3_0_0

Browse Source 
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_7@10512 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Henry Sudhof 2010-02-20 16:44:00 +00:00
parent a63ceb28e2
commit d7f4922993
3 changed files with 138 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
phpBB/adm/style/confirm_bbcode.html Executable file
View File

@ -0,0 +1,22 @@
<!-- INCLUDE overall_header.html -->
<form id="confirm" method="post" action="{S_CONFIRM_ACTION}">
<div class="errorbox">
<h3>{L_WARNING}</h3>
<p>{MESSAGE_TEXT}</p>
</div>
<fieldset>
{S_HIDDEN_FIELDS}
<div style="text-align: center;">
<input type="submit" name="confirm" value="{L_YES}" class="button2" />&nbsp;
<input type="submit" name="cancel" value="{L_CANCEL}" class="button2" />
</div>
</fieldset>
</form>
<!-- INCLUDE overall_footer.html -->

210
phpBB/includes/acp/acp_bbcodes.php
View File

@ -33,7 +33,7 @@ class acp_bbcodes
// Set up general vars
$action = request_var('action', '');
$bbcode_id = request_var('bbcode', 0);
$this->tpl_name = 'acp_bbcodes';
$this->page_title = 'ACP_BBCODES';
$form_key = 'acp_bbcodes';
@ -123,122 +123,138 @@ class acp_bbcodes
case 'modify':
case 'create':
$data = $this->build_regexp($bbcode_match, $bbcode_tpl);
// Make sure the user didn't pick a "bad" name for the BBCode tag.
$hard_coded = array('code', 'quote', 'quote=', 'attachment', 'attachment=', 'b', 'i', 'url', 'url=', 'img', 'size', 'size=', 'color', 'color=', 'u', 'list', 'list=', 'email', 'email=', 'flash', 'flash=');
if (($action == 'modify' && strtolower($data['bbcode_tag']) !== strtolower($row['bbcode_tag'])) || ($action == 'create'))
$warn_text = preg_match('%<[^>]*\{text[\d]*\}[^>]*>%i', $bbcode_tpl);
if (!$warn_text || confirm_box(true))
{
$sql = 'SELECT 1 as test
FROM ' . BBCODES_TABLE . "
WHERE LOWER(bbcode_tag) = '" . $db->sql_escape(strtolower($data['bbcode_tag'])) . "'";
$result = $db->sql_query($sql);
$info = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
$data = $this->build_regexp($bbcode_match, $bbcode_tpl);
// Grab the end, interrogate the last closing tag
if ($info['test'] === '1' || in_array(strtolower($data['bbcode_tag']), $hard_coded) || (preg_match('#\[/([^[]*)]$#', $bbcode_match, $regs) && in_array(strtolower($regs[1]), $hard_coded)))
// Make sure the user didn't pick a "bad" name for the BBCode tag.
$hard_coded = array('code', 'quote', 'quote=', 'attachment', 'attachment=', 'b', 'i', 'url', 'url=', 'img', 'size', 'size=', 'color', 'color=', 'u', 'list', 'list=', 'email', 'email=', 'flash', 'flash=');
if (($action == 'modify' && strtolower($data['bbcode_tag']) !== strtolower($row['bbcode_tag'])) || ($action == 'create'))
{
trigger_error($user->lang['BBCODE_INVALID_TAG_NAME'] . adm_back_link($this->u_action), E_USER_WARNING);
}
}
$sql = 'SELECT 1 as test
FROM ' . BBCODES_TABLE . "
WHERE LOWER(bbcode_tag) = '" . $db->sql_escape(strtolower($data['bbcode_tag'])) . "'";
$result = $db->sql_query($sql);
$info = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
if (substr($data['bbcode_tag'], -1) === '=')
{
$test = substr($data['bbcode_tag'], 0, -1);
}
else
{
$test = $data['bbcode_tag'];
}
if (!preg_match('%\\[' . $test . '[^]]*].*?\\[/' . $test . ']%s', $bbcode_match))
{
trigger_error($user->lang['BBCODE_OPEN_ENDED_TAG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if (strlen($data['bbcode_tag']) > 16)
{
trigger_error($user->lang['BBCODE_TAG_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if (strlen($bbcode_match) > 4000)
{
trigger_error($user->lang['BBCODE_TAG_DEF_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if (strlen($bbcode_helpline) > 255)
{
trigger_error($user->lang['BBCODE_HELPLINE_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql_ary = array(
'bbcode_tag' => $data['bbcode_tag'],
'bbcode_match' => $bbcode_match,
'bbcode_tpl' => $bbcode_tpl,
'display_on_posting' => $display_on_posting,
'bbcode_helpline' => $bbcode_helpline,
'first_pass_match' => $data['first_pass_match'],
'first_pass_replace' => $data['first_pass_replace'],
'second_pass_match' => $data['second_pass_match'],
'second_pass_replace' => $data['second_pass_replace']
);
if ($action == 'create')
{
$sql = 'SELECT MAX(bbcode_id) as max_bbcode_id
FROM ' . BBCODES_TABLE;
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
if ($row)
{
$bbcode_id = $row['max_bbcode_id'] + 1;
// Make sure it is greater than the core bbcode ids...
if ($bbcode_id <= NUM_CORE_BBCODES)
// Grab the end, interrogate the last closing tag
if ($info['test'] === '1' || in_array(strtolower($data['bbcode_tag']), $hard_coded) || (preg_match('#\[/([^[]*)]$#', $bbcode_match, $regs) && in_array(strtolower($regs[1]), $hard_coded)))
{
$bbcode_id = NUM_CORE_BBCODES + 1;
trigger_error($user->lang['BBCODE_INVALID_TAG_NAME'] . adm_back_link($this->u_action), E_USER_WARNING);
}
}
if (substr($data['bbcode_tag'], -1) === '=')
{
$test = substr($data['bbcode_tag'], 0, -1);
}
else
{
$bbcode_id = NUM_CORE_BBCODES + 1;
$test = $data['bbcode_tag'];
}
if ($bbcode_id > 1511)
if (!preg_match('%\\[' . $test . '[^]]*].*?\\[/' . $test . ']%s', $bbcode_match))
{
trigger_error($user->lang['TOO_MANY_BBCODES'] . adm_back_link($this->u_action), E_USER_WARNING);
trigger_error($user->lang['BBCODE_OPEN_ENDED_TAG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql_ary['bbcode_id'] = (int) $bbcode_id;
if (strlen($data['bbcode_tag']) > 16)
{
trigger_error($user->lang['BBCODE_TAG_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$db->sql_query('INSERT INTO ' . BBCODES_TABLE . $db->sql_build_array('INSERT', $sql_ary));
$cache->destroy('sql', BBCODES_TABLE);
if (strlen($bbcode_match) > 4000)
{
trigger_error($user->lang['BBCODE_TAG_DEF_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if (strlen($bbcode_helpline) > 255)
{
trigger_error($user->lang['BBCODE_HELPLINE_TOO_LONG'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$lang = 'BBCODE_ADDED';
$log_action = 'LOG_BBCODE_ADD';
$sql_ary = array(
'bbcode_tag' => $data['bbcode_tag'],
'bbcode_match' => $bbcode_match,
'bbcode_tpl' => $bbcode_tpl,
'display_on_posting' => $display_on_posting,
'bbcode_helpline' => $bbcode_helpline,
'first_pass_match' => $data['first_pass_match'],
'first_pass_replace' => $data['first_pass_replace'],
'second_pass_match' => $data['second_pass_match'],
'second_pass_replace' => $data['second_pass_replace']
);
if ($action == 'create')
{
$sql = 'SELECT MAX(bbcode_id) as max_bbcode_id
FROM ' . BBCODES_TABLE;
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
if ($row)
{
$bbcode_id = $row['max_bbcode_id'] + 1;
// Make sure it is greater than the core bbcode ids...
if ($bbcode_id <= NUM_CORE_BBCODES)
{
$bbcode_id = NUM_CORE_BBCODES + 1;
}
}
else
{
$bbcode_id = NUM_CORE_BBCODES + 1;
}
if ($bbcode_id > 1511)
{
trigger_error($user->lang['TOO_MANY_BBCODES'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql_ary['bbcode_id'] = (int) $bbcode_id;
$db->sql_query('INSERT INTO ' . BBCODES_TABLE . $db->sql_build_array('INSERT', $sql_ary));
$cache->destroy('sql', BBCODES_TABLE);
$lang = 'BBCODE_ADDED';
$log_action = 'LOG_BBCODE_ADD';
}
else
{
$sql = 'UPDATE ' . BBCODES_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE bbcode_id = ' . $bbcode_id;
$db->sql_query($sql);
$cache->destroy('sql', BBCODES_TABLE);
$lang = 'BBCODE_EDITED';
$log_action = 'LOG_BBCODE_EDIT';
}
add_log('admin', $log_action, $data['bbcode_tag']);
trigger_error($user->lang[$lang] . adm_back_link($this->u_action));
}
else
{
$sql = 'UPDATE ' . BBCODES_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE bbcode_id = ' . $bbcode_id;
$db->sql_query($sql);
$cache->destroy('sql', BBCODES_TABLE);
$lang = 'BBCODE_EDITED';
$log_action = 'LOG_BBCODE_EDIT';
{
confirm_box(false, $user->lang['BBCODE_DANGER'], build_hidden_fields(array(
'action' => $action,
'bbcode' => $bbcode_id,
'bbcode_match' => $bbcode_match,
'bbcode_tpl' => htmlspecialchars($bbcode_tpl),
'bbcode_helpline' => $bbcode_helpline,
'display_on_posting' => $display_on_posting,
))
, 'confirm_bbcode.html');
}
add_log('admin', $log_action, $data['bbcode_tag']);
trigger_error($user->lang[$lang] . adm_back_link($this->u_action));
break;
case 'delete':

3
phpBB/language/en/acp/posting.php
View File

@ -41,6 +41,9 @@ $lang = array_merge($lang, array(
'ACP_BBCODES_EXPLAIN' => 'BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.',
'ADD_BBCODE' => 'Add a new BBCode',
'BBCODE_DANGER' => 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} type instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.',
'BBCODE_DANGER_PROCEED' => 'Proceed', //'I understand the risk',
'BBCODE_ADDED' => 'BBCode added successfully.',
'BBCODE_EDITED' => 'BBCode edited successfully.',
'BBCODE_NOT_EXIST' => 'The BBCode you selected does not exist.',