merging TEXT warn from 3_0_0

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_7@10512 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-02-25 04:23:38 +01:00 · 2010-02-20 16:44:00 +00:00 · 2010-02-20 16:44:00 +00:00 · d7f4922993
commit d7f4922993
parent a63ceb28e2
3 changed files with 138 additions and 97 deletions
--- a/phpBB/adm/style/confirm_bbcode.html
+++ b/phpBB/adm/style/confirm_bbcode.html
@ -0,0 +1,22 @@
+<!-- INCLUDE overall_header.html -->
+
+<form id="confirm" method="post" action="{S_CONFIRM_ACTION}">
+	<div class="errorbox">
+		<h3>{L_WARNING}</h3>
+		<p>{MESSAGE_TEXT}</p>
+	</div>
+<fieldset>
+
+
+	{S_HIDDEN_FIELDS}
+
+	<div style="text-align: center;">
+		<input type="submit" name="confirm" value="{L_YES}" class="button2" />&nbsp; 
+		<input type="submit" name="cancel" value="{L_CANCEL}" class="button2" />
+	</div>
+
+</fieldset>
+		
+</form>
+
+<!-- INCLUDE overall_footer.html -->
--- a/phpBB/includes/acp/acp_bbcodes.php
+++ b/phpBB/includes/acp/acp_bbcodes.php
@ -124,6 +124,9 @@ class acp_bbcodes
 			case 'modify':
 			case 'create':
 			
+				$warn_text = preg_match('%<[^>]*\{text[\d]*\}[^>]*>%i', $bbcode_tpl);
+				if (!$warn_text || confirm_box(true))
+				{
 					$data = $this->build_regexp($bbcode_match, $bbcode_tpl);

 					// Make sure the user didn't pick a "bad" name for the BBCode tag.
@ -238,6 +241,19 @@ class acp_bbcodes
 					add_log('admin', $log_action, $data['bbcode_tag']);

 					trigger_error($user->lang[$lang] . adm_back_link($this->u_action));
+				}
+				else
+				{  
+					confirm_box(false, $user->lang['BBCODE_DANGER'], build_hidden_fields(array(
+						'action'				=> $action,
+						'bbcode'				=> $bbcode_id,
+						'bbcode_match'			=> $bbcode_match,
+						'bbcode_tpl'			=> htmlspecialchars($bbcode_tpl),
+						'bbcode_helpline'		=> $bbcode_helpline,
+						'display_on_posting'	=> $display_on_posting,
+						))
+					, 'confirm_bbcode.html');
+				}

 			break;

--- a/phpBB/language/en/acp/posting.php
+++ b/phpBB/language/en/acp/posting.php
@ -41,6 +41,9 @@ $lang = array_merge($lang, array(
 	'ACP_BBCODES_EXPLAIN'		=> 'BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.',
 	'ADD_BBCODE'				=> 'Add a new BBCode',

+	'BBCODE_DANGER'				=> 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} type instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.',
+	'BBCODE_DANGER_PROCEED'		=> 'Proceed', //'I understand the risk',
+
 	'BBCODE_ADDED'				=> 'BBCode added successfully.',
 	'BBCODE_EDITED'				=> 'BBCode edited successfully.',
 	'BBCODE_NOT_EXIST'			=> 'The BBCode you selected does not exist.',