Diffstat (limited to 'includes')
-rw-r--r-- | includes/comment.inc | 16 | ||||
-rw-r--r-- | includes/common.inc | 75 | ||||
-rw-r--r-- | includes/conf.php (renamed from includes/setting.php) | 15 | ||||
-rw-r--r-- | includes/database.inc | 1 | ||||
-rw-r--r-- | includes/module.inc | 2 | ||||
-rw-r--r-- | includes/node.inc | 9 | ||||
-rw-r--r-- | includes/search.inc | 2 | ||||
-rw-r--r-- | includes/structure.inc | 4 | ||||
-rw-r--r-- | includes/variable.inc | 10 |
9 files changed, 74 insertions, 60 deletions
diff --git a/includes/comment.inc b/includes/comment.inc
index 9ecc1c690..f7bea9ac6 100644
--- a/includes/comment.inc
+++ b/includes/comment.inc
@@ -48,7 +48,7 @@ function comment_settings($mode, $order, $threshold) {
 }
 function comment_reply($pid, $id) {
- global $allowed_html, $REQUEST_URI, $theme, $user;
+ global $REQUEST_URI, $theme, $user;
 if ($pid) {
 $item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = '$pid'"));
@@ -69,8 +69,8 @@ function comment_reply($pid, $id) {
 // Comment field:
 $output .= "<B>".t("Comment") .":</B><BR>\n";
- $output .= "<TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_textarea($user->signature) ."</TEXTAREA><BR>\n";
- $output .= "<SMALL><I>". t("Allowed HTML tags") .": ". htmlspecialchars($allowed_html) .".</I></SMALL><P>\n";
+ $output .= "<TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_form($user->signature) ."</TEXTAREA><BR>\n";
+ $output .= "<SMALL><I>". t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", "")) .".</I></SMALL><P>\n";
 // Preview button:
 $output .= "<SMALL><I>". t("You must preview at least once before you can submit") .":</I></SMALL><BR>\n";
@@ -84,10 +84,10 @@ function comment_reply($pid, $id) {
 }
 function comment_preview($pid, $id, $subject, $comment) {
- global $allowed_html, $REQUEST_URI, $theme, $user;
+ global $REQUEST_URI, $theme, $user;
 // Preview comment:
- comment_view(new Comment($user->userid, $subject, $comment, time(), $user->url, $user->fake_email, 0, 0, 0, 0), t("reply to this comment"));
+ comment_view(new Comment($user->userid, check_preview($subject), check_preview($comment), time(), check_preview($user->url), check_preview($user->fake_email), 0, 0, 0, 0), t("reply to this comment"));
 // Build reply form:
 $output .= "<FORM ACTION=\"$REQUEST_URI\" METHOD=\"post\">\n";
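Review bot: In comment_preview, `$user->userid` is the one Comment constructor argument not wrapped in check_preview(), while subject, comment, url and fake_email are; if comment_view() renders userid the same way as the other fields, the preview shows it through a different path than the stored comment will. Make the treatment uniform, e.g. `new Comment(check_preview($user->userid), check_preview($subject), ...)`, or add a comment on that line stating why userid is trusted as-is. Note also that check_preview() runs the module filter hooks, so what the preview shows depends on which modules are enabled at preview time. The rest of comment_preview's body lies outside the hunk.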
@@ -98,12 +98,12 @@ function comment_preview($pid, $id, $subject, $comment) {
 // Subject field:
 $output .= "<B>". t("Subject") .":</B><BR>\n";
- $output .= "<INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_textfield($subject) ."\"><P>\n";
+ $output .= "<INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_form($subject) ."\"><P>\n";
 // Comment field:
 $output .= "<B>". t("Comment") .":</B><BR>\n";
- $output .= "<TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_textarea($comment) ."</TEXTAREA><BR>\n";
- $output .= "<SMALL><I>". t("Allowed HTML tags") .": ". htmlspecialchars($allowed_html) .".</I></SMALL><P>\n";
+ $output .= "<TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_form($comment) ."</TEXTAREA><BR>\n";
+ $output .= "<SMALL><I>". t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", "")) .".</I></SMALL><P>\n";
 // Hidden fields:
 $output .= "<INPUT TYPE=\"hidden\" NAME=\"pid\" VALUE=\"$pid\">\n";
diff --git a/includes/common.inc b/includes/common.inc
index bb8c2677e..2ceb45505 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -6,7 +6,7 @@ function conf_init() {
 global $HTTP_HOST, $REQUEST_URI;
 $file = strtolower(strtr($HTTP_HOST ."". substr($REQUEST_URI, 0, strrpos($REQUEST_URI, "/")), "/:", ".."));
 while ($file && !file_exists("includes/$file.php")) $file = substr($file, 0, strrpos($file, "."));
- return $file ? $file : "setting";
+ return $file ? $file : "conf";
 }
 function error_handler($errno, $message, $filename, $line, $variables) {
@@ -52,30 +52,16 @@ function notice_account() {
 return t("This page requires a valid user account. Please <A HREF=\"account.php\">create a user account</A> and <A HREF=\"account.php\">login</A> prior to accessing it.");
 }
-function check_textfield($message) {
- return strip_tags(str_replace("\"", """, stripslashes($message)));
+function check_form($text) {
+ return htmlspecialchars(stripslashes($text));
 }
-function check_select($message) {
- return check_textfield($message);
+function check_export($text) {
+ return htmlspecialchars(stripslashes($text));
 }
-function check_export($message) {
- return check_textfield($message);
-}
-
-function check_textarea($message) {
- global $allowed_html;
- return htmlspecialchars(strip_tags(stripslashes($message), $allowed_html));
-}
-
-function check_input($message) {
- global $allowed_html;
- return strip_tags(addslashes(stripslashes(substr($message, 0, variable_get(max_input_size, 10000)))), $allowed_html);
-}
-
-function check_code($message) {
- return $message;
+function check_code($text) {
+ return $text;
 }
 function check_mail($mail) {
@@ -86,10 +72,18 @@ function check_name($name) {
 return ereg("[^a-zA-Z0-9_-]", $name) ? 0 : 1;
 }
-function check_output($message, $nl2br = 0) {
- global $allowed_html, $na;
- $var = strip_tags(stripslashes(node_macro($message)), $allowed_html);
- return ($var) ? (($nl2br) ? nl2br($var) : $var) : $na;
+function check_preview($text) {
+ return check_output(check_input($text), 1);
+}
+
+function check_input($text) {
+ foreach (module_list() as $module) $text = module_invoke($module, "filter", $text);
+ return addslashes(stripslashes(substr($text, 0, variable_get("max_input_size", 10000))));
+}
+
+function check_output($text, $nl2br = 0) {
+ global $na;
+ return ($text) ? (($nl2br) ? nl2br(stripslashes($text)) : stripslashes($text)) : $na;
 }
 function format_plural($count, $singular, $plural) {
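Review bot: check_export() has the same body as the new check_form() (`htmlspecialchars(stripslashes($text))`); two definitions of the same escaping will drift apart, so `return check_form($text);` keeps a single place to maintain. check_code() still returns its input untouched with no comment saying so; a one-line comment such as `// no escaping: only pass trusted, already-filtered text` would make the contract visible at the call sites this commit migrates from check_textfield/check_textarea.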
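Review bot: check_output() no longer strips tags against the allowed-HTML list (the old `strip_tags(stripslashes(node_macro($message)), $allowed_html)` is gone), so everything now rests on check_input() having filtered the text on the way in; any value stored before this change, or written through a path that bypasses check_input(), now reaches the browser as-is. Keeping an output-side `strip_tags(stripslashes($text), variable_get("allowed_html", ""))` would preserve defense in depth for already-stored content. In check_input() the `substr` truncation runs after the module filters, so a cut inside a tag the filters accepted yields unbalanced markup that check_output() then emits unchanged; truncating first, `$text = substr($text, 0, variable_get("max_input_size", 10000));` before the foreach and `return addslashes(stripslashes($text));` after it, filters exactly what will be stored. The filter loop also depends on module_invoke() returning its argument when a module lacks the hook, which the module.inc hunk in this commit introduces.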
@@ -172,15 +166,15 @@ function form_item($title, $value, $description = 0) {
 }
 function form_textfield($title, $name, $value, $size, $maxlength, $description = 0) {
- return form_item($title, "<INPUT MAXLENGTH=\"$maxlength\" NAME=\"edit[$name]\" SIZE=\"$size\" VALUE=\"". check_textfield($value) ."\">", $description);
+ return form_item($title, "<INPUT MAXLENGTH=\"$maxlength\" NAME=\"edit[$name]\" SIZE=\"$size\" VALUE=\"". check_form($value) ."\">", $description);
 }
 function form_textarea($title, $name, $value, $cols, $rows, $description = 0) {
- return form_item($title, "<TEXTAREA WRAP=\"virtual\" COLS=\"$cols\" ROWS=\"$rows\" NAME=\"edit[$name]\">". check_textarea($value) ."</TEXTAREA>", $description);
+ return form_item($title, "<TEXTAREA WRAP=\"virtual\" COLS=\"$cols\" ROWS=\"$rows\" NAME=\"edit[$name]\">". check_form($value) ."</TEXTAREA>", $description);
 }
 function form_select($title, $name, $value, $options, $description = 0) {
- foreach ($options as $key=>$choice) $select .= "<OPTION VALUE=\"$key\"". ($key == $value ? " SELECTED" : "") .">". check_select($choice) ."</OPTION>";
+ foreach ($options as $key=>$choice) $select .= "<OPTION VALUE=\"$key\"". ($key == $value ? " SELECTED" : "") .">". check_form($choice) ."</OPTION>";
 return form_item($title, "<SELECT NAME=\"edit[$name]\">$select</SELECT>", $description);
 }
@@ -189,11 +183,11 @@ function form_file($title, $name, $size, $description = 0) {
 }
 function form_hidden($name, $value) {
- return "<INPUT TYPE=\"hidden\" NAME=\"edit[$name]\" VALUE=\"". check_textfield($value) ."\">\n";
+ return "<INPUT TYPE=\"hidden\" NAME=\"edit[$name]\" VALUE=\"". check_form($value) ."\">\n";
 }
 function form_submit($value) {
- return "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"". check_textfield($value) ."\">\n";
+ return "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"". check_form($value) ."\">\n";
 }
 function field_get($string, $name) {
@@ -227,6 +221,26 @@ function field_set($string, $name, $value) {
 return $rval;
 }
+function timer_start() {
+ global $timer;
+ $timer = explode(" ", microtime());
+}
+
+function timer_print() {
+ global $timer;
+ $stop = explode(" ", microtime());
+ $diff = $stop[0] - $timer[0];
+ print "<PRE>execution time: $diff ms</PRE>";
+}
+
+function page_header() {
+ if (variable_get("dev_timer", 0)) timer_start();
+}
+
+function page_footer() {
+ if (variable_get("dev_timer", 0)) timer_print();
+}
+
 $conf = conf_init();
 include_once "includes/$conf.php";
@@ -237,7 +251,6 @@ include_once "includes/comment.inc";
 include_once "includes/module.inc";
 include_once "includes/locale.inc";
 include_once "includes/search.inc";
-include_once "includes/timer.inc";
 include_once "includes/theme.inc";
 include_once "includes/user.inc";
 include_once "includes/node.inc";
diff --git a/includes/setting.php b/includes/conf.php
index 525de3bb4..77fb30298 100644
--- a/includes/setting.php
+++ b/includes/conf.php
@@ -25,11 +25,6 @@ $comment_votes = array("none" => "none", "+5" => "+ 5");
 #
-# Allowed HTML tags:
-#
-$allowed_html = "<A><B><BLOCKQUOTE><CODE><DD><DL><DT><EM><HR><I><LI><SMALL><OL><U><UL>";
-
-#
 # Themes:
 # The first theme listed in this associative array will automatically
 # become the default theme.
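Review bot: timer_print() computes `$diff = $stop[0] - $timer[0]` from only the fractional-second part that microtime() returns first, so the value is wrong (often negative) whenever a whole-second boundary is crossed, and the label says "ms" although the difference is in seconds. Use both parts, `$diff = ($stop[1] + $stop[0]) - ($timer[1] + $timer[0]);`, and either print it as seconds or multiply by 1000 to match the label. timer_print() also writes straight into the page body; since page_footer() only enables it behind `variable_get("dev_timer", 0)`, a comment marking it as a development-only switch that should stay off on public sites would help. The hunk covers the four new functions completely.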
@@ -47,16 +42,6 @@ $themes = array("UnConeD" => array(
 # automatically become the default language. You can add a language
 # but make sure your SQL table, called locales is updated
 # appropriately.
-#
-# Translation support - as provided by the default locale module add
-# significant overhead to your site in exchange for excessive
-# maintenance capabilities. If your site does not require
-# translation support, disable it by commenting out the $language
-# variable below.
-#$languages = array(); // = language support disabled
 $languages = array("en" => "English");
-# This line prevents users from accessing your settings file:
-if (basename($SCRIPT_FILENAME) == basename(__FILE__) && basename($SCRIPT_FILENAME) != "") die("access denied");
-
 ?>
\ No newline at end of file
diff --git a/includes/database.inc b/includes/database.inc
index 634ec55ef..68562f334 100644
--- a/includes/database.inc
+++ b/includes/database.inc
@@ -6,6 +6,7 @@ function db_connect($host, $user, $pass, $name) {
 // NOTE: we are using a persistent connection!
 }
+
 function db_query($query, $debug = 0) {
 $result = mysql_query($query);
 if ($debug) print "<P>query: $query<BR>error:". mysql_error() ."</P>";
diff --git a/includes/module.inc b/includes/module.inc
index aa631faec..9033078c3 100644
--- a/includes/module.inc
+++ b/includes/module.inc
@@ -13,7 +13,7 @@ function module_iterate($function, $argument = "") {
 // invoke hook $hook of module $name with optional arguments:
 function module_invoke($name, $hook, $argument = "") {
 $function = $name ."_". $hook;
- if (function_exists($function)) return $function($argument);
+ return function_exists($function) ? $function($argument) : $argument;
 }
 // return true if module $name supports hook $hook, and false otherwise:
diff --git a/includes/node.inc b/includes/node.inc
index fcfd26dd7..6d999e25c 100644
--- a/includes/node.inc
+++ b/includes/node.inc
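Review bot: The rename from setting.php to conf.php drops the guard `if (basename($SCRIPT_FILENAME) == basename(__FILE__) && basename($SCRIPT_FILENAME) != "") die("access denied");` that refused direct requests to the settings file, and nothing replaces it; the file stays under the web root with a .php extension. On a direct request PHP would only execute the assignments, but if the server ever serves the file as text its contents are exposed, so either keep the guard or state in the file header that the web server must deny direct access to includes/. The `$allowed_html` setting removed in the earlier conf.php hunk is now read with `variable_get("allowed_html", "")`, whose default is the empty string; a comment in conf.php saying where the list moved would save administrators a search. The hunk also removes the comment explaining how to disable language support while keeping the `$languages` line it referred to.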
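Review bot: module_invoke() now returns `$argument` unchanged when the module lacks the hook, which is what lets check_input() chain `filter` hooks across module_list(), but the comment above it still reads only `// invoke hook $hook of module $name with optional arguments:`. Extend it to `// invoke hook $hook of module $name; returns the hook's result, or $argument unchanged if the module does not implement the hook:` so callers of other hooks know a non-null return no longer proves the hook ran. A module whose filter hook returns nothing would still collapse the text to null for every later module in the chain, which check_input() does not guard against.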
@@ -183,13 +183,20 @@ function node_control($node) {
 }
 $output .= "<FORM METHOD=\"get\" ACTION=\"\">\n";
- foreach ($choices as $key => $value) $options .= "<OPTION VALUE=\"$key\"". (strstr($REQUEST_URI,"/$key") ? " SELECTED" : "") .">". check_select($value) ."</OPTION>\n";
+ foreach ($choices as $key => $value) $options .= "<OPTION VALUE=\"$key\"". (strstr($REQUEST_URI,"/$key") ? " SELECTED" : "") .">". check_form($value) ."</OPTION>\n";
 $output .= " <SELECT NAME=\"op\" ONCHANGE=\"visit(this.options[this.selectedIndex].value)\">$options</SELECT>\n";
 $output .= "</FORM>\n";
 return $output;
 }
+function node_preview($node) {
+ foreach ($node as $key=>$value) {
+ if ($node[$key]) $node[$key] = check_preview($value);
+ }
+ return $node;
+}
+
 function node_visible($node) {
 global $user, $status;
 return ($node->status == $status[posted]) || ($node->status == $status[queued] && $user->id) || user_access($user, $node->type) || user_access($user, "node");
diff --git a/includes/search.inc b/includes/search.inc
index af2139e84..11247c525 100644
--- a/includes/search.inc
+++ b/includes/search.inc
@@ -3,7 +3,7 @@ function search_form($keys) {
 global $REQUEST_URI;
 $output .= "<FORM ACTION=\"$REQUEST_URI\" METHOD=\"POST\">\n";
- $output .= " <INPUT SIZE=\"50\" VALUE=\"". check_textfield($keys) ."\" NAME=\"keys\">";
+ $output .= " <INPUT SIZE=\"50\" VALUE=\"". check_form($keys) ."\" NAME=\"keys\">";
 $output .= " <INPUT TYPE=\"submit\" VALUE=\"". t("Search") ."\">\n";
 $output .= "</FORM>\n";
 return $output;
diff --git a/includes/structure.inc b/includes/structure.inc
index 6d38bfbce..989ee7f2f 100644
--- a/includes/structure.inc
+++ b/includes/structure.inc
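Review bot: node_preview() passes every truthy field of `$node` through check_preview(), including identifiers and numeric fields, so the module filter hooks and nl2br() run on values such as a type or id that were never user-formatted text; if any filter rewrites one of them the preview diverges from what will be saved. Restricting the loop to the text fields, or documenting on the function that callers must pass only the user-entered fields, would avoid that. The `if ($node[$key])` test also skips fields whose value is "0" or an empty string, which the function's comment should say. The foreach reads `$node` with array syntax while node_visible() just below accesses `$node->status` as an object; a comment stating which shape node_preview() expects would help.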
@@ -74,7 +74,7 @@ function category_name($cid) {
 function category_form_select($type, $edit = array(), $size = 1) {
 $result = db_query("SELECT * FROM category WHERE type = '$type'");
 while ($category = db_fetch_object($result)) {
- $options .= "<OPTION VALUE=\"$category->cid\"". ($edit[cid] == $category->cid ? "SELECTED" : "") .">". check_select($category->name) ."</OPTION>";
+ $options .= "<OPTION VALUE=\"$category->cid\"". ($edit[cid] == $category->cid ? "SELECTED" : "") .">". check_form($category->name) ."</OPTION>";
 }
 return "<SELECT NAME=\"edit[cid]\" SIZE=\"$size\"". ($size > 1 ? "MULTIPLE" : "") .">$options</SELECT>\n";
 }
@@ -133,7 +133,7 @@ function topic_moderate($tid) {
 // renders a HTML form to select one or more topics:
 function topic_form_select($edit = array(), $size = 1) {
 foreach (topic_tree() as $tid=>$name) {
- $options .= "<OPTION VALUE=\"$tid\"". ($edit[tid] == $tid ? "SELECTED" : "") .">". check_select($name) ."</OPTION>";
+ $options .= "<OPTION VALUE=\"$tid\"". ($edit[tid] == $tid ? "SELECTED" : "") .">". check_form($name) ."</OPTION>";
 }
 return "<SELECT NAME=\"edit[tid]\" SIZE=\"$size\"". ($size > 1 ? "MULTIPLE" : "") .">$options</SELECT>\n";
 }
diff --git a/includes/variable.inc b/includes/variable.inc
index 5f47c03e6..618c7f4ce 100644
--- a/includes/variable.inc
+++ b/includes/variable.inc
@@ -32,7 +32,7 @@ function variable_get($name, $default, $object = 0) {
 case "expire_threshold": return handler_expire_threshold($object, $default);
 default:
- return ($conf[$name] ? $conf[$name] : $default);
+ return $conf[$name] ? $conf[$name] : $default;
 }
 }
@@ -45,4 +45,12 @@ function variable_set($name, $value) {
 $conf[$name] = $value;
 }
+function variable_del($name) {
+ global $conf;
+
+ db_query("DELETE FROM variable WHERE name = '". check_input($name) ."'");
+
+ $conf[$name] = "";
+}
+
 ?>
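Review bot: variable_del() builds its DELETE with `check_input($name)`, which is the user-content filter: it runs every module's filter hook on the name and truncates it, and its only SQL protection is addslashes(); a filter that rewrites the name deletes the wrong row or none. Escape the value for SQL directly, e.g. `db_query("DELETE FROM variable WHERE name = '". addslashes($name) ."'");` (or mysql_escape_string(), where this PHP version provides it), and keep check_input() for content. Setting `$conf[$name] = ""` rather than `unset($conf[$name])` relies on variable_get()'s truthiness test to fall back to the default; a comment on that line would make the intent explicit.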
\ No newline at end of file |