-rw-r--r--inc/actions.php33
-rw-r--r--inc/template.php5
-rw-r--r--tpl/default/layout.css1
3 files changed, 32 insertions, 7 deletions
diff --git a/inc/actions.php b/inc/actions.php
index 345ef8e37..6208e1970 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -9,6 +9,7 @@
if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
require_once(DOKU_INC.'inc/template.php');
+
/**
* Call the needed action handlers
*
@@ -22,6 +23,9 @@ function act_dispatch(){
global $lang;
global $conf;
+ //sanitize $ACT
+ $ACT = act_clean($ACT);
+
//check permissions
$ACT = act_permcheck($ACT);
@@ -35,7 +39,7 @@ function act_dispatch(){
//edit
if(($ACT == 'edit' || $ACT == $lang['btn_preview']) && $INFO['editable']){
- $ACT = act_save($ACT);
+ $ACT = act_edit($ACT);
}else{
unlock($ID); //try to unlock
}
@@ -55,14 +59,36 @@ function act_dispatch(){
$ACT = 'show';
}
- //fixme sanitize $ACT
-
//call template FIXME: all needed vars available?
header('Content-Type: text/html; charset=utf-8');
include(DOKU_INC.'tpl/'.$conf['template'].'/main.php');
}
/**
+ * Sanitize the action command
+ *
+ * Add all allowed commands here.
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+function act_clean($act){
+ global $lang;
+ global $conf;
+
+ if($act == 'register' && !$conf['openregister'])
+ return 'show';
+
+ if(!array_search($act,array('login','logout','register','save','edit',
+ $lang['btn_preview'],'export_raw','export_html',
+ 'search','show','check','index','revisions',
+ 'diff','recent','backlink',))){
+ msg('Unknown command',-1);
+ return 'show';
+ }
+ return $act;
+}
+
+/**
* Run permissionchecks
*
* @author Andreas Gohr <andi@splitbrain.org>
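Review bot: act_clean rejects the first whitelisted command, because `!array_search(...)` on line 60 treats the matching key 0 (`'login'`) as false, so `?do=login` is reported as "Unknown command" and mapped to `show`; the test should be `if(!in_array($act, array('login','logout','register', ...), true)){`, where strict mode also avoids loose comparison of the incoming string against `$lang['btn_preview']` and the other entries. Keeping this whitelist as the single place where `$ACT` is constrained before `act_permcheck` runs is the right shape, so the "Add all allowed commands here" note in the docblock should stay. The `register` branch returns `show` silently while the unknown-command branch reports through `msg()`; consider giving both the same feedback so a closed registration is not mistaken for a broken link. This hunk ends inside the docblock of act_permcheck, whose body lies outside it.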
@@ -83,6 +109,7 @@ function act_permcheck($act){
return 'denied';
}
+
return $act;
}
diff --git a/inc/template.php b/inc/template.php
index 00de7ad67..bb2a52352 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -95,7 +95,6 @@ function tpl_content(){
html_login();
break;
case 'register':
- #FIXME check for $conf['openregister']) needs to be done first!!
html_register();
break;
default:
@@ -104,7 +103,6 @@ function tpl_content(){
}
-
/**
* Print the correct HTML meta headers
*
@@ -223,12 +221,11 @@ function tpl_button($type){
/**
* Print the search form
*
- * @todo svcheck missing
* @author Andreas Gohr <andi@splitbrain.org>
*/
function tpl_searchform(){
global $lang;
- print '<form action="'.wl().'" accept-charset="utf-8" class="search">';
+ print '<form action="'.wl().'" accept-charset="utf-8" class="search" onsubmit="return svchk()">';
print '<input type="hidden" name="do" value="search" />';
print '<input type="text" accesskey="f" name="id" class="edit" />';
print '<input type="submit" value="'.$lang['btn_search'].'" class="button" />';
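Review bot: The added `onsubmit="return svchk()"` on line 108 is a client-side hook only; nothing in this commit defines `svchk` (the diffstat lists no script file), and if it is undefined in the page the handler throws and the form submits regardless, so the check silently does nothing. Either way the `do=search` handler must validate the submitted `id` server-side, since an onsubmit guard is not part of any direct request, and the removed `@todo svcheck missing` line suggested the check was meant as a convenience rather than a control; a comment such as `// onsubmit is a UX check only; the search action validates id itself` would record that. tpl_searchform continues past the end of this hunk.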
diff --git a/tpl/default/layout.css b/tpl/default/layout.css
index c4208c2c6..292851316 100644
--- a/tpl/default/layout.css
+++ b/tpl/default/layout.css
@@ -55,6 +55,7 @@
background:#DEE7EC;
padding:2px;
margin:0;
+ clear: both;
}
.bar-left {