From: <be...@us...> - 2014-11-27 20:16:06
Revision: 12877
http://sourceforge.net/p/xoops/svn/12877
Author: beckmi
Date: 2014-11-27 20:15:53 +0000 (Thu, 27 Nov 2014)
Log Message:
-----------
Adding 2.5.7.1 patch
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/admin/modulesadmin/main.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/themes/default/default.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/pmlite.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/readpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/htdocs/viewpmsg.php
XoopsCore/branches/2.5.x/2.5.7.1/release_notes.txt
Modified: XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/docs/changelog.250.txt 2014-11-27 20:15:53 UTC (rev 12877)
@@ -1,5 +1,17 @@
XOOPS 2.5.x Changelog (Language changes: see: /docs/lang_diff.txt)
+=================================
+2014/06/14: Version 2.5.7.1 Final
+=================================
+
+This patch for XOOPS 2.5.7 corrects the following issues:
+
+- CSRF and XSS issues reported by Dingjie 'Daniel' Yang of Qualsys
+- XSS and best practice issues reported by Narendra Bhati
+
+All XOOPS 2.5.7 users are advised to apply this patch as soon as possible. Any users that are running an older XOOPS version are advised to update to XOOPS 2.5.7.1 now.
+
+
===============================
2014/06/14: Version 2.5.7 Final
===============================
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/uploader.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package kernel
* @since 2.0.0
@@ -589,7 +589,7 @@
} else {
$ret = '';
if (count($this->errors) > 0) {
- $ret = '<h4>' . sprintf(_ER_UP_ERRORSRETURNED, $this->mediaName) . '</h4>';
+ $ret = '<h4>' . sprintf(_ER_UP_ERRORSRETURNED, htmlspecialchars($this->mediaName, ENT_QUOTES)) . '</h4>';
foreach ($this->errors as $error) {
$ret .= $error . '<br />';
}
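Review bot: The error strings appended on the line after the new escape are still emitted as raw HTML; if any entry in $this->errors embeds the media name, MIME type or another upload-derived value (not visible in this hunk), it needs the same treatment, e.g. `$ret .= htmlspecialchars($error, ENT_QUOTES) . '<br />';` — unless the errors are deliberately pre-formatted markup. Consider also passing the charset explicitly, `htmlspecialchars($this->mediaName, ENT_QUOTES, 'UTF-8')`, since the default charset changed between PHP releases (ISO-8859-1 before 5.4) and this file is meant to run on several. The enclosing method starts and ends outside this hunk.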
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsfilterinput.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -13,7 +13,7 @@
* XoopsFilterInput is a class for filtering input from any data source
*
* Forked from the php input filter library by Daniel Morris
- *
+ *
* Original Contributors: Gianpaolo Racca, Ghislain Picard,
* Marco Wandschneider, Chris Tobin and Andrew Eddie.
*
@@ -26,7 +26,7 @@
* @author Richard Griffith <ri...@ge...>
* @copyright 2005 Daniel Morris
* @copyright 2005 - 2013 Open Source Matters, Inc. All rights reserved.
- * @copyright 2011-2013 The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright 2011-2014 The XOOPS Project http://sourceforge.net/projects/xoops/
* @license GNU GPL 2 or later (http://www.gnu.org/licenses/gpl-2.0.html)
* @version Release: 1.0
* @link http://xoops.org
@@ -66,10 +66,10 @@
$xssAuto = 1
) {
// make sure user defined arrays are in lowercase
- for ($i = 0; $i < count($tagsArray); $i++) {
+ for ($i = 0; $i < count($tagsArray); ++$i) {
$tagsArray[$i] = strtolower($tagsArray[$i]);
}
- for ($i = 0; $i < count($attrArray); $i++) {
+ for ($i = 0; $i < count($attrArray); ++$i) {
$attrArray[$i] = strtolower($attrArray[$i]);
}
// assign to member vars
@@ -121,11 +121,11 @@
}
/**
- * Method to be called by another php script. Processes for XSS and
+ * Method to be called by another php script. Processes for XSS and
* any specified bad code.
*
* @param Mixed $source - input string/array-of-string to be 'cleaned'
- *
+ *
* @return String $source - 'cleaned' version of input parameter
*/
public function process($source)
@@ -258,7 +258,7 @@
* Internal method to iteratively remove all unwanted tags and attributes
*
* @param String $source - input string to be 'cleaned'
- *
+ *
* @return String $source - 'cleaned' version of input parameter
*/
protected function remove($source)
@@ -267,7 +267,7 @@
// provides nested-tag protection
while ($source != $this->filterTags($source)) {
$source = $this->filterTags($source);
- $loopCounter++;
+ ++$loopCounter;
}
return $source;
@@ -275,9 +275,9 @@
/**
* Internal method to strip a string of certain tags
- *
+ *
* @param String $source - input string to be 'cleaned'
- *
+ *
* @return String $source - 'cleaned' version of input parameter
*/
protected function filterTags($source)
@@ -355,7 +355,7 @@
$attr = substr($fromSpace, 0, $nextSpace);
}
// one or neither exist
-
+
} else {
// no more equals exist
$attr = substr($fromSpace, 0, $nextSpace);
@@ -378,7 +378,7 @@
if (!$isCloseTag) {
$attrSet = $this->filterAttr($attrSet);
$preTag .= '<' . $tagName;
- for ($i = 0; $i < count($attrSet); $i++) {
+ for ($i = 0; $i < count($attrSet); ++$i) {
$preTag .= ' ' . $attrSet[$i];
}
// reformat single tags to XHTML
@@ -406,14 +406,14 @@
* Internal method to strip a tag of certain attributes
*
* @param array $attrSet attributes
- *
+ *
* @return Array $newSet stripped attributes
*/
protected function filterAttr($attrSet)
{
$newSet = array();
// process attributes
- for ($i = 0; $i <count($attrSet); $i++) {
+ for ($i = 0; $i <count($attrSet); ++$i) {
// skip blank spaces in tag
if (!$attrSet[$i]) {
continue;
@@ -483,7 +483,7 @@
* Try to convert to plaintext
*
* @param String $source string to decode
- *
+ *
* @return String $source decoded
*/
protected function decode($source)
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/class/xoopsrequest.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -21,7 +21,7 @@
* @author Richard Griffith <ri...@ge...>
* @author trabis <lus...@gm...>
* @author Joomla!
- * @copyright 2011-2013 The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 or later (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @version Release: 1.0
* @link http://xoops.org
@@ -429,6 +429,11 @@
$var = trim($var);
}
+ // convert $var in array if $type is ARRAY
+ if (strtoupper($type) == 'ARRAY' && !is_array($var)) {
+ $var = array($var);
+ }
+
// Now we handle input filtering
if ($mask & 2) {
// If the allow raw flag is set, do not modify the variable
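Review bot: The new block only covers the ARRAY-requested/scalar-supplied direction; the reverse — a scalar type such as STRING requested but an array supplied via `name[]=` — is not checked here, and if the filtering further down casts with intval() or string conversion, an array silently becomes 1 or 'Array' instead of being rejected. A guard at the same spot would close that, e.g. `if (strtoupper($type) != 'ARRAY' && is_array($var)) { $var = ''; }`, using whatever the function's existing failure value is. The comparison can be `===` since both operands are strings. The enclosing method starts and ends outside this hunk.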
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/common.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package kernel
* @version $Id$
@@ -130,6 +130,14 @@
trigger_error('File Path Error: ' . 'var/configs/xoopsconfig.php' . ' does not exist.');
}
+/**
+ * clickjack protection - Add option to HTTP header restrictig using site in an iframe
+ */
+$xFrameOptions = isset($xoopsConfig['xFrameOptions']) ? $xoopsConfig['xFrameOptions'] : 'sameorigin';
+if (!headers_sent() && !empty($xFrameOptions)) {
+ header('X-Frame-Options: ' .$xFrameOptions);
+}
+
//check if user set a local timezone (from XavierS)
// $xoops_server_timezone="Etc/GMT";
// if ($xoopsConfig["server_TZ"]>0) {
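Review bot: The configured value is written into the header unchanged, but browsers honour only DENY, SAMEORIGIN and ALLOW-FROM; any other string (a typo in the config) is ignored and silently leaves the site frameable, so validate it, e.g. `if (!in_array(strtoupper($xFrameOptions), array('DENY', 'SAMEORIGIN'), true) && stripos($xFrameOptions, 'ALLOW-FROM') !== 0) { $xFrameOptions = 'sameorigin'; }`. The docblock has a typo (`restrictig`) and would read better as `Clickjacking protection - send an X-Frame-Options header restricting use of the site in an iframe`. A config value of '' or '0' disables the header through empty(); if that is the intended opt-out, say so in the same comment.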
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/include/version.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -30,4 +30,4 @@
/**
* Define XOOPS version
*/
-define('XOOPS_VERSION', 'XOOPS 2.5.7');
+define('XOOPS_VERSION', 'XOOPS 2.5.7.1');
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/kernel/session.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package kernel
* @since 2.0.0
@@ -26,7 +26,7 @@
*
* @author Kazumi Ono <on...@xo...>
* @author Taiwen Jiang <ph...@us...>
- * @copyright copyright (c) The XOOPS project XOOPS.org
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
*/
class XoopsSessionHandler
{
@@ -255,6 +255,6 @@
$session_name = ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') ? $xoopsConfig['session_name'] : session_name();
$session_expire = !is_null($expire) ? intval($expire) : (($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') ? $xoopsConfig['session_expire'] * 60 : ini_get("session.cookie_lifetime"));
$session_id = empty($sess_id) ? session_id() : $sess_id;
- setcookie($session_name, $session_id, $session_expire ? time() + $session_expire : 0, '/', XOOPS_COOKIE_DOMAIN, 0);
+ setcookie($session_name, $session_id, $session_expire ? time() + $session_expire : 0, '/', XOOPS_COOKIE_DOMAIN, false, true);
}
}
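Review bot: The secure flag on the new setcookie() call is hard-coded to false while httponly is turned on, so on an HTTPS site the session id is still sent in clear if the browser follows an http:// link to the same host. Derive it from the site URL instead: `$secure = (substr(XOOPS_URL, 0, 5) === 'https');` and pass `$secure, true` as the last two arguments. The enclosing method starts outside this hunk.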
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/pmlite.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package pm
* @since 2.3.0
@@ -19,27 +19,33 @@
*/
if (!defined('XOOPS_MAINFILE_INCLUDED')) {
- include_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'mainfile.php';
+ include_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . 'mainfile.php';
} else {
chdir(XOOPS_ROOT_PATH . '/modules/pm/');
xoops_loadLanguage('main', 'pm');
}
-$reply = !empty($_GET['reply']) ? 1 : 0;
-$send = !empty($_GET['send']) ? 1 : 0;
-$send2 = !empty($_GET['send2']) ? 1 : 0;
-$sendmod = !empty($_POST['sendmod']) ? 1 : 0; // send from other modules with post data
-$to_userid = isset($_GET['to_userid']) ? intval($_GET['to_userid']) : 0;
-$msg_id = isset($_GET['msg_id']) ? intval($_GET['msg_id']) : 0;
+XoopsLoad::load('XoopsRequest');
-if (empty($_GET['refresh']) && isset($_POST['op']) && $_POST['op'] != "submit") {
+$subject_icons = XoopsLists::getSubjectsList();
+
+$op = XoopsRequest::getCmd('op', '', 'POST');
+
+$reply = XoopsRequest::getBool('reply', 0, 'GET');
+$send = XoopsRequest::getBool('send', 0, 'GET');
+$send2 = XoopsRequest::getBool('send2', 0, 'GET');
+$sendmod = XoopsRequest::getBool('sendmod', 0, 'POST'); // send from other modules with post data
+$to_userid = XoopsRequest::getInt('to_userid', 0, 'GET');
+$msg_id = XoopsRequest::getInt('msg_id', 0, 'GET');
+
+if (empty($_GET['refresh']) && $op != "submit") {
$jump = "pmlite.php?refresh=" . time();
if ($send == 1) {
- $jump .= "&send={$send}";
- } else if ($send2 == 1) {
- $jump .= "&send2={$send2}&to_userid={$to_userid}";
- } else if ($reply == 1) {
- $jump .= "&reply={$reply}&msg_id={$msg_id}";
+ $jump .= "&send={$send}";
+ } elseif ($send2 == 1) {
+ $jump .= "&send2={$send2}&to_userid={$to_userid}";
+ } elseif ($reply == 1) {
+ $jump .= "&reply={$reply}&msg_id={$msg_id}";
} else {
}
header('location: ' . $jump);
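Review bot: The redirect condition changed from `isset($_POST['op']) && $_POST['op'] != "submit"` to `$op != "submit"`, so a request carrying no op at all now redirects — including the sendmod POST from other modules that the `$sendmod` line reads, whose form fields cannot survive the GET redirect to pmlite.php?refresh=…. If external callers do not send op, `if (empty($_GET['refresh']) && $op != "submit" && !$sendmod) {` preserves the old behaviour for them. getBool() returns a bool, and the later `$send == 1` checks only hold under loose comparison; defaults of `false` would make that explicit. Whether the header() call is followed by exit() is outside this hunk; if it is not, the rest of the page still executes after the redirect.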
@@ -53,28 +59,26 @@
xoops_header();
$myts =& MyTextSanitizer::getInstance();
-if (isset($_POST['op']) && $_POST['op'] == "submit") {
+if ($op == "submit") {
$member_handler =& xoops_gethandler('member');
- $count = $member_handler->getUserCount(new Criteria('uid', intval($_POST['to_userid'])));
+ $count = $member_handler->getUserCount(new Criteria('uid', XoopsRequest::getInt('to_userid', 0, 'POST')));
if ($count != 1) {
echo "<br /><br /><div><h4>"._PM_USERNOEXIST."<br />";
echo _PM_PLZTRYAGAIN."</h4><br />";
echo "[ <a href='javascript:history.go(-1)'>"._PM_GOBACK."</a> ]</div>";
- } else if ($GLOBALS['xoopsSecurity']->check()) {
+ } elseif ($GLOBALS['xoopsSecurity']->check()) {
$pm_handler =& xoops_getModuleHandler('message', 'pm');
$pm =& $pm_handler->create();
$pm->setVar("msg_time", time());
-//------------------ mamba
-if (isset($_POST['icon'])) {
- $pm->setVar("msg_image", $_POST['icon']);
+ $msg_image = XoopsRequest::getCmd('icon', null, 'POST');
+ if (in_array($msg_image, $subject_icons)) {
+ $pm->setVar("msg_image", $msg_image);
}
- //else $pm->setVar("msg_image", 'icon1.gif');
-//----------------- mamba
- $pm->setVar("subject", $_POST['subject']);
- $pm->setVar("msg_text", $_POST['message']);
- $pm->setVar("to_userid", $_POST['to_userid']);
+ $pm->setVar("subject", XoopsRequest::getString('subject', null, 'POST'));
+ $pm->setVar("msg_text", XoopsRequest::getString('message', null, 'POST'));
+ $pm->setVar("to_userid", XoopsRequest::getInt('to_userid', 0, 'POST'));
$pm->setVar("from_userid", $GLOBALS['xoopsUser']->getVar("uid"));
- if (isset($_REQUEST['savecopy']) && $_REQUEST['savecopy'] == 1) {
+ if (XoopsRequest::getBool('savecopy', 0)) {
//PMs are by default not saved in outbox
$pm->setVar('from_delete', 0);
}
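Review bot: The icon check `in_array($msg_image, $subject_icons)` should pass `true` as the third argument; with a null default from getCmd() and loose comparison the outcome depends on the list's contents rather than on an exact filename match: `if (in_array($msg_image, $subject_icons, true)) {`. The same strict form is worth applying wherever this file compares request values against a fixed list.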
@@ -91,14 +95,14 @@
echo "<br /><a href=\"javascript:window.close();\">"._PM_ORCLOSEWINDOW."</a>";
}
-} else if ($reply == 1 || $send == 1 || $send2 == 1 || $sendmod == 1) {
+} elseif ($reply == 1 || $send == 1 || $send2 == 1 || $sendmod == 1) {
if ($reply == 1) {
$pm_handler =& xoops_getModuleHandler('message', 'pm');
$pm =& $pm_handler->get($msg_id);
if ($pm->getVar("to_userid") == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_uname = XoopsUser::getUnameFromId($pm->getVar("from_userid"));
$message = "[quote]\n";
- $message .= sprintf(_PM_USERWROTE , $pm_uname);
+ $message .= sprintf(_PM_USERWROTE, $pm_uname);
$message .= "\n" . $pm->getVar("msg_text", "E") . "\n[/quote]";
} else {
unset($pm);
@@ -118,11 +122,11 @@
}
$GLOBALS['xoopsTpl']->assign('to_username', $pm_uname);
$pmform->addElement(new XoopsFormHidden('to_userid', $pm->getVar("from_userid")));
- } else if ($sendmod == 1) {
- $GLOBALS['xoopsTpl']->assign('to_username', XoopsUser::getUnameFromId($_POST["to_userid"]));
- $pmform->addElement(new XoopsFormHidden('to_userid', intval($_POST["to_userid"])));
- $subject = $myts->htmlSpecialChars($myts->stripSlashesGPC($_POST['subject']));
- $message = $myts->htmlSpecialChars($myts->stripSlashesGPC($_POST['message']));
+ } elseif ($sendmod == 1) {
+ $GLOBALS['xoopsTpl']->assign('to_username', XoopsUser::getUnameFromId(XoopsRequest::getInt("to_userid", 0, 'POST')));
+ $pmform->addElement(new XoopsFormHidden('to_userid', XoopsRequest::getInt("to_userid", 0, 'POST')));
+ $subject = $myts->htmlSpecialChars(XoopsRequest::getString('subject', '', 'POST'));
+ $message = $myts->htmlSpecialChars(XoopsRequest::getString('message', '', 'POST'));
} else {
if ($send2 == 1) {
$GLOBALS['xoopsTpl']->assign('to_username', XoopsUser::getUnameFromId($to_userid, false));
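Review bot: The stripSlashesGPC() call was dropped from the subject and message lines while htmlSpecialChars() is kept; unless XoopsRequest::getString() already undoes magic_quotes_gpc on PHP < 5.4 installs, quotes in a pre-filled subject will now arrive with backslashes. If XoopsRequest does handle it, a one-line comment would stop the next reader from re-adding the call: `// XoopsRequest already strips magic_quotes_gpc slashes`.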
@@ -136,19 +140,11 @@
}
$pmform->addElement(new XoopsFormText('', 'subject', 30, 100, $subject), true);
-//----------------------------- mamba
- $msg_image='';
- $icons_radio = new XoopsFormRadio(_MESSAGEICON, 'msg_image', $msg_image);
- $subject_icons = XoopsLists::getSubjectsList();
- // foreach ($subject_icons as $iconfile) {
- // $icons_radio->addOption($iconfile, '<img src="' . XOOPS_URL . '/images/subject/' . $iconfile . '" alt="" />');
- // }
- // $pmform->addElement($icons_radio, true);
+ $msg_image='';
+ $icons_radio = new XoopsFormRadio(_MESSAGEICON, 'msg_image', $msg_image);
+ //$subject_icons = XoopsLists::getSubjectsList();
+ $xoopsTpl->assign('radio_icons', $subject_icons);
- $xoopsTpl->assign('radio_icons', $subject_icons);
-//------------------------------- mamba
-
-
$pmform->addElement(new XoopsFormDhtmlTextArea('', 'message', $message, 8, 37), true);
$pmform->addElement(new XoopsFormRadioYN('', 'savecopy', 0));
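Review bot: `$icons_radio` is constructed on the new side but never added to the form, and the line below it is commented-out code; both can be removed. The template assignment uses `$xoopsTpl` while the rest of this file goes through `$GLOBALS['xoopsTpl']` (e.g. the to_username assignment in the hunk above), so `$GLOBALS['xoopsTpl']->assign('radio_icons', $subject_icons);` keeps it consistent and avoids depending on the global being in scope.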
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/readpmsg.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package pm
* @since 2.3.0
@@ -18,7 +18,7 @@
* @version $Id$
*/
-include_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . 'mainfile.php';
if (!is_object($GLOBALS['xoopsUser'])) {
redirect_header(XOOPS_URL, 3, _NOPERM);
@@ -36,12 +36,12 @@
if (is_object($pm) && ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid'))
&& ($pm->getVar('to_userid') != $GLOBALS['xoopsUser']->getVar('uid'))
-){
+) {
redirect_header(XOOPS_URL . '/modules/' . $GLOBALS['xoopsModule']->getVar("dirname", "n") . '/index.php', 2, _NOPERM);
exit();
}
-if (is_object($pm) && !empty($_POST['action']) ) {
+if (is_object($pm) && !empty($_POST['action'])) {
if (!$GLOBALS['xoopsSecurity']->check()) {
echo implode('<br />', $GLOBALS['xoopsSecurity']->getErrors());
exit();
@@ -49,7 +49,7 @@
$res = false;
if (!empty($_REQUEST['email_message'])) {
$res = $pm_handler->sendEmail($pm, $GLOBALS['xoopsUser']);
- } else if (!empty($_REQUEST['move_message'])
+ } elseif (!empty($_REQUEST['move_message'])
&& $_REQUEST['op'] != 'save'
&& !$GLOBALS['xoopsUser']->isAdmin()
&& $pm_handler->getSavecount() >= $GLOBALS['xoopsModuleConfig']['max_save']
@@ -58,10 +58,12 @@
} else {
switch ($_REQUEST['op']) {
case 'out':
- if ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid')) break;
+ if ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid')) {
+ break;
+ }
if (!empty($_REQUEST['delete_message'])) {
$res = $pm_handler->setFromdelete($pm);
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res = $pm_handler->setFromsave($pm);
}
break;
@@ -70,7 +72,7 @@
if (!empty($_REQUEST['delete_message'])) {
$res1 = $pm_handler->setTodelete($pm);
$res1 = ($res1) ? $pm_handler->setTosave($pm, 0) : false;
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res1 = $pm_handler->setTosave($pm, 0);
}
}
@@ -78,7 +80,7 @@
if (!empty($_REQUEST['delete_message'])) {
$res2 = $pm_handler->setFromDelete($pm);
$res2 = ($res2) ? $pm_handler->setFromsave($pm, 0) : false;
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res2 = $pm_handler->setFromsave($pm, 0);
}
}
@@ -92,14 +94,14 @@
}
if (!empty($_REQUEST['delete_message'])) {
$res = $pm_handler->setTodelete($pm);
- } else if (!empty($_REQUEST['move_message'])) {
+ } elseif (!empty($_REQUEST['move_message'])) {
$res = $pm_handler->setTosave($pm);
}
break;
}
}
$res_message = isset($res_message) ? $res_message : (($res) ? _PM_ACTION_DONE : _PM_ACTION_ERROR);
- redirect_header('viewpmsg.php?op=' . htmlspecialchars($_REQUEST['op'] ) , 2, $res_message);
+ redirect_header('viewpmsg.php?op=' . htmlspecialchars($_REQUEST['op']), 2, $res_message);
}
$start = !empty($_GET['start']) ? intval($_GET['start']) : 0;
$total_messages = !empty($_GET['total_messages']) ? intval($_GET['total_messages']) : 0;
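Review bot: `htmlspecialchars($_REQUEST['op'])` on the redirect line is HTML escaping applied in a URL context, and the same raw value is handed to the template in the later hunk that escapes msg_image (`assign('op', $_REQUEST['op'])`), where it is not visible whether the template escapes it. Since op only ever takes the values in, out and save used in this file's switch and criteria branches, validate it once near the top and use the validated value everywhere: `$op = isset($_REQUEST['op']) && in_array($_REQUEST['op'], array('in', 'out', 'save'), true) ? $_REQUEST['op'] : 'in';` (fallback value to be chosen). That also removes the unguarded `$_REQUEST['op']` reads in the move_message and switch conditions.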
@@ -111,10 +113,10 @@
$criteria = new CriteriaCompo(new Criteria('from_delete', 0));
$criteria->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$criteria->add(new Criteria('from_save', 0));
- } else if ($_REQUEST['op'] == "save") {
+ } elseif ($_REQUEST['op'] == "save") {
$crit_to = new CriteriaCompo(new Criteria('to_delete', 0));
$crit_to->add(new Criteria('to_save', 1));
- $crit_to->add(new Criteria('to_userid',$GLOBALS['xoopsUser']->getVar('uid')));
+ $crit_to->add(new Criteria('to_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$crit_from = new CriteriaCompo(new Criteria('from_delete', 0));
$crit_from->add(new Criteria('from_save', 1));
$crit_from->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
@@ -139,7 +141,7 @@
if (is_object($pm) && !empty($pm)) {
if ($pm->getVar('from_userid') != $GLOBALS['xoopsUser']->getVar('uid')) {
$reply_button = new XoopsFormButton('', 'send', _PM_REPLY);
- $reply_button->setExtra("onclick='javascript:openWithSelfMain(\"" . XOOPS_URL . "/modules/pm/pmlite.php?reply=1&msg_id=".$pm->getVar("msg_id")."\", \"pmlite\", 565,500);'");
+ $reply_button->setExtra("onclick='javascript:openWithSelfMain(\"" . XOOPS_URL . "/modules/pm/pmlite.php?reply=1&msg_id=".$pm->getVar("msg_id")."\", \"pmlite\", 565,500);'");
$pmform->addElement($reply_button);
}
$pmform->addElement(new XoopsFormButton('', 'delete_message', _PM_DELETE, 'submit'));
@@ -168,6 +170,7 @@
$message = $pm->getValues();
$message['msg_time'] = formatTimestamp($pm->getVar("msg_time"));
+ $message['msg_image'] = htmlspecialchars($message['msg_image'], ENT_QUOTES);
}
$GLOBALS['xoopsTpl']->assign('message', $message);
$GLOBALS['xoopsTpl']->assign('op', $_REQUEST['op']);
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/pm/viewpmsg.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,7 +9,7 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package pm
* @since 2.3.0
@@ -18,7 +18,7 @@
* @version $Id$
*/
-include_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . 'mainfile.php';
if (!is_object($GLOBALS['xoopsUser'])) {
redirect_header(XOOPS_URL, 3, _NOPERM);
@@ -34,15 +34,15 @@
$start = empty($_REQUEST["start"]) ? 0 : intval($_REQUEST["start"]);
$pm_handler =& xoops_getModuleHandler('message');
-if (isset($_POST['delete_messages']) && isset($_POST['msg_id'])) {
+if (isset($_POST['delete_messages']) && (isset($_POST['msg_id']) || isset($_POST['msg_ids']))) {
if (!$GLOBALS['xoopsSecurity']->check()) {
$GLOBALS['xoopsTpl']->assign('errormsg', implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
- } else if (empty($_REQUEST['ok'])) {
- xoops_confirm(array('ok' => 1, 'delete_messages' => 1, 'op' => $_REQUEST['op'], 'msg_id'=> json_encode(array_map("intval", $_POST['msg_id']))), $_SERVER['REQUEST_URI'], _PM_SURE_TO_DELETE);
+ } elseif (empty($_REQUEST['ok'])) {
+ xoops_confirm(array('ok' => 1, 'delete_messages' => 1, 'op' => $_REQUEST['op'], 'msg_ids'=> json_encode(array_map("intval", $_POST['msg_id']))), $_SERVER['REQUEST_URI'], _PM_SURE_TO_DELETE);
include $GLOBALS['xoops']->path('footer.php');
exit();
} else {
- $clean_msg_id = json_decode($_POST['msg_id'], true, 2);
+ $clean_msg_id = json_decode($_POST['msg_ids'], true, 2);
if (!empty($clean_msg_id)) {
$clean_msg_id = array_map("intval", $clean_msg_id);
}
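Review bot: In the confirm branch `array_map("intval", $_POST['msg_id'])` assumes msg_id is an array; a scalar value makes array_map() emit a warning and return null, which json_encode() turns into the string null. In the final branch `$_POST['msg_ids']` is read unconditionally even though the widened outer condition also admits requests that carry only msg_id. Cast and guard: `'msg_ids' => json_encode(array_map('intval', (array) $_POST['msg_id']))` and `$clean_msg_id = isset($_POST['msg_ids']) ? json_decode($_POST['msg_ids'], true, 2) : array();`.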
@@ -52,7 +52,7 @@
$pm =& $pm_handler->get($msg[$i]);
if ($pm->getVar('to_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setTodelete($pm);
- } else if ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
+ } elseif ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setFromdelete($pm);
}
unset($pm);
@@ -63,7 +63,7 @@
if (isset($_POST['move_messages']) && isset($_POST['msg_id'])) {
if (!$GLOBALS['xoopsSecurity']->check()) {
$GLOBALS['xoopsTpl']->assign('errormsg', implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
- } else{
+ } else {
$size = count($_POST['msg_id']);
$msg = $_POST['msg_id'];
if ($_POST['op'] == 'save') {
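Review bot: The move branch takes `$msg = $_POST['msg_id']` and, in the next hunk, passes `$msg[$i]` straight to `$pm_handler->get()`, whereas the delete branch above goes through intval(); unless get() casts its argument, the two paths disagree on input handling. `$msg = array_map('intval', (array) $_POST['msg_id']);` aligns them and also covers a scalar msg_id, for which count() on the preceding line returns 1 in PHP 5 while `$msg[0]` is not the intended id.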
@@ -71,7 +71,7 @@
$pm =& $pm_handler->get($msg[$i]);
if ($pm->getVar('to_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setTosave($pm, 0);
- } else if ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
+ } elseif ($pm->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
$pm_handler->setFromsave($pm, 0);
}
unset($pm);
@@ -85,7 +85,7 @@
$pm =& $pm_handler->get($msg[$i]);
if ($_POST['op']=='in') {
$pm_handler->setTosave($pm);
- } else if ($_POST['op'] == 'out') {
+ } elseif ($_POST['op'] == 'out') {
$pm_handler->setFromsave($pm);
}
unset($pm);
@@ -93,7 +93,7 @@
}
if ($_POST['op'] == 'save') {
$GLOBALS['xoopsTpl']->assign('msg', _PM_UNSAVED);
- } else if (isset($total_save) && !$GLOBALS['xoopsUser']->isAdmin()) {
+ } elseif (isset($total_save) && !$GLOBALS['xoopsUser']->isAdmin()) {
$GLOBALS['xoopsTpl']->assign('msg', sprintf(_PM_SAVED_PART, $GLOBALS['xoopsModuleConfig']['max_save'], $i));
} else {
$GLOBALS['xoopsTpl']->assign('msg', _PM_SAVED_ALL);
@@ -103,25 +103,25 @@
if (isset($_REQUEST['empty_messages'])) {
if (!$GLOBALS['xoopsSecurity']->check()) {
$GLOBALS['xoopsTpl']->assign('errormsg', implode('<br />', $GLOBALS['xoopsSecurity']->getErrors()));
- } else if (empty($_REQUEST['ok'])) {
+ } elseif (empty($_REQUEST['ok'])) {
xoops_confirm(array('ok' => 1, 'empty_messages' => 1, 'op' => $_REQUEST['op']), $_SERVER['REQUEST_URI'], _PM_RUSUREEMPTY);
include $GLOBALS['xoops']->path('footer.php');
exit();
} else {
if ($_POST['op'] == 'save') {
$crit_to = new CriteriaCompo(new Criteria('to_delete', 0));
- $crit_to->add(new Criteria('to_save',1));
- $crit_to->add(new Criteria('to_userid',$GLOBALS['xoopsUser']->getVar('uid')));
+ $crit_to->add(new Criteria('to_save', 1));
+ $crit_to->add(new Criteria('to_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$crit_from = new CriteriaCompo(new Criteria('from_delete', 0));
$crit_from->add(new Criteria('from_save', 1));
- $crit_from->add(new Criteria('from_userid',$GLOBALS['xoopsUser']->getVar('uid')));
+ $crit_from->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$criteria = new CriteriaCompo($crit_to);
$criteria->add($crit_from, "OR");
- } else if ($_POST['op'] == 'out') {
+ } elseif ($_POST['op'] == 'out') {
$criteria = new CriteriaCompo(new Criteria('from_delete', 0));
$criteria->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$criteria->add(new Criteria('from_save', 0));
- } else{
+ } else {
$criteria = new CriteriaCompo(new Criteria('to_delete', 0));
$criteria->add(new Criteria('to_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$criteria->add(new Criteria('to_save', 0));
@@ -137,14 +137,14 @@
if ($pms[$i]->getVar('to_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
if ($_POST['op'] == 'save') {
$pm_handler->setTosave($pms[$i], 0);
- } else if ($_POST['op'] == 'in') {
+ } elseif ($_POST['op'] == 'in') {
$pm_handler->setTodelete($pms[$i]);
}
}
if ($pms[$i]->getVar('from_userid') == $GLOBALS['xoopsUser']->getVar('uid')) {
if ($_POST['op']=='save') {
- $pm_handler->setFromsave($pms[$i],0);
- } else if ($_POST['op']=='out') {
+ $pm_handler->setFromsave($pms[$i], 0);
+ } elseif ($_POST['op']=='out') {
$pm_handler->setFromdelete($pms[$i]);
}
}
@@ -158,7 +158,7 @@
$criteria = new CriteriaCompo(new Criteria('from_delete', 0));
$criteria->add(new Criteria('from_userid', $GLOBALS['xoopsUser']->getVar('uid')));
$criteria->add(new Criteria('from_save', 0));
-} else if ($_REQUEST['op'] == "save") {
+} elseif ($_REQUEST['op'] == "save") {
$crit_to = new CriteriaCompo(new Criteria('to_delete', 0));
$crit_to->add(new Criteria('to_save', 1));
$crit_to->add(new Criteria('to_userid', $GLOBALS['xoopsUser']->getVar('uid')));
@@ -200,9 +200,10 @@
}
}
$member_handler =& xoops_gethandler('member');
- $senders = $member_handler->getUserList(new Criteria('uid', "(" . implode(", ", array_unique($uids) ) . ")", "IN"));
+ $senders = $member_handler->getUserList(new Criteria('uid', "(" . implode(", ", array_unique($uids)) . ")", "IN"));
foreach (array_keys($pm_arr) as $i) {
$message = $pm_arr[$i];
+ $message['msg_image'] = htmlspecialchars($message['msg_image'], ENT_QUOTES);
$message['msg_time'] = formatTimestamp($message["msg_time"]);
if (isset($_REQUEST['op']) && $_REQUEST['op'] == "out") {
$message['postername'] = $senders[$pm_arr[$i]['to_userid']];
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/admin/modulesadmin/main.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/admin/modulesadmin/main.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/admin/modulesadmin/main.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -2,7 +2,7 @@
// $Id$
// ------------------------------------------------------------------------ //
// XOOPS - PHP Content Management System //
-// Copyright (c) 2000 XOOPS.org //
+// Copyright (c) 2000-2014 XOOPS Project (www.xoops.org) //
// <http://www.xoops.org/> //
// ------------------------------------------------------------------------ //
// This program is free software; you can redistribute it and/or modify //
@@ -36,6 +36,7 @@
include_once XOOPS_ROOT_PATH . '/class/xoopsblock.php';
include_once XOOPS_ROOT_PATH . '/modules/system/admin/modulesadmin/modulesadmin.php';
+XoopsLoad::load('XoopsFilterInput');
if (isset($_POST)) {
foreach ($_POST as $k => $v) {
@@ -88,6 +89,7 @@
$install_mods = array();
foreach ($installed_mods as $module) {
$listed_mods[$i] = $module->toArray();
+ $listed_mods[$i]['name'] = htmlspecialchars($module->getVar('name'), ENT_QUOTES);
$listed_mods[$i]['image'] = $module->getInfo('image');
$listed_mods[$i]['adminindex'] = $module->getInfo('adminindex');
$listed_mods[$i]['version'] = round($module->getVar('version') / 100, 2);
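Review bot: `$module->getVar('name')` with the default format may already return an HTML-escaped string — confirm against XoopsObject::getVar, whose default 's' format escapes text-box fields in other XOOPS 2.5 code paths — in which case the added htmlspecialchars() double-encodes names containing & or quotes. If so, read the raw value and escape once: `$listed_mods[$i]['name'] = htmlspecialchars($module->getVar('name', 'n'), ENT_QUOTES);`, the same 'n' format this changeset uses for dirname in readpmsg.php. The later getInfo('name') line is a different accessor and needs to be checked separately.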
@@ -104,7 +106,7 @@
}
$install_mods[] = $module->getInfo('dirname');
unset($module);
- $i++;
+ ++$i;
}
// Get module to install
$dirlist = XoopsLists::getModulesList();
@@ -115,7 +117,7 @@
clearstatcache();
$file = trim($file);
if (!in_array($file, $install_mods)) {
- $i++;
+ ++$i;
}
}
}
@@ -166,7 +168,7 @@
if (!in_array($file, $install_mods)) {
$module =& $module_handler->create();
$module->loadInfo($file);
- $toinstall_mods[$i]['name'] = $module->getInfo('name');
+ $toinstall_mods[$i]['name'] = htmlspecialchars($module->getInfo('name'), ENT_QUOTES);
$toinstall_mods[$i]['dirname'] = $module->getInfo('dirname');
$toinstall_mods[$i]['image'] = $module->getInfo('image');
$toinstall_mods[$i]['version'] = round($module->getInfo('version'), 2);
@@ -177,7 +179,7 @@
$toinstall_mods[$i]['description'] = $module->getInfo('description');
$toinstall_mods[$i]['mid'] = $i; // Use only for display popup
unset($module);
- $i++;
+ ++$i;
}
}
}
@@ -202,7 +204,7 @@
if (!$module_handler->insert($module)) {
$error = true;
}
- $i++;
+ ++$i;
}
}
}
@@ -242,11 +244,12 @@
$module = empty($_POST['module']) ? array() : $_POST['module'];
foreach ($module as $mid) {
$mid = (int) $mid;
+ $newname[$mid] = trim(XoopsFilterInput::clean($newname[$mid], 'STRING'));
$modifs_mods[$i]['mid'] = $mid;
$modifs_mods[$i]['oldname'] = $myts->htmlspecialchars($myts->stripSlashesGPC($oldname[$mid]));
$modifs_mods[$i]['newname'] = $myts->htmlspecialchars(trim($myts->stripslashesGPC($newname[$mid])));
$modifs_mods[$i]['newstatus'] = (isset($newstatus[$mid])) ? $myts->htmlspecialchars($newstatus[$mid]) : 0;
- $i++;
+ ++$i;
}
$xoopsTpl->assign('modifs_mods', $modifs_mods);
$xoopsTpl->assign('input_security', $GLOBALS['xoopsSecurity']->getTokenHTML());
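Review bot: L784 reads and rewrites `$newname[$mid]` without checking the key exists, so a POST that lists a module id in `module[]` but omits the matching `newname` entry raises a notice and hands `null` to `XoopsFilterInput::clean()`; where `$newname` is populated is outside this hunk, but `$module` is already defaulted defensively at L781 (`empty($_POST['module']) ? array() : ...`) and `$newname` deserves the same care. Suggested: `$newname[$mid] = isset($newname[$mid]) ? trim(XoopsFilterInput::clean($newname[$mid], 'STRING')) : '';`. Note also that the filter runs before `$myts->stripslashesGPC()` at L787, so under magic quotes the value is filtered while still backslash-escaped; filtering after the strip would be the more predictable order.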
@@ -268,7 +271,7 @@
}
$blocks = XoopsBlock::getByModule($module_id);
$bcount = count($blocks);
- for ($i = 0; $i < $bcount; $i++) {
+ for ($i = 0; $i < $bcount; ++$i) {
$blocks[$i]->setVar('isactive', !$old);
$blocks[$i]->store();
}
@@ -306,7 +309,7 @@
$ret[] = xoops_module_deactivate($mid);
}
}
- $newname[$mid] = trim($newname[$mid]);
+ $newname[$mid] = trim(XoopsFilterInput::clean($newname[$mid], 'STRING'));
if ($oldname[$mid] != $newname[$mid]) {
$ret[] = xoops_module_change($mid, $newname[$mid]);
$write = true;
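Review bot: The comparison at L809 now pits a filtered `$newname[$mid]` against an unfiltered `$oldname[$mid]`, so a module whose stored name contains anything the `'STRING'` filter strips (for example markup saved before this patch) will compare as changed and be rewritten through `xoops_module_change()` on every save, even when the admin did not touch it. That is arguably a desirable one-time cleanup, but it is silent and undocumented; record the intent with a comment above L808 such as `// oldname is compared raw on purpose: a previously unsanitised name is rewritten once` so nobody "fixes" it by filtering both sides. Since both operands are strings here, `!==` would also be safer than the loose `!=`. The enclosing loop starts before this hunk.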
@@ -551,7 +554,7 @@
if (is_array($deltpl)) {
// delete template file entry in db
$dcount = count($deltpl);
- for ($i = 0; $i < $dcount; $i++) {
+ for ($i = 0; $i < $dcount; ++$i) {
if (!$tplfile_handler->delete($deltpl[$i])) {
$delng[] = $deltpl[$i]->getVar('tpl_file');
}
@@ -582,7 +585,7 @@
$tplfile = empty($tplfiles) ? $tplfile_handler->create() : $tplfiles[0];
// END irmtfan solve templates duplicate issue
$tplfile->setVar('tpl_refid', $newmid);
- $tplfile->setVar('tpl_lastimported', 0);
+// $tplfile->setVar('tpl_lastimported', 0);
$tplfile->setVar('tpl_lastmodified', time());
$tplfile->setVar('tpl_type', $type);
$tplfile->setVar('tpl_source', $tpldata, true);
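Review bot: `$tplfile->setVar('tpl_lastimported', 0);` at L826 is commented out rather than removed, and nothing records why the field is no longer reset when a module's templates are re-imported; the same change is made at L844 in the block-template hunk. Delete the dead line and keep the reasoning as a one-line comment, e.g. `// tpl_lastimported is deliberately left untouched on re-import (2.5.7.1)` with the actual reason filled in, so the next maintainer does not restore the reset. The enclosing loop starts and ends outside this hunk.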
@@ -659,7 +662,7 @@
$fresult = $xoopsDB->query($sql);
$fcount = 0;
while ($fblock = $xoopsDB->fetchArray($fresult)) {
- $fcount++;
+ ++$fcount;
$sql
=
"UPDATE " . $xoopsDB->prefix("newblocks") . " SET name='" . addslashes($block['name'])
@@ -686,7 +689,7 @@
$tplfile_new->setVar('tpl_source', $content, true);
$tplfile_new->setVar('tpl_desc', $block['description'], true);
$tplfile_new->setVar('tpl_lastmodified', time());
- $tplfile_new->setVar('tpl_lastimported', 0);
+// $tplfile_new->setVar('tpl_lastimported', 0);
$tplfile_new->setVar(
'tpl_file',
$block['template'],
@@ -848,7 +851,7 @@
$tplfiles = $tplfile_handler->find(null, 'block', $block->getVar('bid'));
if (is_array($tplfiles)) {
$btcount = count($tplfiles);
- for ($k = 0; $k < $btcount; $k++) {
+ for ($k = 0; $k < $btcount; ++$k) {
if (!$tplfile_handler->delete($tplfiles[$k])) {
$msgs[] = ' <span style="color:#ff0000;">'
. _AM_SYSTEM_MODULES_BLOCK_DEPRECATED_ERROR . '(ID: <strong>'
@@ -877,7 +880,7 @@
$config_delng = array();
if ($confcount > 0) {
$msgs[] = _AM_SYSTEM_MODULES_MODULE_DATA_DELETE;
- for ($i = 0; $i < $confcount; $i++) {
+ for ($i = 0; $i < $confcount; ++$i) {
if (!$config_handler->deleteConfig($configs[$i])) {
$msgs[]
= ' <span style="color:#ff0000;">' . _AM_SYSTEM_MODULES_GONFIG_DATA_DELETE_ERROR
@@ -1065,7 +1068,7 @@
unset($confop);
}
}
- $order++;
+ ++$order;
if (false != $config_handler->insertConfig($confobj)) {
//$msgs[] = ' Config <strong>'.$config['name'].'</strong> added to the database.'.$confop_msgs;
$msgs[] = " " . sprintf(
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/themes/default/default.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/themes/default/default.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/modules/system/themes/default/default.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -14,7 +14,7 @@
/*
* Xoops Cpanel default GUI class
*
- * @copyright The XOOPS project http://sf.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license http://www.fsf.org/copyleft/gpl.html GNU public license
* @package system
* @usbpackage GUI
@@ -113,7 +113,7 @@
$tpl->append('navitems', array('link' => XOOPS_URL . '/admin.php', 'text' => _CPHOME, 'menu' => $menu));
//add SYSTEM Menu items
- include dirname(__FILE__) . '/menu.php';
+ include __DIR__ . '/menu.php';
if (empty($xoopsModule) || 'system' == $xoopsModule->getVar('dirname', 'n')) {
$modpath = XOOPS_URL . '/admin.php';
$modname = _OXYGEN_SYSOPTIONS;
@@ -166,7 +166,7 @@
} else {
$rtn['link'] = XOOPS_URL . '/modules/system/admin.php?fct=preferences&op=showmod&mod=' . $mod->getVar('mid');
}
- $rtn['title'] = $mod->name();
+ $rtn['title'] = htmlspecialchars($mod->name(), ENT_QUOTES);
$rtn['absolute'] = 1;
$rtn['url'] = XOOPS_URL . '/modules/'. $mod->getVar('dirname', 'n') . '/'; //add for sub menus
$modOptions = $mod->getAdminMenu(); //add for sub menus
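Review bot: `htmlspecialchars($mod->name(), ENT_QUOTES)` at L901 (and the same form at L910 and L919) passes no charset, so the result depends on the PHP version's default — ISO-8859-1 before 5.4, UTF-8 from 5.4 onward where a malformed sequence yields an empty string — and a non-ASCII module name can render differently from host to host. Pass the site charset explicitly, `htmlspecialchars($mod->name(), ENT_QUOTES, 'UTF-8')` or whichever charset constant the core defines, and consider a single small helper so the three call sites in this file stay in step. The enclosing method starts and ends outside this hunk.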
@@ -239,7 +239,7 @@
$sadmin = $moduleperm_handler->checkRight('module_admin', $mod->getVar('mid'), $xoopsUser->getGroups());
if ($sadmin && ($mod->getVar('hasnotification') || is_array($mod->getInfo('config')) || is_array($mod->getInfo('comments')))) {
$rtn['link'] = XOOPS_URL . '/modules/system/admin.php?fct=preferences&op=showmod&mod=' . $mod->getVar('mid');
- $rtn['title'] = $mod->name();
+ $rtn['title'] = htmlspecialchars($mod->name(), ENT_QUOTES);
$rtn['absolute'] = 1;
$rtn['icon'] = XOOPS_ADMINTHEME_URL . '/gui/oxygen/icons/prefs_small.png';
$menu[] = $rtn;
@@ -298,7 +298,7 @@
} else {
$rtn ['link'] = XOOPS_URL . '/modules/system/admin.php?fct=preferences&op=showmod&mod=' . $mod->getVar ( 'mid' );
}
- $rtn ['title'] = $mod->getVar ('name');
+ $rtn ['title'] = htmlspecialchars($mod->getVar ('name'), ENT_QUOTES);
$rtn ['description'] = $mod->getInfo('description');
$rtn ['absolute'] = 1;
if (isset ( $info ['icon_big'] )) {
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/pmlite.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/pmlite.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/pmlite.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,39 +9,39 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package core
* @since 2.0.0
* @version $Id$
*/
-include dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include __DIR__ . DIRECTORY_SEPARATOR . 'mainfile.php';
$xoopsPreload =& XoopsPreload::getInstance();
$xoopsPreload->triggerEvent('core.pmlite.start');
xoops_loadLanguage('pmsg');
+XoopsLoad::load('XoopsRequest');
-
-//------------------------------ mamba
include $GLOBALS['xoops']->path('class/xoopsformloader.php');
$icon='';
$icons_radio = new XoopsFormRadio(_MESSAGEICON, 'icon', $icon);
$subject_icons = XoopsLists::getSubjectsList();
-//------------------------------- mamba
-$reply = !empty($_GET['reply']) ? 1 : 0;
-$send = !empty($_GET['send']) ? 1 : 0;
-$send2 = !empty($_GET['send2']) ? 1 : 0;
-$to_userid = !empty($_GET['to_userid']) ? intval($_GET['to_userid']) : 0;
-$msg_id = !empty($_GET['msg_id']) ? intval($_GET['msg_id']) : 0;
-if (empty($_GET['refresh']) && isset($_POST['op']) && $_POST['op'] != "submit") {
+$op = XoopsRequest::getCmd('op', '', 'POST');
+
+$reply = XoopsRequest::getBool('reply', 0, 'GET');
+$send = XoopsRequest::getBool('send', 0, 'GET');
+$send2 = XoopsRequest::getBool('send2', 0, 'GET');
+$to_userid = XoopsRequest::getInt('to_userid', 0, 'GET');
+$msg_id = XoopsRequest::getInt('msg_id', 0, 'GET');
+if (empty($_GET['refresh']) && $op != "submit") {
$jump = "pmlite.php?refresh=" . time() . "";
if ($send == 1) {
$jump .= "&send=" . $send . "";
- } else if ($send2 == 1) {
+ } elseif ($send2 == 1) {
$jump .= "&send2=" . $send2 . "&to_userid=" . $to_userid . "";
- } else if ($reply == 1) {
+ } elseif ($reply == 1) {
$jump .= "&reply=" . $reply . "&msg_id=" . $msg_id . "";
} else {
}
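Review bot: `XoopsRequest::getBool('reply', 0, 'GET')` at L959–L961 gives an int default to a boolean getter, and the results are then compared loosely with `$send == 1`; that only works because `true == 1`, and it is the kind of mixed typing the move to XoopsRequest was meant to remove. Use `getBool('reply', false, 'GET')` and test `if ($send)` / `if ($send2)` / `if ($reply)`, and fetch `refresh` through the same layer instead of the leftover raw `empty($_GET['refresh'])` at L964 (e.g. `XoopsRequest::getInt('refresh', 0, 'GET')`). Since `$send`, `$to_userid` and `$msg_id` are now bool/int, the `$jump` URL assembled from them is safe as written.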
@@ -50,32 +50,37 @@
}
xoops_header();
+
+$method = XoopsRequest::getMethod();
+$safeMethods = array('GET', 'HEAD');
+if (!in_array($method, $safeMethods)) {
+ if (!$GLOBALS['xoopsSecurity']->check()) {
+ echo "<br /><br /><div><h4>" . _ERRORS . "</h4><br />";
+ echo "[ <a href='javascript:history.go(-1)' title=''>" . _PM_GOBACK . "</a> ]</div>";
+ xoops_footer();
+ exit;
+ }
+}
+
if (is_object($xoopsUser)) {
$myts =& MyTextSanitizer::getInstance();
- if (isset($_POST['op']) && $_POST['op'] == "submit") {
- if (!$GLOBALS['xoopsSecurity']->check()) {
- $security_error = true;
- }
- $res = $xoopsDB->query("SELECT COUNT(*) FROM " . $xoopsDB->prefix("users") . " WHERE uid=" . intval($_POST['to_userid']) . "");
+ if ($op == 'submit') {
+ $res = $xoopsDB->query("SELECT COUNT(*) FROM " . $xoopsDB->prefix("users") . " WHERE uid=" . XoopsRequest::getInt('to_userid', 0, 'POST') . "");
list ($count) = $xoopsDB->fetchRow($res);
if ($count != 1) {
echo "<br /><br /><div><h4>" . _PM_USERNOEXIST . "<br />";
echo _PM_PLZTRYAGAIN . "</h4><br />";
- if (isset($security_error) && $security_error == true) {
- echo implode('<br />', $GLOBALS['xoopsSecurity']->getErrors());
- }
echo "[ <a href='javascript:history.go(-1)' title=''>" . _PM_GOBACK . "</a> ]</div>";
} else {
$pm_handler =& xoops_gethandler('privmessage');
$pm =& $pm_handler->create();
-//------------------ mamba
-if (isset($_POST['icon'])) {
- $pm->setVar("msg_image", $_POST['icon']);
+ $msg_image = XoopsRequest::getCmd('icon', null, 'POST');
+ if (in_array($msg_image, $subject_icons)) {
+ $pm->setVar("msg_image", $msg_image);
}
-//----------------- mamba
- $pm->setVar("subject", $_POST['subject']);
- $pm->setVar("msg_text", $_POST['message']);
- $pm->setVar("to_userid", $_POST['to_userid']);
+ $pm->setVar("subject", XoopsRequest::getString('subject', null, 'POST'));
+ $pm->setVar("msg_text", XoopsRequest::getString('message', null, 'POST'));
+ $pm->setVar("to_userid", XoopsRequest::getInt('to_userid', 0, 'POST'));
$pm->setVar("from_userid", $xoopsUser->getVar("uid"));
if (!$pm_handler->insert($pm)) {
echo $pm->getHtmlErrors();
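Review bot: The icon allow-list check at L1015, `in_array($msg_image, $subject_icons)`, uses loose comparison; with `getCmd()` returning a string and the list holding filenames it passes today, but the `null` default at L1014 would match an empty-string entry and numeric-looking names compare numerically, so the allow-list is weaker than it looks. Make it `in_array($msg_image, $subject_icons, true)` so only an exact entry from `XoopsLists::getSubjectsList()` is stored. Separately, the new CSRF block at L983–L988 prints only the `_ERRORS` heading; the removed lines L1004–L1006 used to surface `$GLOBALS['xoopsSecurity']->getErrors()`, and viewpmsg.php still does at L1141, so add `echo implode('<br />', $GLOBALS['xoopsSecurity']->getErrors());` after L984 so an expired token is distinguishable from a forged request. Moving the check ahead of the `is_object($xoopsUser)` test is the right call.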
@@ -84,7 +89,7 @@
echo "<br /><br /><div style='text-align:center;'><h4>" . _PM_MESSAGEPOSTED . "</h4><br /><a href=\"javascript:window.opener.location='" . XOOPS_URL . "/viewpmsg.php';window.close();\" title=\"\">" . _PM_CLICKHERE . "</a><br /><br /><a href=\"javascript:window.close();\" title=\"\">" . _PM_ORCLOSEWINDOW . "</a></div>";
}
}
- } else if ($reply == 1 || $send == 1 || $send2 == 1) {
+ } elseif ($reply == 1 || $send == 1 || $send2 == 1) {
include_once $GLOBALS['xoops']->path('include/xoopscodes.php');
if ($reply == 1) {
$pm_handler =& xoops_gethandler('privmessage');
@@ -103,14 +108,14 @@
echo "<table style=' text-align:left;' class='outer'><tr><td class='head txtright' style='width:25%'>" . _PM_TO . "</td>";
if ($reply == 1) {
echo "<td class='even'><input type='hidden' name='to_userid' value='" . $pm->getVar("from_userid") . "' />" . $pm_uname . "</td>";
- } else if ($send2 == 1) {
+ } elseif ($send2 == 1) {
$to_username = XoopsUser::getUnameFromId($to_userid);
echo "<td class='even'><input type='hidden' name='to_userid' value='" . $to_userid . "' />" . $to_username . "</td>";
} else {
- require_once $GLOBALS['xoops']->path('class/xoopsform/formelement.php');
- require_once $GLOBALS['xoops']->path('class/xoopsform/formselect.php');
- require_once $GLOBALS['xoops']->path('class/xoopsform/formlabel.php');
- require_once $GLOBALS['xoops']->path('class/xoopsform/formselectuser.php');
+ //require_once $GLOBALS['xoops']->path('class/xoopsform/formelement.php');
+ //require_once $GLOBALS['xoops']->path('class/xoopsform/formselect.php');
+ //require_once $GLOBALS['xoops']->path('class/xoopsform/formlabel.php');
+ //require_once $GLOBALS['xoops']->path('class/xoopsform/formselectuser.php');
$user_sel = new XoopsFormSelectUser("", "to_userid");
echo "<td class='even'>" . $user_sel->render();
echo "</td>";
@@ -129,16 +134,14 @@
}
echo "</tr>";
-//----------------------------- mamba
- echo "<tr>";
- echo "<td class='head txtright' style='width:25%;'>" . _MESSAGEICON. "</td>";
- foreach ($subject_icons as $iconfile) {
- $icons_radio->addOption($iconfile, '<img src="' . XOOPS_URL . '/images/subject/' . $iconfile . '" alt="" />');
+ echo "<tr>";
+ echo "<td class='head txtright' style='width:25%;'>" . _MESSAGEICON. "</td>";
+ foreach ($subject_icons as $iconfile) {
+ $icons_radio->addOption($iconfile, '<img src="' . XOOPS_URL . '/images/subject/' . $iconfile . '" alt="" />');
}
- echo "<td class='even'>" . $icons_radio->render();
- echo "</td>";
- echo "</tr>";
-//------------------------------- mamba
+ echo "<td class='even'>" . $icons_radio->render();
+ echo "</td>";
+ echo "</tr>";
echo "<tr style='vertical-align:top;'><td style='width:25%;' class='head txtright'>" . _PM_MESSAGEC . "</td>";
echo "<td class='even'>";
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/readpmsg.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/readpmsg.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/readpmsg.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,14 +9,14 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package core
* @since 2.0.0
* @version $Id$
*/
-include dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include __DIR__ . DIRECTORY_SEPARATOR . 'mainfile.php';
$xoopsPreload =& XoopsPreload::getInstance();
$xoopsPreload->triggerEvent('core.readpmsg.start');
@@ -80,14 +80,12 @@
} else {
echo $xoopsConfig['anonymous']; // we need to do this for deleted users
}
-//------------- mamba
- $iconName=$pm_arr[0]->getVar("msg_image", "E");
+ $iconName=htmlspecialchars($pm_arr[0]->getVar("msg_image", "E"), ENT_QUOTES);
if ($iconName != '') {
- echo "</td><td><img src='images/subject/" .$iconName . "' alt='' /> " . _PM_SENTC . "" . formatTimestamp($pm_arr[0]->getVar("msg_time"));
+ echo "</td><td><img src='images/subject/" .$iconName . "' alt='' /> " . _PM_SENTC . "" . formatTimestamp($pm_arr[0]->getVar("msg_time"));
} else {
- echo "</td><td>" . _PM_SENTC . "" . formatTimestamp($pm_arr[0]->getVar("msg_time"));
+ echo "</td><td>" . _PM_SENTC . "" . formatTimestamp($pm_arr[0]->getVar("msg_time"));
}
-//------------- mamba
echo "<hr /><br /><strong>" . $pm_arr[0]->getVar("subject") . "</strong><br /><br />\n";
echo $pm_arr[0]->getVar("msg_text") . "<br /><br /></td></tr><tr class='foot'><td class='width20 txtleft' colspan='2'>";
Modified: XoopsCore/branches/2.5.x/2.5.7.1/htdocs/viewpmsg.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.7.1/htdocs/viewpmsg.php 2014-11-27 19:24:24 UTC (rev 12876)
+++ XoopsCore/branches/2.5.x/2.5.7.1/htdocs/viewpmsg.php 2014-11-27 20:15:53 UTC (rev 12877)
@@ -9,14 +9,14 @@
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
- * @copyright The XOOPS Project http://sourceforge.net/projects/xoops/
+ * @copyright (c) 2000-2014 XOOPS Project (www.xoops.org)
* @license GNU GPL 2 (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
* @package core
* @since 2.0.0
* @version $Id$
*/
-include dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mainfile.php';
+include __DIR__ . DIRECTORY_SEPARATOR . 'mainfile.php';
$xoopsPreload =& XoopsPreload::getInstance();
$xoopsPreload->triggerEvent('core.viewpmsg.start');
@@ -27,23 +27,23 @@
redirect_header("user.php", 2, $errormessage);
} else {
$pm_handler =& xoops_gethandler('privmessage');
- if (isset($_POST['delete_messages']) && isset($_POST['msg_id'])) {
+ if (isset($_POST['delete_messages']) && (isset($_POST['msg_id']) || isset($_POST['msg_ids']))) {
if (!$GLOBALS['xoopsSecurity']->check()) {
echo implode('<br />', $GLOBALS['xoopsSecurity']->getErrors());
exit();
} elseif (empty($_REQUEST['ok'])) {
include $GLOBALS['xoops']->path('header.php');
- xoops_confirm(array('ok' => 1, 'delete_messages' => 1, 'msg_id'=> json_encode(array_map("intval", $_POST['msg_id']))), $_SERVER['REQUEST_URI'], _PM_SURE_TO_DELETE);
+ xoops_confirm(array('ok' => 1, 'delete_messages' => 1, 'msg_ids'=> json_encode(array_map("intval", $_POST['msg_id']))), $_SERVER['REQUEST_URI'], _PM_SURE_TO_DELETE);
include $GLOBALS['xoops']->path('footer.php');
exit();
}
- $clean_msg_id = json_decode($_POST['msg_id'], true, 2);
+ $clean_msg_id = json_decode($_POST['msg_ids'], true, 2);
if (!empty($clean_msg_id)) {
$clean_msg_id = array_map("intval", $clean_msg_id);
}
$size = count($clean_msg_id);
$msg =& $clean_msg_id;
- for ($i = 0; $i < $size; $i++) {
+ for ($i = 0; $i < $size; ++$i) {
$pm =& $pm_handler->get(intval($msg[$i]));
if ($pm->getVar('to_userid') == $xoopsUser->getVar('uid')) {
$pm_handler->delete($pm);
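Review bot: The two steps of the delete flow are selected by `$_REQUEST['ok']` at L1143 rather than by which key was posted, so now that L1139 accepts `msg_id` *or* `msg_ids`, a request with `ok=1` and only `msg_id[]` reaches `json_decode($_POST['msg_ids'], true, 2)` at L1151 with an undefined index, while a request without `ok` but only `msg_ids` hands `array_map` at L1146 an undefined `$_POST['msg_id']`. Guard each step with its own key — `json_encode(array_map("intval", isset($_POST['msg_id']) ? (array) $_POST['msg_id'] : array()))` in the confirm step — and default the decoded list so `count()` at L1155 never sees `null`: `$clean_msg_id = is_array($clean_msg_id) ? array_map('intval', $clean_msg_id) : array();`. The per-message ownership check at L1160 is the right guard and is unchanged. The enclosing else-block starts and ends outside this hunk.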
@@ -68,7 +68,7 @@
} else {
$display = 1;
}
- for ($i = 0; $i < $total_messages; $i++) {
+ for ($i = 0; $i < $total_messages; ++$i) {
$class = ($i % 2 == 0) ? 'even' : 'odd';
echo "<tr class='$class txtleft'><td class='aligntop width2 txtcenter'><input type='checkbox' id='msg_id[]' name='msg_id[]' value='" . $pm_arr[$i]->getVar("msg_id") . "' /></td>\n";
[truncated message content] |