/**
* Prevent XSS attacks for logged in users by making sure the request contains a valid nonce
*
*/
function CheckPosts($session_id)
{
if (count($_POST) == 0) {
return;
}
if (!isset($_POST['verified'])) {
gpsession::StripPost('XSS Verification Parameter Not Set');
return;
}
if (empty($_POST['verified'])) {
gpsession::StripPost('XSS Verification Parameter Empty');
return;
}
if (!common::verify_nonce('post', $_POST['verified'], true) && $_POST['verified'] !== $session_id) {
gpsession::StripPost('XSS Verification Parameter Mismatch');
return;
}
}
/**
* Assign a layout to the $title. Child pages without a layout assigned will inherit this setting
* @param string $title
*/
function SetLayout()
{
global $gp_index, $gp_titles, $langmessage, $gpLayouts;
$index = $_POST['index'];
$title = common::IndexToTitle($index);
if (!$title) {
message($langmessage['OOPS']);
return;
}
$this->title = $title;
$layout = $_POST['layout'];
if (!isset($gpLayouts[$layout])) {
message($langmessage['OOPS']);
return;
}
if (!common::verify_nonce('use_' . $layout)) {
message($langmessage['OOPS']);
return;
}
//unset, then reset if needed
unset($gp_titles[$index]['gpLayout']);
$currentLayout = display::OrConfig($index, 'gpLayout');
if ($currentLayout != $layout) {
$gp_titles[$index]['gpLayout'] = $layout;
}
if (!admin_tools::SavePagesPHP()) {
message($langmessage['OOPS'] . '(3)');
return false;
}
message($langmessage['SAVED']);
}
/**
* Prevent XSS attacks for logged in users by making sure the request contains a valid nonce
*
*/
static function CheckPosts()
{
if (count($_POST) == 0) {
return;
}
if (empty($_POST['verified'])) {
self::StripPost('XSS Verification Parameter Error');
return;
}
if (!common::verify_nonce('post', $_POST['verified'], true)) {
self::StripPost('XSS Verification Parameter Mismatch');
return;
}
}
/**
* Save a user submitted comment
*
*/
function CommentAdd()
{
global $langmessage;
// check the nonce
// includes the comment count so resubmissions won't work
if (!common::verify_nonce('easy_comments:' . count($this->comment_data), $_POST['nonce'], true)) {
$message = gpOutput::GetAddonText('Sorry, your comment was not saved.');
message($message);
return false;
}
//check captcha
if ($this->config['comment_captcha'] && gp_recaptcha::isActive()) {
if (!gp_recaptcha::Check()) {
//recaptcha::check adds message on failure
return false;
}
}
if (empty($_POST['name'])) {
$field = gpOutput::SelectText('Name');
message($langmessage['OOPS_REQUIRED'], $field);
return false;
}
if (empty($_POST['comment'])) {
$field = gpOutput::SelectText('Comment');
message($langmessage['OOPS_REQUIRED'], $field);
return false;
}
$temp = array();
$temp['name'] = htmlspecialchars($_POST['name']);
$temp['comment'] = nl2br(strip_tags($_POST['comment']));
$temp['time'] = time();
if (!empty($_POST['website']) && $_POST['website'] !== 'http://') {
$website = $_POST['website'];
if (strpos($website, '://') === false) {
$website = false;
}
if ($website) {
$temp['website'] = $website;
}
}
$index = $this->NewIndex();
$this->comment_data[$index] = $temp;
//save to index file first
if (!$this->UpdateIndex()) {
$message = gpOutput::GetAddonText('Sorry, your comment was not saved.');
message($message);
return false;
}
//then save actual comment
if ($this->SaveCommentData()) {
$message = gpOutput::GetAddonText('Your comment has been saved.');
message($message);
return true;
} else {
$message = gpOutput::GetAddonText('Sorry, your comment was not saved.');
message($message);
return false;
}
}
function MoveUp()
{
global $langmessage;
$move_key =& $_REQUEST['section'];
if (!isset($this->file_sections[$move_key])) {
message($langmessage['OOPS']);
return false;
}
if (!common::verify_nonce('move_up' . $move_key)) {
message($langmessage['OOPS']);
return false;
}
$move_content = $this->file_sections[$move_key];
$file_keys = array_keys($this->file_sections);
$file_values = array_values($this->file_sections);
$insert_key = array_search($move_key, $file_keys);
if ($insert_key === null || $insert_key === false || $insert_key === 0) {
message($langmessage['OOPS']);
return false;
}
$prev_key = $insert_key - 1;
if (!isset($file_keys[$prev_key])) {
message($langmessage['OOPS']);
return false;
}
$old_sections = $this->file_sections;
//rebuild
$new_sections = array();
foreach ($file_values as $temp_key => $file_value) {
if ($temp_key === $prev_key) {
$new_sections[] = $move_content;
} elseif ($temp_key === $insert_key) {
//moved section
continue;
}
$new_sections[] = $file_value;
}
$this->file_sections = $new_sections;
if (!$this->SaveThis()) {
$this->file_sections = $old_sections;
message($langmessage['OOPS'] . '(4)');
return;
}
}
function SendMessage()
{
global $langmessage, $config, $gp_mailer;
includeFile('tool/email_mailer.php');
$headers = array();
$_POST += array('subject' => '', 'contact_nonce' => '', 'message' => '');
if (empty($_POST['message'])) {
msg($langmessage['OOPS'] . '(Invalid Message)');
return;
}
//check nonce
if (!common::verify_nonce('contact_post', $_POST['contact_nonce'], true)) {
msg($langmessage['OOPS'] . '(Invalid Nonce)');
return;
}
if (!empty($_POST['contact_void'])) {
msg($langmessage['OOPS'] . '(Robot Detected)');
return;
}
//captcha
if (!gp_recaptcha::Check()) {
return;
}
if (!gpPlugin::Filter('contact_form_check', array(true))) {
return;
}
//subject
$_POST['subject'] = strip_tags($_POST['subject']);
//message
$tags = '<p><div><span><font><b><i><tt><em><i><a><strong><blockquote>';
$message = nl2br(strip_tags($_POST['message'], $tags));
//reply name
if (!empty($_POST['email'])) {
//check format
if (!$this->ValidEmail($_POST['email'])) {
msg($langmessage['invalid_email']);
return false;
}
$replyName = str_replace(array("\r", "\n"), array(' '), $_POST['name']);
$replyName = strip_tags($replyName);
$replyName = htmlspecialchars($replyName);
$gp_mailer->AddReplyTo($_POST['email'], $replyName);
if (common::ConfigValue('from_use_user', false)) {
$gp_mailer->SetFrom($_POST['email'], $replyName);
}
}
//check for required values
$require_email =& $config['require_email'];
if (strpos($require_email, 'email') !== false) {
if (empty($_POST['email'])) {
$field = gpOutput::SelectText('your_email');
msg($langmessage['OOPS_REQUIRED'], $field);
return false;
}
}
if (strpos($require_email, 'none') === false) {
if (empty($_POST['subject'])) {
$field = gpOutput::SelectText('subject');
msg($langmessage['OOPS_REQUIRED'], $field);
return false;
}
if (empty($message)) {
$field = gpOutput::SelectText('message');
msg($langmessage['OOPS_REQUIRED'], $field);
return false;
}
}
if ($gp_mailer->SendEmail($config['toemail'], $_POST['subject'], $message)) {
msg($langmessage['message_sent']);
return true;
}
msg($langmessage['OOPS'] . ' (Send Failed)');
return false;
}
/**
* Delete a single file or folder
*
*/
function DeleteConfirmed()
{
global $langmessage, $page;
if ($this->isThumbDir) {
return false;
}
if (!common::verify_nonce('delete')) {
message($langmessage['OOPS'] . ' (Invalid Nonce)');
return;
}
$file = $this->CheckFile();
if (!$file) {
return;
}
$full_path = $this->currentDir . '/' . $file;
$rel_path = common::GetDir('/data/_uploaded' . $this->subdir . '/' . $file);
if (!gpFiles::RmAll($full_path)) {
message($langmessage['OOPS']);
return;
}
$page->ajaxReplace[] = array('img_deleted', '', $rel_path);
return;
}
