/**
 * Evaluate a piece of XThreads PHP-template text and return the rendered string.
 *
 * The text is first passed through xthreads_sanitize_eval() and only then handed
 * to eval_str(); both helpers live in inc/xthreads/xt_phptpl_lib.php, which is
 * loaded here on demand. Template text reaching this function is executed as
 * code, so callers must only feed it admin-authored templates, never user input.
 *
 * @param string $s  Template source text
 * @return string    Result of evaluating the sanitised template
 */
function xthreads_phptpl_eval_text($s)
{
    require_once MYBB_ROOT . 'inc/xthreads/xt_phptpl_lib.php';

    // work on a copy so the sanitiser's in-place rewrite stays local to this call
    $source = $s;
    xthreads_sanitize_eval($source);

    return eval_str($source);
}
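/**
 * Build the thread-field input widgets for the new-thread / edit-thread form.
 *
 * Populates the globals $tfinput (widget HTML per field key), $tfinputrow (widget
 * wrapped in the post_threadfields_inputrow template) and $extra_threadfields
 * (the concatenated rows whose field is not flagged XTHREADS_HIDE_INPUT).
 *
 * Value precedence for each field: submitted $data[$k] > stored thread value
 * (when $tid is given) > the field's configured default (eval_str of defaultval,
 * not used for file fields).
 *
 * Fixes relative to the previous revision:
 *  - $defval is reset per field; previously a file field with no submitted and no
 *    stored value inherited the previous field's value and treated it as attachment IDs.
 *  - attachment IDs are cast to int before being interpolated into the xtattachments
 *    query (the per-item is_numeric() check did not cover the IN(...) list itself).
 *  - ATTACH_MD5_TITLE / REMOVE_CHECKED are reset per attachment so one attachment's
 *    state no longer carries over to the ones rendered after it.
 *
 * @param array|null $data          Field values to pre-fill, keyed by field key (presumably the
 *                                  submitted form data — confirm at call sites); null if none
 * @param array      $threadfields  Thread-field definitions keyed by field key (admin config)
 * @param int        $fid           Forum ID; accepted for interface compatibility, not used here
 * @param int        $tid           Thread ID when editing; 0 for a new thread
 */
function xthreads_input_generate(&$data, &$threadfields, $fid, $tid = 0)
{
    global $tfinput, $tfinputrow, $extra_threadfields, $lang, $xthreads_threadin_tabindex_shift, $mybb;

    if (!$lang->xthreads_attachfile) {
        $lang->load('xthreads');
    }

    // if a thread ID is supplied, grab the current values (cached per tid for this request)
    if ($tid) {
        static $tfd_cache = null;
        if (!isset($tfd_cache)) {
            $tfd_cache = array();
        }
        if (!isset($tfd_cache[$tid])) {
            // we should only ever have one thread, but we'll be flexible...
            global $db;
            $tfd_cache[$tid] = $db->fetch_array($db->simple_select('threadfields_data', '*', 'tid=' . (int) $tid));
        }
        $tfd =& $tfd_cache[$tid];
    }

    $tfinput = $tfinputrow = array();
    $extra_threadfields = '';

    foreach ($threadfields as $k => $tf) {
        $tf['title'] = htmlspecialchars_uni($tf['title']);
        $tf['field'] = htmlspecialchars_uni($tf['field']);
        $tf['desc'] = htmlspecialchars_uni($tf['desc']);

        // template variables shared by every input type
        $vars = array(
            'KEY' => $tf['field'],
            'NAME_PROP' => ' name="xthreads_' . $tf['field'] . '"',
            'MAXLEN' => (int) $tf['maxlen'],
            'WIDTH' => (int) $tf['fieldwidth'],
            'HEIGHT' => (int) $tf['fieldheight'],
            'TABINDEX' => '',
            'TABINDEX_PROP' => '',
            'REQUIRED' => $tf['editable'] == XTHREADS_EDITABLE_REQ,
            'MULTIPLE' => xthreads_empty($tf['multival']) ? '' : 1,
            'MULTIPLE_LIMIT' => $tf['multival_limit'],
            'MULTIPLE_PROP' => '',
        );
        if ($vars['MAXLEN']) {
            $vars['MAXLEN_PROP'] = ' maxlength="' . $vars['MAXLEN'] . '"';
        }
        if ($vars['WIDTH']) {
            $vars['WIDTH_PROP_SIZE'] = ' size="' . $vars['WIDTH'] . '"';
            // only used for select box [in Firefox, seems we need to divide by 2 to get the equivalent width]
            $vars['WIDTH_CSS'] = 'width: ' . $vars['WIDTH'] / 2 . 'em;';
            $vars['WIDTH_PROP_COLS'] = ' cols="' . $vars['WIDTH'] . '"';
        }
        if (!$vars['HEIGHT'] && !xthreads_empty($tf['multival'])) {
            $vars['HEIGHT'] = 5;
        }
        if ($vars['HEIGHT']) {
            $vars['HEIGHT_PROP_SIZE'] = ' size="' . $vars['HEIGHT'] . '"';
            $vars['HEIGHT_CSS'] = 'height: ' . $vars['HEIGHT'] / 2 . 'em;';
            $vars['HEIGHT_PROP_ROWS'] = ' rows="' . $vars['HEIGHT'] . '"';
        }
        if ($vars['MULTIPLE']) {
            $vars['MULTIPLE_PROP'] = ' multiple="multiple"';
        }
        if ($vars['REQUIRED']) {
            $vars['REQUIRED_PROP'] = ' required="required"';
        }

        // Determine the value to pre-fill. Start from '' so nothing leaks over from the
        // previous field when none of the branches below applies (file field, new thread).
        $using_default = false;
        $defval = '';
        if (!isset($data)) {
            // no threadfield data set for this thread
            $defval = '';
        } elseif (isset($data[$k])) {
            $defval = $data[$k];
        } elseif ($tid) {
            // currently set value
            $defval = $tfd[$k];
        } elseif ($tf['inputtype'] != XTHREADS_INPUT_FILE) {
            // we don't want $defval to be an array for textual inputs, so split it later
            $defval = eval_str($tf['defaultval']);
            $using_default = true;
        }

        unset($defvals);
        switch ($tf['inputtype']) {
            case XTHREADS_INPUT_SELECT:
            case XTHREADS_INPUT_RADIO:
            case XTHREADS_INPUT_CHECKBOX:
                $vals = $tf['vallist'];
                if (!xthreads_empty($tf['multival'])) {
                    if ($using_default) {
                        $defval = explode("\n", str_replace("\r", '', $defval));
                    }
                    if (is_array($defval)) {
                        // reference on purpose: the escaped list below is written back to $defval
                        $defvals =& $defval;
                    } else {
                        $defvals = explode("\n", str_replace("\r", '', $defval));
                    }
                    $defvals = array_map('htmlspecialchars_uni', $defvals);
                    unset($vals['']);
                } elseif ($tf['editable'] != XTHREADS_EDITABLE_REQ && $tf['inputtype'] != XTHREADS_INPUT_CHECKBOX) {
                    if (!isset($vals[''])) {
                        // can't array_unshift with a key...
                        $vals = array('' => '<span style="font-style: italic;">' . $lang->xthreads_val_blank . '</span>') + $vals;
                    }
                } else {
                    unset($vals['']);
                }
                break;

            case XTHREADS_INPUT_FILE:
                if (!xthreads_empty($tf['multival']) && !is_array($defval)) {
                    $defval = explode(',', $defval);
                }
        }

        // escape scalar values for HTML; file values are attachment IDs, not displayed text
        if (!isset($defvals) && ($tf['inputtype'] != XTHREADS_INPUT_FILE && $tf['inputtype'] != XTHREADS_INPUT_FILE_URL)) {
            $defval = htmlspecialchars_uni($defval);
        }

        if ($tf['tabstop']) {
            $vars['TABINDEX'] = ++$xthreads_threadin_tabindex_shift + 1;
            $vars['TABINDEX_PROP'] = ' tabindex="__xt_' . $vars['TABINDEX'] . '"';
            xthreads_fix_tabindexes();
        }

        // a field with custom formhtml is rendered by its xthreads_evalcache_<field>() function,
        // otherwise by the stock generator for its input type (both are expected to exist already)
        if ($tf['formhtml']) {
            $evalfunc = 'xthreads_evalcache_' . $tf['field'];
        } else {
            $evalfunc = 'xthreads_input_generate_defhtml_' . $tf['inputtype'];
        }

        switch ($tf['inputtype']) {
            case XTHREADS_INPUT_TEXTAREA:
                $vars['VALUE'] =& $defval;
                break;

            case XTHREADS_INPUT_SELECT:
                if (!xthreads_empty($tf['multival'])) {
                    $vars['NAME_PROP'] = ' name="xthreads_' . $tf['field'] . '[]"';
                }
                $vars['ITEMS'] = '';
                foreach ($vals as $val => $valdisp) {
                    // skip values xthreads_tfvalue_settable() rejects, unless it is the thread's current value
                    if ((!$tid || $tfd[$k] != $val) && !xthreads_tfvalue_settable($tf, $val)) {
                        continue;
                    }
                    $val = htmlspecialchars_uni($val);
                    $vars['VALUE'] =& $val;
                    $vars['SELECTED'] = isset($defvals) && in_array($val, $defvals) || $defval === $val ? ' selected="selected"' : '';
                    // a display value wrapped in <span style="..."> is split into label + inline CSS
                    if (preg_match('~^\\<span style\\="([^"]*?)"\\>(.*)\\</span\\>$~is', $valdisp, $style)) {
                        $vars['LABEL'] = $style[2];
                        $vars['STYLECSS'] = $style[1];
                        $vars['STYLE'] = ' style="' . $vars['STYLECSS'] . '"';
                    } else {
                        $vars['LABEL'] = $valdisp;
                        $vars['STYLE'] = $vars['STYLECSS'] = '';
                    }
                    $vars['LABEL'] = htmlspecialchars_uni($vars['LABEL']);
                    $vars['ITEMS'] .= $evalfunc('formhtml_item', $vars);
                }
                break;

            case XTHREADS_INPUT_CHECKBOX:
                $vars['NAME_PROP'] = ' name="xthreads_' . $tf['field'] . '[]"';
                // fall through
            case XTHREADS_INPUT_RADIO:
                $vars['ITEMS'] = '';
                foreach ($vals as $val => &$valdisp) {
                    if ((!$tid || $tfd[$k] != $val) && !xthreads_tfvalue_settable($tf, $val)) {
                        continue;
                    }
                    $val = htmlspecialchars_uni($val);
                    if (isset($defvals) && in_array($val, $defvals) || $defval === $val) {
                        $vars['SELECTED'] = ' selected="selected"';
                        $vars['CHECKED'] = ' checked="checked"';
                    } else {
                        $vars['SELECTED'] = $vars['CHECKED'] = '';
                    }
                    $vars['VALUE'] =& $val;
                    $vars['LABEL'] =& $valdisp;
                    $vars['ITEMS'] .= $evalfunc('formhtml_item', $vars);
                    $vars['TABINDEX_PROP'] = ''; // or maybe make each thing tabbable?
                }
                unset($valdisp); // drop the by-reference loop variable
                break;

            case XTHREADS_INPUT_FILE:
                if (!xthreads_empty($tf['multival'])) {
                    $vars['NAME_PROP'] = ' name="xthreads_' . $tf['field'] . '[]"';
                    // lame language hack
                    $GLOBALS['lang_xthreads_attachfile'] = $lang->xthreads_attachfile_plural;
                    $GLOBALS['lang_xthreads_attachurl'] = $lang->xthreads_attachurl_plural;
                } else {
                    $GLOBALS['lang_xthreads_attachfile'] = $lang->xthreads_attachfile;
                    $GLOBALS['lang_xthreads_attachurl'] = $lang->xthreads_attachurl;
                }
                $vars['MAXSIZE'] = $tf['filemaxsize'];
                $vars['RESTRICT_TYPE'] = $tf['fileimage'] ? 'image' : '';
                $vars['ACCEPT_PROP'] = $vars['RESTRICT_TYPE'] ? ' accept="' . $vars['RESTRICT_TYPE'] . '/*"' : '';

                if (XTHREADS_ALLOW_URL_FETCH) {
                    // TODO: test if this environment can really fetch URLs
                    $vars['VALUE_URL'] = htmlspecialchars_uni($mybb->input['xtaurl_' . $tf['field']]);
                    if (xthreads_empty($vars['VALUE_URL'])) {
                        $vars['VALUE_URL'] = 'http://';
                    }
                    // a URL was typed, or "url" was explicitly selected -> preselect the URL option
                    if ($vars['VALUE_URL'] != 'http://' || $mybb->input['xtasel_' . $tf['field']] == 'url') {
                        $vars['CHECKED_UPLOAD'] = '';
                        $vars['SELECTED_UPLOAD'] = '';
                        $vars['CHECKED_URL'] = ' checked="checked"';
                        $vars['SELECTED_URL'] = ' selected="selected"';
                    } else {
                        $vars['CHECKED_UPLOAD'] = ' checked="checked"';
                        $vars['SELECTED_UPLOAD'] = ' selected="selected"';
                        $vars['CHECKED_URL'] = '';
                        $vars['SELECTED_URL'] = '';
                    }
                }

                $vars['ITEMS'] = '';
                global $xta_cache, $db;
                if ($defval) {
                    foreach (is_array($defval) ? $defval : array($defval) as $aid) {
                        if (!$aid || !is_numeric($aid)) {
                            continue;
                        }
                        if (!isset($xta_cache[$aid])) {
                            // the cache is filled at most once per request; a later field whose IDs
                            // are not covered by this query falls through with an empty cache entry
                            static $done_xta_cache = false;
                            if (!$done_xta_cache) {
                                $done_xta_cache = true;
                                $qextra = '';
                                if ($mybb->input['posthash']) {
                                    $qextra .= ' OR posthash="' . $db->escape_string($mybb->input['posthash']) . '"';
                                }
                                if ($GLOBALS['thread']['tid']) {
                                    $qextra .= ' OR tid=' . (int) $GLOBALS['thread']['tid'];
                                }
                                // $defval may carry submitted values: cast every ID before it reaches SQL
                                // (the is_numeric() check above only skips the current item, not the list)
                                $aids = array_map('intval', is_array($defval) ? $defval : array($defval));
                                $query = $db->simple_select('xtattachments', '*', 'aid IN(' . implode(',', $aids) . ')' . $qextra);
                                while ($xta = $db->fetch_array($query)) {
                                    $xta_cache[$xta['aid']] = $xta;
                                }
                                $db->free_result($query);
                                unset($xta);
                            }
                        }

                        // per-attachment state: reset so one item cannot inherit the previous item's values
                        $vars['ATTACH_MD5_TITLE'] = '';
                        $vars['REMOVE_CHECKED'] = '';
                        xthreads_sanitize_disp_set_xta_fields($vars['ATTACH'], $aid, $tf);
                        if (isset($vars['ATTACH']['md5hash'])) {
                            $vars['ATTACH_MD5_TITLE'] = ' title="' . $lang->sprintf($lang->xthreads_md5hash, $vars['ATTACH']['md5hash']) . '" ';
                        }
                        // xtarm_<field> is either an array keyed by aid (multi) or a single flag
                        if (is_array($mybb->input['xtarm_' . $tf['field']])) {
                            if ($mybb->input['xtarm_' . $tf['field']][$aid]) {
                                $vars['REMOVE_CHECKED'] = ' checked="checked"';
                            }
                        } else {
                            if ($mybb->input['xtarm_' . $tf['field']]) {
                                $vars['REMOVE_CHECKED'] = ' checked="checked"';
                            }
                        }
                        $vars['ITEMS'] .= $evalfunc('formhtml_item', $vars);
                    }
                }
                break;

            case XTHREADS_INPUT_FILE_URL:
                // TODO:
                break;

            default: // text
                $vars['VALUE'] =& $defval;
                if (!xthreads_empty($tf['multival'])) {
                    $defval = str_replace("\n", ', ', $defval);
                }
                break;
        }

        $tfinput[$k] = $evalfunc('formhtml', $vars);

        // $altbg and $inputfield are read by the template evaluated below, not by this code
        $altbg = alt_trow();
        $inputfield =& $tfinput[$k];
        // MyBB template evaluation; the template text is admin-controlled, not request input
        eval('$tfinputrow[$k] = "' . $GLOBALS['templates']->get('post_threadfields_inputrow') . '";');
        if (!($tf['hidefield'] & XTHREADS_HIDE_INPUT)) {
            $extra_threadfields .= $tfinputrow[$k];
        }
    }
}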
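/**
 * Apply a moderation-tool "custom thread field edit" to a set of threads.
 *
 * $editstr holds one `field=value` assignment per line; a line break inside a value is
 * written as "{\n}". Every value goes through xthreads_sanitize_eval() and is then
 * evaluated per thread with eval_str() (VALUE = the stored value, TID = the thread ID),
 * so the value is executed as template code. This is an admin-trust code path: the
 * function does not validate the value beyond the NULL handling and multival cleanup
 * below, and must never be reached with user-supplied $editstr.
 *
 * Unknown field names and file fields are skipped. For non-text data types a value that
 * evaluates to '' / NULL / NUL clears the field. Rows are written with
 * xthreads_db_update_replace() only when the evaluated value differs from the stored one.
 *
 * Hardening relative to the previous revision: thread IDs are cast to int before being
 * interpolated into SQL, and an empty ID list returns early instead of emitting `IN ()`.
 *
 * @param array  $tids     Thread IDs to update
 * @param string $editstr  Newline-separated `field=value` lines; empty string is a no-op
 */
function xthreads_moderation_custom_do(&$tids, $editstr)
{
    if (!$editstr) {
        return;
    }

    // caching stuff
    static $threadfields = null;
    if (!isset($threadfields)) {
        $threadfields = xthreads_gettfcache(); // grab all threadfields
    }
    require_once MYBB_ROOT . 'inc/xthreads/xt_phptpl_lib.php';

    $edits = array();
    // "{\n}" marks an escaped line break inside a value: park it as \r so the real
    // newlines can be split on first, then turn it back into \n per line
    foreach (explode("\n", str_replace("{\n}", "\r", str_replace("\r", '', $editstr))) as $editline) {
        $editline = trim(str_replace("\r", "\n", $editline));
        list($n, $v) = explode('=', $editline, 2);
        if (!isset($v)) {
            continue;
        }
        // don't allow editing of file fields
        if (!isset($threadfields[$n]) || $threadfields[$n]['inputtype'] == XTHREADS_INPUT_FILE) {
            continue;
        }
        // we don't do much validation here as we trust admins, right?
        // this is just a prelim check (speed optimisation) - we'll need to check this again after evaluating conditionals
        $upperv = strtoupper($v);
        if (($upperv === '' || $upperv == 'NULL' || $upperv == 'NUL') && $threadfields[$n]['datatype'] != XTHREADS_DATATYPE_TEXT) {
            $edits[$n] = null;
        } else {
            $edits[$n] = $v;
            xthreads_sanitize_eval($edits[$n], array('VALUE' => null, 'TID' => null));
        }
    }
    if (empty($edits)) {
        return;
    }

    // only known field names reach the column list (checked against the cache above);
    // only integer thread IDs reach the WHERE clause
    $modfields = array_keys($edits);
    $qtids = array_map('intval', (array) $tids);
    if (empty($qtids)) {
        return; // `IN ()` is a syntax error, and there is nothing to update anyway
    }

    global $db;
    $query = $db->query(' SELECT t.tid, tfd.`' . implode('`, tfd.`', $modfields) . '` FROM ' . TABLE_PREFIX . 'threads t LEFT JOIN ' . TABLE_PREFIX . 'threadfields_data tfd ON t.tid=tfd.tid WHERE t.tid IN (' . implode(',', $qtids) . ') ');

    while ($thread = $db->fetch_array($query)) {
        $updates = array();
        foreach ($edits as $n => $v) {
            if ($v !== null) {
                // TODO: allowing conditionals direct access to multivals?
                $v = trim(eval_str($v, array('VALUE' => $thread[$n], 'TID' => $thread['tid'])));
                if ($threadfields[$n]['datatype'] != XTHREADS_DATATYPE_TEXT) {
                    // re-check after evaluation: a conditional may have produced the NULL marker
                    $upperv = strtoupper($v);
                    if ($upperv == '' || $upperv == 'NULL' || $upperv == 'NUL') {
                        $v = null;
                    }
                    // TODO: intval/floatval here?
                }
            }
            if ($v !== $thread[$n]) {
                // we'll do some basic validation for multival fields
                if (!xthreads_empty($threadfields[$n]['multival'])) {
                    $d = "\n";
                    if ($threadfields[$n]['inputtype'] == XTHREADS_INPUT_TEXT) {
                        $d = ',';
                    }
                    // trim, de-duplicate and drop empty entries, then re-join with the field's delimiter
                    $v = array_unique(array_map('trim', explode($d, str_replace("\r", '', $v))));
                    foreach ($v as $key => &$val) {
                        if (xthreads_empty($val)) {
                            unset($v[$key]);
                        }
                    }
                    unset($val); // drop the by-reference loop variable before $v is reassigned
                    $v = implode($d, $v);
                }
                $updates[$n] = $v;
            }
        }
        if (!empty($updates)) {
            xthreads_db_update_replace('threadfields_data', $updates, 'tid', $thread['tid']);
        }
    }
    $db->free_result($query);
}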