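/**
 * YOURLS filter callback: only let a long URL through when its host is covered
 * by the configured whitelist ($allowed_domains).
 *
 * Returns $success untouched when the host is whitelisted, otherwise a
 * YOURLS-style fail array. The filter runs *before* YOURLS escapes the URL
 * itself, so escaping is done (a first time) here as well
 * (https://github.com/YOURLS/YOURLS/blob/master/includes/functions.php#L185).
 *
 * Whitelist entries are arrays with either a 'regexp' key (PCRE pattern tried
 * against the host) or a 'domain' key (host must equal it, or end with it at a
 * label boundary). An entry with neither key is ignored.
 *
 * @param mixed  $success value to return when the URL is allowed
 * @param string $url     long URL as submitted
 * @param string $keyword passed by the filter, unused here
 * @param string $title   passed by the filter, unused here
 * @return mixed $success, or array{status:string,code:string,message:string,errorCode:int}
 */
function svenk_check_whitelisted_domain($success, $url, $keyword, $title)
{
    $url = yourls_escape(yourls_sanitize_url(yourls_encodeURI($url)));
    $url_host = parse_url($url, PHP_URL_HOST);

    if (!$url_host) {
        // Host part cannot be determined: fail with a YOURLS fail array rather
        // than yourls_die() (this replaces line 191 of functions.php).
        return array(
            'status'    => 'fail',
            'code'      => 'error:nourl',
            'message'   => 'During whitelist check, cannot determine host of URL. Probably missing or malformed URL',
            'errorCode' => 400,
        );
    }

    /* The whitelist configuration must be present. If it is missing or not an
       array we fail closed (nothing is whitelisted) instead of iterating over
       a non-array. */
    global $allowed_domains;
    if (is_array($allowed_domains)) {
        foreach ($allowed_domains as $allowed_domain) {
            if (isset($allowed_domain['regexp'])) {
                // regexp entry: the pattern decides
                if (preg_match($allowed_domain['regexp'], $url_host)) {
                    return $success;
                }
            } elseif (isset($allowed_domain['domain'])) {
                // domain entry: suffix match, anchored on a label boundary so
                // that 'example.com' does not also admit 'evilexample.com'.
                if (svenk_host_matches_domain($url_host, $allowed_domain['domain'])) {
                    return $success;
                }
            }
        }
    }

    /* URL is not whitelisted. Fail verbosely (a 403 via yourls_die() was the
       previous behaviour; the fail array lets the API/UI report it). */
    return array(
        'status'    => 'fail',
        'code'      => 'error:whitelist',
        'message'   => 'This domain is not whitelisted.',
        'errorCode' => 400,
    );
}

/**
 * Does $host belong to $domain?
 *
 * True when $host equals $domain, or ends with $domain and the match sits on a
 * label boundary: either $domain itself starts with a dot ('.example.com') or
 * the character in $host just before the suffix is a dot. Comparison is
 * case-insensitive (DNS names are). An empty $domain never matches.
 *
 * @param string $host   host name taken from the URL
 * @param string $domain whitelist entry
 * @return bool
 */
function svenk_host_matches_domain($host, $domain)
{
    $host   = strtolower((string) $host);
    $domain = strtolower((string) $domain);

    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }

    $dlen = strlen($domain);
    if (strlen($host) <= $dlen || substr($host, -$dlen) !== $domain) {
        return false;
    }

    // Suffix matches; require a label boundary unless the entry carries its own dot.
    if ($domain[0] === '.') {
        return true;
    }
    return substr($host, -$dlen - 1, 1) === '.';
}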
/**
 * Fetch the body of a remote URL through the HTTP transport YOURLS detects for it.
 *
 * @param string $url     URL to fetch; passed through yourls_sanitize_url() first
 * @param int    $maxlen  maximum number of bytes to read (default 4096)
 * @param int    $timeout request timeout in seconds (default 5)
 * @return mixed whatever the transport returned, or false when no transport is
 *               available; in both cases after the 'get_remote_content' filter
 */
function yourls_get_remote_content($url, $maxlen = 4096, $timeout = 5)
{
    $url = yourls_sanitize_url($url);
    $transport = yourls_get_http_transport($url);

    // NOTE(review): nothing in this function restricts the destination host.
    // If $url can come from an untrusted caller, consider SSRF towards internal
    // addresses — confirm whether yourls_sanitize_url() or the transport filters it.
    $content = false;
    if ($transport) {
        $fetcher = 'yourls_get_remote_content_' . $transport;
        $content = $fetcher($url, $maxlen, $timeout);
    }

    return yourls_apply_filter('get_remote_content', $content, $url, $maxlen, $timeout);
}
/**
 * Antispam hook run when a new link is added.
 *
 * Returns false to let YOURLS continue normally; returns a YOURLS fail array
 * when the (http/https) URL is on the blacklist. Non-http(s) URLs are not
 * checked at all.
 *
 * @param mixed  $false value handed in by the filter (ignored)
 * @param string $url   long URL being added
 * @return false|array{status:string,code:string,message:string,errorCode:string}
 */
function ozh_yourls_antispam_check_add($false, $url)
{
    // Sanitize URL and make sure there's a protocol
    $url = yourls_sanitize_url($url);

    // Only http(s) URLs are checked; anything else goes through untouched.
    $checked_protocols = array('http://', 'https://');
    if (!in_array(yourls_get_protocol($url), $checked_protocols)) {
        return false;
    }

    $blacklisted = ozh_yourls_antispam_is_blacklisted($url);
    if ($blacklisted != false) {
        return array(
            'status'    => 'fail',
            'code'      => 'error:spam',
            'message'   => 'This domain is blacklisted',
            'errorCode' => '403',
        );
    }

    // All clear, not interrupting the normal flow of events
    return false;
}
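/**
 * Render one <tr> of the admin links table for a short URL.
 *
 * Every value is escaped for the context it is printed in: the keyword via
 * htmlentities()/htmlspecialchars(), the URL via htmlspecialchars() for
 * attributes and htmlentities() for the visible text, the title via
 * yourls_sanitize_title() then htmlspecialchars(). Compared to the previous
 * version, the IP cell, the hidden keyword input, the visible title and the
 * href attributes are now escaped as well; the raw values are still handed to
 * the 'action_links' and 'table_add_row' filters unchanged.
 *
 * The parameter order (optional $title before $ip) is kept for existing
 * callers; the later parameters simply received defaults so that PHP 8 does
 * not warn about an optional parameter preceding required ones.
 *
 * @param string $keyword   short keyword
 * @param string $url       long URL
 * @param string $title     page title, '' for none
 * @param string $ip        IP the link was created from
 * @param int    $clicks    click count
 * @param int    $timestamp creation time (unix timestamp)
 * @return string the row HTML, after the 'table_add_row' filter
 */
function mu_table_add_row($keyword, $url, $title = '', $ip = '', $clicks = 0, $timestamp = 0)
{
    $keyword = yourls_sanitize_string($keyword);
    $display_keyword = htmlentities($keyword);
    $attr_keyword = htmlspecialchars($keyword, ENT_QUOTES); // hidden input value=""

    $url = yourls_sanitize_url($url);
    $display_url = htmlentities(yourls_trim_long_string($url));
    $title_url = htmlspecialchars($url); // href="" / title="" attribute form

    $title = yourls_sanitize_title($title);
    $display_title = htmlspecialchars(yourls_trim_long_string($title));
    $title = htmlspecialchars($title);

    $display_ip = htmlspecialchars($ip);

    $id = yourls_string2htmlid($keyword); // used as HTML #id
    $date = date('M d, Y H:i', $timestamp + YOURLS_HOURS_OFFSET * 3600);
    $clicks = number_format($clicks, 0, '', '');

    $shorturl = YOURLS_SITE . '/' . $keyword;
    $statlink = $shorturl . '+';
    if (yourls_is_ssl()) {
        $statlink = str_replace('http://', 'https://', $statlink);
    }

    // The sanitized URL is not guaranteed to be attribute-safe; always use the
    // escaped form inside href="" (the title="" attribute already did).
    if ($title) {
        $display_link = "<a href=\"{$title_url}\" title=\"{$title}\">{$display_title}</a><br/><small><a href=\"{$title_url}\" title=\"{$title_url}\">{$display_url}</a></small>";
    } else {
        $display_link = "<a href=\"{$title_url}\" title=\"{$title_url}\">{$display_url}</a>";
    }

    $delete_link = yourls_nonce_url(
        'delete-link_' . $id,
        yourls_add_query_arg(array('id' => $id, 'action' => 'delete', 'keyword' => $keyword), muAdminUrl('admin-ajax.php'))
    );
    $edit_link = yourls_nonce_url(
        'edit-link_' . $id,
        yourls_add_query_arg(array('id' => $id, 'action' => 'edit', 'keyword' => $keyword), muAdminUrl('admin-ajax.php'))
    );

    $actions = <<<ACTION
<a href="{$statlink}" id="statlink-{$id}" title="Stats" class="button button_stats">Stats</a><a href="" id="share-button-{$id}" name="share-button" title="Share" class="button button_share" onclick="toggle_share('{$id}');return false;">Share</a><a href="{$edit_link}" id="edit-button-{$id}" name="edit-button" title="Edit" class="button button_edit" onclick="edit('{$id}');return false;">Edit</a><a href="{$delete_link}" id="delete-button-{$id}" name="delete-button" title="Delete" class="button button_delete" onclick="remove('{$id}');return false;">Delete</a>
ACTION;
    $actions = yourls_apply_filter('action_links', $actions, $keyword, $url, $ip, $clicks, $timestamp);

    $row = <<<ROW
<tr id="id-{$id}"><td id="keyword-{$id}" class="keyword"><a href="{$shorturl}">{$display_keyword}</a></td><td id="url-{$id}" class="url">{$display_link}</td><td id="timestamp-{$id}" class="timestamp">{$date}</td><td id="ip-{$id}" class="ip">{$display_ip}</td><td id="clicks-{$id}" class="clicks">{$clicks}</td><td class="actions" id="actions-{$id}">{$actions}<input type="hidden" id="keyword_{$id}" value="{$attr_keyword}"/></td></tr>
ROW;
    $row = yourls_apply_filter('table_add_row', $row, $keyword, $url, $title, $ip, $clicks, $timestamp);

    return $row;
}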
break; case 'url': $search_in_text = yourls__('URL'); $search_in = 'url'; break; case 'title': $search_in_text = yourls__('Title'); $search_in = 'title'; break; case 'ip': $search_in_text = yourls__('IP Address'); $search_in = 'ip'; break; } $search_sentence = yourls_s('Searching for <strong>%1$s</strong> in <strong>%2$s</strong>.', yourls_esc_html($search), yourls_esc_html($search_in_text)); $search_url = yourls_sanitize_url("&search={$search}&search_in={$search_in}"); $search_text = $search; $search = str_replace('*', '%', '*' . yourls_escape($search) . '*'); if ($search_in == 'all') { $where .= " AND CONCAT_WS('',`keyword`,`url`,`title`,`ip`) LIKE ('{$search}')"; // Search across all fields. The resulting SQL will be something like: // SELECT * FROM `yourls_url` WHERE CONCAT_WS('',`keyword`,`url`,`title`,`ip`) LIKE ("%ozh%") // CONCAT_WS because CONCAT('foo', 'bar’, NULL) = NULL. NULL wins. Not sure if values can be NULL now or in the future, so better safe. // TODO: pay attention to this bit when the DB schema changes } else { $where .= " AND `{$search_in}` LIKE ('{$search}')"; } } // Time span if (!empty($_GET['date_filter'])) { switch ($_GET['date_filter']) {
// Short URL: "/<keyword>" -> yourls-go.php performs the redirect.
// $pattern (the allowed keyword character class) is defined earlier in this file.
if (preg_match("@^([{$pattern}]+)/?\$@", $request, $matches)) {
    $keyword = isset($matches[1]) ? $matches[1] : '';
    $keyword = yourls_sanitize_keyword($keyword);
    yourls_do_action('load_template_go', $keyword);
    require_once YOURLS_ABSPATH . '/yourls-go.php';
    exit;
}

// Stats: "/<keyword>+" or "/<keyword>+all" -> yourls-infos.php.
if (preg_match("@^([{$pattern}]+)\\+(all)?/?\$@", $request, $matches)) {
    $keyword = isset($matches[1]) ? $matches[1] : '';
    $keyword = yourls_sanitize_keyword($keyword);
    // "+all" requests aggregated stats, honoured only when duplicate long URLs
    // are allowed. $aggregate is presumably read by yourls-infos.php — not visible here.
    $aggregate = isset($matches[2]) ? (bool) $matches[2] && yourls_allow_duplicate_longurls() : false;
    yourls_do_action('load_template_infos', $keyword);
    require_once YOURLS_ABSPATH . '/yourls-infos.php';
    exit;
}

// Prefix-n-Shorten sends to bookmarklet (doesn't work on Windows)
// A request that is itself a URL ("sho.rt/http://long/...") is sent to the admin
// page with the URL split into protocol / slashes / rest, each rawurlencoded.
if (preg_match("@^[a-zA-Z]+://.+@", $request, $matches)) {
    $url = yourls_sanitize_url($matches[0]);
    if ($parse = yourls_get_protocol_slashes_and_rest($url, array('up', 'us', 'ur'))) {
        yourls_do_action('load_template_redirect_admin', $url);
        $parse = array_map('rawurlencode', $parse);
        // Redirect to /admin/index.php?up=<url protocol>&us=<url slashes>&ur=<url rest>
        yourls_redirect(yourls_add_query_arg($parse, yourls_admin_url('index.php')), 302);
        exit;
    }
}

// Past this point this is a request the loader could not understand
yourls_do_action('loader_failed', $request);
yourls_redirect(YOURLS_SITE, 302);
exit;
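<?php
include 'header.php';

// Pre-fill the form from the request (e.g. a bookmarklet), after YOURLS sanitization.
$url     = isset($_REQUEST['url']) ? yourls_sanitize_url($_REQUEST['url']) : '';
$keyword = isset($_REQUEST['keyword']) ? yourls_sanitize_keyword($_REQUEST['keyword']) : '';
$title   = isset($_REQUEST['title']) ? yourls_sanitize_title($_REQUEST['title']) : '';
?>
<div class="content">
    <h2><?php yourls_e('Enter a new URL to shorten', 'isq_translation'); ?></h2>
    <form method="post" action="result.php" class="newurl">
        <div class="form-item full-width">
            <p><label for="url" class="primary"><?php yourls_e('Long URL', 'isq_translation'); ?></label></p>
            <p><label for="url" class="secondary"><?php yourls_e('Paste the long URL here. This is required.', 'isq_translation'); ?></label></p>
            <?php // yourls_sanitize_url() is not an HTML escaper; escape for the attribute context here. ?>
            <input type="url" id="url" name="url" value="<?php echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); ?>" autofocus>
        </div>
        <div class="halves">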
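/**
 * Get relative URL (eg 'abc' from 'http://sho.rt/abc')
 *
 * Treat indifferently http & https. If a URL isn't relative to the YOURLS install, return it as is
 * or return empty string if $strict is true.
 *
 * A URL counts as relative only when it *starts* with the YOURLS root. The
 * previous implementation used str_replace(), which removed every occurrence
 * of the root, so an external URL that merely contained it (e.g. in a query
 * string) was treated as relative and returned with that part cut out.
 *
 * @since 1.6
 * @param string $url URL to relativize
 * @param bool $strict if true and if URL isn't relative to YOURLS install, return empty string
 * @return string URL
 */
function yourls_get_relative_url($url, $strict = true)
{
    $url = yourls_sanitize_url($url);

    // Remove protocols to make it easier
    $noproto_url  = str_replace('https:', 'http:', $url);
    $noproto_site = str_replace('https:', 'http:', YOURLS_SITE);
    $root = $noproto_site . '/';

    // Strip the YOURLS root URL prefix : if the URL doesn't start with it, it isn't relative
    if (strpos($noproto_url, $root) === 0) {
        $_url = (string) substr($noproto_url, strlen($root));
    } else {
        $_url = $strict ? '' : $url;
    }

    return yourls_apply_filter('get_relative_url', $_url, $url);
}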
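/**
 * Keyword generator hook for the audiomark plugin.
 *
 * The $keyword argument is ignored: per the original author's note, YOURLS
 * does not hand the long URL to this hook, so it is read from $_REQUEST['url']
 * directly, sanitized with yourls_sanitize_url(), and passed to
 * create_short_url(). A request without a 'url' parameter now yields '' instead
 * of an undefined-index warning.
 *
 * @param string $keyword unused
 * @return mixed whatever create_short_url() returns
 */
function audiomark_create_keyword($keyword)
{
    $long_url = isset($_REQUEST['url']) ? $_REQUEST['url'] : '';
    return create_short_url(yourls_sanitize_url($long_url));
}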
$sort_order_sql = 'desc'; break; } } // Get URLs Count for current filter, total links in DB & total clicks list($total_urls, $total_clicks) = array_values(yourls_get_db_stats()); if ($where) { list($total_items, $total_items_clicks) = array_values(yourls_get_db_stats($where)); } else { $total_items = $total_urls; $total_items_clicks = false; } // This is a bookmarklet if (isset($_GET['u'])) { $is_bookmark = true; $url = yourls_sanitize_url($_GET['u']); $keyword = isset($_GET['k']) ? yourls_sanitize_keyword($_GET['k']) : ''; $title = isset($_GET['t']) ? yourls_sanitize_title($_GET['t']) : ''; $return = yourls_add_new_link($url, $keyword, $title); // If fails because keyword already exist, retry with no keyword if (isset($return['status']) && $return['status'] == 'fail' && isset($return['code']) && $return['code'] == 'error:keyword') { $msg = $return['message']; $return = yourls_add_new_link($url, '', $ydb); $return['message'] .= ' (' . $msg . ')'; } // Stop here if bookmarklet with a JSON callback function if (isset($_GET['jsonp']) && $_GET['jsonp'] == 'yourls') { $short = $return['shorturl'] ? $return['shorturl'] : ''; $message = $return['message']; header('Content-type: application/json'); echo "yourls_callback({'short_url':'{$short}','message':'{$message}'});";
/**
 * List every keyword that points to the given long URL.
 *
 * @param string $longurl long URL to look up
 * @return array|null keywords found by the DB layer, or NULL when duplicate
 *                    long URLs are disabled
 */
function yourls_get_duplicate_keywords($longurl)
{
    if (!yourls_allow_duplicate_longurls()) {
        return NULL;
    }

    global $ydb;

    // The DB layer here takes a query string, so the value is escaped with
    // yourls_escape() before being interpolated.
    $escaped_url = yourls_escape(yourls_sanitize_url($longurl));
    $sql = sprintf("SELECT `keyword` FROM `%s` WHERE `url` = '%s'", YOURLS_DB_TABLE_URL, $escaped_url);

    return $ydb->get_col($sql);
}
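/**
 * Fetch a remote page and extract its <title>, converted to UTF-8.
 *
 * Falls back to the URL itself when the page cannot be fetched or has no
 * (non-empty) title; when there is no title and the content starts with
 * 'Error', the content is used as the title (it is likely a transport error
 * message).
 *
 * The charset is taken from the remote page's <meta> tag and is therefore
 * untrusted: on PHP 8, mb_convert_encoding() throws a ValueError for an
 * unknown encoding name, which the former @ suppression did not catch. The
 * conversion is now guarded and a failed conversion keeps the raw title
 * instead of turning it into an empty string.
 *
 * @param string $url URL to fetch
 * @return string title, after yourls_sanitize_title() and the 'get_remote_title' filter
 */
function yourls_get_remote_title($url)
{
    require_once YOURLS_INC . '/functions-http.php';

    $url = yourls_sanitize_url($url);
    $content = yourls_get_remote_content($url);

    // If nothing came back, return url as title.
    // Todo: improve this with temporary title when shorturl_meta available?
    if (false === $content) {
        return $url;
    }

    $title = $charset = false;

    // look for <title>
    if (preg_match('/<title>(.*?)<\/title>/is', $content, $found)) {
        $title = $found[1];
    }

    // look for charset
    // <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    if (preg_match('/<meta[^>]*?charset=([^>]*?)\/?>/is', $content, $found)) {
        $charset = trim($found[1], '"\' ');
    }

    // if title not found, guess if returned content was actually an error message
    if ($title === false && strpos($content, 'Error') === 0) {
        $title = $content;
    }
    if ($title === false || $title === '') {
        $title = $url;
    }

    // Charset conversion. @ silences the warnings older mb_ versions emit on
    // illegal chars; the catch handles PHP 8 rejecting an invalid charset name.
    if (function_exists('mb_convert_encoding')) {
        try {
            if ($charset) {
                $converted = @mb_convert_encoding($title, 'UTF-8', $charset);
            } else {
                $converted = @mb_convert_encoding($title, 'UTF-8');
            }
        } catch (\ValueError $e) {
            $converted = false; // unknown/invalid encoding from the remote page
        }
        if ($converted !== false) {
            $title = $converted;
        }
    }

    // Remove HTML entities
    $title = html_entity_decode($title, ENT_QUOTES, 'UTF-8');

    // Strip out evil things
    $title = yourls_sanitize_title($title);

    return yourls_apply_filter('get_remote_title', $title, $url);
}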
/**
 * Updates the plugin configuration in the YOURLS database ('piwik_config' option).
 *
 * Only acts when $_POST['piwik_config'] is present and is an array. Each
 * submitted value is sanitized according to its key: 'site_id' is cast to int,
 * 'piwik_url' gets a trailing slash enforced and goes through
 * yourls_sanitize_url(), every other key goes through yourls_sanitize_title().
 * The SKU entry is derived from which add-on file ships next to this file
 * (donations.php, pro.php, or neither), never from the request.
 *
 * NOTE(review): no nonce/CSRF verification is visible in this function;
 * confirm the admin page handler that calls it checks one first.
 * NOTE(review): SKU is used as a bare constant; unless the plugin defines it
 * elsewhere this is an undefined constant (a fatal error on PHP 8) — confirm.
 *
 * @return bool|null false when saving the option threw, null otherwise
 */
function itfs_piwik_admin_settings_update()
{
    // Nothing to do unless a configuration update was submitted.
    if (!isset($_POST['piwik_config'])) {
        return;
    }

    $piwik_config = array();

    /**
     * There will be 2 additional modules. One for people who have donated
     * above a certain amount and a professional version.
     */
    $plugin_dir = dirname(__FILE__);
    if (file_exists($plugin_dir . '/donations.php')) {
        $piwik_config[SKU] = 'donations';
    } elseif (file_exists($plugin_dir . '/pro.php')) {
        $piwik_config[SKU] = 'pro';
    } else {
        $piwik_config[SKU] = 'free';
    }

    if (!is_array($_POST['piwik_config'])) {
        return;
    }

    // Sanitize each parameter according to its key.
    foreach ($_POST['piwik_config'] as $key => $value) {
        switch ($key) {
            case 'site_id':
                $piwik_config[$key] = intval($value);
                break;

            case 'piwik_url':
                // Site URL must end with a slash (or in /index.php). Stolen as-is from wp-piwik
                if (substr($value, -1, 1) != '/' && substr($value, -10, 10) != '/index.php') {
                    $value .= '/';
                }
                $piwik_config[$key] = yourls_sanitize_url($value);
                break;

            default:
                $piwik_config[$key] = yourls_sanitize_title($value);
                break;
        }
    }

    try {
        yourls_update_option('piwik_config', $piwik_config);
    } catch (Exception $e) {
        $message = "ITFS_PIWIK: Error when trying to save settings. " . $e->getMessage();
        error_log($message, 0);
        echo yourls_add_notice($message, 'message_error');
        return false;
    }
}