if (isset($engine->cleanGet['MYSQL']['ajax'])) { $result = array(); if (isset($engine->cleanPost['MYSQL']['action'])) { switch ($engine->cleanPost['MYSQL']['action']) { case 'updateUserProjects': $result = users::updateUserProjects(); break; default: break; } } else { if (isset($engine->cleanGet['MYSQL']['action'])) { switch ($engine->cleanGet['MYSQL']['action']) { case 'selectChoices': $field = forms::getField($engine->cleanGet["MYSQL"]['formID'], $engine->cleanGet["MYSQL"]['fieldName']); $fieldChoices = forms::getFieldChoices($field); $result = forms::drawFieldChoices($field, $fieldChoices); die($result); break; case 'searchFormFields': die(mfcsSearch::formFieldOptions($engine->cleanGet["MYSQL"]['formID'])); break; case 'paginationPerPage': $result = users::setField('pagination', $engine->cleanGet["MYSQL"]['perPage']); die(json_encode($result ? "TRUE" : "FALSE")); break; case 'paginationJumpToIDNO': $objects = objects::getAllObjectsForForm($engine->cleanGet['MYSQL']['formID'], "idno"); for ($I = 0; $I < count($objects); $I++) { if (strtolower($objects[$I]['idno']) == strtolower($engine->cleanGet['MYSQL']['idno'])) { header('Location: ' . localvars::get("siteroot") . "dataView/list.php?listType=form&formID=" . $engine->cleanGet['MYSQL']['formID'] . "&page=" . ceil($I / 25));
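/**
 * Build the HTML for an object insert/update form.
 *
 * @param mixed $formID   ID of the form whose fields are rendered
 * @param mixed $objectID ID of an existing object to edit, or NULL for an insert form
 * @param bool  $error    TRUE when re-rendering after a failed submission; the raw
 *                        POST values are then echoed back into the fields
 * @return string|false   The form markup, or FALSE when the form, the object or a
 *                        field's choice list could not be loaded
 */
public static function build($formID, $objectID = NULL, $error = FALSE) {
    $engine = EngineAPI::singleton();

    $form = self::get($formID);
    if ($form === FALSE) {
        return FALSE;
    }

    $fields = $form['fields'];
    if (usort($fields, 'sortFieldsByPosition') !== TRUE) {
        errorHandle::newError(__METHOD__ . "() - usort", errorHandle::DEBUG);
        errorHandle::errorMsg("Error retrieving form.");
        return FALSE;
    }

    // $object stays NULL on a clean insert form; on an update form it holds the stored
    // object; on an insert re-render after an error it collects the posted values below.
    $object = NULL;
    if (!isnull($objectID)) {
        $object = objects::get($objectID, TRUE);
        if ($object === FALSE) {
            errorHandle::errorMsg("Error retrieving object.");
            return FALSE;
        }
    } elseif ($error === TRUE) {
        $object = array('data' => array());
    }

    // Everything placed in the <form> tag is escaped for the HTML attribute context:
    // PHP_SELF is request-controlled (it carries the path-info part of the URL), and
    // both uses of the form id go through the HTML escaper rather than the DB escaper.
    $output = sprintf('<form action="%s?formID=%s%s" method="%s" name="insertForm" data-formid="%s">',
        htmlSanitize($_SERVER['PHP_SELF']),
        htmlSanitize($formID),
        !isnull($objectID) ? '&objectID=' . htmlSanitize($objectID) : "",
        "post",
        htmlSanitize($formID));
    $output .= sessionInsertCSRF();
    if (isset($engine->cleanGet['HTML']['parentID'])) {
        $output .= sprintf('<input type="hidden" name="parentID" value="%s">', $engine->cleanGet['HTML']['parentID']);
    }

    $formHasFiles    = FALSE;
    $currentFieldset = "";
    foreach ($fields as $field) {
        if ($field['type'] == "fieldset") {
            continue;
        }
        // A system-managed ID number is assigned on insert, so there is nothing to show yet
        if ($field['type'] == "idno" && (strtolower($field['managedBy']) == "system" && isnull($objectID))) {
            continue;
        }

        // Open/close <fieldset> wrappers as the (position-sorted) fields change fieldset
        if ($field['fieldset'] != $currentFieldset) {
            if ($currentFieldset != "") {
                $output .= "</fieldset>";
            }
            if (!isempty($field['fieldset'])) {
                $output .= sprintf('<fieldset><legend>%s</legend>', htmlSanitize($field['fieldset']));
            }
            $currentFieldset = $field['fieldset'];
        }

        if ($error === TRUE) {
            // This is RAW because it is post data being displayed back out to the user who
            // submitted it during a submission error; sanitizing here and again on resubmission
            // would corrupt the data. It is reflected only to the submitting user and the form
            // carries a CSRF token. The value is emitted through getFieldValue(), whose
            // escaping is not visible here -- TODO confirm it escapes for the attribute context.
            // This will likely cause issues with security scans.
            //
            // @SECURITY False Positive 1
            if (isset($engine->cleanPost['RAW'][$field['name']])) {
                $object['data'][$field['name']] = $engine->cleanPost['RAW'][$field['name']];
                if ($field['type'] == "select") {
                    $field['choicesDefault'] = $engine->cleanPost['RAW'][$field['name']];
                }
            }
        }

        $output .= '<div class="">';

        // disabledInsert applies to the insert form, disabledUpdate (as read-only) to the update form
        if (isset($field['disabledInsert']) && $field['disabledInsert'] == "true" && isnull($objectID)) {
            $field['disabled'] = "true";
        }
        if (isset($field['disabledUpdate']) && $field['disabledUpdate'] == "true" && !isnull($objectID)) {
            $field['readonly'] = "true";
        }

        // An idno field only gets a label when managedBy is set and either the user manages
        // it or an existing object (which already has an idno) is being edited.
        $showLabel = $field['type'] != "idno"
            || (isset($field['managedBy']) && (strtolower($field['managedBy']) != "system" || !isnull($objectID)));
        if ($showLabel) {
            $output .= sprintf('<label for="%s" class="formLabel %s">%s:</label>',
                htmlSanitize($field['id']),
                strtolower($field['required']) == "true" ? "requiredField" : "",
                htmlSanitize($field['label']));
        }

        switch ($field['type']) {
            case "textarea":
            case "wysiwyg":
                $output .= self::_drawTextarea($field, $object);
                break;

            case "checkbox":
            case "radio":
                if (($fieldChoices = forms::getFieldChoices($field)) === FALSE) {
                    return FALSE;
                }
                $output .= sprintf('<div data-type="%s" data-formid="%s" data-fieldname="%s" %s>',
                    htmlSanitize($field['type']),
                    htmlSanitize($formID),
                    htmlSanitize($field['name']),
                    self::_choicesFormAttribute($field));
                $output .= self::drawFieldChoices($field, $fieldChoices);
                $output .= '</div>';
                break;

            case "select":
                if (($fieldChoices = forms::getFieldChoices($field)) === FALSE) {
                    return FALSE;
                }
                $output .= sprintf('<select name="%s" id="%s" data-type="%s" data-formid="%s" data-fieldname="%s" %s>',
                    htmlSanitize($field['name']),
                    htmlSanitize($field['name']),
                    htmlSanitize($field['type']),
                    htmlSanitize($formID),
                    htmlSanitize($field['name']),
                    self::_choicesFormAttribute($field));
                $output .= self::drawFieldChoices($field, $fieldChoices,
                    isset($object['data'][$field['name']]) ? $object['data'][$field['name']] : NULL);
                $output .= "</select>";
                break;

            case "multiselect":
                $markup = self::_drawMultiselect($field, $object, $formID);
                if ($markup === FALSE) {
                    return FALSE;
                }
                $output .= $markup;
                break;

            case "file":
                $formHasFiles = TRUE;
                $output .= self::_drawFileInput($field, $object, $objectID);
                break;

            default:
                // Plain <input>; an idno field is rendered as text, pre-filled from the object's idno
                if ($field['type'] == "idno") {
                    $field['type'] = "text";
                    if ($object !== NULL && !isset($object['data'][$field['name']])) {
                        $object['data'][$field['name']] = $object['idno'];
                    }
                }
                $fieldValue = self::getFieldValue($field, $object);
                $output .= sprintf('<input type="%s" name="%s" value="%s" placeholder="%s" %s id="%s" class="%s" %s %s %s %s />',
                    htmlSanitize($field['type']),
                    htmlSanitize($field['name']),
                    $fieldValue,
                    htmlSanitize($field['placeholder']),
                    $field['type'] == "number" ? buildNumberAttributes($field) : "",
                    htmlSanitize($field['id']),
                    htmlSanitize($field['class']),
                    !isempty($field['style']) ? 'style="' . htmlSanitize($field['style']) . '"' : "",
                    strtoupper($field['required']) == "TRUE" ? "required" : "",
                    strtoupper($field['readonly']) == "TRUE" ? "readonly" : "",
                    strtoupper($field['disabled']) == "TRUE" ? "disabled" : "");
                break;
        }

        $output .= self::_drawFieldHelp($field);
        $output .= "</div>";
    }

    if (!isempty($currentFieldset)) {
        $output .= "</fieldset>";
    }

    $output .= sprintf('<input type="submit" value="%s" name="%s" id="objectSubmitBtn" class="btn" />',
        isnull($objectID) ? htmlSanitize($form["submitButton"]) : htmlSanitize($form["updateButton"]),
        $objectID ? "updateForm" : "submitForm");
    if ($formHasFiles) {
        $output .= '<div class="alert alert-block" id="objectSubmitProcessing"><strong>Processing Files</strong><br>Please Wait...</div>';
    }
    $output .= "</form>";

    return $output;
}

/**
 * The data-choicesForm attribute for a field, or "" when the field has no choicesForm.
 *
 * @param array $field
 * @return string
 */
private static function _choicesFormAttribute($field) {
    if (isset($field['choicesForm']) && !isempty($field['choicesForm'])) {
        return 'data-choicesForm="' . htmlSanitize($field['choicesForm']) . '"';
    }
    return "";
}

/**
 * <textarea> for a textarea or wysiwyg field; the wysiwyg variant appends the CKEditor bootstrap.
 *
 * @param array      $field
 * @param array|null $object Object whose value pre-fills the field, or NULL
 * @return string
 */
private static function _drawTextarea($field, $object) {
    $output = sprintf('<textarea name="%s" placeholder="%s" id="%s" class="%s" %s %s %s %s>%s</textarea>',
        htmlSanitize($field['name']),
        htmlSanitize($field['placeholder']),
        htmlSanitize($field['id']),
        htmlSanitize($field['class']),
        !isempty($field['style']) ? 'style="' . htmlSanitize($field['style']) . '"' : "",
        strtoupper($field['required']) == "TRUE" ? "required" : "",
        strtoupper($field['readonly']) == "TRUE" ? "readonly" : "",
        strtoupper($field['disabled']) == "TRUE" ? "disabled" : "",
        self::getFieldValue($field, $object));
    if ($field['type'] == "wysiwyg") {
        $output .= self::_drawWysiwygScript($field);
    }
    return $output;
}

/**
 * Script tags that load CKEditor and attach it to the field's textarea.
 *
 * @param array $field
 * @return string
 */
private static function _drawWysiwygScript($field) {
    $editorID = htmlSanitize($field['id']);
    $output  = sprintf('<script type="text/javascript">window.CKEDITOR_BASEPATH="%sincludes/js/CKEditor/"</script>', localvars::get("siteRoot"));
    $output .= sprintf('<script type="text/javascript" src="%sincludes/js/CKEditor/ckeditor.js"></script>', localvars::get("siteRoot"));
    $output .= '<script type="text/javascript">';
    $output .= sprintf('if (CKEDITOR.instances["%s"]) { CKEDITOR.remove(CKEDITOR.instances["%s"]); }', $editorID, $editorID);
    $output .= sprintf('CKEDITOR.replace("%s");', $editorID);
    $output .= 'htmlParser = "";';
    // CKEDITOR.replace() keys the instance by element id, so the guard looks it up by id as well
    $output .= sprintf('if (CKEDITOR.instances["%s"].dataProcessor) {', $editorID);
    $output .= sprintf(' htmlParser = CKEDITOR.instances["%s"].dataProcessor.htmlFilter;', $editorID);
    $output .= '}';
    $output .= '</script>';
    return $output;
}

/**
 * Selected-items list plus an "available" picker for a multiselect field.
 *
 * @param array      $field
 * @param array|null $object Object whose stored selections pre-fill the list, or NULL
 * @param mixed      $formID
 * @return string|false FALSE when a manual choice list could not be loaded
 */
private static function _drawMultiselect($field, $object, $formID) {
    $name = htmlSanitize($field['name']);

    $output  = '<div class="multiSelectContainer">';
    $output .= sprintf('<select name="%s[]" id="%s" size="5" multiple="multiple">', $name, $name);
    if (isset($object['data'][$field['name']]) && is_array($object['data'][$field['name']])) {
        foreach ($object['data'][$field['name']] as $selectedItem) {
            $tmpObj = objects::get($selectedItem);
            $output .= sprintf('<option value="%s">%s</option>',
                htmlSanitize($selectedItem),
                htmlSanitize($tmpObj['data'][$field['choicesField']]));
        }
    }
    $output .= '</select><br />';

    if (isset($field['choicesType']) && !isempty($field['choicesType']) && $field['choicesType'] == "manual") {
        if (($fieldChoices = forms::getFieldChoices($field)) === FALSE) {
            return FALSE;
        }
        $output .= sprintf('<select name="%s_available" id="%s_available" data-type="%s" data-formid="%s" data-fieldname="%s" %s onchange="addItemToID(\'%s\', this.options[this.selectedIndex]);">%s</select>',
            $name,
            $name,
            htmlSanitize($field['type']),
            htmlSanitize($formID),
            $name,
            self::_choicesFormAttribute($field),
            $name,
            self::drawFieldChoices($field, $fieldChoices));
    } else {
        // Choices come from another form: select2 fetches them from retrieveOptions.php
        $output .= sprintf('<input type="hidden" name="%s_available" id="%s_available" data-type="%s" data-formid="%s" data-fieldname="%s" %s>',
            $name,
            $name,
            htmlSanitize($field['type']),
            htmlSanitize($formID),
            $name,
            self::_choicesFormAttribute($field));
        $output .= sprintf("<script charset=\"utf-8\">\n\t\t\t\t\t\t\t\$(function() {\n\t\t\t\t\t\t\t\t\$('#%s_available')\n\t\t\t\t\t\t\t\t\t.select2({\n\t\t\t\t\t\t\t\t\t\tminimumResultsForSearch: 10,\n\t\t\t\t\t\t\t\t\t\tplaceholder: 'Make a Selection',\n\t\t\t\t\t\t\t\t\t\tajax: {\n\t\t\t\t\t\t\t\t\t\t\turl: 'retrieveOptions.php',\n\t\t\t\t\t\t\t\t\t\t\tdataType: 'json',\n\t\t\t\t\t\t\t\t\t\t\tquietMillis: 300,\n\t\t\t\t\t\t\t\t\t\t\tdata: function(term, page) {\n\t\t\t\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\t\t\t\tq: term,\n\t\t\t\t\t\t\t\t\t\t\t\t\tpage: page,\n\t\t\t\t\t\t\t\t\t\t\t\t\tpageSize: 1000,\n\t\t\t\t\t\t\t\t\t\t\t\t\tformID: '%s',\n\t\t\t\t\t\t\t\t\t\t\t\t\tfieldName: '%s'\n\t\t\t\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tresults: function(data, page) {\n\t\t\t\t\t\t\t\t\t\t\t\tvar more = (page * data.pageSize) < data.total;\n\n\t\t\t\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\t\t\t\tresults: data.options,\n\t\t\t\t\t\t\t\t\t\t\t\t\tmore: more\n\t\t\t\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t})\n\t\t\t\t\t\t\t\t\t.on('select2-selecting', function(e) {\n\t\t\t\t\t\t\t\t\t\taddToID('%s', e.val, e.choice.text);\n\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t</script>",
            $name,
            htmlSanitize($field['choicesForm']),
            htmlSanitize($field['choicesField']),
            $name);
    }

    $output .= "<br />";
    $output .= sprintf('<button type="button" onclick="removeFromList(\'%s\')" class="btn">Remove Selected</button>', $name);
    $output .= "</div>";
    return $output;
}

/**
 * Upload widget for a file field, plus the hidden input that carries the upload id.
 *
 * @param array      $field
 * @param array|null $object
 * @param mixed      $objectID NULL on the insert form
 * @return string
 */
private static function _drawFileInput($field, $object, $objectID) {
    $output = '<div style="display: inline-block;">';
    if (!isnull($objectID)) {
        $output .= empty($object['data'][$field['name']])
            ? '<span style="color: #666;font-style: italic;">No file uploaded</span><br>'
            : '<a href="javascript:;" onclick="$(\'#filesTab\').click();">Click to view files tab</a><br>';
    }
    // Ties the uploader widget to the hidden input. mt_rand() is not a CSPRNG; whether the
    // id needs to be unguessable depends on how the upload endpoint validates it (not visible here).
    $uploadID = md5($field['name'] . mt_rand());
    $output .= sprintf('<div class="fineUploader" data-multiple="%s" data-upload_id="%s" data-allowed_extensions="%s" style="display: inline-block;"></div><input type="hidden" name="%s" value="%s">',
        htmlSanitize($field['multipleFiles']),
        $uploadID,
        htmlSanitize(implode(',', $field['allowedExtensions'])),
        htmlSanitize($field['name']),
        $uploadID);
    $output .= '</div>';
    return $output;
}

/**
 * Help affordance for a field whose config has help = "type|value" (type: text, html or web).
 * Returns "" when the field has no help or the type is unknown.
 *
 * @param array $field
 * @return string
 */
private static function _drawFieldHelp($field) {
    if (!isset($field['help']) || !$field['help']) {
        return "";
    }
    // Tolerate a help string without the "|" separator instead of raising an undefined-offset notice
    $parts     = explode('|', $field['help'], 2);
    $helpType  = $parts[0];
    $helpValue = isset($parts[1]) ? $parts[1] : "";
    $modalID   = htmlSanitize($field['id']);

    $output = "";
    switch ($helpType) {
        case 'text':
            $output .= sprintf(' <a href="javascript:;" rel="tooltip" class="icon-question-sign" data-placement="right" data-title="%s"></a>',
                htmlSanitize($helpValue));
            break;
        case 'html':
            // The attribute value is entity-encoded; the browser decodes it before the popover
            // reads data-content, so the help HTML still renders (assumes helpValue is stored unescaped)
            $output .= sprintf(' <a href="javascript:;" rel="popover" class="icon-question-sign" data-html="true" data-placement="right" data-trigger="hover" data-content="%s"></a>',
                htmlSanitize($helpValue));
            break;
        case 'web':
            $output .= sprintf(' <a href="javascript:;" title="Click for help" class="icon-question-sign" onclick="$(\'#helpModal_%s\').modal(\'show\');"></a>', $modalID);
            $output .= sprintf('<div id="helpModal_%s" rel="modal" class="modal hide fade" data-show="false">', $modalID);
            $output .= ' <div class="modal-header">';
            $output .= ' <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>';
            $output .= ' <h3 id="myModalLabel">Field Help</h3>';
            $output .= ' </div>';
            $output .= ' <div class="modal-body">';
            $output .= sprintf(' <iframe src="%s" seamless="seamless" style="width: 100%%; height: 100%%;"></iframe>', htmlSanitize($helpValue));
            $output .= ' </div>';
            $output .= '</div>';
            break;
    }
    return $output;
}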