function beautify($str) { $str = strip_specialchars($str, '-'); $str = trim($str); $str = str_replace(' ', '-', $str); do { $str = str_replace('--', '-', $str, $r); } while ($r != 0); return strip_accents($str); }
<?php if (!isset($errorsChecked)) { if (!ereg('.+', $_POST['title'])) { $errors[] = $lang[103]; } if (dbq("SELECT * FROM {$cfg['db']['prefix']}_structure WHERE parent = {$record['parent']} AND id <> {$id} AND title = '" . addslashes($_POST['title']) . "' AND title <> ''")) { $errors[] = $lang[104]; } $uri = strtolower(ereg_replace('[^A-Za-z0-9]+', '-', strip_accents($_POST['title']))); if (!isset($errors) && dbq("SELECT * FROM {$cfg['db']['prefix']}_structure WHERE parent = {$record['parent']} AND id <> {$id} AND uri = '{$uri}' AND uri <> ''")) { $errors[] = $lang[105]; } $errorsChecked = true; } else { if ($record['position'] != $_POST['position']) { dbq("UPDATE {$cfg['db']['prefix']}_structure SET position = position + 1 WHERE position >= {$_POST['position']} ORDER BY position DESC"); } dbq("UPDATE\r\n {$cfg['db']['prefix']}_structure,\r\n {$cfg['db']['prefix']}_type\r\n SET\r\n title = '" . addslashes($_POST['title']) . "',\r\n uri = '{$uri}',\r\n online = {$online},\r\n sort = '{$_POST['sort']}',\r\n position = {$_POST['position']},\r\n type_id = '{$_POST['type_id']}',\r\n modified = '{$time}',\r\n viewRights = '{$viewRights}',\r\n createRights = '{$createRights}',\r\n editRights = '{$editRights}',\r\n deleteRights = '{$deleteRights}',\r\n description = '" . addslashes(preg_replace('/src="..\\//', 'src="', $_POST['description'])) . "'\r\n WHERE\r\n link = id AND\r\n id = {$id}"); }
function run($dbi, $argstr, &$request, $basepage) { $this->allowed_extensions = explode("\n", "7z\navi\nbmp\nbz2\nc\ncfg\ndiff\ndoc\ndocx\nflv\ngif\nh\nics\nini\njpeg\njpg\nkmz\nmp3\nodg\nodp\nods\nodt\nogg\npatch\npdf\npng\nppt\npptx\nrar\nsvg\ntar\ntar.gz\ntxt\nxls\nxlsx\nxml\nxsd\nzip"); $this->disallowed_extensions = explode("\n", "ad[ep]\nasd\nba[st]\nchm\ncmd\ncom\ncgi\ncpl\ncrt\ndll\neml\nexe\nhlp\nhta\nin[fs]\nisp\njse?\nlnk\nmd[betw]\nms[cipt]\nnws\nocx\nops\npcd\np[ir]f\nphp\\d?\nphtml\npl\npy\nreg\nsc[frt]\nsh[bsm]?\nswf\nurl\nvb[esx]?\nvxd\nws[cfh]"); //removed "\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}" $args = $this->getArgs($argstr, $request); extract($args); $file_dir = getUploadFilePath(); $file_dir .= "/"; $form = HTML::form(array('action' => $request->getPostURL(), 'enctype' => 'multipart/form-data', 'method' => 'post')); $contents = HTML::div(array('class' => 'wikiaction')); $contents->pushContent(HTML::input(array('type' => 'hidden', 'name' => 'MAX_FILE_SIZE', 'value' => MAX_UPLOAD_SIZE))); $contents->pushContent(HTML::input(array('name' => 'userfile', 'type' => 'file', 'size' => $size))); if ($mode == 'edit') { $contents->pushContent(HTML::input(array('name' => 'action', 'type' => 'hidden', 'value' => 'edit'))); $contents->pushContent(HTML::raw(" ")); $contents->pushContent(HTML::input(array('value' => _("Upload"), 'name' => 'edit[upload]', 'type' => 'submit'))); } else { $contents->pushContent(HTML::raw(" ")); $contents->pushContent(HTML::input(array('value' => _("Upload"), 'type' => 'submit'))); } $form->pushContent($contents); $message = HTML(); if ($request->isPost() and $this->only_authenticated) { // Make sure that the user is logged in. $user = $request->getUser(); if (!$user->isAuthenticated()) { if (defined('FUSIONFORGE') and FUSIONFORGE) { $message->pushContent(HTML::div(array('class' => 'error'), HTML::p(_("You cannot upload files.")), HTML::ul(HTML::li(_("Check you are logged in.")), HTML::li(_("Check you are in the right project.")), HTML::li(_("Check you are a member of the current project."))))); } else { $message->pushContent(HTML::div(array('class' => 'error'), HTML::p(_("ACCESS DENIED: You must log in to upload files.")))); } $result = HTML(); $result->pushContent($form); $result->pushContent($message); return $result; } } $userfile = $request->getUploadedFile('userfile'); if ($userfile) { $userfile_name = $userfile->getName(); $userfile_name = trim(basename($userfile_name)); if (UPLOAD_USERDIR) { $file_dir .= $request->_user->_userid; if (!file_exists($file_dir)) { mkdir($file_dir, 0775); } $file_dir .= "/"; $u_userfile = $request->_user->_userid . "/" . $userfile_name; } else { $u_userfile = $userfile_name; } $u_userfile = preg_replace("/ /", "%20", $u_userfile); $userfile_tmpname = $userfile->getTmpName(); $err_header = HTML::div(array('class' => 'error'), HTML::p(fmt("ERROR uploading '%s'", $userfile_name))); if (preg_match("/(\\." . join("|\\.", $this->disallowed_extensions) . ")(\\.|\$)/i", $userfile_name)) { $message->pushContent($err_header); $message->pushContent(HTML::p(fmt("Files with extension %s are not allowed.", join(", ", $this->disallowed_extensions)))); } elseif (!DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS and !preg_match("/(\\." . join("|\\.", $this->allowed_extensions) . ")\$/i", $userfile_name)) { $message->pushContent($err_header); $message->pushContent(HTML::p(fmt("Only files with the extension %s are allowed.", join(", ", $this->allowed_extensions)))); } elseif (preg_match("/[^._a-zA-Z0-9- ]/", strip_accents($userfile_name))) { $message->pushContent($err_header); $message->pushContent(HTML::p(_("Invalid filename. File names may only contain alphanumeric characters and dot, underscore, space or dash."))); } elseif (file_exists($file_dir . $userfile_name)) { $message->pushContent($err_header); $message->pushContent(HTML::p(fmt("There is already a file with name %s uploaded.", $u_userfile))); } elseif ($userfile->getSize() > MAX_UPLOAD_SIZE) { $message->pushContent($err_header); $message->pushContent(HTML::p(_("Sorry but this file is too big."))); } elseif (move_uploaded_file($userfile_tmpname, $file_dir . $userfile_name) or IsWindows() and rename($userfile_tmpname, $file_dir . $userfile_name)) { $interwiki = new PageType_interwikimap(); $link = $interwiki->link("Upload:{$u_userfile}"); $message->pushContent(HTML::div(array('class' => 'feedback'), HTML::p(_("File successfully uploaded.")), HTML::p($link))); // the upload was a success and we need to mark this event in the "upload log" if ($logfile) { $upload_log = $file_dir . basename($logfile); $this->log($userfile, $upload_log, $message); } if ($autolink) { require_once "lib/loadsave.php"; $pagehandle = $dbi->getPage($page); if ($pagehandle->exists()) { // don't replace default contents $current = $pagehandle->getCurrentRevision(); $version = $current->getVersion(); $text = $current->getPackedContent(); $newtext = $text . "\n* Upload:{$u_userfile}"; // don't inline images $meta = $current->_data; $meta['summary'] = sprintf(_("uploaded %s"), $u_userfile); $pagehandle->save($newtext, $version + 1, $meta); } } } else { $message->pushContent($err_header); $message->pushContent(HTML::br(), _("Uploading failed."), HTML::br()); } } else { $message->pushContent(HTML::br(), _("No file selected. Please select one."), HTML::br()); } //$result = HTML::div( array( 'class' => 'wikiaction' ) ); $result = HTML(); $result->pushContent($form); $result->pushContent($message); return $result; }
<?php if (!isset($errorsChecked)) { echo "?"; exit; if (!ereg('.+', $_POST['title'])) { $errors[] = $lang[103]; } if (dbq("SELECT *\r\n\t\tFROM {$cfg['db']['prefix']}_structure\r\n\t\tWHERE parent = {$record['parent']}\r\n\t\tAND id <> {$id}\r\n\t\tAND title = '" . addslashes($_POST['title']) . "'\r\n\t\tAND title <> ''")) { $errors[] = $lang[104]; } $fileName = strtolower(ereg_replace('[^A-Za-z0-9]+', '-', strip_accents($_POST['fileName']))); if (!isset($_POST['fileName']) || $_POST['fileName'] == '') { $errors[] = 'File name must be entered'; } if (!isset($errors) && dbq("SELECT *\r\n\t\tFROM {$cfg['db']['prefix']}_structure\r\n\t\tWHERE parent = {$record['parent']}\r\n\t\tAND id <> {$id}\r\n\t\tAND uri = '{$uri}'\r\n\t\tAND uri <> ''")) { $errors[] = $lang[105]; } if (!is_file($cfg['data'] . "{$id}" . "." . $record['extension']) && !is_uploaded_file($_FILES['fileId']['tmp_name'])) { $errors[] = $lang[106]; } $errorsChecked = true; } else { if (is_uploaded_file($_FILES['fileId']['tmp_name'])) { if ($record['extension'] != '') { unlink($cfg['data'] . "{$id}" . "." . $record['extension']); } $extension = strtolower(ereg_replace('.*\\.([A-Za-z0-9_-]+)$', '\\1', $_FILES['fileId']['name'])); move_uploaded_file($_FILES['fileId']['tmp_name'], $cfg['data'] . "{$id}.{$extension}"); } else { $extension = $record['extension'];
<?php if (!isset($errorsChecked)) { if (dbq("SELECT * FROM {$cfg['db']['prefix']}_structure WHERE parent = {$record['parent']} AND id <> {$id} AND title = '" . addslashes($_POST['home_name'] . ' - ' . $_POST['facade_name']) . "' AND title <> ''")) { $errors[] = $lang[104]; } $uri = strtolower(preg_replace('/[^A-Za-z0-9]+/', '-', strip_accents($_POST['home_name'] . ' - ' . $_POST['facade_name']))); if (!isset($errors) && dbq("SELECT * FROM {$cfg['db']['prefix']}_structure WHERE parent = {$record['parent']} AND id <> {$id} AND uri = '{$uri}' AND uri <> ''")) { $errors[] = $lang[105]; } $errorsChecked = true; } else { if ($record['position'] != $_POST['position']) { dbq("UPDATE {$cfg['db']['prefix']}_structure SET position = position + 1 WHERE position >= {$_POST['position']} ORDER BY position DESC"); } dbq("UPDATE\r\n {$cfg['db']['prefix']}_structure,\r\n {$cfg['db']['prefix']}_homes_dc\r\n SET\r\n title = '" . addslashes($_POST['home_name'] . ' - ' . $_POST['facade_name']) . "',\r\n uri = '{$uri}',\r\n online = {$online},\r\n sort = '{$_POST['sort']}',\r\n position = {$_POST['position']},\r\n modified = '{$time}',\r\n viewRights = '{$viewRights}',\r\n createRights = '{$createRights}',\r\n editRights = '{$editRights}',\r\n deleteRights = '{$deleteRights}',\r\n homes_id = '" . addslashes($_POST['home_id']) . "',\r\n facade_id = '" . addslashes($_POST['facade_id']) . "'\r\n WHERE\r\n link = id AND\r\n id = {$id}"); }