コード例 #1
ファイル: Transclude.php プロジェクト: pombredanne/tuleap
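 /**
  * Render the Transclude plugin: embed the page at the 'src' argument in an iframe.
  *
  * @param mixed  $dbi      wiki database handle (not used by this plugin)
  * @param string $argstr   raw plugin argument string, parsed by getArgs()
  * @param mixed  $request  current request (by reference, as the plugin API passes it)
  * @param mixed  $basepage page the plugin is rendered on (not used here)
  * @return mixed HTML element tree for the transclusion, or the plugin's error element
  */
 function run($dbi, $argstr, &$request, $basepage)
 {
     $args = $this->getArgs($argstr, $request);
     // Read the two arguments explicitly instead of extract(): extract() would let
     // any argument key overwrite a local (and, combined with a `global` declaration
     // above it, the global behind that local), and it left $src/$height undefined
     // when the key was absent.
     $src = isset($args['src']) ? $args['src'] : null;
     $height = isset($args['height']) ? $args['height'] : null;
     if (!$src) {
         return $this->error(fmt("%s parameter missing", "'src'"));
     }
     // FIXME: Better recursion detection.
     // FIXME: Currently this doesnt work at all.
     if ($src === $request->getURLtoSelf()) {
         return $this->error(fmt("recursive inclusion of url %s", $src));
     }
     // NOTE(review): the error text suggests IsSafeURL() only rejects <, > and ";
     // whether it also restricts the URL scheme of the iframe src is not visible
     // here — confirm, since $src comes from page content.
     if (!IsSafeURL($src)) {
         return $this->error(_("Bad url in src: remove all of <, >, \""));
     }
     $params = array(
         'title' => _("Transcluded page"),
         'src' => $src,
         'width' => "100%",
         'height' => $height,
         'marginwidth' => 0,
         'marginheight' => 0,
         'class' => 'transclude',
         "onload" => "adjust_iframe_height(this);",
     );
     // Fallback content shown by browsers that do not render iframes.
     $noframe_msg = array(fmt("See: %s", HTML::a(array('href' => $src), $src)));
     $noframe_msg = HTML::div(array('class' => 'transclusion'), HTML::p(array(), $noframe_msg));
     $iframe = HTML::div(HTML::iframe($params, $noframe_msg));
     /* This doesn't work very well...  maybe because CSS screws up NS4 anyway...
        $iframe = new HtmlElement('ilayer', array('src' => $src), $iframe);
        */
     return HTML(HTML::p(array('class' => 'transclusion-title'), fmt("Transcluded from %s", LinkURL($src))), $this->_js(), $iframe);
 }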
コード例 #2
ファイル: PhotoAlbum.php プロジェクト: neymanna/fusionforge
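 /**
  * fromFile - read pictures & descriptions (separated by ;)
  *            from $src and return it in array $photos
  *
  * $src may be a local directory (every jpeg/jpg/png/gif file in it is listed),
  * a single image file, a local CSV file, or an http/https/ftp URL (fetched with
  * url_get_contents()) pointing at an image or a CSV document. Each entry
  * appended to $photos is an array with "name", "name_tile", "desc" and "src"
  * keys ("location" instead of "src" in the local CSV case, see below).
  *
  * NOTE(review): the extension allowlist below is the only restriction on $src;
  * absolute paths and ".." segments pass through unchanged, so any server-readable
  * *.csv file or image directory can be referenced from page content. Callers
  * should confine $src to the data directory — TODO confirm/enforce.
  *
  * @param string $src path to dir or textfile (local or remote)
  * @param array $photos entries are appended in place (passed by reference)
  * @param string $webpath web path prefix used for directory listings;
  *                        defaults to DATA_PATH . '/' . $src
  * @return mixed Error element when bad url or file couldn't be opened, null otherwise
  */
 function fromFile($src, &$photos, $webpath = '')
 {
     $src_bak = $src;
     $contents = '';
     $image_exts = array('jpeg', 'jpg', 'png', 'gif');
     //there has a big security hole... as loading config/config.ini !
     if (!preg_match('/(\\.csv|\\.jpg|\\.jpeg|\\.png|\\.gif|\\/)$/', $src)) {
         return $this->error(_("File extension for csv file has to be '.csv'"));
     }
     if (!IsSafeURL($src)) {
         return $this->error(_("Bad url in src: remove all of <, >, \""));
     }
     // Remote sources are fetched once up front; the body is reused below.
     $web_location = preg_match('/^(http|ftp|https):\\/\\//i', $src) ? 1 : 0;
     if ($web_location === 1) {
         $contents = url_get_contents($src);
     }
     if (!file_exists($src) and @file_exists(PHPWIKI_DIR . "/{$src}")) {
         $src = PHPWIKI_DIR . "/{$src}";
     }
     // check if src is a directory
     if (file_exists($src) and filetype($src) === 'dir') {
         //all images
         $list = array();
         foreach ($image_exts as $ext) {
             $fileset = new fileSet($src, "*.{$ext}");
             $list = array_merge($list, $fileset->getFiles());
         }
         natcasesort($list);
         if (!$webpath) {
             // assume relative src. default: "themes/Hawaiian/images/pictures"
             $webpath = DATA_PATH . '/' . $src_bak;
         }
         foreach ($list as $file) {
             // "name" is the web path; "src"/"name_tile" are the local fs path.
             $photos[] = array("src" => $src . "/{$file}", "name" => $webpath . "/{$file}", "name_tile" => $src . "/{$file}", "desc" => "");
         }
         return;
     }
     // check if $src is an image
     foreach ($image_exts as $ext) {
         if (!preg_match("/\\.{$ext}\$/", $src)) {
             continue;
         }
         if (!file_exists($src) and @file_exists(PHPWIKI_DIR . "/{$src}")) {
             $src = PHPWIKI_DIR . "/{$src}";
         }
         if ($web_location === 1 and !empty($contents)) {
             $photos[] = array("src" => $src, "name" => $src, "name_tile" => $src, "desc" => "");
             return;
         }
         if (!file_exists($src)) {
             return $this->error(fmt("Unable to find src='%s'", $src));
         }
         $photos[] = array("src" => $src, "name" => "../" . $src, "name_tile" => $src, "desc" => "");
         return;
     }
     if ($web_location === 0) {
         // Local CSV: one "file;description" pair per line.
         $fp = @fopen($src, "r");
         if (!$fp) {
             return $this->error(fmt("Unable to read src='%s'", $src));
         }
         $dir = dirname($src);
         while (($data = fgetcsv($fp, 1024, ';')) !== false) {
             // skip blank lines and '#' comments
             if (count($data) == 0 || empty($data[0]) || preg_match('/^#/', $data[0]) || preg_match('/^[[:space:]]*$/', $data[0])) {
                 continue;
             }
             $desc = empty($data[1]) ? '' : trim($data[1]);
             $name = $dir . "/" . trim($data[0]);
             // NOTE(review): this branch emits "location" where every other branch
             // emits "src" — verify against the consumer of $photos.
             $photos[] = array("name" => $name, "location" => "../" . $name, "desc" => $desc, "name_tile" => $name);
         }
         fclose($fp);
     } elseif ($web_location === 1) {
         //TODO: checks if the file is an image
         $dir = dirname($src);
         // foreach instead of each(): each() was removed in PHP 8.
         foreach (preg_split('/\\n/', $contents) as $value) {
             $data = preg_split('/\\;/', $value);
             if (count($data) == 0 || empty($data[0]) || preg_match('/^#/', $data[0]) || preg_match('/^[[:space:]]*$/', $data[0])) {
                 continue;
             }
             $desc = empty($data[1]) ? '' : trim($data[1]);
             $name = $dir . "/" . trim($data[0]);
             $photos[] = array("name" => $name, "src" => $name, "desc" => $desc, "name_tile" => $name);
         }
     }
 }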
コード例 #3
ファイル: stdlib.php プロジェクト: hugcoday/wiki
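/**
 * Inline Images
 *
 * Syntax: [image.png size=50% border=n align= hspace= vspace= width= height=]
 * Disallows sizes which are too small.
 * Spammers may use such (typically invisible) image attributes to raise their GoogleRank.
 *
 * Handle embeddable objects, like svg, class, vrml, swf, svgz, pdf, avi, wmv especially.
 *
 * @param string $url image URL, optionally followed by space-separated attributes
 * @param string $alt fallback alt text, used when no alt= attribute is given
 * @return mixed HTML img element, an embedded object (via ImgObject()), or an
 *               error span for a bad URL, an unknown attribute or a too-small size
 */
function LinkImage($url, $alt = "")
{
    $force_img = "png|jpg|gif|jpeg|bmp|pl|cgi";
    // Attribute names accepted verbatim, accepted align values, and the
    // attributes that must be numeric.
    $string_attrs = array("lang", "id", "title", "alt");
    $align_values = array("bottom", "middle", "top", "left", "right");
    $int_attrs = array("border", "hspace", "vspace");
    // Disallow tags in img src urls. Typical CSS attacks.
    // FIXME: Is this needed (or sufficient?)
    // FIXED: This was broken for moniker:TP30 test/image.png => url="moniker:TP30" attr="test/image.png"
    $ori_url = $url;
    // support new syntax: [prefix/image.jpg size=50% border=n]
    if (empty($alt)) {
        $alt = "";
    }
    // Extract URL: everything up to the first space
    $arr = explode(' ', $url);
    if (!empty($arr)) {
        $url = $arr[0];
    }
    if (!IsSafeURL($url)) {
        return HTML::span(array('class' => 'error'), _("BAD URL -- remove all of <, >, \""));
    }
    // spaces in inline images must be %20 encoded!
    $link = HTML::img(array('src' => $url));
    // Extract attributes
    $arr = parse_attributes(strstr($ori_url, " "));
    foreach ($arr as $attr => $value) {
        if (in_array($attr, $string_attrs, true)) {
            $link->setAttr($attr, $value);
        } elseif ($attr === "align" && in_array($value, $align_values, true)) {
            $link->setAttr($attr, $value);
        } elseif (in_array($attr, $int_attrs, true) && is_numeric($value)) {
            $link->setAttr($attr, (int) $value);
        } elseif (($attr === "height" || $attr === "width") && preg_match('/\\d+[%p]?x?/', $value)) {
            $link->setAttr($attr, $value);
        } elseif ($attr === "size") {
            if (preg_match('/(\\d+%)/', $value, $m)) {
                $link->setAttr('width', $m[1]);
                $link->setAttr('height', $m[1]);
            } elseif (preg_match('/(\\d+)x(\\d+)/', $value, $m)) {
                $link->setAttr('width', $m[1]);
                $link->setAttr('height', $m[2]);
            }
        } else {
            // Any other attribute is rejected rather than passed through.
            return HTML::span(array('class' => 'error'), sprintf(_("Invalid image attribute \"%s\" %s=%s"), $url, $attr, $value));
        }
    }
    // Correct silently the most common error
    if ($url !== $ori_url and empty($arr) and !preg_match("/^http/", $url)) {
        // space belongs to the path
        $file = NormalizeLocalFileName($ori_url);
        if (file_exists($file)) {
            $link = HTML::img(array('src' => $ori_url));
            trigger_error(sprintf(_("Invalid image link fixed %s => %s. Spaces must be quoted with %%20."), $url, $ori_url), E_USER_WARNING);
        } elseif (string_starts_with($ori_url, getUploadDataPath())) {
            $file = substr($file, strlen(getUploadDataPath()));
            $path = getUploadFilePath() . $file;
            if (file_exists($path)) {
                trigger_error(sprintf(_("Invalid image link fixed \"%s\" => \"%s\".\n Spaces must be quoted with %%20."), $url, $ori_url), E_USER_WARNING);
                $link->setAttr('src', getUploadDataPath() . $file);
                $url = $ori_url;
            }
        }
    }
    if (!$link->getAttr('alt')) {
        $link->setAttr('alt', $alt);
    }
    // Check width and height as spam countermeasure
    if ($width = $link->getAttr('width') and $height = $link->getAttr('height')) {
        // NOTE: width/height may carry a % or px suffix; the comparisons below
        // behave as intended only for plain integer values.
        if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
            return HTML::span(array('class' => 'error'), _("Invalid image size"));
        }
    } else {
        $size = 0;
        // Prepare for getimagesize($url)
        // $url only valid for external urls, otherwise local path
        if (DISABLE_GETIMAGESIZE) {
        } elseif (!preg_match("/\\.(" . $force_img . ")\$/i", $url)) {
            // Bug fix: the alternation must be grouped, otherwise the pattern
            // matched e.g. "jpg" anywhere in the url and "$" only applied to "cgi".
        } elseif (preg_match("/^http/", $url)) {
            // external url: the server itself fetches $url, which page authors
            // choose; DISABLE_GETIMAGESIZE turns this off.
            $size = @getimagesize($url);
        } else {
            // local file
            if (file_exists($file = NormalizeLocalFileName($url))) {
                // here
                $size = @getimagesize($file);
            } elseif (file_exists($decoded = NormalizeLocalFileName(urldecode($url)))) {
                // Bug fix: probe the decoded name that was just found, not the
                // undecoded $file, which does not exist on this path.
                $size = @getimagesize($decoded);
                $link->setAttr('src', rawurldecode($url));
            } elseif (string_starts_with($url, getUploadDataPath())) {
                // there
                $file = substr($file, strlen(getUploadDataPath()));
                $path = getUploadFilePath() . rawurldecode($file);
                $size = @getimagesize($path);
                $link->setAttr('src', getUploadDataPath() . rawurldecode($file));
            } else {
                // elsewhere
                // NOTE(review): urldecode($url) is appended to DOCUMENT_ROOT
                // without normalisation; only the image size is read, but
                // confining the path to DOCUMENT_ROOT would be safer — TODO.
                global $request;
                $size = @getimagesize($request->get('DOCUMENT_ROOT') . urldecode($url));
            }
        }
        if ($size) {
            $width = $size[0];
            $height = $size[1];
            if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
                return HTML::span(array('class' => 'error'), _("Invalid image size"));
            }
        }
    }
    $link->setAttr('class', 'inlineimage');
    /* Check for inlined objects. Everything allowed in INLINE_IMAGES besides
     * png|jpg|gif|jpeg|bmp|pl|cgi.  If no image it is an object to embed.
     * Note: Allow cgi's (pl,cgi) returning images.
     */
    if (!preg_match("/\\.(" . $force_img . ")/i", $url)) {
        // HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt));
        // => HTML::object(array('src' => $url)) ...;
        return ImgObject($link, $ori_url);
    }
    return $link;
}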
コード例 #4
ファイル: stdlib.php プロジェクト: neymanna/fusionforge
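/**
 * Inline Images
 *
 * Syntax: [image.png size=50% border=n align= hspace= vspace= width= height=]
 * Disallows sizes which are too small.
 * Spammers may use such (typically invisible) image attributes to raise their GoogleRank.
 *
 * Handle embeddable objects, like svg, class, vrml, swf, svgz, pdf, avi, wmv especially.
 *
 * @param string $url image URL, optionally followed by space-separated attributes
 * @param string|false $alt alt/title text; defaults to basename($url) when empty
 * @return mixed HTML img element, a bad-url marker, an embedded object (via
 *               ImgObject()), or '' (after a warning) for a too-small image
 */
function LinkImage($url, $alt = false)
{
    $force_img = "png|jpg|gif|jpeg|bmp|pl|cgi";
    // Keep the full argument string for ImgObject(). It used to be set only for
    // non-image urls, which left it undefined on the bad-url path below.
    $ori_url = $url;
    // Disallow tags in img src urls. Typical CSS attacks.
    // FIXME: Is this needed (or sufficient?)
    if (!IsSafeURL($url)) {
        $link = HTML::strong(HTML::u(array('class' => 'baduri'), _("BAD URL -- remove all of <, >, \"")));
    } else {
        // support new syntax: [image.jpg size=50% border=n]
        // explode() replaces split(), which was removed in PHP 7; the pattern
        // was a literal single space.
        $arr = explode(' ', $url);
        if (count($arr) > 1) {
            $url = $arr[0];
        }
        if (empty($alt)) {
            $alt = basename($url);
        }
        $link = HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt));
        if (count($arr) > 1) {
            array_shift($arr);
            // The patterns are anchored and mutually exclusive, so each token
            // matches at most one of them; unknown tokens are ignored.
            foreach ($arr as $attr) {
                if (preg_match('/^size=(\\d+%)$/', $attr, $m)) {
                    $link->setAttr('width', $m[1]);
                    $link->setAttr('height', $m[1]);
                } elseif (preg_match('/^size=(\\d+)x(\\d+)$/', $attr, $m)) {
                    $link->setAttr('width', $m[1]);
                    $link->setAttr('height', $m[2]);
                } elseif (preg_match('/^(border|hspace|vspace)=(\\d+)$/', $attr, $m)) {
                    $link->setAttr($m[1], $m[2]);
                } elseif (preg_match('/^align=(\\w+)$/', $attr, $m)) {
                    $link->setAttr('align', $m[1]);
                }
            }
        }
        // Check width and height as spam countermeasure
        if ($width = $link->getAttr('width') and $height = $link->getAttr('height')) {
            // NOTE: width/height may carry a % suffix; the comparisons below
            // behave as intended only for plain integer values.
            if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
                trigger_error(_("Invalid image size"), E_USER_WARNING);
                return '';
            }
        } else {
            // Older php versions crash here with certain png's:
            // confirmed for 4.1.2, 4.1.3, 4.2.3; 4.3.2 and 4.3.7 are ok
            //   http://phpwiki.sourceforge.net/demo/themes/default/images/http.png
            // See http://bugs.php.net/search.php?cmd=display&search_for=getimagesize
            $skip_probe = !check_php_version(4, 3) and preg_match("/^http.+\\.png\$/i", $url);
            // getimagesize() opens $url itself, local path or remote; page
            // authors choose $url, and DISABLE_GETIMAGESIZE turns this off.
            if (!$skip_probe and !DISABLE_GETIMAGESIZE and $size = @getimagesize($url)) {
                $width = $size[0];
                $height = $size[1];
                if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
                    trigger_error(_("Invalid image size"), E_USER_WARNING);
                    return '';
                }
            }
        }
    }
    $link->setAttr('class', 'inlineimage');
    /* Check for inlined objects. Everything allowed in INLINE_IMAGES besides
     * png|jpg|gif|jpeg|bmp|pl|cgi
     * Note: Allow cgi's (pl,cgi) returning images.
     */
    if (!preg_match("/\\.(" . $force_img . ")/i", $url)) {
        //HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt));
        // => HTML::object(array('src' => $url)) ...;
        return ImgObject($link, $ori_url);
    }
    return $link;
}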