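/**
 * xajax handler: renders the comment subtree under the node `$begin` and
 * returns a response that replaces that node's innerHTML with the markup.
 *
 * The thread is loaded via blogs::GetThread(); blogs::GetThreeId() fills
 * $threearr with the ids that belong to the opened level, and every row
 * returned by GetNext() whose id is not in $threearr is skipped.
 *
 * @param mixed $thread      thread id, also embedded in the edit/winner links
 * @param mixed $mod         moderation flag; `!$mod` widens the delete/edit links
 *                           and shows the moderator's name on deleted/edited posts
 * @param mixed $begin       id of the DOM node (and root comment) being opened
 * @param mixed $end         unused in this function (kept for call compatibility)
 * @param mixed $thispage    optional page number forwarded in the permalink
 * @param mixed $blog_thread thread id used in the permalink
 * @param mixed $lastlink    id of the comment that closes the visual group
 * @param mixed $ord         ordering parameter forwarded in every generated link
 * @return xajaxResponse
 *
 * NOTE(review): $last_id, $edit_id, $winner, $form_uri, $file, $user,
 * $error_flag, $msg_name and $msg are read here but are neither parameters,
 * locals nor declared `global`, so inside this function they are undefined
 * (null). The `$edit_id` / `$last_id` / `$winner` comparisons therefore never
 * match a real id, and `$user->GetName()` would fail on the deleted-by-moderator
 * and edited-by-moderator paths when `!$mod`. Confirm whether these were meant
 * to be passed in or declared `global`.
 *
 * NOTE(review): DB-sourced fields ($blog->login, uname, usurname, attach, and
 * the Anonymous title split by sscanf) are concatenated into HTML attributes
 * and into inline JavaScript string literals without context-appropriate
 * escaping. Whether reformat()/input_ref_scr() neutralise them is not visible
 * from here; attribute values should go through htmlspecialchars() and values
 * placed inside JS should be JSON-encoded before this is exposed further.
 */
function openlevel($thread, $mod, $begin, $end, $thispage, $blog_thread, $lastlink, $ord) {
    require_once $_SERVER['DOCUMENT_ROOT'] . "/classes/blogs.php";
    global $session;
    session_start();
    $objResponse = new xajaxResponse();
    $blog = new blogs();
    $ret = '';
    // ids of comments written by the current session user; a reply to one of
    // them grants the delete link ($allow_del) to that user as well
    $cur_user_msgs = array();
    list($gr_name, $gr_id, $gr_base) = $blog->GetThread($thread, $err, $mod, get_uid(false));
    $blog->GetThreeId($begin, $threearr, 0);
    // login of the root post: gets the delete link on every child and, in
    // group 5 threads, the "Это победитель" button
    $parent_login = $blog->login;
    while ($blog->GetNext()) {
        // only rows whose id is part of the opened level are rendered
        $stopwrite = true;
        foreach ($threearr as $temp) {
            if ($blog->id == $temp) {
                $stopwrite = false;
                break;
            }
        }
        if ($stopwrite) {
            continue;
        }
        $allow_del = 0;
        // these anchors are printed directly, not appended to $ret, so they
        // end up outside the xajax response payload
        if ($last_id == $blog->id) {
            print "<a name=\"post\" id=\"post\"></a>";
        }
        if ($blog->id == $edit_id && $blog->login == $_SESSION['login']) {
            print "<a name=\"edit\" id=\"edit\"></a>";
        }
        if ($blog->attach) {
            // $file is not set in this function; presumably viewattachLeft()
            // takes it by reference and reports the attachment type — confirm
            $str = viewattachLeft($blog->login, $blog->attach, "upload", $file, 1000, 600, 307200, !$blog->small, $blog->small == 2 ? 1 : 0);
        }
        // indentation grows 20px per nesting level, capped at 380px
        $padding = $blog->level > 19 ? 380 : $blog->level * 20;
        if (in_array($blog->reply, $cur_user_msgs)) {
            $allow_del = 1;
        }
        if ($blog->login == $_SESSION['login']) {
            $cur_user_msgs[] = $blog->id;
        }
        $ret .= '<table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr valign="top" ';
        $ret .= '><td style="';
        if ($blog->level) {
            $ret .= 'padding-left: ' . $padding . 'px;';
        }
        $ret .= 'padding-right: 10px;">' . view_avatar($blog->login, $blog->photo) . ' </td> <td class="bl_text" width="100%">';
        if ($winner == $blog->id) {
            $ret .= '<a name="winner" id="winner"></a> ';
        }
        if ($blog->payed) {
            $ret .= view_pro();
        }
        $ret .= $session->view_online_status($blog->login);
        $ret .= '<font class="' . $blog->cnt_role . 'name11"><a href="/users/' . $blog->login . '" class="' . $blog->cnt_role . 'name11" title="' . ($blog->uname . " " . $blog->usurname) . '">' . ($blog->uname . " " . $blog->usurname) . '</a> [<a href="/users/' . $blog->login . '" class="' . $blog->cnt_role . 'name11" title="' . $blog->login . '">' . $blog->login . '</a>]</font> ' . date("[d.m.Y | H:i]", strtotimeEx($blog->post_time));
        if ($blog->deleted) {
            // author of the thread root = fromuser_id of the last element of $blog->thread
            if (isset($blog->thread) && is_array($blog->thread) && count($blog->thread) > 0) {
                $buser_id = $blog->thread;
                $buser_id = array_pop($buser_id);
                $buser_id = $buser_id['fromuser_id'];
            }
            if ($blog->deluser_id == $blog->fromuser_id) {
                $ret .= '<br><br>Комментарий удален автором ' . date("[d.m.Y | H:i]", strtotimeEx($blog->deleted));
            } elseif ($blog->deluser_id == $buser_id) {
                $ret .= '<br><br>Комментарий удален автором темы ' . date("[d.m.Y | H:i]", strtotimeEx($blog->deleted));
            } else {
                $ret .= '<br><br>Комментарий удален модератором';
                if (!$mod) {
                    $ret .= '( ';
                    $del_user = $user->GetName($blog->deluser_id, $err);
                    $ret .= $del_user['login'] . ' : ' . $del_user['usurname'] . ' ' . $del_user['uname'];
                    $ret .= ' ) ';
                }
                $ret .= date("[d.m.Y | H:i]", strtotimeEx($blog->deleted));
            }
            $ret .= '<br><br>';
        } else {
            if ($blog->modified) {
                $ret .= ' ';
                if ($blog->modified_id == $blog->fromuser_id) {
                    $ret .= '[внесены изменения: ' . date("d.m.Y | H:i]", strtotimeEx($blog->modified));
                } else {
                    $ret .= 'Отредактировано модератором';
                    if (!$mod) {
                        $ret .= '( ';
                        $mod_user = $user->GetName($blog->modified_id, $err);
                        $ret .= $mod_user['login'] . ' : ' . $mod_user['usurname'] . ' ' . $mod_user['uname'];
                        $ret .= ' ) ';
                    }
                    $ret .= ' ' . date("[d.m.Y | H:i]", strtotimeEx($blog->modified));
                }
            }
            $ret .= '<br>';
            if ($winner == $blog->id) {
                $ret .= '<font color="#000099" style="font-size:20px">Победитель</font>';
            }
            $ret .= '<br>';
            if ($blog->new == 't') {
                $ret .= '<img src="/images/ico_new_blog.gif" alt="" width="44" height="12" border="0"><br>';
            }
            if ($blog->title) {
                $ret .= ' <font class="bl_name">';
                if ($blog->login == "Anonymous") {
                    // anonymous posts store "name @@@: mail" in the title
                    list($name, $mail) = sscanf($blog->title, "%s @@@: %s");
                    $ret .= $name . " " . $mail;
                } else {
                    $ret .= reformat($blog->title, 30);
                }
                $ret .= '</font><br>';
            }
            $ret .= reformat($blog->msgtext, 50) . '<br>';
            if ($blog->attach) {
                if ($file) {
                    $ret .= "<br>" . $str . "<br>";
                } else {
                    // non-file attachments are moved to their own full-width row
                    $ret .= "</td></tr><tr class=\"qpr\"><td colspan=\"2\"><br>" . $str;
                }
            }
            $ret .= '<br>';
            if ($gr_base == 5 && !$winner && $parent_login == $_SESSION['login']) {
                // FIX: the original emitted the literal characters '.{$ord}.' into the
                // JavaScript URL string (a PHP-style concatenation left inside a
                // double-quoted string), which broke the redirect; $ord is interpolated.
                $ret .= "<input type=\"submit\" name=\"btn\" value=\"Это победитель\" onClick=\"if (warning(0)) window.location.replace('./view.php?tr=" . $thread . "&ord={$ord}&winner=" . $blog->id . "'); else return false;\">";
            }
            $ret .= '<div style="color: #D75A29;font-size:9px;';
            if ($blog->attach && !$file) {
                $ret .= ' padding-left: ' . ($padding + 60) . 'px;';
            }
            $ret .= '">';
            if ($blog->login == $_SESSION['login'] || $parent_login == $_SESSION['login'] || $allow_del || !$mod) {
                $ret .= ' <a href="' . $form_uri . '?id=' . $blog->id . '&action=delete&ord=' . $ord . '" style="color: #D75A29;" onclick="return warning(1);">Удалить</a> |';
            }
            if ($blog->login == $_SESSION['login'] || !$mod) {
                $ret .= '<a href="' . $form_uri . '?id=' . $blog->id . '&action=edit&ord=' . $ord . '&tr=' . $thread . '" style="color: #D75A29;">Редактировать</a> |';
            }
            $ret .= "<a href=\"javascript: void(0);\" onclick=\"javascript: answer('" . $blog->id . "', '" . ($blog->attach ? $blog->attach : '') . "', '" . get_login($_SESSION["uid"]) . "'); document.getElementById('frm').olduser.value = '" . $_SESSION["uid"] . "'; \" ";
            $ret .= 'style="color: #D75A29">Комментировать</a> | <a href="/blogs/view.php' . "?tr=" . $blog_thread . ($thispage ? "&pagefrom=" . $thispage : "") . "&openlevel=" . $blog->id . "&ord=" . $ord . "#o" . $blog->id . '" style="color: #D75A29">Ссылка</a> </div> </td> </tr> <tr';
            if (!$blog->level || $lastlink == $blog->id) {
                $ret .= ' class="qpr"';
            }
            $ret .= '><td colspan="2" ><br></td></tr> </table> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr class="n_qpr"><td colspan="3" id="form' . $blog->id . '">';
            if ($blog->id == $edit_id && ($blog->login == $_SESSION['login'] || !$mod)) {
                // FIX: both ternaries are now parenthesised. `.` binds tighter than `?:`,
                // so the original evaluated `"<script ..." . $error_flag ? a : b`, which
                // discarded the whole <script> prefix (and is a parse error for nested
                // unparenthesised ternaries on PHP 8).
                $ret .= "\n\t\t\t<script language=\"JavaScript\" type=\"text/javascript\">\n\t\t\t<!--\n\t\t\tanswer(" . $blog->id . ", '" . ($blog->attach ? $blog->attach : '') . "', '" . get_login($_SESSION["uid"]) . "');\n\t\t\tdocument.getElementById('frm').olduser.value = '" . $_SESSION["uid"] . "';\n\t\t\tdocument.getElementById('frm').msg_name.value = '" . ($error_flag ? input_ref_scr($msg_name) : input_ref_scr($blog->title)) . "';\n\t\t\tdocument.getElementById('frm').msg.value = '" . ($error_flag ? input_ref_scr($msg) : input_ref_scr($blog->msgtext)) . "';\n\t\t\tdocument.getElementById('frm').btn.value = 'Сохранить';\n\t\t\tdocument.getElementById('frm').action.value = 'change';\n\t\t\t//-->\n\t\t\t</script>";
            }
        }
        $ret .= "</td></tr>\n\t\t</table>";
    }
    $objResponse->assign($begin, "innerHTML", $ret);
    return $objResponse;
}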
<?php /* NOTE(review): $name is echoed straight into a JavaScript string literal inside
         the onclick attribute below, with no JS or HTML escaping. If it can contain a
         quote or a backslash the handler breaks and the value becomes an injection
         point; confirm it is a validated login before this template is reused. */ ?>
<form action="">
<input type="hidden" name="rating" id="note_rating" value="<?php echo (int) $aNote['rating']; ?> ">
<div class="b-textarea">
<textarea class="b-textarea__textarea" id="header_note" name="header_note" cols="70" rows="5" onkeyup="(checknote(this))"></textarea>
</div>
<div class="b-buttons b-buttons_padtop_10">
<a href="javascript:void(0);" onclick="xajax_saveHeaderNote('<?php echo $name; ?> ',$('header_note').get('value'), $('note_rating').get('value'));" class="b-button b-button_flat b-button_flat_grey">Сохранить</a>    или  <a href="javascript:void(0);" onclick="headerNoteText();" class="b-layout__link b-layout__link_fontsize_11">отменить</a>
</div>
</form>
</div>
<script type="text/javascript">
<?php
// !!! htmlspecialchars_decode would be needed here: this variable holds the note's
//     source text, which is later placed into the textarea.
// !!! However, decoding with htmlspecialchars_decode produces an XSS on this page,
//     see http://beta.free-lance.ru/mantis/view.php?id=12887
// @todo Bring every note on the site onto one common display/storage scheme.
// NOTE(review): the value below lands inside a single-quoted JS string. input_ref_scr()
//     is the only protection visible here; a JSON-encoded value (json_encode with
//     JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT) would be the context-correct
//     encoding for a JS literal — confirm what input_ref_scr() escapes.
?>
var headerNote = '<?php echo input_ref_scr($aNote['n_text']); ?> ';
</script>
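/**
 * xajax handler: adds, updates or deletes the current user's note about `$login`
 * and returns a response whose script updates the note widget on the page.
 *
 * @param mixed  $login  login of the user the note is about (arrives from the client)
 * @param mixed  $action "add" or "update"; an "update" with empty text becomes a delete
 * @param mixed  $text   note text, trimmed, stripped of <script> and cut to 200 bytes
 * @param mixed  $rating rating stored with an update (ignored on add)
 * @return xajaxResponse|false false when the notes:: call reported an error
 *
 * NOTE(review): $login is interpolated verbatim into the JavaScript selectors
 * `$('note_{$login}')` / `$('team_{$login}')` below. It is request data, so it
 * should be checked against the allowed login format before use; the same
 * applies to `{$text}`, which is placed inside a single-quoted JS string after
 * reformat() — an earlier addslashes() step was commented out, so a quote that
 * survives reformat() would terminate the literal.
 */
function EditNote($login, $action, $text, $rating = 0) {
    session_start();
    $objResponse = new xajaxResponse();
    $nuid = get_uid(false);
    $text = strip_only(trim($text), '<script>');
    $text = change_q_x($text, FALSE, TRUE, "", false, false);
    // !! the 200-character limit is duplicated in /scripts/note.js — keep in sync.
    // strlen/substr are byte-wise; fine for a single-byte charset, would cut a
    // multibyte character otherwise (NOTE(review): confirm the site charset).
    if (strlen($text) > 200) {
        $text = substr($text, 0, 200);
    }
    // FIX: initialised so an unknown $action no longer reads an undefined variable
    $error = null;
    switch ($action) {
        case "add":
            if ($text) {
                $error = notes::Add($nuid, $login, $text, 0, "?");
            }
            break;
        case "update":
            if ($text) {
                $error = notes::Update($nuid, $login, $text, $rating, "?");
            } else {
                // an empty update removes the note and switches the client script
                $error = notes::DeleteNote($nuid, $login, "?");
                $action = 'delete';
            }
            break;
    }
    if ($error) {
        return false;
    }
    $text = reformat($text, 54, 0, 0, 1, 54);
    // FIX: empty default so an unknown $action sends an empty script instead of null
    $s = '';
    switch ($action) {
        case 'add':
        case 'update':
            if (is_empty_html($text)) {
                // nothing renderable left after reformat(): just close the form
                $s = "\n document.getElement('div.form-templ').setStyle('display', 'none');\n document.getElement('div.form-templ input').set('disabled', false);\n cancelNote();\n ";
                break;
            }
            $s = "\n n = \$('note_{$login}');\n n.getElement('.uprj-note-cnt>p').set('html', '{$text}');\n n.setStyle('display', 'block');\n\n document.getElement('div.form-templ').setStyle('display', 'none');\n document.getElement('div.form-templ input').set('disabled', false);\n\n if(\$('team_{$login}')) \$('team_{$login}').getElement('.uprj-st3').setStyle('display', 'none');\n cancelNote();\n ";
            break;
        case 'delete':
            $s = "\n n = \$('note_{$login}');\n n.getElement('.uprj-note-cnt>p').set('html', '');\n n.setStyle('display', 'none');\n\n if(\$('team_{$login}')) \$('team_{$login}').getElement('.uprj-st3').setStyle('display', 'inline-block');\n document.getElement('div.uprj-note.form-templ').store('action', false);\n cancelNote();\n ";
            break;
    }
    $objResponse->script($s);
    return $objResponse;
}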
?> "; _frm2.v_pcost.value = "<?php echo $cost; ?> "; _frm2.v_ptime.value = "<?php echo $time_value; ?> "; _frm2.v_ptimeei.value = "<?php echo $time_type; ?> "; _frm2.v_video_link.value = "<?php echo str_replace('"', '\\"', input_ref_scr($video_link)); ?> "; _frm2.v_descr.value = "<?php echo str_replace('"', '\\"', htmlspecialchars_decode(str_replace("\n", '\\n', $descr))); ?> "; if(<?php echo $in_shop; ?> ==1) { _frm.in_shop.checked = true; } else { _frm.in_shop.checked = false;
prjid = new Array(); prjprevtype = new Array(); prof_ids = new Array(); profnames = new Array(); prjinprof = new Array(); <?php $ilast = $i = 0; $lastprof = -1; $j = 0; if ($prjs) { foreach ($prjs as $ikey => $prj) { if ($prj['id']) { print 'prjn[' . $prj['id'] . "] = '" . $i . "';\nprjid[{$i}] = '" . $prj['id'] . "';\nprjname[{$i}] = '" . input_ref_scr($prj['name']) . "';\nprjlink[{$i}] = '" . input_ref_scr($prj['link']) . "';\nprjdescr[{$i}] = '" . input_ref_scr($prj['descr']) . "';\nprjprevtype[{$i}] = '" . $prj['prj_prev_type'] . "';\n\n"; ++$i; } $curprof = $prj['prof_id']; if ($lastprof != $curprof) { if ($lastprof != -1 && $i - $ilast > 1) { print 'prjinprof[' . ($j - 1) . "] = '" . ($i - $ilast) . "';\n"; } print "prof_ids[{$j}] = '" . $prof['prof_id'] . "';\nprofnames[{$j}] = '" . $prof['name'] . "';\n\n"; ++$j; $ilast = $i; $lastprof = $curprof; } } } if ($i - $ilast > 0) {
?> , ''); answer(<?php echo $reply; ?> , null, ''); document.getElementById('frm').msg_name.value = "<?php echo stripslashes(input_ref_scr($msg_name)); ?> "; document.getElementById('frm').msg.value = "<?php echo input_ref_scr($msg); ?> "; if(document.getElementById('frm').yt_link != undefined) document.getElementById('frm').yt_link.value = "<?php echo preg_replace("/\\//", '\\/', stripslashes(input_ref_scr($yt_link))); ?> "; <?php if ($yt_link) { ?> yt_link = true; if(document.getElementById('frm').yt_link != undefined) $('yt_link').style.display = 'block'; <?php } else { ?> yt_link = false; if(document.getElementById('frm').yt_link != undefined) $('yt_link').style.display = 'none'; <?php } ?>
} // срок окончания ПРО - только для админов if (hasPermissions('users') && $user->is_pro === 't') { $proLast = payed::ProLast($user->login); $proDate = $proLast['cnt'] ? date('d-m-Y в h:i', strtotime($proLast['cnt'])) : null; } $access_favorite = $_SESSION['login'] && $user->login != $_SESSION['login']; $access_contacts = ($user->isCurrent() || is_view_contacts($user->uid) || hasPermissions('users')) && is_contacts_not_empty($user); $show_contacts_col = $access_favorite || $access_contacts; ?> <?php if ($user->login == $_SESSION['login'] || hasPermissions('users')) { ?> <script type="text/javascript"> statusTxt="<?php echo ref_scr(input_ref_scr($user->status_text)); ?> "; statusTxtSrc= <?php echo json_encode(array('data' => iconv('CP1251', 'UTF8', $user->status_text))); ?> ; statusType=<?php echo $user->status_type; ?> ; statstr=new Array(); <?php for ($i = -1; $ststr = $user->statusToStr($i); $i++) { ?> statstr[<?php