/**
 * Flatten a fragment of HTML into plain text.
 *
 * The input is passed through the project's sanitize_html(), then through
 * wp_kses() with empty allow-lists (presumably dropping every remaining tag),
 * and finally entities are decoded back into characters.
 *
 * Because the last step decodes entities, the result may contain literal
 * "<", ">" and quotes again: treat it as text, never re-emit it as markup
 * without escaping.
 *
 * @param string $html markup to flatten
 *
 * @return string text with tags removed and entities decoded
 */
function html_to_text($html)
{
    $tagless = wp_kses(sanitize_html($html), array(), array());
    return html_entity_decode($tagless, ENT_QUOTES, 'UTF-8');
}
/**
 * Render a table of teams, one row per element of $list.
 *
 * Each row links to team_display.php and shows the description (passed
 * through sanitize_html()), the formatted average credit, the type name and
 * the country. Rows alternate between the CSS classes row0 and row1.
 *
 * NOTE(review): only the description goes through sanitize_html(); name and
 * country are echoed as stored, so this relies on them having been cleaned
 * when the team was saved — confirm against the team edit code.
 *
 * @param array $list team objects with id, name, description, expavg_credit, type and country
 */
function show_list($list)
{
    start_table();
    $headings = array("Team name", "Description", "Average credit", "Type", "Country");
    $header = "\n        <tr>\n";
    foreach ($headings as $heading) {
        $header .= "        <th>" . tra($heading) . "</th>\n";
    }
    $header .= "        </tr>\n    ";
    echo $header;
    $rowIndex = 0;
    foreach ($list as $team) {
        $parity = $rowIndex % 2;
        $rowIndex++;
        $typeName = team_type_name($team->type);
        $row = "<tr class=row{$parity}>\n";
        $row .= "            <td><a href=team_display.php?teamid={$team->id}>{$team->name}</a></td>\n";
        $row .= "            <td><span class=note>" . sanitize_html($team->description) . "</span></td>\n";
        $row .= "            <td>" . format_credit($team->expavg_credit) . "</td>\n";
        $row .= "            <td>{$typeName}</td>\n";
        $row .= "            <td>{$team->country}</td>\n";
        $row .= "            </tr>\n        ";
        echo $row;
    }
    echo "</table>";
}
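/**
 * Normalise a user-supplied custom title for the Hunter's Lodge module.
 *
 * Applies newline_sanitize(), turns an empty title into "`0", strips the
 * `c / `H / `w colour codes and runs sanitize_html(). Both the preview and
 * the final "set" step use this so the stored title can never differ from
 * what was previewed.
 *
 * @param string $title raw title text (already url-decoded)
 *
 * @return string cleaned title
 */
function hunterslodge_customtitle_clean($title)
{
    $title = newline_sanitize($title);
    if ($title == "") {
        $title = "`0";
    }
    $title = preg_replace("/[`][cHw]/", "", $title);
    return sanitize_html($title);
}

/**
 * Hunter's Lodge custom-title flow: choose ("change"), preview ("confirm")
 * and apply ("set") a new custom title for the current player.
 *
 * Request parameters read: op (which step), free (whether the title item is
 * consumed), newname (POSTed on confirm, carried in the URL on set).
 *
 * The "set" step used to store the URL value as-is; a hand-crafted op=set
 * link therefore bypassed the cleaning done on confirm. It now re-applies
 * hunterslodge_customtitle_clean(), which assumes that cleaning is
 * idempotent (true for the regex; presumably also for newline_sanitize()
 * and sanitize_html() — TODO confirm).
 *
 * NOTE(review): "free" comes straight from the request, so whether the item
 * is consumed is client-controlled — confirm whether the server can derive
 * it instead. The 25-character limit quoted to the player is not enforced
 * here; it may live in change_player_ctitle() — TODO confirm.
 */
function hunterslodge_customtitle_run()
{
    require_once "lib/sanitize.php";
    require_once "lib/names.php";
    global $session;
    $op = httpget("op");
    $free = httpget("free");
    page_header("Choose your Custom Title");
    switch ($op) {
        case "change":
            output("Ready to change your Title?  No problem.  Enter your desired Title in the box below.  You've got 25 characters to play with, including colour codes.`n`n");
            titlechange_form();
            addnav("Cancel");
            addnav("Don't change colours, just go back to the Lodge", "runmodule.php?module=iitems_hunterslodge&op=start");
            break;
        case "confirm":
            $ntitle = hunterslodge_customtitle_clean(rawurldecode(httppost('newname')));
            $nname = get_player_basename();
            output("`0Your new title will look like this: %s`0`n", $ntitle);
            output("`0Your entire name will look like: %s %s`0`n`n", $ntitle, $nname);
            output("Do you want to set the new title now?`n`n");
            output("`0Try a different title below, if you like.`n`n");
            titlechange_form();
            addnav("Confirm");
            addnav("Set the new Title", "runmodule.php?module=hunterslodge_customtitle&op=set&free={$free}&newname=" . rawurlencode($ntitle));
            addnav("Cancel");
            addnav("Don't change your Title, just go back to the Lodge", "runmodule.php?module=iitems_hunterslodge&op=start");
            break;
        case "set":
            // The title arrives through the URL; clean it again rather than
            // trusting that it came from the confirm page unchanged.
            $ntitle = hunterslodge_customtitle_clean(rawurldecode(httpget('newname')));
            $newname = change_player_ctitle($ntitle);
            $session['user']['ctitle'] = $ntitle;
            $session['user']['name'] = $newname;
            output("You are now known as %s!`0`n`n", $session['user']['name']);
            if (!$free) {
                $id = has_item("hunterslodge_customtitle");
                delete_item($id);
            }
            addnav("Return");
            addnav("Return to the Lodge", "runmodule.php?module=iitems_hunterslodge&op=start");
            break;
    }
    page_footer();
}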
ファイル: team_search.php プロジェクト: Turante/boincweb
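/**
 * Render a table of teams, one row per element of $list.
 *
 * Each row links to team_display.php and shows the description (passed
 * through sanitize_html()), the formatted average credit, the type name and
 * the country. Rows alternate between the CSS classes row0 and row1.
 *
 * The row markup was previously a single-quoted string, so "$j",
 * "$team->id", "$team->name", "$type" and "$team->country" were printed
 * literally instead of being interpolated; it is now built from
 * double-quoted pieces.
 *
 * NOTE(review): only the description goes through sanitize_html(); name and
 * country are echoed as stored — confirm they are cleaned on input.
 *
 * @param array $list team objects with id, name, description, expavg_credit, type and country
 */
function show_list($list)
{
    start_table();
    echo "<tr>\n\t\t<th>Team name</th>\n\t\t<th>Description</th>\n\t\t<th>Average credit</th>\n\t\t<th>Type</th>\n\t\t<th>Country</th>\n\t\t</tr>";
    $i = 0;
    foreach ($list as $team) {
        $type = team_type_name($team->type);
        $j = $i++ % 2;
        echo "<tr class=\"row{$j}\">\n"
            . "\t\t\t<td><a href=\"team_display.php?teamid={$team->id}\">{$team->name}</a></td>\n"
            . "\t\t\t<td><span class=\"note\">" . sanitize_html($team->description) . "</span></td>\n"
            . "\t\t\t<td>" . format_credit($team->expavg_credit) . "</td>\n"
            . "\t\t\t<td>{$type}</td>\n"
            . "\t\t\t<td>{$team->country}</td>\n"
            . "\t\t\t</tr>\n\t\t";
    }
    echo "</table>";
}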
ファイル: team_edit_action.php プロジェクト: Turante/boincweb
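// team_edit_action.php: authorise the logged-in user as a team admin and
// normalise the posted team fields before they reach the database.
// NOTE(review): this excerpt ends before the UPDATE statement; the escaped
// values are presumably consumed further down — confirm.
$user = get_logged_in_user();
$teamid = post_int("teamid");
$team = BoincTeam::lookup_id($teamid);
if (!$team) {
    error_page("no such team");
}
require_admin($user, $team);
$team_url = BoincDb::escape_string(strip_tags(post_str("url", true)));
// Store the URL without a leading "http://". The previous strstr()/substr()
// pair chopped the first seven characters whenever "http://" appeared
// anywhere in the string, not only at the start.
if (strncmp($team_url, "http://", 7) === 0) {
    $team_url = substr($team_url, 7);
}
$team_name = BoincDb::escape_string(strip_tags(post_str("name")));
$team_name_lc = strtolower($team_name);
$tnh = post_str("name_html", true);
$team_name_html = sanitize_html($tnh);
$team_name_html = BoincDb::escape_string($team_name_html);
// NOTE(review): unlike name_html, the description is escaped for SQL but
// not run through sanitize_html() here — confirm it is sanitised on output.
$team_description = BoincDb::escape_string(post_str("description", true));
$type = BoincDb::escape_string(post_str("type", true));
$country = BoincDb::escape_string(post_str("country", true));
if ($country == "") {
    $country = "International";
}
if (!is_valid_country($country)) {
    error_page("bad country");
}
$joinable = post_str('joinable', true) ? 1 : 0;
// Name uniqueness: the escaped name is safe to embed in the lookup clause.
$t = BoincTeam::lookup("name='{$team_name}'");
if ($t && $t->id != $teamid) {
    error_page("The name '{$team_name}' is being used by another team.");
}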
/**
 * Prepare a block of text: sanitise its HTML, then rewrite images, links and
 * formatting tags into their BBCode equivalents.
 *
 * The order matters — sanitize_html() runs before any of the *_as_bb()
 * converters see the markup.
 *
 * @param string $text raw input
 *
 * @return string sanitised text with images, links and formatting as BBCode
 */
function fix_text($text)
{
    return formatting_as_bb(link_as_bb(image_as_bb(sanitize_html($text))));
}
ファイル: comment.php プロジェクト: pvorb/php-yuki
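 /**
  * Sanitizes a comment.
  *
  * Populates message, name, email and website from the comment-* POST
  * fields and stamps the comment with the current date and time. A field
  * missing from the request is treated as an empty string instead of
  * raising an undefined-index notice.
  *
  * NOTE(review): email is copied through untouched while every other field
  * gets a sanitize_*() call — confirm it is validated before use.
  */
 private function sanitize()
 {
     $message = isset($_POST['comment-message']) ? $_POST['comment-message'] : '';
     $name = isset($_POST['comment-name']) ? $_POST['comment-name'] : '';
     $email = isset($_POST['comment-email']) ? $_POST['comment-email'] : '';
     $website = isset($_POST['comment-website']) ? $_POST['comment-website'] : '';
     // Sanitize user input
     $this->message = sanitize_html($message);
     $this->name = sanitize_string($name);
     $this->email = $email;
     $this->website = sanitize_url($website);
     // Get date, time
     $this->date = current_date();
     $this->time = current_time();
 }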
ファイル: team_search.php プロジェクト: CalvinZhu/boinc
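/**
 * Render the team search results as a table.
 *
 * Columns: name (linking to team_display.php), an optional "Validated?"
 * column when SHOW_NONVALIDATED_TEAMS is defined, then description (via
 * sanitize_html()), average credit, type and country. Rows alternate the
 * CSS classes row0/row1.
 *
 * NOTE(review): name and country are echoed as stored; only the description
 * is sanitised here — confirm they are cleaned on input. With
 * SHOW_NONVALIDATED_TEAMS defined this performs one BoincUser lookup per
 * row.
 *
 * @param array $list team objects (id, name, userid, description, expavg_credit, type, country)
 */
function show_list($list)
{
    start_table();
    echo "\n        <tr>\n        <th>" . tra("Team name") . "</th>\n    ";
    if (defined("SHOW_NONVALIDATED_TEAMS")) {
        echo "<th>Validated?</th>\n";
    }
    echo "\n        <th>" . tra("Description") . "</th>\n        <th>" . tra("Average credit") . "</th>\n        <th>" . tra("Type") . "</th>\n        <th>" . tra("Country") . "</th>\n        </tr>\n    ";
    $i = 0;
    foreach ($list as $team) {
        $type = team_type_name($team->type);
        $j = $i++ % 2;
        echo "<tr class=row{$j}>\n            <td><a href=team_display.php?teamid={$team->id}>{$team->name}</a></td>\n        ";
        if (defined("SHOW_NONVALIDATED_TEAMS")) {
            // lookup_id() presumably yields null/false when the founder row is
            // gone; show "No" instead of reading email_validated off nothing.
            $user = BoincUser::lookup_id($team->userid);
            echo "<td>";
            echo ($user && $user->email_validated) ? "Yes" : "No";
            echo "</td>\n";
        }
        echo "\n            <td><p class=\"text-muted\">" . sanitize_html($team->description) . "</p></td>\n            <td>" . format_credit($team->expavg_credit) . "</td>\n            <td>{$type}</td>\n            <td>{$team->country}</td>\n            </tr>\n        ";
    }
    echo "</table>";
}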
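 /**
  * Convert from Events Manager event to a event format defined
  * by ShoutEm Data Exchange Protocol @link http://fiveminutes.jira.com/wiki/display/SE/Data+Exchange+Protocol
  *
  * Events from the old plugin (no event_id property) are delegated to
  * convert_old_em_event_to_se_event(); new ones are remapped here, with the
  * owner (via get_userdata()) and the venue (via EM_Locations::get())
  * attached when they can be resolved. The description is then passed
  * through sanitize_html(), the attachments it strips are merged with the
  * post's leading image, and the summary is derived with html_to_text().
  *
  * @param object $event Events Manager event
  *
  * @return array event in ShoutEm format
  */
 private function convert_to_se_event($event)
 {
     $new_em_plugin = property_exists($event, 'event_id');
     if (!$new_em_plugin) {
         $remaped_event = self::convert_old_em_event_to_se_event($event);
     } else {
         //new event manager
         $remaped_event = array('post_id' => $event->event_id, 'start_time' => $event->event_start_date . ' ' . $event->event_start_time, 'end_time' => $event->event_end_date . ' ' . $event->event_end_time, 'name' => $event->name, 'description' => $event->post_content, 'image_url' => $event->image_url);
         $user_id = $event->event_owner;
         if ($user_id > 0) {
             // get_userdata() returns false for an unknown id; leave the owner
             // out rather than reading user_nicename off a boolean.
             $user = get_userdata($user_id);
             if ($user) {
                 $remaped_event['owner'] = array('id' => $user_id, 'name' => $user->user_nicename);
             }
         }
         $venue = array();
         $location = EM_Locations::get(array($event->location_id));
         // Build the venue only when the requested location actually came back.
         if (is_array($location) && isset($location[$event->location_id])) {
             $location = $location[$event->location_id];
             $venue = array('id' => '', 'name' => $location->location_name, 'street' => $location->location_address, 'city' => $location->location_town, 'state' => $location->location_state, 'country' => $location->location_country, 'latitude' => $location->location_latitude, 'longitude' => $location->location_longitude);
         }
         $remaped_event['place'] = $venue;
     }
     // sanitize_html() presumably fills $striped_attachments through its
     // second argument — TODO confirm it is taken by reference.
     $striped_attachments = array();
     $remaped_event['description'] = sanitize_html($remaped_event['description'], $striped_attachments);
     if (property_exists($event, 'post_id')) {
         $this->include_leading_image_in_attachments($striped_attachments, $event->post_id);
     }
     $remaped_event['body'] = $remaped_event['description'];
     $remaped_event['summary'] = html_to_text($remaped_event['description']);
     $remaped_event['attachments'] = $striped_attachments;
     return $remaped_event;
 }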
 /**
  * Build the ShoutEm representation of a WordPress post.
  *
  * Remaps the post's fields, resolves categories, runs the body through
  * shortcodes and the the_content filter, sanitises it (collecting stripped
  * attachments), merges those with attachments gathered by hooks and the
  * leading image, and finally derives commentable/summary/title values.
  *
  * @param object $post   WordPress post object
  * @param array  $params request parameters; session_id, include_raw_post
  *                       and commentable are the keys read here
  *
  * @return array the remapped post
  */
 private function get_post($post, $params)
 {
     $attachments = array('images' => array(), 'videos' => array(), 'audio' => array());
     // Alias the property to the local array: anything written through
     // $this->attachments (or the attachments_ref handed to the action below)
     // lands in $attachments.
     $this->attachments =& $attachments;
     $is_user_logged_in = isset($params['session_id']);
     $include_raw_post = isset($params['include_raw_post']);
     $is_reqistration_required = '1' == get_option('comment_registration');
     $remaped_post = $this->array_remap_keys($post, array('ID' => 'post_id', 'post_date_gmt' => 'published_at', 'post_title' => 'title', 'post_excerpt' => 'summary', 'post_content' => 'body', 'comment_status' => 'commentable', 'comment_count' => 'comments_count'));
     $post_categories = wp_get_post_categories($remaped_post['post_id']);
     $categories = array();
     // $tags is never filled or read below.
     $tags = array();
     foreach ($post_categories as $category) {
         $cat = get_category($category);
         $categories[] = array('id' => $cat->cat_ID, 'name' => $cat->name);
     }
     $remaped_post['categories'] = $categories;
     //*** ACTION  shoutem_get_post_start ***//
     //Integration with external plugins will usually hook to this action to
     //substitute shortcodes or generate appropriate attachments from the content.
     //For example: @see ShoutemNGGDao, @see ShoutemFlaGalleryDao.
     do_action('shoutem_get_post_start', array('wp_post' => $post, 'attachments_ref' => &$attachments));
     $body = apply_filters('the_content', do_shortcode($remaped_post['body']));
     if ($include_raw_post) {
         // Raw means "after filters, before sanitize_html()".
         $remaped_post['raw_post'] = $body;
     }
     // sanitize_html() presumably populates the images/videos/audio keys of
     // $striped_attachments through its second argument; the array_merge()
     // calls below warn if any key is missing — TODO confirm.
     $striped_attachments = array();
     $remaped_post['body'] = sanitize_html($body, $striped_attachments);
     // NOTE(review): get_userdata() returns false for an unknown author, in
     // which case display_name is read off a boolean.
     $user_data = get_userdata($post->post_author);
     $remaped_post['author'] = $user_data->display_name;
     $remaped_post['likeable'] = 0;
     $remaped_post['likes_count'] = 0;
     $remaped_post['link'] = get_permalink($remaped_post['post_id']);
     $this->include_leading_image_in_attachments($attachments, $post->ID);
     $attachments['images'] = array_merge($attachments['images'], $striped_attachments['images']);
     $attachments['videos'] = array_merge($attachments['videos'], $striped_attachments['videos']);
     $attachments['audio'] = array_merge($attachments['audio'], $striped_attachments['audio']);
     sanitize_attachments($attachments);
     $remaped_post['attachments'] = $attachments;
     // The first image, if any, doubles as the post's image_url.
     $remaped_post['image_url'] = '';
     $images = $attachments['images'];
     if (count($images) > 0) {
         $remaped_post['image_url'] = $images[0]['src'];
     }
     // The request's own "commentable" value wins over the computed one when
     // WordPress commenting is enabled at all.
     $post_commentable = $remaped_post['commentable'] == 'open';
     if (!$this->options['enable_wp_commentable']) {
         $remaped_post['commentable'] = 'no';
     } else {
         if (array_key_exists('commentable', $params)) {
             $remaped_post['commentable'] = $params['commentable'];
         } else {
             $remaped_post['commentable'] = $this->get_commentable($post_commentable, $is_user_logged_in, $is_reqistration_required);
         }
     }
     if ($this->options['enable_fb_commentable']) {
         $remaped_post['fb_commentable'] = 'yes';
     }
     // Fall back to the generated excerpt when the post has no explicit one.
     if (!$remaped_post['summary']) {
         $remaped_post['summary'] = wp_trim_excerpt(apply_filters('the_excerpt', get_the_excerpt()));
         $remaped_post['summary'] = html_to_text($remaped_post['summary']);
     }
     $remaped_post['title'] = html_to_text($remaped_post['title']);
     // NOTE(review): $remaped_posts is a local that is appended to and never
     // read — looks like a leftover from a multi-post variant.
     $remaped_posts[] = $remaped_post;
     return $remaped_post;
 }
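/**
 * Cost of the player's next custom title change, in Donator Points.
 *
 * The first change costs the "initialpoints" setting, every later one the
 * "extrapoints" setting; a player with the "permanent" preference pays
 * nothing.
 *
 * @return int|string the cost as stored in the module settings
 */
function titlechange_title_cost()
{
    if (get_module_pref("permanent")) {
        return 0;
    }
    if (get_module_pref("timespurchased")) {
        return get_module_setting("extrapoints");
    }
    return get_module_setting("initialpoints");
}

/**
 * Normalise a submitted title exactly as the preview step shows it.
 *
 * Newlines are removed; an empty title becomes "`0" when the "blank"
 * setting allows it, otherwise the player is sent back with err=1
 * (redirect() presumably ends the request — TODO confirm). Bold/italic
 * codes are stripped unless enabled, then sanitize_colorname(), the
 * `c / `H / `w code filter and sanitize_html() run in that order.
 *
 * @param string $title raw title text (already url-decoded)
 *
 * @return string cleaned title
 */
function titlechange_normalize_title($title)
{
    $title = newline_sanitize($title);
    if ($title == "") {
        if (get_module_setting("blank")) {
            $title = "`0";
        } else {
            redirect("runmodule.php?module=titlechange&op=titlechange&err=1");
        }
    }
    if (!get_module_setting("bold")) {
        $title = str_replace("`b", "", $title);
    }
    if (!get_module_setting("italics")) {
        $title = str_replace("`i", "", $title);
    }
    $title = sanitize_colorname(get_module_setting("spaceinname"), $title);
    $title = preg_replace("/[`][cHw]/", "", $title);
    return sanitize_html($title);
}

/**
 * Hunter's Lodge title-change module: offer unlimited changes for Donator
 * Points ("permanent"/"permanentconfirm"), show the title form
 * ("titlechange"), preview a submitted title ("titlepreview") and apply it
 * ("changetitle").
 *
 * Two checks that were only made on the pages that link to an action are
 * now also made by the action itself, because nothing stops a player from
 * requesting op=permanentconfirm or op=changetitle directly:
 *  - permanentconfirm re-checks that the player can afford the perk;
 *  - changetitle re-normalises the title from the URL and re-checks the
 *    cost before applying it.
 * Re-normalising assumes titlechange_normalize_title() is idempotent (true
 * for the regex and str_replace() steps; presumably also for
 * sanitize_colorname() and sanitize_html() — TODO confirm).
 *
 * NOTE(review): the 25-character limit is only enforced by the form's
 * maxlength attribute; change_player_ctitle() may enforce it — TODO confirm.
 */
function titlechange_run()
{
    require_once "lib/sanitize.php";
    require_once "lib/names.php";
    global $session;
    $op = httpget("op");
    page_header("Hunter's Lodge");
    $pointsavailable = $session['user']['donation'] - $session['user']['donationspent'];
    $permcost = get_module_setting("permanent");
    if ($op == "permanent") {
        page_header("Unlimited Title Changes");
        output("For %s Donator Points, you can change your Title as often as you like without paying again.`n`n", $permcost);
        addnav("Unlimited Changes");
        if ($pointsavailable >= $permcost) {
            addnav(array("Get permanent free Title changes (%s Points)", $permcost), "runmodule.php?module=titlechange&op=permanentconfirm");
        } else {
            addnav(array("Sorry, but you need %s more Donator Points for this option.", $permcost - $pointsavailable), "");
        }
        addnav("Cancel", "lodge.php");
        page_footer();
    }
    if ($op == "permanentconfirm") {
        page_header("Unlimited Title Changes");
        // Same affordability rule as the "permanent" page, enforced where the
        // perk is actually granted.
        if ($pointsavailable >= $permcost) {
            output("You've got unlimited Title Changes!");
            addnav("Back to the Lodge", "lodge.php");
            set_module_pref("permanent", 1);
            $session['user']['donationspent'] += $permcost;
        } else {
            output("Sorry, but you don't have enough points to do that!`n`n");
            addnav("Back to the Lodge", "lodge.php");
        }
        page_footer();
    }
    if ($op == "titlechange") {
        $cost = titlechange_title_cost();
        if ($cost <= $pointsavailable) {
            output("`3`bCustomize Title`b`0`n`n");
            output("`7Because you have earned sufficient points, you have been granted the ability to set a custom title of your choosing.");
            output("The title must be appropriate, and the admin of the game can reset if it isn't (as well as penalize you for abusing the game).");
            output("The title may not be more than 25 characters long including any characters used for colorization!.`n`n");
            $otitle = get_player_title();
            if ($otitle == "`0") {
                $otitle = "";
            }
            output("`7Your title is currently`^ ");
            rawoutput($otitle);
            output_notl("`0`n");
            output("`7which looks like %s`n`n", $otitle);
            if (httpget("err") == 1) {
                output("`\$Please enter a title.`n");
            }
            output("`7How would you like your title to look?`n");
            rawoutput("<form action='runmodule.php?module=titlechange&op=titlepreview' method='POST'>");
            rawoutput("<input id='input' name='newname' width='25' maxlength='25' value='" . htmlentities($otitle, ENT_COMPAT, getsetting("charset", "ISO-8859-1")) . "'>");
            rawoutput("<input type='submit' class='button' value='Preview'>");
            rawoutput("</form>");
            addnav("", "runmodule.php?module=titlechange&op=titlepreview");
        } else {
            output("Sorry, but you don't have enough points to do that!`n`n");
        }
    } elseif ($op == "titlepreview") {
        $ntitle = titlechange_normalize_title(rawurldecode(httppost('newname')));
        $nname = get_player_basename();
        output("`7Your new title will look like this: %s`0`n", $ntitle);
        output("`7Your entire name will look like: %s %s`0`n`n", $ntitle, $nname);
        output("`7Is this how you wish it to look?");
        addnav("`bConfirm Custom Title`b");
        addnav("Yes", "runmodule.php?module=titlechange&op=changetitle&newname=" . rawurlencode($ntitle));
        addnav("No", "runmodule.php?module=titlechange&op=titlechange");
    } elseif ($op == "changetitle") {
        // The title travels through the URL from the preview step: clean it
        // again instead of trusting the link, and re-check the cost.
        $ntitle = titlechange_normalize_title(rawurldecode(httpget('newname')));
        $cost = titlechange_title_cost();
        if ($cost > $pointsavailable) {
            output("Sorry, but you don't have enough points to do that!`n`n");
        } else {
            $fromname = $session['user']['name'];
            $newname = change_player_ctitle($ntitle);
            $session['user']['ctitle'] = $ntitle;
            $session['user']['name'] = $newname;
            addnews("%s`^ has become known as %s.", $fromname, $session['user']['name']);
            // modifications by sixf00t4
            if (!get_module_pref("permanent") && get_module_setting("take")) {
                if (get_module_pref("timespurchased")) {
                    debuglog("bought another custom title for {$cost} points");
                } else {
                    debuglog("bought first custom title for {$cost} points");
                }
                $session['user']['donationspent'] += $cost;
            }
            set_module_pref("timespurchased", get_module_pref("timespurchased") + 1);
            output("Your custom title has been set.");
            modulehook("namechange", array());
        }
    }
    addnav("L?Return to the Lodge", "lodge.php");
    page_footer();
}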
ファイル: create_profile.php プロジェクト: BryanQuigley/boinc
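/**
 * Validate and persist a submitted profile form for $user.
 *
 * Reads response1, response2, language, delete_pic and the optional
 * "picture" upload from the request. The submission is checked against
 * ReCaptcha (when a private key is configured) and Akismet; on failure the
 * form is redisplayed with the entered text. An entirely empty submission is
 * rejected with error_page(). Both responses go through sanitize_html() and
 * BoincDb::escape_string() before being placed in the INSERT/UPDATE
 * statement.
 *
 * Request fields are now read with isset() guards: a missing captcha field
 * fails verification instead of raising a notice, a missing file field no
 * longer reaches is_uploaded_file(), and picture deletion is skipped when
 * there is no existing profile to delete from.
 *
 * @param object      $user    the logged-in user; its id names the image files and keys the row
 * @param object|null $profile the existing profile row, or null/false when creating one
 */
function process_create_profile($user, $profile)
{
    global $config;
    $response1 = post_str('response1', true);
    $response2 = post_str('response2', true);
    $language = post_str('language', true);
    $privatekey = parse_config($config, "<recaptcha_private_key>");
    if ($privatekey) {
        // No captcha field in the request must mean "not verified".
        $captcha_response = isset($_POST["g-recaptcha-response"]) ? $_POST["g-recaptcha-response"] : "";
        $recaptcha = new ReCaptcha($privatekey);
        $resp = $recaptcha->verifyResponse($_SERVER["REMOTE_ADDR"], $captcha_response);
        if (!$resp->success) {
            $profile->response1 = $response1;
            $profile->response2 = $response2;
            show_profile_form($profile, tra("Your ReCaptcha response was not correct.  Please try again."));
            return;
        }
    }
    if (!akismet_check($user, $response1)) {
        $profile->response1 = $response1;
        $profile->response2 = $response2;
        show_profile_form($profile, tra("Your first response was flagged as spam by the Akismet anti-spam system.  Please modify your text and try again."));
        return;
    }
    if (!akismet_check($user, $response2)) {
        $profile->response1 = $response1;
        $profile->response2 = $response2;
        show_profile_form($profile, tra("Your second response was flagged as spam by the Akismet anti-spam system.  Please modify your text and try again."));
        return;
    }
    $delete_pic = isset($_POST['delete_pic']) ? $_POST['delete_pic'] : "off";
    // Evaluate the upload once; is_uploaded_file() must not see a missing field.
    $picture_uploaded = isset($_FILES['picture']['tmp_name']) && is_uploaded_file($_FILES['picture']['tmp_name']);
    if (strlen($response1) == 0 && strlen($response2) == 0 && $delete_pic != "on" && !$picture_uploaded) {
        error_page(tra("Your profile submission was empty."));
        exit;
    }
    // Only an existing profile has pictures (and a userid) to delete.
    if ($delete_pic == "on" && $profile) {
        delete_user_pictures($profile->userid);
        $profile->has_picture = false;
        $profile->verification = 0;
    }
    $has_picture = $profile ? $profile->has_picture : false;
    if ($picture_uploaded) {
        $has_picture = true;
        // A new picture must be re-verified by an admin.
        if ($profile) {
            $profile->verification = 0;
        }
        $images = getImages($_FILES['picture']['tmp_name']);
        // Write the original image file to disk.
        // TODO: define a constant for image quality.
        ImageJPEG($images[0], IMAGE_PATH . $user->id . '.jpg');
        ImageJPEG($images[1], IMAGE_PATH . $user->id . '_sm.jpg');
    }
    $response1 = sanitize_html($response1);
    $response2 = sanitize_html($response2);
    $has_picture = $has_picture ? 1 : 0;
    if ($profile) {
        $query = " response1 = '" . BoincDb::escape_string($response1) . "'," . " response2 = '" . BoincDb::escape_string($response2) . "'," . " language = '" . BoincDb::escape_string($language) . "'," . " has_picture = {$has_picture}," . " verification = {$profile->verification}" . " WHERE userid = {$user->id}";
        $result = BoincProfile::update_aux($query);
        if (!$result) {
            error_page(tra("Could not update the profile: database error"));
        }
    } else {
        $query = 'SET ' . " userid={$user->id}," . " language = '" . BoincDb::escape_string($language) . "'," . " response1 = '" . BoincDb::escape_string($response1) . "'," . " response2 = '" . BoincDb::escape_string($response2) . "'," . " has_picture = {$has_picture}," . " recommend=0, " . " reject=0, " . " posts=0, " . " uotd_time=0, " . " verification=0";
        $result = BoincProfile::insert($query);
        if (!$result) {
            error_page(tra("Could not create the profile: database error"));
        }
    }
    $user->update("has_profile=1");
    page_head(tra("Profile saved"));
    echo tra("Congratulations! Your profile was successfully entered into our database.") . "<br><br>" . "<a href=\"view_profile.php?userid=" . $user->id . "\">" . tra("View your profile") . "</a><br>";
    page_tail();
}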
ファイル: markdown.php プロジェクト: toneiv/Shaarli
/**
 * Render shaare contents through Markdown parser.
 *
 * The description first has Shaarli's own rendering undone (clickable
 * links, <br>, &nbsp; and the escape function are reversed), is then run
 * through Parsedown with markup escaping off and line breaks on, and the
 * resulting HTML is passed through sanitize_html() before being wrapped in
 * a div with the 'markdown' class. An empty result is returned as-is.
 *
 * @param string $description input description text.
 *
 * @return string HTML processed $description.
 */
function process_markdown($description)
{
    $parser = new Parsedown();
    $markdown = unescape(reverse_space2nbsp(reverse_nl2br(reverse_text2clickable($description))));
    $parser->setMarkupEscaped(false);
    $parser->setBreaksEnabled(true);
    $html = sanitize_html($parser->text($markdown));
    if (empty($html)) {
        return $html;
    }
    return '<div class="markdown">' . $html . '</div>';
}
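/**
 * Mail the configured notify addresses about a PHP error, rate-limited per
 * distinct error message.
 *
 * The "error_notify" datacache entry remembers when each $errstr was last
 * reported; a message goes out only when the error is new or older than the
 * "notify_every" setting (minutes). The first run after the cache expired
 * only records errors and sends nothing.
 *
 * Fixes: the user line was never added because the acctid check read a
 * misspelt "$sesson"; the each() loop is a foreach; HTTP_HOST is guarded
 * for non-web (e.g. cron) invocations.
 *
 * @param int    $errno     PHP error number (not used in the message)
 * @param string $errstr    error message; also the rate-limit key
 * @param string $errfile   file the error occurred in
 * @param int    $errline   line the error occurred on
 * @param string $backtrace backtrace; sent through sanitize_html() in the text
 *                          part and verbatim in the HTML part
 */
function logd_error_notify($errno, $errstr, $errfile, $errline, $backtrace)
{
    global $session;
    $sendto = explode(";", getsetting("notify_address", ""));
    $howoften = getsetting("notify_every", 30);
    $data = datacache("error_notify", 86400);
    if (!is_array($data)) {
        $data = array('firstrun' => true, 'errors' => array());
    } else {
        $data['firstrun'] = false;
    }
    $do_notice = false;
    if (!array_key_exists($errstr, $data['errors'])) {
        $do_notice = true;
    } elseif (strtotime("now") - $data['errors'][$errstr] > $howoften * 60) {
        $do_notice = true;
    }
    if ($data['firstrun']) {
        debug("First run, not notifying users.");
    } else {
        if ($do_notice) {
            /***
             * Set up the mime bits
             **/
            require_once "sanitize.php";
            $notice_text = "This is a multi-part message in MIME format.";
            $userstr = "";
            if ($session && isset($session['user']['name']) && isset($session['user']['acctid'])) {
                $userstr = "Error triggered by user " . $session['user']['name'] . " (" . $session['user']['acctid'] . ")\n";
            }
            // NOTE(review): the HTML part embeds $errstr/$errfile/$backtrace
            // unescaped while the text part sanitises the backtrace — confirm
            // the backtrace is meant to be HTML and that $errstr cannot carry
            // request data.
            $plain_text = "{$userstr}{$errstr} in {$errfile} ({$errline})\n" . sanitize_html($backtrace);
            $html_text = "<html><body>{$errstr} in {$errfile} ({$errline})<hr>{$backtrace}</body></html>";
            // The boundary is derived from the clock; it is a separator, not a
            // secret, but it is guessable — TODO consider a random boundary.
            $semi_rand = md5(time());
            $mime_boundary = "==MULTIPART_BOUNDARY_{$semi_rand}";
            $mime_boundary_header = chr(34) . $mime_boundary . chr(34);
            // HTTP_HOST is client-supplied and absent outside a web request.
            // NOTE(review): $level is never assigned in this function — TODO
            // confirm what it was meant to carry.
            $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : "";
            $subject = "{$host} {$level}";
            $body = "{$notice_text}\r\n\r\n--{$mime_boundary}\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: 7bit\r\n\r\n{$plain_text}\r\n\r\n--{$mime_boundary}\r\nContent-Type: text/html; charset=us-ascii\r\nContent-Transfer-Encoding: 7bit\r\n\r\n{$html_text}\r\n\r\n--{$mime_boundary}--";
            /***
             * Mime bits are set up,
             **/
            // NOTE(review): $from is never assigned here either, so the From:
            // header goes out empty — TODO confirm the intended sender.
            foreach ($sendto as $email) {
                debug("Notifying {$email} of this error.");
                mail($email, $subject, $body, "From: " . $from . "\n" . "MIME-Version: 1.0\n" . "Content-Type: multipart/alternative;\n" . "     boundary=" . $mime_boundary_header);
            }
            //mark the time that notice was last sent for this error.
            $data['errors'][$errstr] = strtotime("now");
        } else {
            debug("Not notifying users for this error, it's only been " . round((strtotime("now") - $data['errors'][$errstr]) / 60, 2) . " minutes.");
        }
    }
    updatedatacache("error_notify", $data);
    debug($data);
}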
         $sql .= "name = \"" . addslashes($newname) . "\",";
         output("Changed player name to %s`0 due to changed dragonkill title`n", $newname);
         debuglog($session['user']['name'] . "`0 changed player name to {$newname}`0 due to changed dragonkill title", $userid);
         $oldvalues['name'] = $newname;
         if ($session['user']['acctid'] == $userid) {
             $session['user']['name'] = $newname;
         }
     }
     if ($session['user']['acctid'] == $userid) {
         $session['user']['title'] = $tmp;
     }
 } elseif ($key == "ctitle" && stripslashes($val) != $oldvalues[$key]) {
     $updates++;
     $tmp = sanitize_colorname(true, stripslashes($val), true);
     $tmp = preg_replace("/[`][cHw]/", "", $tmp);
     $tmp = sanitize_html($tmp);
     if ($tmp != stripslashes($val)) {
         output("`\$Illegal characters removed from custom title!`0`n");
     }
     if (soap($tmp) != $tmp) {
         output("`^The new custom title doesn't pass the bad word filter!`0");
     }
     $newname = change_player_ctitle($tmp, $oldvalues);
     $sql .= "{$key} = \"{$val}\",";
     output("Changed player ctitle from %s`0 to %s`0`n", $oldvalues['ctitle'], $tmp);
     $oldvalues[$key] = $tmp;
     if ($newname != $oldvalues['name']) {
         $sql .= "name = \"" . addslashes($newname) . "\",";
         output("Changed player name to %s`0 due to changed custom title`n", $newname);
         debuglog($session['user']['name'] . "`0 changed player name to {$newname}`0 due to changed custom title", $userid);
         $oldvalues['name'] = $newname;
ファイル: sanitize-html.php プロジェクト: pvorb/php-yuki
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<IMG SRC="javascript:alert('XSS')"
<A HREF="h
tt\tp://6&#9;6.000146.0x7.147/">XSS</A>
EOT;
echo sanitize_html($html) . "\n\n";
?>
	</body>
</html>
ファイル: comment.php プロジェクト: pvorb/genitis
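 /**
  * Sanitizes a comment.
  *
  * Populates message, name, email and website from the cf-* POST fields. A
  * field missing from the request is treated as an empty string instead of
  * raising an undefined-index notice.
  *
  * NOTE(review): email is copied through untouched while every other field
  * gets a sanitize_*() call — confirm it is validated before use.
  */
 private function sanitize()
 {
     $message = isset($_POST['cf-message']) ? $_POST['cf-message'] : '';
     $name = isset($_POST['cf-name']) ? $_POST['cf-name'] : '';
     $email = isset($_POST['cf-email']) ? $_POST['cf-email'] : '';
     $website = isset($_POST['cf-website']) ? $_POST['cf-website'] : '';
     // Sanitize user input
     $this->message = sanitize_html($message);
     $this->name = sanitize_string($name);
     $this->email = $email;
     $this->website = sanitize_url($website);
 }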
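/**
 * Fires every module hook registered for $hookname and returns the argument
 * array as modified by those hooks.
 *
 * Hooks are looked up in the module_hooks table (joined with modules), run in
 * priority/modulename order, and each hook receives the previous hook's
 * returned array. Output produced by a hook is captured and, unless the hook
 * returns a 'nocollapse' key, wrapped in the "collapse{" / "}collapse" hooks.
 *
 * @param string       $hookname      Hook location to fire. It is interpolated
 *                                    unescaped into the SQL below, so it must be
 *                                    a code-supplied constant, never user input.
 * @param array|false  $args          Arguments passed to each hook. A non-array
 *                                    is logged and wrapped as array('bogus_args' => $args).
 * @param bool         $allowinactive Also run hooks of inactive modules and
 *                                    bypass the per-hook query cache.
 * @param string|false $only          When set, only this module's hook runs.
 * @return array The arguments after every hook has had its turn.
 */
function modulehook($hookname, $args = false, $allowinactive = false, $only = false)
{
    global $navsection, $mostrecentmodule;
    global $blocked_modules, $block_all_modules, $unblocked_modules;
    global $output, $session, $modulehook_queries;
    global $currenthook;
    $lasthook = $currenthook;
    $currenthook = $hookname;
    // Remember which hooks already emitted their debug comment this request.
    static $hookcomment = array();
    if ($args === false) {
        $args = array();
    }
    $active = "";
    if (!$allowinactive) {
        $active = " " . db_prefix("modules") . ".active=1 AND";
    }
    if (!is_array($args)) {
        $where = $mostrecentmodule;
        if (!$where) {
            global $SCRIPT_NAME;
            $where = $SCRIPT_NAME;
        }
        debug("Args parameter to modulehook {$hookname} from {$where} is not an array.");
    }
    if ($session['user']['superuser'] & SU_DEBUG_OUTPUT && !isset($hookcomment[$hookname])) {
        rawoutput("<!--Module Hook: {$hookname}; allow inactive: " . ($allowinactive ? "true" : "false") . "; only this module: " . ($only !== false ? $only : "any module"));
        if (!is_array($args)) {
            $arg = $args . " (NOT AN ARRAY!)";
            rawoutput("  arg: {$arg}");
        } else {
            // foreach instead of reset()/each(): each() was removed in PHP 8.
            foreach ($args as $key => $val) {
                $arg = $key . " = ";
                if (is_array($val)) {
                    $arg .= "array(" . count($val) . ")";
                } elseif (is_object($val)) {
                    $arg .= "object(" . get_class($val) . ")";
                } else {
                    // Values land inside an HTML comment; escape them so a
                    // "-->" in an argument cannot break out of it.
                    $arg .= htmlentities(substr($val, 0, 25), ENT_COMPAT, getsetting("charset", "ISO-8859-1"));
                }
                rawoutput("  arg: {$arg}");
            }
        }
        rawoutput("  -->");
        $hookcomment[$hookname] = true;
    }
    if (isset($modulehook_queries[$hookname]) && $allowinactive == false) {
        $result = $modulehook_queries[$hookname];
    } else {
        $sql = "SELECT\n\t\t\t\t" . db_prefix("module_hooks") . ".modulename,\n\t\t\t\t" . db_prefix("module_hooks") . ".location,\n\t\t\t\t" . db_prefix("module_hooks") . ".function,\n\t\t\t\t" . db_prefix("module_hooks") . ".whenactive\n\t\t\tFROM\n\t\t\t\t" . db_prefix("module_hooks") . "\n\t\t\tINNER JOIN\n\t\t\t\t" . db_prefix("modules") . "\n\t\t\tON\t" . db_prefix("modules") . ".modulename = " . db_prefix("module_hooks") . ".modulename\n\t\t\tWHERE\n\t\t\t\t{$active}\n\t\t\t\t" . db_prefix("module_hooks") . ".location='{$hookname}'\n\t\t\tORDER BY\n\t\t\t\t" . db_prefix("module_hooks") . ".priority,\n\t\t\t\t" . db_prefix("module_hooks") . ".modulename";
        $result = db_query_cached($sql, "hook-" . $hookname);
    }
    // $args is an array passed by value and we take the output and pass it
    // back through
    // Try at least and fix up a bogus arg so it doesn't cause additional
    // problems later.
    if (!is_array($args)) {
        $args = array('bogus_args' => $args);
    }
    // Save off the mostrecent module since having that change can change
    // behaviour especially if a module calls modulehooks itself or calls
    // library functions which cause them to be called.
    $mod = $mostrecentmodule;
    while ($row = db_fetch_assoc($result)) {
        // If we are only running hooks for a specific module, skip all
        // others.
        if ($only !== false && $row['modulename'] != $only) {
            continue;
        }
        // Skip any module invocations which should be blocked.
        if (!array_key_exists($row['modulename'], $blocked_modules)) {
            $blocked_modules[$row['modulename']] = false;
        }
        if (!array_key_exists($row['modulename'], $unblocked_modules)) {
            $unblocked_modules[$row['modulename']] = false;
        }
        if (($block_all_modules || $blocked_modules[$row['modulename']]) && !$unblocked_modules[$row['modulename']]) {
            continue;
        }
        if (injectmodule($row['modulename'], $allowinactive)) {
            $oldnavsection = $navsection;
            tlschema("module-{$row['modulename']}");
            // Pass the args into the function and reassign them to the
            // result of the function.
            // Note: each module gets the previous module's modified return
            // value if more than one hook here.
            // Order of operations could become an issue, modules are called
            // in alphabetical order by their module name (not display name).
            // Test the condition code
            if (!array_key_exists('whenactive', $row)) {
                $row['whenactive'] = '';
            }
            $cond = trim($row['whenactive']);
            if ($cond == "" || module_condition($cond) == true) {
                // call the module's hook code
                $outputbeforehook = $output;
                $output = "";
                /*******************************************************/
                $starttime = getmicrotime();
                /*******************************************************/
                if (function_exists($row['function'])) {
                    $res = $row['function']($hookname, $args);
                } else {
                    // The row only carries 'modulename' (see the SELECT above);
                    // 'module' was an undefined index in the original message.
                    trigger_error("Unknown function {$row['function']} for hoookname {$hookname} in module {$row['modulename']}.", E_USER_WARNING);
                    // Do not let a previous iteration's $res leak into this one.
                    $res = $args;
                }
                /*******************************************************/
                $endtime = getmicrotime();
                if ($endtime - $starttime >= 1.0 && $session['user']['superuser'] & SU_DEBUG_OUTPUT) {
                    debug("Slow Hook (" . round($endtime - $starttime, 2) . "s): {$hookname} - {$row['modulename']}`n");
                }
                /*******************************************************/
                $outputafterhook = $output;
                $output = $outputbeforehook;
                // test to see if we had any output and if the module allows
                // us to collapse it
                $testout = trim(sanitize_html($outputafterhook));
                if (!is_array($res)) {
                    trigger_error("<b>{$row['function']}</b> did not return an array in the module <b>{$row['modulename']}</b> for hook <b>{$hookname}</b>.", E_USER_WARNING);
                    $res = $args;
                }
                if ($testout > "" && $hookname != "collapse{" && $hookname != "}collapse" && $hookname != "collapse-nav{" && $hookname != "}collapse-nav" && !array_key_exists('nocollapse', $res)) {
                    //restore the original output's reference
                    modulehook("collapse{", array("name" => 'a-' . $row['modulename']));
                    $output .= $outputafterhook;
                    modulehook("}collapse");
                } else {
                    $output .= $outputafterhook;
                }
                // Clear the collapse flag
                unset($res['nocollapse']);
                //handle return arguments.
                if (is_array($res)) {
                    $args = $res;
                }
            }
            //revert the translation namespace
            tlschema();
            //revert nav section after we're done here.
            $navsection = $oldnavsection;
        }
    }
    $mostrecentmodule = $mod;
    $currenthook = $lasthook;
    // And hand them back so they can be used.
    return $args;
}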
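/**
 * Renders one decoded MIME part as an HTML fragment, recursing into the
 * sub-parts of multipart containers.
 *
 * Only text/plain (word-wrapped inside <pre>) and text/html (run through
 * sanitize_html) are displayed; every other content type yields a
 * "[unsupported: type]" placeholder.
 *
 * @param object $structure Decoded part exposing ctype_primary, ctype_secondary,
 *                          body and, for multipart, a parts array (shape assumed
 *                          from the fields read here; the decoder is not visible).
 * @return string HTML for the part, or a placeholder string.
 */
function display_parts($structure)
{
    global $lang;
    global $smarty;
    $primary = strtolower(trim($structure->ctype_primary));
    $secondary = strtolower(trim($structure->ctype_secondary));
    $ctype = $primary . "/" . $secondary;
    // The content type is taken from the message headers, i.e. supplied by the
    // sender. It is echoed into the placeholders below, so escape it once here.
    $ctype_html = htmlspecialchars($ctype, ENT_QUOTES, 'UTF-8');
    $messagepart = "";
    $message_charset = get_charset($structure);
    switch ($primary) {
        case "multipart":
            // property_exists() instead of array_key_exists(): the latter no
            // longer accepts objects as of PHP 8. Also require a real array so
            // a malformed container cannot reach the foreach below.
            if (!property_exists($structure, 'parts') || !is_array($structure->parts)) {
                $ret = "[" . $lang['text_invalid'] . "]<br>";
                break;
            }
            // Recursively decode each of the sub-parts of this
            // part in turn.
            foreach ($structure->parts as $part) {
                $messagepart .= display_parts($part);
            }
            $smarty->assign("messagepart", $messagepart);
            $smarty->assign("contenttype", $ctype);
            $ret = $smarty->fetch("view-message.tpl");
            break;
        case "text":
            // iconv() returns false for an unknown charset or undecodable
            // bytes; render nothing rather than pass false on to sanitize_html.
            $body = iconv($message_charset, 'utf-8', $structure->body);
            if ($body === false) {
                $body = '';
            }
            switch ($secondary) {
                // Simple text, just word-wrap it to keep it to
                // a sane width.
                case "plain":
                    $messagepart = "<pre>" . sanitize_html(wordwrap($body, 70)) . "</pre>";
                    $smarty->assign("messagepart", $messagepart);
                    $smarty->assign("contenttype", $ctype);
                    $ret = $smarty->fetch("view-message.tpl");
                    break;
                // HTML content, clean it up a bit and display it.
                case "html":
                    $messagepart = sanitize_html($body);
                    $smarty->assign("messagepart", $messagepart);
                    $smarty->assign("contenttype", $ctype);
                    $ret = $smarty->fetch("view-message.tpl");
                    break;
                // Some other odd text format we don't support, ignore it.
                default:
                    $ret = "[" . $lang['text_unsupported'] . ": " . $ctype_html . "]<br>";
            }
            break;
        default:
            // An unsupported content type, ignore it.
            $ret = "[" . $lang['text_unsupported'] . ": " . $ctype_html . "]<br>";
    }
    return $ret;
}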