/**
 * Evaluates a template expression and returns its result.
 *
 * The expression is first turned into PHP source by xthreads_phptpl_expr_parse()
 * and that source is then run through eval(). Whatever the parser lets through
 * is executed as code, so $s must never be untrusted input.
 *
 * @param string $s  expression written in the xthreads template expression syntax
 * @return mixed     value produced by the evaluated expression
 */
function xthreads_phptpl_eval_expr($s) {
	require_once MYBB_ROOT . 'inc/xthreads/xt_phptpl_lib.php';
	$php_source = 'return (' . xthreads_phptpl_expr_parse($s) . ');';
	return eval($php_source);
}
/**
 * Normalises one thread-field definition for the field cache, in place.
 *
 * Strips settings that do not apply to the field's input type, unpacks the
 * serialised / delimited columns (formatmap, vallist, editable_gids,
 * viewable_gids, fileimgthumbs, filemagic, editable_values) into arrays, and
 * passes each formatting/template string through xthreads_sanitize_eval()
 * together with the set of tokens permitted for that string.
 *
 * Depends on the XTHREADS_INPUT_*, XTHREADS_DATATYPE_*, XTHREADS_SANITIZE_*
 * and XTHREADS_EDITABLE_* constants and on xthreads_empty(),
 * xthreads_sanitize_eval(), xthreads_eval_flipfields(),
 * xthreads_default_threadfields_formhtml() and
 * xthreads_buildcache_parseitem_formhtml_pr(), all defined elsewhere.
 *
 * @param array $tf  thread-field definition; modified by reference, nothing is
 *                   returned. NOTE(review): presumably the raw DB row of the
 *                   field definition (admin-edited) — confirm against the caller.
 */
function xthreads_buildtfcache_parseitem(&$tf) {
	require_once MYBB_ROOT . 'inc/xthreads/xt_phptpl_lib.php';

	// remove fields that cannot apply to this definition
	// group-restricted editing overrides the generic "editable" flag
	if ($tf['editable_gids']) {
		$tf['editable'] = 0;
	}
	// the "unviewable" replacement text only matters when viewing is group-restricted
	if (!$tf['viewable_gids']) {
		unset($tf['unviewableval']);
	}
	switch ($tf['inputtype']) {
		case XTHREADS_INPUT_FILE_URL:
			unset($tf['multival'], $tf['multival_limit'], $tf['dispitemformat']);
			// fall through: a file URL is a file input without the multi-value options
		case XTHREADS_INPUT_FILE:
			unset($tf['editable_values'], $tf['formatmap'], $tf['textmask'], $tf['inputformat'], $tf['maxlen'], $tf['vallist'], $tf['sanitize'], $tf['allowfilter'], $tf['defaultval'], $tf['fieldheight']);
			if (!$tf['fileimage']) {
				unset($tf['fileimgthumbs']);
			}
			$tf['datatype'] = XTHREADS_DATATYPE_TEXT;
			break;
		case XTHREADS_INPUT_TEXTAREA:
			unset($tf['allowfilter']);
			// fall through
		case XTHREADS_INPUT_TEXT:
			unset($tf['vallist']);
			break;
		case XTHREADS_INPUT_RADIO:
			unset($tf['multival'], $tf['multival_limit']);
			// fall through
		case XTHREADS_INPUT_CHECKBOX:
		case XTHREADS_INPUT_SELECT:
			unset($tf['textmask'], $tf['maxlen']);
	}
	// file-related settings are only kept for the two file input types
	switch ($tf['inputtype']) {
		case XTHREADS_INPUT_FILE:
		case XTHREADS_INPUT_FILE_URL:
			break;
		case XTHREADS_INPUT_TEXT:
		case XTHREADS_INPUT_CHECKBOX:
			unset($tf['fieldheight']);
			// fall through
		default:
			unset($tf['filemagic'], $tf['fileexts'], $tf['filemaxsize'], $tf['fileimage'], $tf['fileimgthumbs']);
	}
	// multi-value fields are always stored as text
	if (xthreads_empty($tf['multival'])) {
		unset($tf['dispitemformat'], $tf['multival_limit']);
	} else {
		$tf['datatype'] = XTHREADS_DATATYPE_TEXT;
	}
	if ($tf['datatype'] != XTHREADS_DATATYPE_TEXT) {
		// non-text datatypes do not need the sanitiser: disable it for a free speed boost,
		// unless the parser sanitiser is selected
		if (($tf['sanitize'] & XTHREADS_SANITIZE_MASK) != XTHREADS_SANITIZE_PARSER) {
			$tf['sanitize'] = XTHREADS_SANITIZE_NONE;
		}
	}

	// pre-parse stored settings to save time later
	// formatmap is stored serialised; '@' hides the warning a corrupt blob would emit,
	// in which case unserialize() yields false (callers below check is_array()).
	// NOTE(review): unserialize() on stored data — acceptable only if this column is
	// written exclusively by trusted (admin) code; confirm.
	if ($tf['formatmap']) {
		$tf['formatmap'] = @unserialize($tf['formatmap']);
	} else {
		$tf['formatmap'] = null;
	}
	// vallist: one entry per line, either "value{|}label" or a bare value (label = value)
	if (!xthreads_empty($tf['vallist'])) {
		$vallist = $tf['vallist'];
		$tf['vallist'] = array();
		foreach (array_map('trim', explode("\n", str_replace("\r", '', $vallist))) as $vallistitem) {
			if (($p = strpos($vallistitem, '{|}')) !== false) {
				$tf['vallist'][substr($vallistitem, 0, $p)] = substr($vallistitem, $p + 3);
			} else {
				$tf['vallist'][$vallistitem] = $vallistitem;
			}
		}
	}
	// TODO: explode forums, fileexts?
	// comma-separated group id lists -> arrays (duplicates dropped, keys not renumbered)
	if ($tf['editable_gids']) {
		$tf['editable_gids'] = array_unique(explode(',', $tf['editable_gids']));
	}
	if ($tf['viewable_gids']) {
		$tf['viewable_gids'] = array_unique(explode(',', $tf['viewable_gids']));
	}
	// fileimgthumbs: '|'-separated list; each entry is either "name=<transform chain>"
	// or a plain "WxH" size. The result maps lowercase name -> PHP expression string,
	// or size -> false.
	if ($tf['fileimgthumbs']) {
		$thumbarray = array_unique(explode('|', $tf['fileimgthumbs']));
		$tf['fileimgthumbs'] = array();
		// NOTE: $thumb is bound by reference and never unset after the loop; nothing
		// below reuses the name, but an unset($thumb) after the loop would be safer.
		foreach ($thumbarray as &$thumb) {
			if (preg_match('~^([a-zA-Z0-9_]+)\\=~', $thumb, $m)) {
				$chain = substr($thumb, strlen($m[0]));
				// temporarily extend the expression parser's allowed-function list with
				// newXTImg() and every XTImageTransform method whose name does not start
				// with '_'; the global is removed again once the chain is parsed
				require_once MYBB_ROOT . 'inc/xthreads/xt_image.php';
				$extra_funcs =& $GLOBALS['phptpl_additional_functions'];
				$extra_funcs = array('newXTImg');
				foreach (get_class_methods('XTImageTransform') as $meth) {
					if ($meth[0] != '_') {
						// this is ugly, but should be good enough
						// problem is that it's difficult to see the source object for method calls, so just allow any object
						$extra_funcs[] = '->' . $meth;
					}
				}
				// TODO: put in extra functions
				$fitk =& $tf['fileimgthumbs'][strtolower($m[1])];
				//$fitk = '$img->'.$chain;
				// the parser returns PHP source for the method chain; the WIDTH/HEIGHT/...
				// tokens are mapped onto properties of an $img object. Presumably this
				// string is eval'd later when thumbnails are generated — confirm.
				$fitk = xthreads_phptpl_expr_parse('->' . $chain, array('WIDTH' => '$img->WIDTH', 'OWIDTH' => '$img->OWIDTH', 'HEIGHT' => '$img->HEIGHT', 'OHEIGHT' => '$img->OHEIGHT', 'TYPE' => '$img->TYPE', 'FILENAME' => '$img->FILENAME'));
				if ($fitk && $fitk != 'false') {
					$fitk = '$img' . $fitk;
				}
				// drop the temporary function whitelist; prevents transform to $GLOBALS['img']
				unset($GLOBALS['phptpl_additional_functions']);
			} elseif (preg_match('~^\\d+x\\d+$~', $thumb)) {
				$tf['fileimgthumbs'][$thumb] = false;
			}
		}
	}
	// filemagic: '|'-separated, URL-encoded magic byte sequences
	if (!xthreads_empty($tf['filemagic'])) {
		$tf['filemagic'] = array_map('urldecode', array_unique(explode('|', $tf['filemagic'])));
	}

	// force the sanitiser setting for input types whose values are fixed choices
	switch ($tf['inputtype']) {
		case XTHREADS_INPUT_TEXT:
			//if($tf['sanitize'] == XTHREADS_SANITIZE_HTML_NL)
			//	$tf['sanitize'] = XTHREADS_SANITIZE_HTML;
			break;
		case XTHREADS_INPUT_SELECT:
			$tf['sanitize'] = XTHREADS_SANITIZE_HTML;
			break;
		case XTHREADS_INPUT_CHECKBOX:
		case XTHREADS_INPUT_RADIO:
			$tf['sanitize'] = XTHREADS_SANITIZE_NONE;
			break;
	}
	// sanitise -> separate mycode stuff?
	// blank values are ignored by the filter only when the field is required and
	// '' is not itself one of the listed values
	if ($tf['allowfilter']) {
		$tf['ignoreblankfilter'] = $tf['editable'] == XTHREADS_EDITABLE_REQ;
		if ($tf['ignoreblankfilter'] && !empty($tf['vallist'])) {
			$tf['ignoreblankfilter'] = !isset($tf['vallist']['']);
		}
	}
	// editable_values is stored serialised (same '@unserialize' caveat as formatmap above)
	if (!xthreads_empty($tf['editable_values'])) {
		if ($tf['editable'] == XTHREADS_EDITABLE_NONE) {
			unset($tf['editable_values']);
		} else {
			$tf['editable_values'] = @unserialize($tf['editable_values']);
		}
	}

	// sanitise eval'd stuff: choose the token names each template string may use
	if ($tf['inputtype'] == XTHREADS_INPUT_FILE) {
		$sanitise_fields = array('DOWNLOADS', 'DOWNLOADS_FRIENDLY', 'FILENAME', 'UPLOADMIME', 'URL', 'FILESIZE', 'FILESIZE_FRIENDLY', 'MD5HASH', 'UPLOAD_TIME', 'UPLOAD_DATE', 'UPDATE_TIME', 'UPDATE_DATE', 'THUMBS', 'DIMS');
		$validate_fields = array('FILENAME', 'FILESIZE', 'NUM_FILES');
	} else {
		$sanitise_fields = array('VALUE', 'RAWVALUE');
		// true when any display string uses a {VALUE$n} / {RAWVALUE$n} capture token
		$tf['regex_tokens'] = $tf['unviewableval'] && preg_match('~\\{(?:RAW)?VALUE\\$\\d+\\}~', $tf['unviewableval']) || $tf['dispformat'] && preg_match('~\\{(?:RAW)?VALUE\\$\\d+\\}~', $tf['dispformat']) || $tf['dispitemformat'] && preg_match('~\\{(?:RAW)?VALUE\\$\\d+\\}~', $tf['dispitemformat']);
		$validate_fields = array('VALUE');
	}
	if ($tf['defaultval']) {
		xthreads_sanitize_eval($tf['defaultval']);
	}
	if (!empty($tf['formatmap']) && is_array($tf['formatmap'])) {
		// NOTE: $fm stays bound by reference after this loop (not reused below)
		foreach ($tf['formatmap'] as &$fm) {
			xthreads_sanitize_eval($fm);
		}
	}
	foreach (array('inputformat', 'inputvalidate', 'unviewableval', 'dispformat', 'dispitemformat', 'blankval') as $field) {
		if (isset($tf[$field])) {
			// 'defaultval' is not in the list above, so that half of the test is dead
			// (defaultval is already handled a few lines up)
			if ($field == 'blankval' || $field == 'defaultval') {
				xthreads_sanitize_eval($tf[$field]);
			} elseif ($field == 'inputformat') {
				xthreads_sanitize_eval($tf[$field], array('VALUE' => null));
			} elseif ($field == 'inputvalidate') {
				xthreads_sanitize_eval($tf[$field], xthreads_eval_flipfields($validate_fields));
			} elseif ($tf['inputtype'] == XTHREADS_INPUT_FILE && !xthreads_empty($tf['multival']) && ($field == 'unviewableval' || $field == 'dispformat')) {
				// special case for multi file inputs
				xthreads_sanitize_eval($tf[$field], array('VALUE' => null));
			} else {
				xthreads_sanitize_eval($tf[$field], xthreads_eval_flipfields($sanitise_fields));
			}
		}
	}
	// $formhtml[1] is assumed to be the list of tokens the form HTML may use — confirm
	// against xthreads_default_threadfields_formhtml()
	$formhtml = xthreads_default_threadfields_formhtml($tf['inputtype']);
	if ($tf['formhtml'] !== '') {
		switch ($tf['inputtype']) {
			case XTHREADS_INPUT_SELECT:
			case XTHREADS_INPUT_CHECKBOX:
			case XTHREADS_INPUT_RADIO:
			case XTHREADS_INPUT_FILE:
				// item block extraction: the first <![ITEM[...]]> block is moved into
				// $tf['formhtml_item'] by the callback, which receives its targets via
				// two temporary globals (removed right after the call)
				$tf['formhtml_item'] = '';
				$GLOBALS['__xt_formhtml_item'] =& $tf['formhtml_item'];
				$GLOBALS['__xt_formhtml_sanitise_fields'] =& $formhtml[1];
				$tf['formhtml'] = preg_replace_callback('~\\<\\!\\[ITEM\\[(.*?)\\]\\]\\>~is', 'xthreads_buildcache_parseitem_formhtml_pr', $tf['formhtml'], 1);
				unset($GLOBALS['__xt_formhtml_item'], $GLOBALS['__xt_formhtml_sanitise_fields']);
				$formhtml[1][] = 'ITEMS';
		}
		xthreads_sanitize_eval($tf['formhtml'], xthreads_eval_flipfields($formhtml[1]));
	}
}
/**
 * Parses a template expression whose source was escaped by xthreads_sanitize_eval().
 *
 * Undoes that escaping (\$ -> $, \" -> ", \\ -> \) and hands the result to
 * xthreads_phptpl_expr_parse(). A blank expression yields '' — except the
 * literal string '0', which is a valid expression and is parsed normally.
 *
 * @param string $str     escaped expression source
 * @param array  $fields  field-name substitutions passed straight to the parser
 * @return mixed          whatever xthreads_phptpl_expr_parse() returns
 */
function _xthreads_phptpl_expr_parse2($str, $fields = array()) {
	if ($str !== '0' && !$str) {
		return '';
	}
	$unescape_map = array(
		'\\$' => '$',
		'\\"' => '"',
		'\\\\' => '\\',
	);
	$unescaped = strtr($str, $unescape_map);
	return xthreads_phptpl_expr_parse($unescaped, $fields);
}