예제 #1
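 /**
  * Saves a comment posted for $page, if the current request carries one.
  *
  * Returns silently when no comment array was posted, when the page is not
  * accepting comments, or when one of the mandatory fields (author_name,
  * author_email, body) is missing or blank.
  *
  * @global object $__FROG_CONN__ database connection; assumed PDO-like
  *                (prepare()/execute() with positional placeholders, as in the
  *                commented-out lookup that used to live here - TODO confirm)
  * @param object $page page the comment belongs to; only ->id and ->comment_status are read
  * @return void
  */
 function comment_save(&$page)
 {
     // Nothing to do unless a comment array was posted.
     if (!isset($_POST['comment']) || !is_array($_POST['comment'])) {
         return;
     }
     global $__FROG_CONN__;
     if ($page->comment_status != Comment::OPEN) {
         return;
     }
     $data = $_POST['comment'];
     // author_name, author_email and body are mandatory and must not be blank.
     foreach (array('author_name', 'author_email', 'body') as $required) {
         if (!isset($data[$required]) || trim($data[$required]) == '') {
             return;
         }
     }
     // author_link is optional: default it so the INSERT never reads an undefined index.
     $author_link = isset($data['author_link']) ? $data['author_link'] : '';
     use_helper('Kses');
     // kses() whitelist: tag => array(attribute => constraints).
     $allowed_tags = array('a' => array('href' => array(), 'title' => array()), 'abbr' => array('title' => array()), 'acronym' => array('title' => array()), 'b' => array(), 'blockquote' => array('cite' => array()), 'br' => array(), 'code' => array(), 'em' => array(), 'i' => array(), 'p' => array(), 'strike' => array(), 'strong' => array());
     // Moderation: the DB lookup of 'auto_approve_comment' was disabled upstream,
     // so every comment is approved immediately.
     $auto_approve_comment = 1;
     // Prepared statement with bound values instead of a string-built INSERT:
     // every request-controlled value (and the page id) goes through the driver.
     $sql = 'INSERT INTO ' . TABLE_PREFIX . 'comment (page_id, author_name, author_email, author_link, body, is_approved, created_on) VALUES (?, ?, ?, ?, ?, ?, ?)';
     $stmt = $__FROG_CONN__->prepare($sql);
     $stmt->execute(array(
         $page->id,
         strip_tags($data['author_name']),
         strip_tags($data['author_email']),
         strip_tags($author_link),
         kses($data['body'], $allowed_tags),
         $auto_approve_comment,
         date('Y-m-d H:i:s'),
     ));
     Observer::notify('comment_after_add');
 }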
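 /**
  * Handles the "save" action of the event form: creates or updates a
  * CalendarEvent from $_POST['event'] and redirects to the event list on success.
  *
  * Without a 'save' button in the request only an error Flash is set. When
  * checkData() or save() fails, an error is flashed and the form is shown
  * again with the submitted values.
  *
  * @return void
  */
 public function update_event()
 {
     if (!isset($_POST['save'])) {
         Flash::set('error', __('Could not update this event!'));
         return;
     }
     use_helper('Kses');
     /* Prepare the data. Every field is read through isset() so that a partial
        form does not raise undefined-index notices. */
     $data = isset($_POST['event']) && is_array($_POST['event']) ? $_POST['event'] : array();
     $has_id = isset($data['id']);
     if ($has_id) {
         // Strip any markup from the id before it addresses an existing record.
         $data['id'] = kses(trim($data['id']), array());
     }
     $event = new CalendarEvent();
     if ($has_id) {
         $event->id = $data['id'];
         // NOTE(review): created_by_id is taken from the client request; the
         // authoritative owner should come from the stored record or the session.
         $event->created_by_id = isset($data['created_by_id']) ? $data['created_by_id'] : null;
     }
     $event->title = isset($data['title']) ? $data['title'] : null;
     $event->date_from = isset($data['date_from']) ? $data['date_from'] : null;
     $event->date_to = isset($data['date_to']) ? $data['date_to'] : null;
     $event->description = isset($data['description']) ? $data['description'] : null;
     /* Check data and, if correct, save to DB */
     if ($event->checkData() && $event->save()) {
         $message = $has_id ? __('The event has been updated.') : __('A new event has been created.');
         Flash::set('success', $message);
         redirect(get_url('plugin/calendar/events'));
     } else {
         Flash::setNow('error', __('There are errors in the form.'));
         $this->display(CALENDAR_VIEWS . '/update', array('event' => $event));
     }
 }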
예제 #3
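 /**
  * Saves the settings posted from the settings form.
  *
  * The CSRF token is verified before any posted setting is read. On a missing
  * or invalid token an error is flashed, observers are notified and the user is
  * redirected back to the settings page without anything being saved.
  *
  * (The former `private final` modifier was dropped: PHP warns that private
  * methods cannot be final.)
  *
  * @return void
  */
 private function _save()
 {
     // CSRF checks first: nothing from the request is trusted until the token is verified.
     if (!isset($_POST['csrf_token'])) {
         Flash::set('error', __('No CSRF token found!'));
         Observer::notify('csrf_token_not_found', AuthUser::getUserName());
         redirect(get_url('setting'));
         return; // defensive: never reach the save if redirect() does not exit
     }
     if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'setting')) {
         Flash::set('error', __('Invalid CSRF token found!'));
         Observer::notify('csrf_token_invalid', AuthUser::getUserName());
         redirect(get_url('setting'));
         return;
     }
     $data = isset($_POST['setting']) && is_array($_POST['setting']) ? $_POST['setting'] : array();
     // The checkbox is absent from the request when it is unchecked.
     if (!isset($data['allow_html_title'])) {
         $data['allow_html_title'] = 'off';
     }
     use_helper('Kses');
     // kses() whitelist for the admin title: tag => array(attribute => constraints).
     $allowed = array('img' => array('src' => array()), 'abbr' => array('title' => array()), 'acronym' => array('title' => array()), 'b' => array(), 'blockquote' => array('cite' => array()), 'br' => array(), 'code' => array(), 'em' => array(), 'i' => array(), 'p' => array(), 'strike' => array(), 'strong' => array());
     $admin_title = isset($data['admin_title']) ? $data['admin_title'] : '';
     $data['admin_title'] = kses(trim($admin_title), $allowed);
     Setting::saveFromData($data);
     Flash::set('success', __('Settings have been saved!'));
     redirect(get_url('setting'));
 }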
예제 #4
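/**
 * Strips <img> tags from a feed item's description for the mobile view.
 *
 * The whitelist is the 'rss.input.allowed' config entry without 'img'; it is
 * computed once per request and cached in a static.
 *
 * @param object $i feed item; only ->description is read and rewritten
 * @return object the same item with its description filtered through kses()
 */
function __mobile_strip_images($i)
{
    static $allowed = null;
    // null sentinel: an empty whitelist is a legitimate config value and must
    // not trigger a re-read on every call (the former truthiness test did).
    if ($allowed === null) {
        $allowed = getConfig('rss.input.allowed');
        if (!is_array($allowed)) {
            $allowed = array();
        }
        // unset() on a missing key is a no-op, so no isset() guard is needed.
        unset($allowed['img']);
    }
    $i->description = kses($i->description, $allowed);
    return $i;
}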
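/**
 * Runs one kses() test case and prints the verdict.
 *
 * @param string $htmlbefore input passed to kses()
 * @param string $htmlafter  expected output
 * @param int    &$score     incremented when the output matches exactly
 * @param int    &$max       incremented for every case that is run
 * @param array  $allowed    kses() whitelist for this case
 * @return void
 */
function onetest($htmlbefore, $htmlafter, &$score, &$max, $allowed)
{
    $max++;
    $htmlkses = kses($htmlbefore, $allowed);
    #  echo "htmlkses --".htmlspecialchars($htmlkses)."--<br>\n";
    // Strict comparison: with == two numeric-looking strings such as "1e3"
    // and "1000" compare equal, so a case could pass on the wrong output.
    if ($htmlkses === $htmlafter) {
        echo 'OK';
        $score++;
    } else {
        echo 'not OK';
    }
    echo "<br>\n";
}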
예제 #6
 /**
  * Reduces an HTML fragment to plain text.
  *
  * All tags are removed by running kses() with an empty whitelist; afterwards
  * the '&amp;' entity is turned back into a bare '&'. Other entities are left
  * untouched.
  *
  * @param string &$html input markup (not modified)
  * @return string the tag-less text
  */
 function ConvertToPlain_UTF8(&$html)
 {
     // With nothing whitelisted, kses() acts as a tag stripper.
     $no_tags = array();
     $plain = kses($html, $no_tags);
     return str_replace('&amp;', '&', $plain);
 }
예제 #7
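/**
 * Filter hook: runs $text through kses() with a fixed whitelist, or lists the
 * allowed tags when $text is the literal string "gettags".
 *
 * @param string $text text to filter (or "gettags")
 * @param mixed  $hook hook argument supplied by the caller; unused here
 * @return string filtered text, or an entity-encoded list "&lt;b&gt;, &lt;i&gt;, ..." (with a trailing ", ")
 */
function kses_filter($text, $hook)
{
    $allowed_html = array('b' => array(), 'i' => array(), 'a' => array('href' => array('maxlen' => 100), 'title' => 1), 'p' => array('align' => 1), 'font' => array('size' => array('maxval' => 20)), 'br' => array());
    // get_magic_quotes_gpc() no longer exists on PHP 8; only consult it where defined.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }
    // Strict comparison: a loose != would let non-string input match "gettags" on older PHP.
    if ($text !== "gettags") {
        return kses($text, $allowed_html);
    }
    // Initialised explicitly; the original appended to an undefined variable.
    $kses_printtags = '';
    foreach (array_keys($allowed_html) as $tag) {
        $kses_printtags .= "&lt;{$tag}&gt;, ";
    }
    return $kses_printtags;
}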
예제 #8
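/**
 * Smarty modifier: filters $in through kses().
 *
 * Two whitelists exist: the default one, which also permits <a href title rel>,
 * and - when $allowedtags is 'nolinks' - a stricter one without <a>, meant for
 * unapproved comments. Only http, https, ftp and mailto URLs survive in attributes.
 *
 * @param string $in          markup to filter
 * @param mixed  $allowedtags 'nolinks' selects the link-less list; anything else the default
 * @return string
 */
function smarty_modifier_kses($in, $allowedtags = FALSE)
{
    // kses() looks attributes up by name: tag => array(attribute => constraints).
    // A bare 'title' entry lands under key 0 and the attribute is silently
    // stripped, so every attribute below is keyed explicitly.
    if ($allowedtags == 'nolinks') {
        /* need some way to specify a multi dimentional array via a smarty modifer paramater. e.g. {$var|kses:"a(href,title),b,i,blockquote(cite)"}. How to do that?
        
                $tags = array(explode(',',$allowedtags));
                $allowed_html = array();
                foreach($tags as $tag) {
                                $allowed_html[] = array($tag=>array());
                }
        
                .. for the mean time we'll just have a 'safe' list of things for unapproved comments
                */
        $allowed_html = array('b' => array(), 'i' => array(), 'strong' => array(), 'code' => array(), 'acronym' => array('title' => array()), 'abbr' => array('title' => array()), 'blockquote' => array('cite' => array()));
    } else {
        $allowed_html = array('b' => array(), 'i' => array(), 'strong' => array(), 'code' => array(), 'acronym' => array('title' => array()), 'abbr' => array('title' => array()), 'a' => array('href' => array('maxlen' => 300), 'title' => array(), 'rel' => array('minlen' => 3, 'maxlen' => 250)), 'blockquote' => array('cite' => array()));
    }
    return kses($in, $allowed_html, array('http', 'https', 'ftp', 'mailto'));
}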
예제 #9
파일: input.php 프로젝트: eokyere/elgg
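/**
 * Kses filtering of tags, called on a plugin hook
 *
 * $returnvalue is either a single value or an array of values; each value is
 * filtered with the site-wide allowed tags and protocols from $CONFIG.
 *
 * @param string $hook        hook name (unused)
 * @param string $entity_type hook type (unused)
 * @param mixed  $returnvalue value, or array of values, to filter
 * @param mixed  $params      hook parameters (unused)
 * @return mixed filtered value; arrays keep their keys
 */
function kses_filter_tags($hook, $entity_type, $returnvalue, $params)
{
    $var = $returnvalue;
    // Fail closed: when the kses library cannot be loaded, fall back to
    // strip_tags() instead of returning the value unfiltered.
    $have_kses = (bool) @(include_once dirname(dirname(dirname(__FILE__))) . "/vendors/kses/kses.php");
    $allowedtags = null;
    $allowedprotocols = null;
    if ($have_kses) {
        global $CONFIG;
        $allowedtags = $CONFIG->allowedtags;
        $allowedprotocols = $CONFIG->allowedprotocols;
    }
    if (!is_array($var)) {
        return $have_kses ? kses($var, $allowedtags, $allowedprotocols) : strip_tags((string) $var);
    }
    $return = array();
    foreach ($var as $key => $el) {
        $return[$key] = $have_kses ? kses($el, $allowedtags, $allowedprotocols) : strip_tags((string) $el);
    }
    return $return;
}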
예제 #10
 OpenTable();
 echo "<div align=center class=title>" . _ENTRYADDED . "</div><br><br>";
 echo "<div align=center> [ <a href=\"modules.php?name={$module_name}&file=edit\">" . _RETURNJOURNAL . "</a> ]</div>";
 CloseTable();
 $username = $cookie[1];
 $user = filter($user, "nohtml");
 $username = filter($username, "nohtml");
 $sitename = filter($sitename, "nohtml");
 $title = filter($title, "nohtml");
 $title = addslashes($title);
 if (isset($mood)) {
     $mood = filter($mood, "nohtml");
 } else {
     $mood = "";
 }
 $jbodytext = kses(ADVT_stripslashes($jbodytext), $allowed);
 $jbodytext = addslashes($jbodytext);
 $sql = "INSERT INTO " . $prefix . "_journal (jid,aid,title,bodytext,mood,pdate,ptime,status,mtime,mdate) VALUES (NULL,'{$username}','{$title}','{$jbodytext}','{$mood}','{$pdate}','{$ptime}','{$status}','{$mtime}','{$ndate}')";
 $db->sql_query($sql);
 update_points(1);
 $sql = "SELECT * FROM " . $prefix . "_journal_stats WHERE joid = '{$username}'";
 $result = $db->sql_query($sql);
 $row_count = $db->sql_numrows($result);
 if ($row_count == 0) {
     $query = "INSERT INTO " . $prefix . "_journal_stats (id,joid,nop,ldp,ltp,micro) VALUES ('','{$username}','1',now(),'{$mtime}',now())";
     $db->sql_query($query);
 } else {
     $row = $db->sql_fetchrow($result);
     $nnop = $row['nop'];
     $nnnop = $nnop + 1;
     $micro = date("U");
/**
 * Cleans HTML text filter
 *
 * Runs $html through kses() with the tag whitelist that
 * HTML_QuickForm_Rule_HTML::get_allowed_tags() returns for $mode.
 *
 * @param string $html HTML to clean
 * @param int    $mode (optional) filtering mode, defaults to NO_HTML
 * @return string The cleaned HTML
 */
function html_filter($html, $mode = NO_HTML)
{
    $whitelist = HTML_QuickForm_Rule_HTML::get_allowed_tags($mode);
    return kses($html, $whitelist);
}
예제 #12
파일: rms.php 프로젝트: root42/licq
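/**
 * Fetches the message history of contact $id on protocol $pp from the RMS socket.
 *
 * Sends "HISTORY <id>.<pp> <length> <offset>" and parses the reply: per message a
 * "from ..." header line, a timestamp line, two more lines, then the body up to a
 * "223 " line; a "231 " line ends the listing.
 *
 * @global resource $sock connected RMS socket
 * @param mixed $id     contact id
 * @param mixed $pp     protocol id
 * @param int   $lenght number of messages to request (parameter name kept for callers)
 * @param int   $offset number of messages to skip
 * @return array|false list of array('msg', 'time', 'from'); false on a 4xx reply
 *                     or when the connection drops before the listing is complete
 */
function rmsViewHistory($id, $pp, $lenght = 10, $offset = 0)
{
  global $sock;
  $result = array();

  // NOTE(review): $id and $pp are placed on the protocol line verbatim; a value
  // containing CR/LF would be read as a further command. Callers should pass
  // validated identifiers.
  $cmd = "HISTORY " . $id . "." . $pp . " " . $lenght . " " . $offset . "\r\n";
  sendData($cmd);

  $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
  // socket_read() returns false on error or a closed connection; without this
  // check the loop below never terminates, because false matches no end marker.
  if ($packet === false || substr($packet, 0, 3) >= 400) {
    return false;
  }

  // kses input filtering
  $allowed = array('b' => array(),
      'i' => array(),
      'a' => array('href' => 1, 'title' => 1),
      'p' => array('align' => 1),
      'br' => array(),
      'font' => array('size' => 1, 'color' => 1, 'face' => 1)
      );

  while (!preg_match("/^231 /", $packet))
  {
    $msg = "";
    // A missing "from" header yields an empty sender instead of an undefined offset.
    $from = preg_match("/from (.*)/", $packet, $header) ? $header[1] : "";
    $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
    if ($packet === false) {
      return false;
    }
    $snttime = substr($packet, 12);

    $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
    $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
    if ($packet === false) {
      return false;
    }

    while (!preg_match("/^223 /", $packet))
    {
      $msg .= (($msg!="")?"<br/>":"").$packet;
      $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
      if ($packet === false) {
        return false;
      }
    }

    // get_magic_quotes_gpc() no longer exists on PHP 8; only consult it where defined.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
      $msg = stripslashes($msg);

    $result[] = array('msg' => kses($msg, $allowed), 'time' => trim($snttime), 'from' => trim($from));

    $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
    if ($packet === false) {
      return false;
    }
  }
  return $result;
}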
예제 #13
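 /**
  * Saves an edited page (id $id) from $_POST['page'] and redirects.
  *
  * When the page cannot be loaded or save() fails an error is flashed and the
  * user is sent back to the edit form; otherwise parts and tags are updated and
  * the user is redirected to the page list ("commit") or back to the form.
  *
  * @param mixed $id id of the page being edited
  * @return void
  */
 private function _edit($id)
 {
     $data = isset($_POST['page']) && is_array($_POST['page']) ? $_POST['page'] : array();
     $page = Record::findByIdFrom('Page', $id);
     // Guard: a record that was not found would otherwise be dereferenced below.
     if (!$page) {
         Flash::set('error', __('Page has not been saved!'));
         redirect(get_url('page/edit/' . $id));
         return;
     }
     // need to do this because the use of a checkbox
     $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
     /**
      * Make sure the title doesn't contain HTML
      *
      * @todo Replace this by HTML Purifier?
      */
     if (Setting::get('allow_html_title') == 'off') {
         use_helper('Kses');
         $title = isset($data['title']) ? $data['title'] : '';
         $data['title'] = kses(trim($title), array());
     }
     $page->setFromData($data);
     if (!$page->save()) {
         Flash::set('error', __('Page has not been saved!'));
         redirect(get_url('page/edit/' . $id));
         return; // defensive: do not fall through if redirect() does not exit
     }
     // update parts
     $page->parts = isset($_POST['part']) ? $_POST['part'] : null;
     // save tags
     $page->setTags(isset($_POST['page_tag']['tags']) ? $_POST['page_tag']['tags'] : null);
     Flash::set('success', __('Page has been saved!'));
     // save and quit or save and continue editing ?
     if (isset($_POST['commit'])) {
         redirect(get_url('page'));
     } else {
         redirect(get_url('page/edit/' . $id));
     }
 }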
예제 #14
 /**
  * Turns a raw comment into display HTML.
  *
  * The text is first run through the configured comment text processor
  * ($ratatoeskr_settings["comment_textprocessor"]) and the result is then
  * restricted to the tag/attribute whitelist below via kses().
  *
  * @global array $ratatoeskr_settings
  * @param string $text raw comment text
  * @return string filtered HTML
  */
 public static function htmlize_comment_text($text)
 {
     global $ratatoeskr_settings;
     $processed = textprocessor_apply($text, $ratatoeskr_settings["comment_textprocessor"]);
     // kses() whitelist: tag => array(attribute => 1).
     // NOTE(review): <img src> and <table style> are permitted here; whether that
     // is acceptable for untrusted commenters is a policy decision for the caller.
     $whitelist = array(
         "a" => array("href" => 1, "hreflang" => 1, "title" => 1, "rel" => 1, "rev" => 1),
         "b" => array(),
         "i" => array(),
         "u" => array(),
         "strong" => array(),
         "em" => array(),
         "p" => array("align" => 1),
         "br" => array(),
         "abbr" => array(),
         "acronym" => array(),
         "code" => array(),
         "pre" => array(),
         "blockquote" => array("cite" => 1),
         "h1" => array(),
         "h2" => array(),
         "h3" => array(),
         "h4" => array(),
         "h5" => array(),
         "h6" => array(),
         "img" => array("src" => 1, "alt" => 1, "width" => 1, "height" => 1),
         "s" => array(),
         "q" => array("cite" => 1),
         "samp" => array(),
         "ul" => array(),
         "ol" => array(),
         "li" => array(),
         "del" => array(),
         "ins" => array(),
         "dl" => array(),
         "dd" => array(),
         "dt" => array(),
         "dfn" => array(),
         "div" => array(),
         "dir" => array(),
         "kbd" => array("prompt" => 1),
         "strike" => array(),
         "sub" => array(),
         "sup" => array(),
         "table" => array("style" => 1),
         "tbody" => array(),
         "thead" => array(),
         "tfoot" => array(),
         "tr" => array(),
         "td" => array("colspan" => 1, "rowspan" => 1),
         "th" => array("colspan" => 1, "rowspan" => 1),
         "tt" => array(),
         "var" => array(),
     );
     return kses($processed, $whitelist);
 }
예제 #15
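/**
 * Fetches the feed(s) and imports new or changed items into the item table.
 *
 * With a numeric $id only that channel is refreshed; otherwise every channel not
 * flagged RSS_MODE_DELETED_STATE is processed in the configured order. Item
 * descriptions are filtered through kses() with the 'rss.input.allowed' whitelist
 * before they are stored.
 *
 * @param mixed $id channel id, or "" for all channels
 * @return array array(status, ids): ids are the inserted/updated item ids; for a
 *               single channel status is the Magpie rss_origin of the feed (or
 *               array(magpie_error(), array()) when it could not be fetched),
 *               otherwise -1
 */
function update($id)
{
    $kses_allowed = getConfig('rss.input.allowed');
    //getAllowedTags();
    $updatedIds = array();
    // A single channel is selected only by a numeric id; that is the sole reason
    // $id may be interpolated into the SQL below.
    $singleChannel = ($id != "" && is_numeric($id));
    $sql = "select id, url, title, mode from " . getTable("channels");
    if ($singleChannel) {
        $sql .= " where id={$id}";
        $sql .= " and not(mode & " . RSS_MODE_DELETED_STATE . ") ";
    } else {
        $sql .= " where not(mode & " . RSS_MODE_DELETED_STATE . ") ";
    }
    if (getConfig('rss.config.absoluteordering')) {
        $sql .= " order by parent, position";
    } else {
        $sql .= " order by parent, title";
    }
    $res = rss_query($sql);
    // Defined up front so the status check after the loop is valid even when no channel matched.
    $rss = null;
    while (list($cid, $url, $title, $mode) = rss_fetch_row($res)) {
        // suppress warnings because Magpie is rather noisy
        $old_level = error_reporting(E_ERROR);
        $rss = fetch_rss($url);
        //reset
        error_reporting($old_level);
        if (!$rss && $singleChannel) {
            return array(magpie_error(), array());
        } elseif (!$rss || !($rss->rss_origin & MAGPIE_FEED_ORIGIN_HTTP_200)) {
            continue;
            // no need to do anything if we do not get a 200 OK from the feed
        }
        // base URL for items in this feed.
        if (array_key_exists('link', $rss->channel)) {
            $baseUrl = $rss->channel['link'];
        } else {
            $baseUrl = $url;
            // The feed is invalid
        }
        // Keep track of guids we've handled, because some feeds (hello,
        // Technorati!) have this insane habit of serving the same item
        // twice in the same feed.
        $guids = array();
        // Allow updates in this feed?
        $allowUpdates = getProperty($cid, 'rss.input.allowupdates');
        if ($allowUpdates === null) {
            $allowUpdates = getConfig('rss.input.allowupdates');
        }
        $itemIdsInFeed = array();
        // This variable will store the item id's of the elements in the feed
        foreach ($rss->items as $item) {
            $item = rss_plugin_hook('rss.plugins.rssitem', $item);
            // a plugin might delete this item
            if (!isset($item)) {
                continue;
            }
            // item title: strip out html tags
            $title = array_key_exists('title', $item) ? strip_tags($item['title']) : "";
            //$title = str_replace('& ', '&amp; ', $title);
            $description = "";
            // item content, if any
            if (array_key_exists('content', $item) && is_array($item['content']) && array_key_exists('encoded', $item['content'])) {
                $description = $item['content']['encoded'];
            } elseif (array_key_exists('description', $item)) {
                $description = $item['description'];
            } elseif (array_key_exists('atom_content', $item)) {
                $description = $item['atom_content'];
            } elseif (array_key_exists('summary', $item)) {
                $description = $item['summary'];
            } else {
                $description = "";
            }
            $md5sum = "";
            $guid = "";
            if (array_key_exists('guid', $item) && $item['guid'] != "") {
                $guid = $item['guid'];
            } elseif (array_key_exists('id', $item) && $item['id'] != "") {
                $guid = $item['id'];
            }
            $guid = trim($guid);
            $guid = rss_real_escape_string($guid);
            // skip this one if it's an  in-feed-dupe
            if ($guid && isset($guids[$guid])) {
                continue;
            } elseif ($guid) {
                $guids[$guid] = true;
            }
            if ($description != "") {
                $md5sum = md5($description);
                $description = kses($description, $kses_allowed);
                // strip out tags
                if ($baseUrl != "") {
                    $description = relative_to_absolute($description, $baseUrl);
                }
            }
            // Now let plugins modify the description
            $description = rss_plugin_hook('rss.plugins.import.description', $description);
            // link
            if (array_key_exists('link', $item) && $item['link'] != "") {
                $url = $item['link'];
            } elseif (array_key_exists('guid', $item) && $item['guid'] != "") {
                $url = $item['guid'];
            } elseif (array_key_exists('link_', $item) && $item['link_'] != "") {
                $url = $item['link_'];
            } else {
                // fall back to something basic
                $url = md5($title);
            }
            // make sure the url is properly escaped
            $url = htmlentities($url, ENT_QUOTES);
            $url = rss_real_escape_string($url);
            // author
            if (array_key_exists('dc', $item) && array_key_exists('creator', $item['dc'])) {
                // RSS 1.0
                $author = $item['dc']['creator'];
            } else {
                if (array_key_exists('author_name', $item)) {
                    // Atom 0.3
                    $author = $item['author_name'];
                } else {
                    $author = "";
                }
            }
            $author = trim(strip_tags($author));
            // pubdate
            $cDate = -1;
            if (array_key_exists('dc', $item) && array_key_exists('date', $item['dc'])) {
                // RSS 1.0
                $cDate = parse_w3cdtf($item['dc']['date']);
            } elseif (array_key_exists('pubdate', $item)) {
                // RSS 2.0 (?)
                // We use the second param of strtotime here as a workaround
                // of a PHP bug with strtotime. If the pubdate field doesn't
                // contain seconds, the strtotime function will use the current
                // time to fill in seconds in PHP4. This interferes with the
                // update mechanism of gregarius. See ticket #328 for the full
                // gory details. Giving a known date as a second param to
                // strtotime fixes this problem, hence the 0 here.
                $cDate = strtotime($item['pubdate'], 0);
            } elseif (array_key_exists('published', $item)) {
                // atom 1.0
                $cDate = parse_iso8601($item['published']);
            } elseif (array_key_exists('issued', $item)) {
                //Atom, alternative
                $cDate = parse_iso8601($item['issued']);
            } elseif (array_key_exists('updated', $item)) {
                //Atom, alternative
                $cDate = parse_iso8601($item['updated']);
            } elseif (array_key_exists('created', $item)) {
                // atom 0.3
                $cDate = parse_iso8601($item['created']);
            }
            // enclosure
            if (array_key_exists('enclosure@url', $item)) {
                $enclosure = $item['enclosure@url'];
                // If the enclosure is an image, append it to the content
                // but only if it isn't there yet. The description was already
                // filtered by kses() above, so the feed-supplied URL is escaped
                // here: a raw value could otherwise break out of the src attribute.
                // strpos() is compared strictly: a match at offset 0 is "found", not false.
                if ($enclosure && array_key_exists('enclosure@type', $item) && preg_match('#image/(png|gif|jpe?g)#', $item['enclosure@type']) && strpos($description, $enclosure) === false) {
                    $description = '<img src="' . htmlspecialchars($enclosure, ENT_QUOTES) . '" alt="" />' . $description;
                    $enclosure = '';
                }
            } else {
                $enclosure = "";
            }
            // drop items with an url exceeding our column length: we couldn't provide a
            // valid link back anyway.
            if (strlen($url) >= 255) {
                continue;
            }
            $dbtitle = rss_real_escape_string($title);
            if (strlen($dbtitle) >= 255) {
                $dbtitle = substr($dbtitle, 0, 254);
            }
            if ($cDate > 0) {
                $sec = "FROM_UNIXTIME({$cDate})";
            } else {
                $sec = "null";
            }
            // check whether we already have this item
            if ($guid) {
                $sql = "select id,unread, md5sum, guid, pubdate from " . getTable("item") . " where cid={$cid} and guid='{$guid}'";
            } else {
                $sql = "select id,unread, md5sum, guid, pubdate from " . getTable("item") . " where cid={$cid} and url='{$url}' and title='{$dbtitle}'" . " and (pubdate is NULL OR pubdate={$sec})";
            }
            $subres = rss_query($sql);
            list($indb, $state, $dbmd5sum, $dbGuid, $dbPubDate) = rss_fetch_row($subres);
            if ($indb) {
                $itemIdsInFeed[] = $indb;
                if (!($state & RSS_MODE_DELETED_STATE) && $md5sum != $dbmd5sum) {
                    // the md5sums do not match.
                    if ($allowUpdates) {
                        // Are we allowed update items in the db?
                        list($cid, $indb, $description) = rss_plugin_hook('rss.plugins.items.updated', array($cid, $indb, $description));
                        $sql = "update " . getTable("item") . " set " . " description='" . rss_real_escape_string($description) . "', " . " unread = unread | " . RSS_MODE_UNREAD_STATE . ", md5sum='{$md5sum}'" . " where cid={$cid} and id={$indb}";
                        rss_query($sql);
                        $updatedIds[] = $indb;
                        continue;
                    }
                }
            } else {
                // $indb = "" . This must be new item then. In you go.
                list($cid, $dbtitle, $url, $description) = rss_plugin_hook('rss.plugins.items.new', array($cid, $dbtitle, $url, $description));
                $sql = "insert into " . getTable("item") . " (cid, added, title, url, enclosure," . " description, author, unread, pubdate, md5sum, guid) " . " values (" . "{$cid}, now(), '{$dbtitle}', " . " '{$url}', '" . rss_real_escape_string($enclosure) . "', '" . rss_real_escape_string($description) . "', '" . rss_real_escape_string($author) . "', " . "{$mode}, {$sec}, '{$md5sum}', '{$guid}')";
                rss_query($sql);
                $newIid = rss_insert_id();
                $itemIdsInFeed[] = $newIid;
                $updatedIds[] = $newIid;
                rss_plugin_hook('rss.plugins.items.newiid', array($newIid, $item, $cid));
            }
            // end handling of this item
        }
        // end handling of all the items in this feed
        $sql = "update " . getTable("channels") . " set " . " itemsincache = '" . serialize($itemIdsInFeed) . "' where id={$cid}";
        rss_query($sql);
    }
    // end handling all the feeds we were asked to handle
    if ($singleChannel) {
        if ($rss) {
            // when everything went well, return the error code
            // and numer of new items
            return array($rss->rss_origin, $updatedIds);
        } else {
            return array(-1, array());
        }
    } else {
        return array(-1, $updatedIds);
    }
}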
예제 #16
/**
 * Returns truncated html formatted content
 *
 * <script> blocks and HTML comments are removed before truncation. The cut
 * point is then widened (at most five rounds) until the kses()-cleaned text
 * reaches $shorten characters, so that stripped tags do not eat into the
 * visible length; the result is finally tidied and $shortenindicator appended.
 *
 * @param string $articlecontent the source string
 * @param int $shorten new size
 * @param string $shortenindicator
 * @param bool $forceindicator set to true to include the indicator no matter what
 * @return string
 */
function shortenContent($articlecontent, $shorten, $shortenindicator, $forceindicator = false)
{
    global $_user_tags;
    if ($shorten && ($forceindicator || mb_strlen($articlecontent) > $shorten)) {
        $allowed_tags = getAllowedTags('allowed_tags');
        //remove script to be replaced later
        // NOTE(review): the scripts are removed with preg_replace() and never
        // captured, so they are not restored later (see the $matches loop below).
        $articlecontent = preg_replace('~<script.*?/script>~is', '', $articlecontent);
        //remove HTML comments
        $articlecontent = preg_replace('~<!--.*?-->~is', '', $articlecontent);
        $short = mb_substr($articlecontent, 0, $shorten);
        $short2 = kses($short . '</p>', $allowed_tags);
        // kses() shrinks the text when tags are dropped; widen the cut until the
        // cleaned result is long enough, bounded to five rounds.
        if (($l2 = mb_strlen($short2)) < $shorten) {
            $c = 0;
            $l1 = $shorten;
            $delta = $shorten - $l2;
            while ($l2 < $shorten && $c++ < 5) {
                $open = mb_strrpos($short, '<');
                // An unclosed tag at the cut: move past its closing '>' first.
                if ($open > mb_strrpos($short, '>')) {
                    $l1 = mb_strpos($articlecontent, '>', $l1 + 1) + $delta;
                } else {
                    $l1 = $l1 + $delta;
                }
                $short = mb_substr($articlecontent, 0, $l1);
                // Balance a dangling <p> before running kses() again.
                preg_match_all('/(<p>)/', $short, $open);
                preg_match_all('/(<\\/p>)/', $short, $close);
                if (count($open) > count($close)) {
                    $short .= '</p>';
                }
                $short2 = kses($short, $allowed_tags);
                $l2 = mb_strlen($short2);
            }
            $shorten = $l1;
        }
        $short = truncate_string($articlecontent, $shorten, '');
        if ($short != $articlecontent) {
            //	we actually did remove some stuff
            // drop open tag strings
            $open = mb_strrpos($short, '<');
            if ($open > mb_strrpos($short, '>')) {
                $short = mb_substr($short, 0, $open);
            }
            // Repair the truncated markup with tidy when available, else cleanHTML().
            if (class_exists('tidy')) {
                $tidy = new tidy();
                $tidy->parseString($short . $shortenindicator, array('show-body-only' => true), 'utf8');
                $tidy->cleanRepair();
                $short = trim($tidy);
            } else {
                $short = trim(cleanHTML($short . $shortenindicator));
            }
        }
        $articlecontent = $short;
    }
    // NOTE(review): $matches is never assigned in this function, so this block
    // is dead code; stripped <script> blocks are not re-inserted.
    if (isset($matches)) {
        //replace the script text
        foreach ($matches[0] as $script) {
            $articlecontent = $script . $articlecontent;
        }
    }
    return $articlecontent;
}
예제 #17
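/**
 * Internal "helper" function to apply the tag removal
 *
 * Uses kses() with $allowed_tags when the library is loaded. Otherwise every
 * tag is removed: script/style blocks and comments first (so their bodies do
 * not survive as text), then strip_tags(); $allowed_tags is ignored on that path.
 *
 * @param string $input_string
 * @param array $allowed_tags
 * @return string
 */
function ksesProcess($input_string, $allowed_tags)
{
    if (function_exists('kses')) {
        return kses($input_string, $allowed_tags);
    }
    $input_string = preg_replace('~<script.*?/script>~is', '', $input_string);
    $input_string = preg_replace('~<style.*?/style>~is', '', $input_string);
    $input_string = preg_replace('~<!--.*?-->~is', '', $input_string);
    // Bug fix: the stripped result used to be assigned to an unused $content
    // variable, so no tag was actually removed on this path.
    $input_string = strip_tags($input_string);
    $input_string = str_replace('&nbsp;', ' ', $input_string);
    // NOTE(review): if html_decode() decodes entities, encoded markup such as
    // "&lt;script&gt;" becomes live tags again after strip_tags(); output from
    // this path must be escaped before it is rendered.
    return html_decode($input_string);
}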
예제 #18
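/**
 * Sanitises a string according to $sanitize_level.
 *
 * Levels are compared strictly, so only integers select a branch:
 *   0 - replace NUL bytes with spaces, keep markup
 *   1 - kses() with the tags from the 'allowed_tags' option
 *   2 - kses() with no allowed tags (strips all markup)
 *   3 - same as 2
 * Any other level returns the input unchanged (apart from magic-quotes handling).
 *
 * @param string $input_string
 * @param int    $sanitize_level
 * @return string
 */
function sanitize_string($input_string, $sanitize_level)
{
    // get_magic_quotes_gpc() was removed in PHP 8; only consult it where it exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }
    if ($sanitize_level === 0) {
        $input_string = str_replace(chr(0), " ", $input_string);
    } elseif ($sanitize_level === 1) {
        $allowed_tags = "(" . getOption('allowed_tags') . ")";
        $allowed = parseAllowedTags($allowed_tags);
        if ($allowed === false) {
            $allowed = array();
        }
        $input_string = kses($input_string, $allowed);
    } elseif ($sanitize_level === 2 || $sanitize_level === 3) {
        // Full sanitation.  Strips all code.
        $input_string = kses($input_string, array());
    }
    return $input_string;
}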
예제 #19
파일: index.php 프로젝트: chaobj001/tt
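/**
 * Executed through the Observer system each time a page is found.
 *
 * Stores a visitor comment posted as $_POST['comment'] for $page after
 * checking the captcha (when the plugin setting enables it), the page's
 * comment status and the required fields. Any rejected input returns
 * silently; nothing is echoed from here.
 *
 * @global PDO $__CMS_CONN__ Database connection used for the INSERT.
 * @param Page $page The object instance for the page that was found.
 * @return void
 */
function comment_save(&$page)
{
    // Nothing to do unless the comment form was posted.
    if (!isset($_POST['comment'])) {
        return;
    }
    $data = $_POST['comment'];
    if (is_null($data)) {
        return;
    }

    // Captcha: the posted answer must be present, non-empty and equal to the
    // value kept in the session. Both sides are cast to string and compared
    // with hash_equals() so numeric-looking answers are not compared loosely
    // ("010" == "10"), and a missing session value rejects instead of
    // raising an undefined-index notice.
    $captcha = Plugin::getSetting('use_captcha', 'comment');
    if ($captcha && $captcha == '1') {
        if (!isset($data['secure'], $_SESSION['security_number']) || empty($data['secure'])) {
            return;
        }
        if (!hash_equals((string) $_SESSION['security_number'], (string) $data['secure'])) {
            return;
        }
    }

    if ($page->comment_status != Comment::OPEN) {
        return;
    }

    // Required fields: all three must be present and non-blank.
    foreach (array('author_name', 'author_email', 'body') as $field) {
        if (!isset($data[$field]) or trim($data[$field]) == '') {
            return;
        }
    }
    // Syntactic e-mail check (RFC-822-ish local@domain with at least one dot).
    if (!preg_match('/[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+(?:\\.[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+)*\\@[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+(?:\\.[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+)+/i', $data['author_email'])) {
        return;
    }

    use_helper('Kses');
    // Whitelist applied to the comment body; kses() strips every other tag
    // and attribute.
    $allowed_tags = array('a' => array('href' => array(), 'title' => array()), 'abbr' => array('title' => array()), 'acronym' => array('title' => array()), 'b' => array(), 'blockquote' => array('cite' => array()), 'br' => array(), 'code' => array(), 'em' => array(), 'i' => array(), 'p' => array(), 'strike' => array(), 'strong' => array());
    $auto_approve_comment = Plugin::getSetting('auto_approve_comment', 'comment');

    // Optional fields default to '' so the INSERT never reads an undefined
    // index (the original did, for a missing author_link or author_ip).
    $author_link = isset($data['author_link']) ? $data['author_link'] : '';
    // Prefix a scheme when none of http:// or https:// is present; as a side
    // effect any other scheme the visitor typed is also neutralised into a
    // plain http:// link.
    if ($author_link !== '') {
        if (strpos($author_link, 'http://') !== 0 && strpos($author_link, 'https://') !== 0) {
            $author_link = 'http://' . $author_link;
        }
    }
    // NOTE(review): author_ip is taken from the posted data as-is. Whether it
    // is populated server-side before this observer runs is not visible here;
    // if it can come from the client it should be replaced by the request's
    // remote address rather than stored — TODO confirm.
    $author_ip = isset($data['author_ip']) ? $data['author_ip'] : '';

    global $__CMS_CONN__;
    // Parameterised INSERT; the values are bound by the driver instead of
    // being quoted into the SQL string by hand.
    $sql = 'INSERT INTO ' . TABLE_PREFIX . 'comment (page_id, author_name, author_email, author_link, ip, body, is_approved, created_on) VALUES (?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $__CMS_CONN__->prepare($sql);
    $stmt->execute(array(
        $page->id,
        strip_tags($data['author_name']),
        strip_tags($data['author_email']),
        strip_tags($author_link),
        $author_ip,
        kses($data['body'], $allowed_tags),
        $auto_approve_comment,
        date('Y-m-d H:i:s'),
    ));

    // @todo FIXME - If code above used Comment object for saving data there would be
    // no need to reload it from database. Using lastInsertId() is unrealiable anyway.
    $comment_id = Record::lastInsertId();
    $comment = Comment::findById($comment_id);
    Observer::notify('comment_after_add', $comment);
    if (Plugin::isEnabled('statistics_api')) {
        $event = array('event_type' => 'comment_added', 'description' => __('A comment was added.'), 'ipaddress' => $comment->ip, 'username' => $comment->author_name);
        Observer::notify('stats_comment_after_add', $event);
    }
}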
 /**
  * Runs checks and stores a page.
  *
  * Reads the submitted page from $_POST['page'] (plus $_POST['upload'] and
  * $_POST['pagesetting'] for page ids 1 and 4), validates the CSRF token and
  * the individual fields, re-renders the edit form with any errors, then
  * saves the page, its parts, its tags and (for ids 1/4) the page-setting
  * images before redirecting.
  *
  * @param string $action   What kind of action this is: add or edit.
  * @param mixed $id        Page to edit if any.
  * @throws Exception When $action is 'edit' but no $id was supplied.
  */
 private function _store($action, $id = false)
 {
     // Sanity checks
     if ($action == 'edit' && !$id) {
         throw new Exception('Trying to edit page when $id is false.');
     }
     use_helper('Validate');
     // NOTE(review): $_POST['page'] is read without isset(); a request that
     // lacks it yields null here and the field accesses below operate on null.
     $data = $_POST['page'];
     $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
     Flash::set('post_data', (object) $data);
     $pagesetting = array();
     //For homepage info & about page info okstmtcc
     // Page ids 1 and 4 are hard-coded as the home and about pages.
     if ($id == 1 || $id == 4) {
         $upload = $_POST['upload'];
         $pagesetting = $_POST['pagesetting'];
         //Flash::set('post_settingdata', (object) $pagesetting);
     }
     // Add pre-save checks here
     $errors = false;
     $error_fields = false;
     // CSRF checks
     if (isset($_POST['csrf_token'])) {
         $csrf_token = $_POST['csrf_token'];
         $csrf_id = '';
         if ($action === 'edit') {
             $csrf_id = '/' . $id;
         }
         // NOTE(review): for edits the token is validated against
         // 'page/edit/<id>', but the form re-rendered on error further down
         // generates one for 'page/<action>' without the id. Whether the
         // regular edit form includes the id is not visible here — confirm
         // the two agree, otherwise a resubmission after an error fails CSRF.
         if (!SecureToken::validateToken($csrf_token, BASE_URL . 'page/' . $action . $csrf_id)) {
             $errors[] = __('Invalid CSRF token found!');
         }
     } else {
         $errors[] = __('No CSRF token found!');
     }
     $data['title'] = trim($data['title']);
     if (empty($data['title'])) {
         $error_fields[] = __('Page Title');
     }
     /** homepage setting check okstmtcc **/
     if ($id == 1) {
         /** homepage page title **/
         if (empty($pagesetting['homepage_discover_title'])) {
             $error_fields[] = __('Homepage Title');
         }
         if (empty($pagesetting['homepage_discover_teaser'])) {
             $error_fields[] = __('Homepage Teaser');
         }
         /** highlight 1 **/
         // if (empty($pagesetting['highlight_title'])){
         //     $error_fields[] = __('Highlight 1&acute;s Title');
         // }
         // if (empty($pagesetting['highlight_text1'])){
         //     $error_fields[] = __('Highlight 1&acute;s Text 1');
         // }
         // if (empty($pagesetting['highlight_url'])){
         //     $error_fields[] = __('Highlight 1&acute;s Read More URL');
         // }
         // $pagesetting_ori = PageSetting::init();
         // if (isset($_FILES)) {
         //     if(empty($_FILES['upload_highlight_image']['name'])){
         //         $pagesetting['highlight_image'] =  $pagesetting_ori->highlight_image;
         //     } else {
         //         $pagesetting['highlight_image'] = $_FILES['upload_highlight_image']['name'];
         //     }
         // } else {
         //     $pagesetting['highlight_image'] =  $pagesetting_ori->highlight_image;
         // }
         // if (empty($pagesetting['highlight_image'])){
         //     $error_fields[] = __('Highlight 1&acute;s Image');
         // }
         // /** highlight 2 **/
         // if (empty($pagesetting['highlight2_title'])){
         //     $error_fields[] = __('Highlight 2&acute;s Title');
         // }
         // if (empty($pagesetting['highlight2_text1'])){
         //     $error_fields[] = __('Highlight 2&acute;s Text 1');
         // }
         // if (empty($pagesetting['highlight2_url'])){
         //     $error_fields[] = __('Highlight 2&acute;s Read More URL');
         // }
         // if (isset($_FILES)) {
         //     if(empty($_FILES['upload_highlight2_image']['name'])){
         //         $pagesetting['highlight2_image'] =  $pagesetting_ori->highlight2_image;
         //     } else {
         //         $pagesetting['highlight2_image'] = $_FILES['upload_highlight2_image']['name'];
         //     }
         // } else {
         //     $pagesetting['highlight2_image'] =  $pagesetting_ori->highlight2_image;
         // }
         // if (empty($pagesetting['highlight2_image'])){
         //     $error_fields[] = __('Highlight 2&acute;s Image');
         // }
         // if (isset($_FILES)) {
         //     if(empty($_FILES['upload_newdev_image']['name'])){
         //         $pagesetting['newdev_image'] =  $pagesetting_ori->newdev_image;
         //     } else {
         //         $pagesetting['newdev_image'] = $_FILES['upload_newdev_image']['name'];
         //     }
         // } else {
         //     $pagesetting['newdev_image'] =  $pagesetting_ori->newdev_image;
         // }
         // if (empty($pagesetting['newdev_image'])){
         //     $error_fields[] = __('New Development Image');
         // }
     }
     /** homepage setting check okstmtcc **/
     // The home page (id 1) may have an empty slug; every other page needs one.
     $data['slug'] = !empty($data['slug']) ? trim($data['slug']) : '';
     if (empty($data['slug']) && $id != '1') {
         $error_fields[] = __('Slug');
     } else {
         if ($data['slug'] == ADMIN_DIR) {
             $errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR));
         }
         // Note: as written, the slug format is only validated when $id == '1'.
         if (!Validate::slug($data['slug']) && (!empty($data['slug']) && $id == '1')) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug'));
         }
     }
     // Check all numerical fields for a page
     $fields = array('parent_id', 'layout_id', 'needs_login');
     foreach ($fields as $field) {
         if (!Validate::digit($data[$field])) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
         }
     }
     // Check all date fields for a page
     $fields = array('created_on', 'published_on', 'valid_until');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check all time fields for a page
     $fields = array('created_on_time', 'published_on_time', 'valid_until_time');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check alphanumerical fields
     // keywords/description are not validated but stripped of all markup
     // (empty whitelist) before they reach the page record.
     $fields = array('keywords', 'description');
     foreach ($fields as $field) {
         use_helper('Kses');
         $data[$field] = kses(trim($data[$field]), array());
         /*
                     if (!empty($data[$field]) && !Validate::alpha_comma($data[$field])) {
            $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
                     }
         *
         */
     }
     // Check behaviour_id field
     if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'behaviour_id'));
     }
     // Make sure the title doesn't contain HTML
     // Only enforced when the 'allow_html_title' setting is 'off'; otherwise
     // the title is stored as submitted.
     if (Setting::get('allow_html_title') == 'off') {
         use_helper('Kses');
         $data['title'] = kses(trim($data['title']), array());
     }
     // Create the page object to be manipulated and populate data
     if ($action == 'add') {
         $page = new Page($data);
     } else {
         $page = Record::findByIdFrom('Page', $id);
         $page->setFromData($data);
     }
     // Upon errors, rebuild original page and return to screen with errors
     // NOTE(review): there is no return after display(); if display() does not
     // end the request, execution continues into the save below with the
     // rejected data — confirm display()'s behaviour.
     if (false !== $errors || $error_fields !== false) {
         $tags = $_POST['page_tag'];
         // Rebuild time fields
         if (isset($page->created_on) && isset($page->created_on_time)) {
             $page->created_on = $page->created_on . ' ' . $page->created_on_time;
         }
         if (isset($page->published_on) && isset($page->published_on_time)) {
             $page->published_on = $page->published_on . ' ' . $page->published_on_time;
         }
         // valid_until_time is read without an isset() guard, unlike the two above.
         if (isset($page->valid_until)) {
             $page->valid_until = $page->valid_until . ' ' . $page->valid_until_time;
         }
         // Rebuild parts
         $part = '';
         if (!empty($_POST['part'])) {
             $part = $_POST['part'];
             $tmp = false;
             foreach ($part as $key => $val) {
                 $tmp[$key] = (object) $val;
             }
             $part = $tmp;
         }
         // Set the errors to be displayed.
         $err_msg = $errors != false ? implode('<br/>', $errors) : '';
         $err_msg .= $error_fields != false ? '<br />Please specify these fields: ' . implode(', ', $error_fields) : '';
         Flash::setNow('error', $err_msg);
         //$settingdata = 'aaa';
         // display things ...
         $this->setLayout('backend');
         $pagesettingobj = new stdClass();
         foreach ($pagesetting as $name => $value) {
             $pagesettingobj->{$name} = $value;
         }
         $this->display('page/edit', array('action' => $action, 'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . $action), 'page' => (object) $page, 'pagesetting' => $pagesettingobj, 'tags' => $tags, 'filters' => Filter::findAll(), 'behaviors' => Behavior::findAll(), 'page_parts' => $part, 'layouts' => Record::findAllFrom('Layout')));
     }
     // Notify
     if ($action == 'add') {
         Observer::notify('page_add_before_save', $page);
     } else {
         Observer::notify('page_edit_before_save', $page);
     }
     // Time to actually save the page
     // @todo rebuild this so parts are already set before save?
     // @todo determine lazy init impact
     $page->newwindow = !empty($data['newwindow']) ? '1' : '0';
     if ($page->save()) {
         // Get data for parts of this page
         // Note: the foreach loops below reuse $data as the loop variable and
         // overwrite the validated page data.
         $data_parts = $_POST['part'];
         Flash::set('post_parts_data', (object) $data_parts);
         if ($action == 'edit') {
             $old_parts = PagePart::findByPageId($id);
             // check if all old page part are passed in POST
             // if not ... we need to delete it!
             foreach ($old_parts as $old_part) {
                 $not_in = true;
                 foreach ($data_parts as $part_id => $data) {
                     $data['name'] = trim($data['name']);
                     if ($old_part->name == $data['name']) {
                         $not_in = false;
                         // this will not really create a new page part because
                         // the id of the part is passed in $data
                         $part = new PagePart($data);
                         $part->page_id = $id;
                         Observer::notify('part_edit_before_save', $part);
                         $part->save();
                         Observer::notify('part_edit_after_save', $part);
                         unset($data_parts[$part_id]);
                         break;
                     }
                 }
                 if ($not_in) {
                     $old_part->delete();
                 }
             }
         }
         // add the new parts
         foreach ($data_parts as $data) {
             $data['name'] = trim($data['name']);
             $part = new PagePart($data);
             $part->page_id = $page->id;
             Observer::notify('part_add_before_save', $part);
             $part->save();
             Observer::notify('part_add_after_save', $part);
         }
         // save tags
         $page->saveTags($_POST['page_tag']['tags']);
         // save homepage banner info okstmtcc
         if ($id == 1) {
             // upload home banner image 1, 2
             // NOTE(review): only spaces and parentheses are rewritten in the
             // client-supplied filename; whether upload_file() rejects path
             // separators and unsafe extensions is not visible here — confirm
             // before relying on the name. $overwrite is never assigned in this
             // method, so upload_file() receives null for it.
             if (isset($_FILES) && !empty($_FILES['upload_banner_image1']['name'])) {
                 //okstmtcc 20150827 Replace image filename spaces
                 $_FILES['upload_banner_image1']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_banner_image1']['name']);
                 $file = $this->upload_file($_FILES['upload_banner_image1']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_banner_image1']['tmp_name'], $overwrite);
                 if ($file === false) {
                     Flash::set('error', __('Home banner could not be uploaded!'));
                     redirect(get_url('page/edit/1'));
                 } else {
                     $pagesetting['banner_image1'] = $file;
                 }
             }
             if (isset($_FILES) && !empty($_FILES['upload_banner_image2']['name'])) {
                 //okstmtcc 20150827 Replace image filename spaces
                 $_FILES['upload_banner_image2']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_banner_image2']['name']);
                 $file = $this->upload_file($_FILES['upload_banner_image2']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_banner_image2']['tmp_name'], $overwrite);
                 if ($file === false) {
                     Flash::set('error', __('Home banner could not be uploaded!'));
                     redirect(get_url('page/edit/1'));
                 } else {
                     $pagesetting['banner_image2'] = $file;
                 }
             }
             PageSetting::saveFromData($pagesetting);
         }
         // save homepage banner info okstmtcc
         // save about banner info okstmtcc
         // Note: this branch reuses the home-banner error message and redirects
         // to page/edit/1 rather than the about page (id 4) on failure.
         if ($id == 4) {
             // upload about page image 1
             if (isset($_FILES) && !empty($_FILES['upload_about_image1']['name'])) {
                 //okstmtcc 20150827 Replace image filename spaces
                 $_FILES['upload_about_image1']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_about_image1']['name']);
                 $file = $this->upload_file($_FILES['upload_about_image1']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_about_image1']['tmp_name'], $overwrite);
                 if ($file === false) {
                     Flash::set('error', __('Home banner could not be uploaded!'));
                     redirect(get_url('page/edit/1'));
                 } else {
                     $pagesetting['about_image1'] = $file;
                 }
             }
             PageSetting::saveFromData($pagesetting);
         }
         // save about banner info okstmtcc
         Flash::set('success', __('Page has been saved.'));
     } else {
         Flash::set('error', __('Page has not been saved!'));
         $url = 'page/';
         $url .= $action == 'edit' ? 'edit/' . $id : 'add/';
         redirect(get_url($url));
     }
     if ($action == 'add') {
         Observer::notify('page_add_after_save', $page);
     } else {
         Observer::notify('page_edit_after_save', $page);
     }
     // save and quit or save and continue editing ?
     if (isset($_POST['commit'])) {
         redirect(get_url('page'));
     } else {
         redirect(get_url('page/edit/' . $page->id));
     }
 }
/**
 * Internal "helper" function to apply the tag removal
 *
 * Delegates to kses() with the supplied whitelist when that function has
 * been loaded; otherwise falls back to the project's getBare() helper.
 *
 * @param string $input_string
 * @param array $allowed_tags
 * @return string
 */
function ksesProcess($input_string, $allowed_tags)
{
    $haveKses = function_exists('kses');
    return $haveKses
        ? kses($input_string, $allowed_tags)
        : getBare($input_string);
}
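 /**
  * Sanitize
  *
  * Sanitizes the field value contents so that there are no HTML tags or attributes
  * which have not been defined in the white_list. Critical for security.
  *
  * A null value is returned untouched; anything else is run through kses()
  * with $this->white_list, allowing only the http and https protocols in
  * attribute values.
  *
  * @api
  * @return  mixed The (possibly filtered) field value.
  * @since   1.0.0
  */
 public function sanitize()
 {
     // Same test as the original's empty if/else, written positively.
     if ($this->field_value !== null) {
         $this->field_value = kses($this->field_value, $this->white_list, array('http', 'https'));
     }
     return $this->field_value;
 }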
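/**
 * Applies one of the configured sanitation levels to a string.
 *
 * @param string $input_string Raw input (typically request data).
 * @param int $sanitize_level 0 = NUL bytes only, 1 = site tag whitelist,
 *                            2 = strip all markup; compared strictly, so any
 *                            other value (or a numeric string) is a no-op.
 * @return string
 */
function sanitize_string($input_string, $sanitize_level)
{
    require_once dirname(__FILE__) . '/lib-htmlawed.php';

    // get_magic_quotes_gpc() no longer exists on PHP 8 (and always returns
    // false on 7.4); guard the call so the function keeps working on both.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }

    if ($sanitize_level === 0) {
        // Level 0 only neutralises NUL bytes. Markup is left untouched, so the
        // value must still be escaped for whatever context it is output in.
        $input_string = str_replace(chr(0), " ", $input_string);
    } elseif ($sanitize_level === 1) {
        // Level 1 keeps the tags configured in the 'allowed_tags' option;
        // an unparsable option falls back to stripping everything.
        $allowed_tags = "(" . getOption('allowed_tags') . ")";
        $allowed = parseAllowedTags($allowed_tags);
        if ($allowed === false) {
            $allowed = array();
        }
        $input_string = kses($input_string, $allowed);
    } elseif ($sanitize_level === 2) {
        // Full sanitation: an empty whitelist strips all code.
        $input_string = kses($input_string, array());
    }

    return $input_string;
}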
/**
 * Callback for kses_split for fixing malformed HTML tags.
 *
 * This function does a lot of work. It rejects some very malformed things like
 * <:::>. It returns an empty string, if the element isn't allowed (look ma, no
 * strip_tags()!). Otherwise it splits the tag into an element and an attribute
 * list.
 *
 * After the tag is split into an element and an attribute list, it is run
 * through another filter which will remove illegal attributes and once that is
 * completed, will be returned.
 *
 * @access private
 * @uses kses_attr()
 *
 * @param string $string Content to filter
 * @param array $allowed_html Allowed HTML elements
 * @param array $allowed_protocols Allowed protocols to keep
 * @return string Fixed HTML element
 */
function kses_split2($string, $allowed_html, $allowed_protocols)
{
    $string = kses_stripslashes($string);
    // kses_split() hands over either a "<...>" candidate or a lone ">";
    // anything that does not start with "<" is the latter and is entity-encoded.
    if (substr($string, 0, 1) != '<') {
        return '&gt;';
    }
    // HTML comment: filter the comment body through kses() until it stops
    // changing (so markup hidden inside the comment cannot survive), then
    // normalise the dashes so the body cannot terminate the comment early.
    if (preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)) {
        $string = str_replace(array('<!--', '-->'), '', $matches[1]);
        while ($string != ($newstring = kses($string, $allowed_html, $allowed_protocols))) {
            $string = $newstring;
        }
        if ($string == '') {
            return '';
        }
        // prevent multiple dashes in comments
        $string = preg_replace('/--+/', '-', $string);
        // prevent three dashes closing a comment
        $string = preg_replace('/-$/', '', $string);
        return "<!--{$string}-->";
    }
    // Split into optional slash, element name and attribute list; anything
    // that does not fit this shape is seriously malformed and is dropped.
    if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
        return '';
    }
    $slash = trim($matches[1]);
    $elem = $matches[2];
    $attrlist = $matches[3];
    // Element not on the whitelist: drop it entirely. (The "@" is redundant
    // here, isset() never raises a warning.)
    if (!@isset($allowed_html[strtolower($elem)])) {
        return '';
    }
    // Closing tags keep no attributes.
    if ($slash != '') {
        return "<{$slash}{$elem}>";
    }
    // Opening tag: let kses_attr() filter the attribute list.
    return kses_attr("{$slash}{$elem}", $attrlist, $allowed_html, $allowed_protocols);
}
파일: HTML.php 프로젝트: KRCM13/chamilo-lms
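 /**
  * Function to validate HTML
  *
  * The HTML is considered valid only when kses() with the tag list for $mode
  * leaves it unchanged, i.e. it contains nothing the whitelist would strip.
  *
  * @see HTML_QuickForm_Rule
  * @param string $html
  * @param mixed $mode Tag set selector passed to get_allowed_tags(); defaults to NO_HTML.
  * @param mixed $fullpage Forwarded to get_allowed_tags(); the original read
  *                        an undefined variable here, which evaluated to null.
  * @return boolean True if html is valid
  */
 function validate($html, $mode = NO_HTML, $fullpage = null)
 {
     $allowed_tags = self::get_allowed_tags($mode, $fullpage);
     $cleaned_html = kses($html, $allowed_tags);
     // Strict comparison: a loose == would also accept input that is merely
     // numerically equal to its cleaned form.
     return (string) $html === (string) $cleaned_html;
 }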
파일: backend.php 프로젝트: R00bert/FrogCMS
<?php

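// Only backend roles may render this layout; everyone else is sent to the
// public site and rendering stops. The original appended a stray space to
// the Location URL.
if (!AuthUser::hasPermission('administrator,developer,editor')) {
    header('Location: ' . URL_PUBLIC);
    exit;
}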
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <title><?php 
use_helper('Kses');
echo kses(Setting::get('admin_title'), array()) . ' - ' . ucfirst($ctrl = Dispatcher::getController(Setting::get('default_tab')));
?>
</title>
    
    <base href="<?php 
echo trim(BASE_URL, '?/') . '/';
?>
" />

    <link rel="favourites icon" href="<?php 
echo URL_PUBLIC;
?>
favicon.ico" />
    <link href="stylesheets/admin.css" media="screen" rel="Stylesheet" type="text/css" />
    <link href="stylesheets/toolbar.css" media="screen" rel="Stylesheet" type="text/css" />
    <link href="themes/<?php 
 /**
  * Runs checks and stores a page.
  *
  * Reads the submitted page from $_POST['page'], validates the CSRF token and
  * the individual fields, re-renders the edit form with any errors, then
  * saves the page, its parts and its tags before redirecting.
  *
  * @param string $action   What kind of action this is: add or edit.
  * @param mixed $id        Page to edit if any.
  * @throws Exception When $action is 'edit' but no $id was supplied.
  */
 private function _store($action, $id = false)
 {
     // Sanity checks
     if ($action == 'edit' && !$id) {
         throw new Exception('Trying to edit page when $id is false.');
     }
     use_helper('Validate');
     // NOTE(review): $_POST['page'] is read without isset(); a request that
     // lacks it yields null here and the field accesses below operate on null.
     $data = $_POST['page'];
     $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
     Flash::set('post_data', (object) $data);
     // Add pre-save checks here
     $errors = false;
     // CSRF checks
     // The token is bound to 'page/<action>' only, not to the page id, which
     // matches the token generated for the re-rendered form below.
     if (isset($_POST['csrf_token'])) {
         $csrf_token = $_POST['csrf_token'];
         if (!SecureToken::validateToken($csrf_token, BASE_URL . 'page/' . $action)) {
             $errors[] = __('Invalid CSRF token found!');
         }
     } else {
         $errors[] = __('No CSRF token found!');
     }
     $data['title'] = trim($data['title']);
     if (empty($data['title'])) {
         $errors[] = __('You have to specify a title!');
     }
     // The home page (id 1) may have an empty slug; every other page needs one.
     $data['slug'] = trim($data['slug']);
     if (empty($data['slug']) && $id != '1') {
         $errors[] = __('You have to specify a slug!');
     } else {
         if ($data['slug'] == ADMIN_DIR) {
             $errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR));
         }
         // Note: as written, the slug format is only validated when $id == '1'.
         if (!Validate::slug($data['slug']) && (!empty($data['slug']) && $id == '1')) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug'));
         }
     }
     // Check all numerical fields for a page
     $fields = array('parent_id', 'layout_id', 'needs_login');
     foreach ($fields as $field) {
         if (!Validate::digit($data[$field])) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
         }
     }
     // Check all date fields for a page
     $fields = array('created_on', 'published_on', 'valid_until');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check all time fields for a page
     $fields = array('created_on_time', 'published_on_time', 'valid_until_time');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check alphanumerical fields
     // keywords/description are not validated but stripped of all markup
     // (empty whitelist) before they reach the page record.
     $fields = array('keywords', 'description');
     foreach ($fields as $field) {
         use_helper('Kses');
         $data[$field] = kses(trim($data[$field]), array());
         /*
                     if (!empty($data[$field]) && !Validate::alpha_comma($data[$field])) {
            $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
                     }
         * 
         */
     }
     // Check behaviour_id field
     if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'behaviour_id'));
     }
     // Make sure the title doesn't contain HTML
     // Only enforced when the 'allow_html_title' setting is 'off'; otherwise
     // the title is stored as submitted.
     if (Setting::get('allow_html_title') == 'off') {
         use_helper('Kses');
         $data['title'] = kses(trim($data['title']), array());
     }
     // Create the page object to be manipulated and populate data
     if ($action == 'add') {
         $page = new Page($data);
     } else {
         $page = Record::findByIdFrom('Page', $id);
         $page->setFromData($data);
     }
     // Upon errors, rebuild original page and return to screen with errors
     // NOTE(review): there is no return after display(); if display() does not
     // end the request, execution continues into the save below with the
     // rejected data — confirm display()'s behaviour.
     if (false !== $errors) {
         $tags = $_POST['page_tag'];
         // Rebuild time fields
         // Only the date halves are isset()-checked; the *_time halves are read
         // unconditionally.
         if (isset($page->created_on)) {
             $page->created_on = $page->created_on . ' ' . $page->created_on_time;
         }
         if (isset($page->published_on)) {
             $page->published_on = $page->published_on . ' ' . $page->published_on_time;
         }
         if (isset($page->valid_until)) {
             $page->valid_until = $page->valid_until . ' ' . $page->valid_until_time;
         }
         // Rebuild parts
         // $_POST['part'] is read without isset(); a missing key yields null,
         // which the empty() test below then skips.
         $part = $_POST['part'];
         if (!empty($part)) {
             $tmp = false;
             foreach ($part as $key => $val) {
                 $tmp[$key] = (object) $val;
             }
             $part = $tmp;
         }
         // Set the errors to be displayed.
         Flash::setNow('error', implode('<br/>', $errors));
         // display things ...
         $this->setLayout('backend');
         $this->display('page/edit', array('action' => $action, 'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . $action), 'page' => (object) $page, 'tags' => $tags, 'filters' => Filter::findAll(), 'behaviors' => Behavior::findAll(), 'page_parts' => (object) $part, 'layouts' => Record::findAllFrom('Layout')));
     }
     // Notify
     if ($action == 'add') {
         Observer::notify('page_add_before_save', $page);
     } else {
         Observer::notify('page_edit_before_save', $page);
     }
     // Time to actually save the page
     // @todo rebuild this so parts are already set before save?
     // @todo determine lazy init impact
     if ($page->save()) {
         // Get data for parts of this page
         // Note: the foreach loops below reuse $data as the loop variable and
         // overwrite the validated page data.
         $data_parts = $_POST['part'];
         Flash::set('post_parts_data', (object) $data_parts);
         if ($action == 'edit') {
             $old_parts = PagePart::findByPageId($id);
             // check if all old page part are passed in POST
             // if not ... we need to delete it!
             foreach ($old_parts as $old_part) {
                 $not_in = true;
                 foreach ($data_parts as $part_id => $data) {
                     $data['name'] = trim($data['name']);
                     if ($old_part->name == $data['name']) {
                         $not_in = false;
                         // this will not really create a new page part because
                         // the id of the part is passed in $data
                         $part = new PagePart($data);
                         $part->page_id = $id;
                         Observer::notify('part_edit_before_save', $part);
                         $part->save();
                         Observer::notify('part_edit_after_save', $part);
                         unset($data_parts[$part_id]);
                         break;
                     }
                 }
                 if ($not_in) {
                     $old_part->delete();
                 }
             }
         }
         // add the new parts
         foreach ($data_parts as $data) {
             $data['name'] = trim($data['name']);
             $part = new PagePart($data);
             $part->page_id = $page->id;
             Observer::notify('part_add_before_save', $part);
             $part->save();
             Observer::notify('part_add_after_save', $part);
         }
         // save tags
         $page->saveTags($_POST['page_tag']['tags']);
         Flash::set('success', __('Page has been saved!'));
     } else {
         Flash::set('error', __('Page has not been saved!'));
         $url = 'page/';
         $url .= $action == 'edit' ? 'edit/' . $id : 'add/';
         redirect(get_url($url));
     }
     if ($action == 'add') {
         Observer::notify('page_add_after_save', $page);
     } else {
         Observer::notify('page_edit_after_save', $page);
     }
     // save and quit or save and continue editing ?
     if (isset($_POST['commit'])) {
         redirect(get_url('page'));
     } else {
         redirect(get_url('page/edit/' . $page->id));
     }
 }
/**
 * Smarty modifier wrapping kses(): keeps common block, list, heading and
 * inline formatting tags, and allows only href/title/rel on anchors.
 *
 * @param string $text
 * @return string
 */
function smarty_modifier_kses($text)
{
    $anchorAttrs = array('href' => 1, 'title' => 1, 'rel' => 1);
    $whitelist = array();
    // Tags listed before the anchor in the original whitelist.
    foreach (array('table', 'tr', 'td', 'th', 'dl', 'dd', 'dt', 'p', 'blockquote', 'ul', 'ol', 'li', 'pre', 'code') as $tag) {
        $whitelist[$tag] = array();
    }
    $whitelist['a'] = $anchorAttrs;
    // Inline formatting and headings, no attributes allowed.
    foreach (array('b', 'i', 'em', 'strong', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6') as $tag) {
        $whitelist[$tag] = array();
    }
    return kses($text, $whitelist);
}
파일: backend.php 프로젝트: sindotnet/tiigo
// Extend the window title with the current controller action and, when
// editing, with the page's own title. The PHP block this sits in and the
// initial assignment of $title start before this excerpt.
if (isset($this->vars['content_for_layout']->vars['action'])) {
    $tmp = $this->vars['content_for_layout']->vars['action'];
    $title .= ' - ' . ucfirst($tmp);
    if ($tmp == 'edit' && isset($this->vars['content_for_layout']->vars['page'])) {
        $tmp = $this->vars['content_for_layout']->vars['page'];
        // NOTE(review): $tmp->title is echoed into <title> below without
        // escaping (only the admin_title part is passed through kses()) —
        // confirm the page title is already sanitised on save.
        $title .= ' - ' . $tmp->title;
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <title><?php 
use_helper('Kses');
echo kses(Setting::get('admin_title'), array()) . ' - ' . $title;
?>
</title>

    <link href="<?php 
echo URI_PUBLIC;
?>
wolf/admin/stylesheets/admin.css" media="screen" rel="Stylesheet" type="text/css" />
    <link href="<?php 
echo URI_PUBLIC;
?>
wolf/admin/themes/<?php 
echo Setting::get('theme');
?>
/styles.css" id="css_theme" media="screen" rel="Stylesheet" type="text/css" />
    <link href="<?php 
 /**
  * Runs $value through kses() using this filter's configured tag whitelist.
  *
  * @param mixed $value
  * @return string
  */
 public function filter($value)
 {
     $whitelist = $this->getTags();
     return kses($value, $whitelist);
 }