die($res->getMessage());
}
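// If nothing is found, send to object not found.
if ($res->numRows() < 1) {
    $t->assign('heading', "Error");
    $t->assign('message', "Did not find the object you were looking for.");
    $t->display('error.tpl');
    die;
}
// Assign vars to response.
// NOTE(review): $response is rebuilt on every row, so only the last row of
// $res survives; presumably the query is expected to return a single row — verify.
// obj_img and obj_zoomDir are passed through unencoded: whatever renders
// $response must escape them for its output context (HTML attribute / URL).
$response = array();
while ($row = $res->fetchRow()) {
    $response['obj_id'] = $row['id'];
    $response['obj_num'] = $row['objnum'];
    $response['objectName'] = convert_smart_quotes($row['name']);
    $response['objectDescription'] = convert_smart_quotes(allEntitiesDecode($row['notes'], ENT_COMPAT, "UTF-8"));
    $response['obj_order'] = $row['order_num'];
    $response['obj_img'] = $row['img_path'];
    // HACK to accommodate the current zoomer tool: the zoom directory is the
    // image path minus its 4-character extension (".jpg"), with spaces in the
    // filename part (not the directory part) replaced by underscores.
    $imgPath = (string) $row['img_path'];
    $lastSlash = strrpos($imgPath, "/");
    if ($lastSlash === false) {
        // No directory component: the whole path is the filename.
        // (The old code added 1 to strrpos() before the false-check, so this
        // branch was unreachable and the first character escaped conversion.)
        $dir = '';
        $file = $imgPath;
    } else {
        // Keep everything through the last slash as the directory.
        $dir = substr($imgPath, 0, $lastSlash + 1);
        $file = substr($imgPath, $lastSlash + 1);
    }
    // substr() returns false (PHP < 8) / "" on filenames shorter than 4 bytes.
    $response['obj_zoomDir'] = $dir . str_replace(" ", "_", (string) substr($file, 0, -4));
}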
// Free the result
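/**
 * Sanitise user-submitted text for storage while allowing a small set of
 * inline formatting tags.
 *
 * Behaviour:
 *  - Tags in $safeFormatTags are kept but re-emitted bare (`<b>`, `</b>`):
 *    every attribute is discarded, so event handlers, style and href can
 *    never survive.
 *  - An opening `<script>` drops the tag AND everything through the matching
 *    `</script>` (case-insensitive); with no closing tag the rest of the
 *    input is discarded.
 *  - Any other tag is removed; its inner text is kept.
 *  - All text outside tags is entity-decoded with the project helper
 *    allEntitiesDecode() and re-encoded with htmlentities(ENT_QUOTES, UTF-8),
 *    so `<`, `>`, `"`, `'` and `&` in text cannot form markup.
 *  - `<?` and `<!--` are squashed as a final belt-and-braces step.
 *
 * The original used the ereg*() family, which was removed in PHP 7. This
 * version uses PCRE with byte-wise semantics (no `u` flag) so tokenising
 * matches the old behaviour. If PCRE fails (e.g. backtrack limit) preg_match()
 * returns false, the loop ends and the remainder is entity-encoded, so the
 * function fails closed.
 *
 * @param string $str Raw input (e.g. a form field).
 * @return string Entity-encoded text containing only bare whitelisted tags.
 */
function cleanFormDataAllowHTML($str)
{
    // Tags we'll allow, emitted without attributes.
    $safeFormatTags = array('b', 'i', 'strong', 'em', 'br', 'hr', 'strike');
    // TODO Hyperlinks (<a href>) are not supported. If added, restrict the
    // scheme to http(s)/mailto and re-emit only the href attribute.

    // NOTE(review): unconditional stripslashes() dates from magic_quotes_gpc
    // and removes legitimate backslashes from input; kept for compatibility
    // with existing callers — confirm before removing.
    $str = stripslashes((string) $str);

    // First, close up whitespace just inside the angle brackets ("< b>" -> "<b>").
    // On a PCRE error preg_replace() returns null; keep the untightened text,
    // which the tokeniser below still handles safely.
    $tightened = preg_replace('/<\s*([^>]*)\s*>/', '<$1>', $str);
    if ($tightened !== null) {
        $str = $tightened;
    }

    $tmp = '';
    // Find the first tag in the remaining string. Group 1 is the tag token
    // (everything up to the first space or '>'); attributes land in group 2
    // and are never copied to the output.
    while (preg_match('/<([^> ]*)([^>]*)>/', $str, $reg, PREG_OFFSET_CAPTURE)) {
        $i = $reg[0][1];          // byte offset of the tag in $str
        $l = strlen($reg[0][0]);  // bytes consumed by the tag itself
        $token = $reg[1][0];
        // Fold tag string for compare; guard the empty token ("<>").
        $closetag = ($token !== '' && $token[0] === '/');
        $tag = strtolower($closetag ? (string) substr($token, 1) : $token);

        if (in_array($tag, $safeFormatTags, true)) {
            $tag = $closetag ? "</{$tag}>" : "<{$tag}>";
        } elseif ($tag === 'script' && !$closetag) {
            $tag = '';
            // Dangerous tag: drop it and its content through the closing tag.
            // stripos() so </SCRIPT> is found; the old strpos() missed it and
            // threw the rest of the input away.
            $pos = stripos($str, '</script>', $i + $l);
            if ($pos === false) {
                // No closing tag, so toss the rest of the string.
                $str = (string) substr($str, 0, $i);
                $l = 0;
            } else {
                // Strip everything up to the end of the closing tag.
                $l = $pos - $i + strlen('</script>');
            }
        } else {
            // Any other tag (including a stray </script>) is elided; its
            // inner text survives, entity-encoded.
            $tag = '';
        }

        // Append the text before the tag — decoded then re-encoded so no
        // stray '<', '>', quotes or '&' survive — plus the filtered tag.
        // html_entity_decode misses some entities (mdash, ndash), hence the
        // project helper allEntitiesDecode().
        $tmp .= htmlentities(allEntitiesDecode(substr($str, 0, $i), ENT_QUOTES, ""), ENT_QUOTES, "UTF-8") . $tag;
        // Continue after the consumed span.
        $str = (string) substr($str, $i + $l);
    }
    // Append the end of the string.
    $str = $tmp . htmlentities(allEntitiesDecode($str, ENT_QUOTES, ""), ENT_QUOTES, "UTF-8");
    // Squash PHP open tags and comment openers unconditionally (belt and
    // braces: text is already encoded and only bare whitelisted tags remain).
    $str = str_replace(array('<?', '<!--'), '', $str);
    return $str;
}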