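/**
 * Observer callback: stores a comment posted for $page.
 *
 * Reads the submitted comment from $_POST['comment'] and inserts it through
 * the global $__FROG_CONN__ connection. Returns silently when nothing was
 * posted, when comments are not open for the page, or when author name,
 * e-mail or body is blank. The body is filtered with kses() against a small
 * whitelist; name, e-mail and link are stripped of tags.
 *
 * @param object $page Page the comment belongs to; reads ->comment_status and ->id.
 * @return void
 */
function comment_save(&$page)
{
    // check if we need to save a comment
    if (!isset($_POST['comment'])) {
        return;
    }
    global $__FROG_CONN__;

    if ($page->comment_status != Comment::OPEN) {
        return;
    }

    $data = $_POST['comment'];
    // A scalar posted under 'comment' cannot carry the fields below.
    if (!is_array($data)) {
        return;
    }

    // Required fields must be present and non-blank.
    foreach (array('author_name', 'author_email', 'body') as $field) {
        if (!isset($data[$field]) || trim($data[$field]) == '') {
            return;
        }
    }
    // author_link is optional; read it with a guard instead of unconditionally.
    $author_link = isset($data['author_link']) ? $data['author_link'] : '';

    use_helper('Kses');
    $allowed_tags = array(
        'a' => array('href' => array(), 'title' => array()),
        'abbr' => array('title' => array()),
        'acronym' => array('title' => array()),
        'b' => array(),
        'blockquote' => array('cite' => array()),
        'br' => array(),
        'code' => array(),
        'em' => array(),
        'i' => array(),
        'p' => array(),
        'strike' => array(),
        'strong' => array(),
    );

    // Comment moderation: the setting lookup (auto_approve_comment in the
    // setting table) is disabled here and every comment is approved (1).
    $auto_approve_comment = 1;

    // Every value, including the page id, goes through the driver's quote().
    $sql = 'INSERT INTO ' . TABLE_PREFIX . 'comment (page_id, author_name, author_email, author_link, body, is_approved, created_on) VALUES ('
        . $__FROG_CONN__->quote($page->id) . ', '
        . $__FROG_CONN__->quote(strip_tags($data['author_name'])) . ', '
        . $__FROG_CONN__->quote(strip_tags($data['author_email'])) . ', '
        . $__FROG_CONN__->quote(strip_tags($author_link)) . ', '
        . $__FROG_CONN__->quote(kses($data['body'], $allowed_tags)) . ', '
        . $__FROG_CONN__->quote($auto_approve_comment) . ', '
        . $__FROG_CONN__->quote(date('Y-m-d H:i:s')) . ')';
    $__FROG_CONN__->exec($sql);

    Observer::notify('comment_after_add');
}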
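/**
 * Creates or updates a calendar event from the submitted form.
 *
 * Requires $_POST['save']; the event fields come from $_POST['event'].
 * An 'id' in the data selects update mode. On success the user is
 * redirected to the events list; on validation failure the edit form is
 * displayed again with an error flash.
 *
 * @return void
 */
public function update_event()
{
    if (!isset($_POST['save'])) {
        Flash::set('error', __('Could not update this event!'));
        return;
    }

    use_helper('Kses');

    /* Prepare the data */
    $data = isset($_POST['event']) && is_array($_POST['event']) ? $_POST['event'] : array();
    $isUpdate = isset($data['id']);
    if ($isUpdate) {
        // No markup of any kind is allowed in the id.
        $data['id'] = kses(trim($data['id']), array());
    }

    $event = new CalendarEvent();
    if ($isUpdate) {
        $event->id = $data['id'];
        // NOTE(review): created_by_id is taken from the posted form as-is;
        // the authenticated user is not consulted here.
        $event->created_by_id = isset($data['created_by_id']) ? $data['created_by_id'] : null;
    }
    // Missing fields become null, which is what the unguarded reads yielded.
    foreach (array('title', 'date_from', 'date_to', 'description') as $field) {
        $event->$field = isset($data[$field]) ? $data[$field] : null;
    }

    /* Check data and, if correct, save to DB */
    if ($event->checkData() && $event->save()) {
        Flash::set('success', $isUpdate ? __('The event has been updated.') : __('A new event has been created.'));
        redirect(get_url('plugin/calendar/events'));
    } else {
        Flash::setNow('error', __('There are errors in the form.'));
        $this->display(CALENDAR_VIEWS . '/update', array('event' => $event));
    }
}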
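/**
 * Saves the settings.
 *
 * The CSRF token in $_POST['csrf_token'] is validated against
 * BASE_URL . 'setting' before the posted data is touched; a missing or
 * invalid token flashes an error, notifies an observer and redirects back
 * to the settings page. The admin title is filtered with kses() against a
 * small whitelist, then Setting::saveFromData() stores $_POST['setting'].
 *
 * @return void
 */
private function _save()
{
    // CSRF checks. The explicit returns make the early exit independent of
    // redirect() terminating the request.
    if (!isset($_POST['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        Observer::notify('csrf_token_not_found', AuthUser::getUserName());
        redirect(get_url('setting'));
        return;
    }
    if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'setting')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        Observer::notify('csrf_token_invalid', AuthUser::getUserName());
        redirect(get_url('setting'));
        return;
    }

    $data = isset($_POST['setting']) && is_array($_POST['setting']) ? $_POST['setting'] : array();
    // An unchecked checkbox is absent from the POST.
    if (!isset($data['allow_html_title'])) {
        $data['allow_html_title'] = 'off';
    }

    use_helper('Kses');
    $allowed = array(
        'img' => array('src' => array()),
        'abbr' => array('title' => array()),
        'acronym' => array('title' => array()),
        'b' => array(),
        'blockquote' => array('cite' => array()),
        'br' => array(),
        'code' => array(),
        'em' => array(),
        'i' => array(),
        'p' => array(),
        'strike' => array(),
        'strong' => array(),
    );
    $adminTitle = isset($data['admin_title']) ? $data['admin_title'] : '';
    $data['admin_title'] = kses(trim($adminTitle), $allowed);

    Setting::saveFromData($data);
    Flash::set('success', __('Settings have been saved!'));
    redirect(get_url('setting'));
}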
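/**
 * Removes <img> from an RSS item's description.
 *
 * The whitelist is the configured 'rss.input.allowed' set minus the 'img'
 * entry; it is read once and cached in a static local.
 *
 * @param object $i Item whose ->description is filtered in place.
 * @return object The same item.
 */
function __mobile_strip_images($i)
{
    static $allowed = null;
    // Compare against null rather than truthiness so that an empty
    // whitelist is cached too instead of being re-read on every call.
    if ($allowed === null) {
        $allowed = getConfig('rss.input.allowed');
        if (isset($allowed['img'])) {
            unset($allowed['img']);
        }
    }
    $i->description = kses($i->description, $allowed);
    return $i;
}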
/**
 * Runs a single kses() test case and echoes "OK" or "not OK".
 *
 * @param string $htmlbefore Input handed to kses().
 * @param string $htmlafter  Expected output.
 * @param int    $score      Incremented (by reference) when the output matches.
 * @param int    $max        Incremented (by reference) for every case.
 * @param array  $allowed    Whitelist handed to kses().
 * @return void
 */
function onetest($htmlbefore, $htmlafter, &$score, &$max, $allowed)
{
    $max++;
    $filtered = kses($htmlbefore, $allowed);
    $passed = ($filtered == $htmlafter);
    if ($passed) {
        $score++;
    }
    echo $passed ? 'OK' : 'not OK';
    echo "<br>\n";
}
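/**
 * Reduces an HTML fragment to plain text by running kses() with an empty
 * whitelist, which removes every tag.
 *
 * @param string $html Source HTML (taken by reference but not modified).
 * @return string Tag-free text.
 */
function ConvertToPlain_UTF8(&$html)
{
    $res = kses($html, array()); // strip all tags
    // NOTE(review): the original then called str_replace('&', '&', $res),
    // which, as shown in this listing, replaces a string with itself and has
    // no effect; whatever decoding was intended is not recoverable here.
    return $res;
}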
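/**
 * Filters $text with a fixed kses() whitelist.
 *
 * The literal "gettags" is a query mode: instead of filtering, the
 * comma-separated list of allowed tags is returned.
 *
 * @param string $text Text to filter, or the literal "gettags".
 * @param mixed  $hook Unused; part of the hook calling convention.
 * @return string Filtered text, or "<b>, <i>, ..." for "gettags".
 */
function kses_filter($text, $hook)
{
    $allowed_html = array(
        'b' => array(),
        'i' => array(),
        'a' => array('href' => array('maxlen' => 100), 'title' => 1),
        'p' => array('align' => 1),
        'font' => array('size' => array('maxval' => 20)),
        'br' => array(),
    );
    // get_magic_quotes_gpc() was removed in PHP 8; only call it where it exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }
    if ($text !== "gettags") {
        return kses($text, $allowed_html);
    }
    $kses_printtags = ''; // was appended to without initialisation
    foreach (array_keys($allowed_html) as $tag) {
        $kses_printtags .= "<{$tag}>, ";
    }
    return $kses_printtags;
}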
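/**
 * Smarty modifier: {$var|kses} or {$var|kses:"nolinks"}.
 *
 * Filters $in through kses() with one of two fixed whitelists; "nolinks"
 * omits <a> and is meant for content that has not been approved yet.
 * Allowed URL protocols are http, https, ftp and mailto.
 *
 * @param string $in          HTML to filter.
 * @param mixed  $allowedtags 'nolinks' selects the restricted list; anything else the default.
 * @return string Filtered HTML.
 */
function smarty_modifier_kses($in, $allowedtags = FALSE)
{
    // Attributes have to be whitelist *keys* ('title' => array()). A bare
    // list entry such as array('title') registers an attribute named "0",
    // so the title the original meant to allow was being stripped.
    $common = array(
        'b' => array(),
        'i' => array(),
        'strong' => array(),
        'code' => array(),
        'acronym' => array('title' => array()),
        'abbr' => array('title' => array()),
        'blockquote' => array('cite' => array()),
    );
    if ($allowedtags === 'nolinks') {
        /* TODO: there is no way yet to give a multi-dimensional whitelist as
           a modifier parameter (e.g. "a(href,title),b,i,blockquote(cite)");
           until then 'nolinks' selects a fixed 'safe' list for unapproved
           comments. */
        $allowed_html = $common;
    } else {
        $allowed_html = $common + array(
            'a' => array(
                'href' => array('maxlen' => 300),
                'title' => array(),
                'rel' => array('minlen' => 3, 'maxlen' => 250),
            ),
        );
    }
    return kses($in, $allowed_html, array('http', 'https', 'ftp', 'mailto'));
}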
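/**
 * Kses filtering of tags, called on a plugin hook.
 *
 * Loads vendors/kses/kses.php three directories above this file and filters
 * $returnvalue (a string, or each element of an array) with
 * $CONFIG->allowedtags and $CONFIG->allowedprotocols. If the library cannot
 * be loaded the value is returned unchanged.
 *
 * @param string $hook        Hook name (unused).
 * @param string $entity_type Entity type (unused).
 * @param mixed  $returnvalue String, or array of strings, to filter.
 * @param mixed  $params      Hook parameters (unused).
 * @return mixed Filtered value with the same shape as $returnvalue.
 */
function kses_filter_tags($hook, $entity_type, $returnvalue, $params)
{
    $ksesFile = dirname(dirname(dirname(__FILE__))) . "/vendors/kses/kses.php";
    // Explicit existence check instead of @include_once, so that errors
    // raised while including the file are no longer silenced.
    if (!is_file($ksesFile) || !(include_once $ksesFile)) {
        return $returnvalue;
    }

    global $CONFIG;
    $allowedtags = $CONFIG->allowedtags;
    $allowedprotocols = $CONFIG->allowedprotocols;

    if (!is_array($returnvalue)) {
        return kses($returnvalue, $allowedtags, $allowedprotocols);
    }
    $return = array();
    foreach ($returnvalue as $key => $el) {
        $return[$key] = kses($el, $allowedtags, $allowedprotocols);
    }
    return $return;
}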
OpenTable(); echo "<div align=center class=title>" . _ENTRYADDED . "</div><br><br>"; echo "<div align=center> [ <a href=\"modules.php?name={$module_name}&file=edit\">" . _RETURNJOURNAL . "</a> ]</div>"; CloseTable(); $username = $cookie[1]; $user = filter($user, "nohtml"); $username = filter($username, "nohtml"); $sitename = filter($sitename, "nohtml"); $title = filter($title, "nohtml"); $title = addslashes($title); if (isset($mood)) { $mood = filter($mood, "nohtml"); } else { $mood = ""; } $jbodytext = kses(ADVT_stripslashes($jbodytext), $allowed); $jbodytext = addslashes($jbodytext); $sql = "INSERT INTO " . $prefix . "_journal (jid,aid,title,bodytext,mood,pdate,ptime,status,mtime,mdate) VALUES (NULL,'{$username}','{$title}','{$jbodytext}','{$mood}','{$pdate}','{$ptime}','{$status}','{$mtime}','{$ndate}')"; $db->sql_query($sql); update_points(1); $sql = "SELECT * FROM " . $prefix . "_journal_stats WHERE joid = '{$username}'"; $result = $db->sql_query($sql); $row_count = $db->sql_numrows($result); if ($row_count == 0) { $query = "INSERT INTO " . $prefix . "_journal_stats (id,joid,nop,ldp,ltp,micro) VALUES ('','{$username}','1',now(),'{$mtime}',now())"; $db->sql_query($query); } else { $row = $db->sql_fetchrow($result); $nnop = $row['nop']; $nnnop = $nnop + 1; $micro = date("U");
/**
 * Cleans HTML text filter
 *
 * @param string $html HTML to clean
 * @param int $mode (optional) whitelist selector passed to HTML_QuickForm_Rule_HTML::get_allowed_tags()
 * @return string The cleaned HTML
 */
function html_filter($html, $mode = NO_HTML)
{
    return kses($html, HTML_QuickForm_Rule_HTML::get_allowed_tags($mode));
}
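/**
 * Requests the message history of $id.$pp over the global $sock connection
 * and parses the reply into an array of messages.
 *
 * Protocol as read here: a status line (>= 400 means failure), then per
 * message a "from ..." line, a line whose text starts at offset 12 (sent
 * time), two further lines, the message body up to a "223 " line, and one
 * trailing line; the list ends with a "231 " line. Bodies are filtered with
 * kses() against a small whitelist before being returned.
 *
 * @param mixed $id
 * @param mixed $pp
 * @param int   $lenght Number of entries requested.
 * @param int   $offset Offset of the first entry.
 * @return array|false List of array('msg', 'time', 'from'), or false on a
 *                     failure status or a dropped connection.
 */
function rmsViewHistory($id, $pp, $lenght = 10, $offset = 0)
{
    global $sock;
    $result = array();

    // The arguments are interpolated verbatim into a CRLF-terminated command
    // line; callers should make sure they contain no "\r" or "\n".
    $cmd = "HISTORY " . $id . "." . $pp . " " . $lenght . " " . $offset . "\r\n";
    sendData($cmd);

    $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
    // The status is compared numerically (the original compared a string
    // against 400); a read failure is treated like an error status.
    if ($packet === false || (int) substr($packet, 0, 3) >= 400) {
        return false;
    }

    // kses input filtering
    $allowed = array(
        'b' => array(),
        'i' => array(),
        'a' => array('href' => 1, 'title' => 1),
        'p' => array('align' => 1),
        'br' => array(),
        'font' => array('size' => 1, 'color' => 1, 'face' => 1),
    );

    // Every read is guarded against false so a closed socket ends the loop
    // instead of spinning forever.
    while ($packet !== false && !preg_match("/^231 /", $packet)) {
        $msg = "";
        $from = preg_match("/from (.*)/", $packet, $header) ? $header[1] : "";

        $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
        $snttime = substr((string) $packet, 12);
        $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
        $packet = socket_read($sock, 1024, PHP_NORMAL_READ);

        while ($packet !== false && !preg_match("/^223 /", $packet)) {
            $msg .= (($msg != "") ? "<br/>" : "") . $packet;
            $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
        }
        if ($packet === false) {
            return false;
        }

        // The original stripslashes()'d $msg under get_magic_quotes_gpc(),
        // which only ever applied to request data and no longer exists in
        // PHP 8; socket data is used as received.
        $result[] = array(
            'msg' => kses($msg, $allowed),
            'time' => trim($snttime),
            'from' => trim($from),
        );
        $packet = socket_read($sock, 1024, PHP_NORMAL_READ);
    }
    if ($packet === false) {
        return false;
    }
    return $result;
}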
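/**
 * Saves the edit form for page $id.
 *
 * Page fields come from $_POST['page'], parts from $_POST['part'] and tags
 * from $_POST['page_tag']['tags']. Afterwards the request is redirected to
 * the page list ("save and quit", $_POST['commit'] set) or back to the
 * edit form.
 *
 * NOTE(review): no CSRF token is validated in this handler, unlike the
 * _store() variant elsewhere in this listing which checks
 * $_POST['csrf_token'].
 *
 * @param mixed $id Id of the page being edited.
 * @return void
 */
private function _edit($id)
{
    $data = isset($_POST['page']) && is_array($_POST['page']) ? $_POST['page'] : array();
    $page = Record::findByIdFrom('Page', $id);

    // need to do this because the use of a checkbox
    $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;

    /**
     * Make sure the title doesn't contain HTML
     *
     * @todo Replace this by HTML Purifier?
     */
    if (Setting::get('allow_html_title') == 'off') {
        use_helper('Kses');
        $title = isset($data['title']) ? $data['title'] : '';
        $data['title'] = kses(trim($title), array());
    }

    $page->setFromData($data);

    if (!$page->save()) {
        Flash::set('error', __('Page has not been saved!'));
        redirect(get_url('page/edit/' . $id));
        return;
    }

    // update parts
    $page->parts = isset($_POST['part']) ? $_POST['part'] : null;
    // save tags
    $page->setTags(isset($_POST['page_tag']['tags']) ? $_POST['page_tag']['tags'] : null);
    Flash::set('success', __('Page has been saved!'));

    // save and quit or save and continue editing ?
    if (isset($_POST['commit'])) {
        redirect(get_url('page'));
    } else {
        redirect(get_url('page/edit/' . $id));
    }
}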
/**
 * Renders comment text to HTML.
 *
 * Applies the text processor named by
 * $ratatoeskr_settings["comment_textprocessor"], then filters the result
 * through kses() with a fixed whitelist of tags and attributes.
 *
 * @param string $text Raw comment text.
 * @return string Filtered HTML.
 */
public static function htmlize_comment_text($text)
{
    global $ratatoeskr_settings;

    // Tags allowed without any attribute.
    $plainTags = array(
        "b", "i", "u", "strong", "em", "br", "abbr", "acronym", "code", "pre",
        "h1", "h2", "h3", "h4", "h5", "h6", "s", "samp", "ul", "ol", "li",
        "del", "ins", "dl", "dd", "dt", "dfn", "div", "dir", "strike", "sub",
        "sup", "tbody", "thead", "tfoot", "tr", "tt", "var",
    );
    $allowed = array_fill_keys($plainTags, array());

    // Tags with an attribute whitelist.
    $allowed["a"] = array("href" => 1, "hreflang" => 1, "title" => 1, "rel" => 1, "rev" => 1);
    $allowed["p"] = array("align" => 1);
    $allowed["blockquote"] = array("cite" => 1);
    $allowed["img"] = array("src" => 1, "alt" => 1, "width" => 1, "height" => 1);
    $allowed["q"] = array("cite" => 1);
    $allowed["kbd"] = array("prompt" => 1);
    // NOTE(review): the value of the style attribute is not inspected here;
    // confirm the kses build in use is acceptable for inline CSS in comments.
    $allowed["table"] = array("style" => 1);
    $allowed["td"] = array("colspan" => 1, "rowspan" => 1);
    $allowed["th"] = array("colspan" => 1, "rowspan" => 1);

    $processed = textprocessor_apply($text, $ratatoeskr_settings["comment_textprocessor"]);
    return kses($processed, $allowed);
}
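/**
 * Fetches one feed (numeric $id) or every non-deleted feed and merges new
 * or changed items into the item table.
 *
 * Item descriptions are filtered through kses() with the whitelist from
 * getConfig('rss.input.allowed'); titles and authors are stripped of tags.
 * Items whose URL is 255 characters or longer are skipped. Per feed, the
 * ids of the items seen are serialized into the channel's itemsincache.
 *
 * @param mixed $id Channel id, or "" for all channels.
 * @return array Two elements: a status (the Magpie origin flags of the
 *               single fetched feed, a Magpie error when that single fetch
 *               failed, or -1) and the list of inserted/updated item ids.
 */
function update($id)
{
    $kses_allowed = getConfig('rss.input.allowed'); //getAllowedTags();
    $updatedIds = array();
    // is_numeric() is what guards the raw interpolation of $id into SQL below.
    $singleFeed = ($id != "" && is_numeric($id));

    $sql = "select id, url, title, mode from " . getTable("channels");
    if ($singleFeed) {
        $sql .= " where id={$id}";
        $sql .= " and not(mode & " . RSS_MODE_DELETED_STATE . ") ";
    } else {
        $sql .= " where not(mode & " . RSS_MODE_DELETED_STATE . ") ";
    }
    if (getConfig('rss.config.absoluteordering')) {
        $sql .= " order by parent, position";
    } else {
        $sql .= " order by parent, title";
    }
    $res = rss_query($sql);

    // Last fetched feed; initialised so the final check is defined even when
    // no channel matched the query.
    $rss = false;
    while (list($cid, $url, $title, $mode) = rss_fetch_row($res)) {
        // suppress warnings because Magpie is rather noisy
        $old_level = error_reporting(E_ERROR);
        $rss = fetch_rss($url);
        //reset
        error_reporting($old_level);

        if (!$rss && $singleFeed) {
            return array(magpie_error(), array());
        } elseif (!$rss || !($rss->rss_origin & MAGPIE_FEED_ORIGIN_HTTP_200)) {
            continue; // no need to do anything if we do not get a 200 OK from the feed
        }

        // base URL for items in this feed; a feed without a link is invalid,
        // fall back to the feed URL itself.
        $baseUrl = array_key_exists('link', $rss->channel) ? $rss->channel['link'] : $url;

        // Keep track of guids we've handled, because some feeds (hello,
        // Technorati!) have this insane habit of serving the same item
        // twice in the same feed.
        $guids = array();

        // Allow updates in this feed?
        $allowUpdates = getProperty($cid, 'rss.input.allowupdates');
        if ($allowUpdates === null) {
            $allowUpdates = getConfig('rss.input.allowupdates');
        }

        $itemIdsInFeed = array(); // item ids of the elements in this feed

        foreach ($rss->items as $item) {
            $item = rss_plugin_hook('rss.plugins.rssitem', $item);
            // a plugin might delete this item
            if (!isset($item)) {
                continue;
            }

            // item title: strip out html tags
            $title = array_key_exists('title', $item) ? strip_tags($item['title']) : "";

            // item content, if any
            if (array_key_exists('content', $item) && is_array($item['content']) && array_key_exists('encoded', $item['content'])) {
                $description = $item['content']['encoded'];
            } elseif (array_key_exists('description', $item)) {
                $description = $item['description'];
            } elseif (array_key_exists('atom_content', $item)) {
                $description = $item['atom_content'];
            } elseif (array_key_exists('summary', $item)) {
                $description = $item['summary'];
            } else {
                $description = "";
            }

            $md5sum = "";
            $guid = "";
            if (array_key_exists('guid', $item) && $item['guid'] != "") {
                $guid = $item['guid'];
            } elseif (array_key_exists('id', $item) && $item['id'] != "") {
                $guid = $item['id'];
            }
            $guid = rss_real_escape_string(trim($guid));

            // skip this one if it's an in-feed-dupe
            if ($guid && isset($guids[$guid])) {
                continue;
            } elseif ($guid) {
                $guids[$guid] = true;
            }

            if ($description != "") {
                // Checksum of the unfiltered content; used below to detect edits.
                $md5sum = md5($description);
                $description = kses($description, $kses_allowed); // strip out tags
                if ($baseUrl != "") {
                    $description = relative_to_absolute($description, $baseUrl);
                }
            }
            // Now let plugins modify the description
            $description = rss_plugin_hook('rss.plugins.import.description', $description);

            // link
            if (array_key_exists('link', $item) && $item['link'] != "") {
                $url = $item['link'];
            } elseif (array_key_exists('guid', $item) && $item['guid'] != "") {
                $url = $item['guid'];
            } elseif (array_key_exists('link_', $item) && $item['link_'] != "") {
                $url = $item['link_'];
            } else {
                // fall back to something basic
                $url = md5($title);
            }
            // make sure the url is properly escaped
            $url = rss_real_escape_string(htmlentities($url, ENT_QUOTES));

            // author
            if (array_key_exists('dc', $item) && array_key_exists('creator', $item['dc'])) {
                // RSS 1.0
                $author = $item['dc']['creator'];
            } elseif (array_key_exists('author_name', $item)) {
                // Atom 0.3
                $author = $item['author_name'];
            } else {
                $author = "";
            }
            $author = trim(strip_tags($author));

            // pubdate
            $cDate = -1;
            if (array_key_exists('dc', $item) && array_key_exists('date', $item['dc'])) {
                // RSS 1.0
                $cDate = parse_w3cdtf($item['dc']['date']);
            } elseif (array_key_exists('pubdate', $item)) {
                // RSS 2.0 (?)
                // We use the second param of strtotime here as a workaround
                // of a PHP bug with strtotime. If the pubdate field doesn't
                // contain seconds, the strtotime function will use the current
                // time to fill in seconds in PHP4. This interferes with the
                // update mechanism of gregarius. See ticket #328 for the full
                // gory details. Giving a known date as a second param to
                // strtotime fixes this problem, hence the 0 here.
                $cDate = strtotime($item['pubdate'], 0);
            } elseif (array_key_exists('published', $item)) {
                // atom 1.0
                $cDate = parse_iso8601($item['published']);
            } elseif (array_key_exists('issued', $item)) {
                //Atom, alternative
                $cDate = parse_iso8601($item['issued']);
            } elseif (array_key_exists('updated', $item)) {
                //Atom, alternative
                $cDate = parse_iso8601($item['updated']);
            } elseif (array_key_exists('created', $item)) {
                // atom 0.3
                $cDate = parse_iso8601($item['created']);
            }

            // enclosure
            if (array_key_exists('enclosure@url', $item)) {
                $enclosure = $item['enclosure@url'];
                // If the enclosure is an image, append it to the content
                // but only if it isn't there yet. Identity comparison: the
                // original's "FALSE == strpos()" treated a match at offset 0
                // as "not found" and added the image twice.
                if ($enclosure && array_key_exists('enclosure@type', $item) && preg_match('#image/(png|gif|jpe?g)#', $item['enclosure@type']) && false === strpos($description, $enclosure)) {
                    // The URL is inserted after the kses() pass, so it is
                    // escaped for the attribute context here.
                    $description = '<img src="' . htmlspecialchars($enclosure, ENT_QUOTES) . '" alt="" />' . $description;
                    $enclosure = '';
                }
            } else {
                $enclosure = "";
            }

            // drop items with an url exceeding our column length: we couldn't provide a
            // valid link back anyway.
            if (strlen($url) >= 255) {
                continue;
            }

            // Truncate the title *before* escaping it: cutting the escaped
            // form could end on a lone backslash and break the quoted literal.
            if (strlen($title) >= 255) {
                $title = substr($title, 0, 254);
            }
            $dbtitle = rss_real_escape_string($title);

            $sec = ($cDate > 0) ? "FROM_UNIXTIME({$cDate})" : "null";

            // check whether we already have this item
            if ($guid) {
                $sql = "select id,unread, md5sum, guid, pubdate from " . getTable("item") . " where cid={$cid} and guid='{$guid}'";
            } else {
                $sql = "select id,unread, md5sum, guid, pubdate from " . getTable("item") . " where cid={$cid} and url='{$url}' and title='{$dbtitle}'" . " and (pubdate is NULL OR pubdate={$sec})";
            }
            $subres = rss_query($sql);
            list($indb, $state, $dbmd5sum, $dbGuid, $dbPubDate) = rss_fetch_row($subres);

            if ($indb) {
                $itemIdsInFeed[] = $indb;
                // Checksums compared as strings: a loose != would treat two
                // hex digests of the form "0e..." as numerically equal.
                if (!($state & RSS_MODE_DELETED_STATE) && (string) $md5sum !== (string) $dbmd5sum) {
                    // the md5sums do not match.
                    if ($allowUpdates) {
                        // Are we allowed update items in the db?
                        list($cid, $indb, $description) = rss_plugin_hook('rss.plugins.items.updated', array($cid, $indb, $description));
                        $sql = "update " . getTable("item") . " set " . " description='" . rss_real_escape_string($description) . "', " . " unread = unread | " . RSS_MODE_UNREAD_STATE . ", md5sum='{$md5sum}'" . " where cid={$cid} and id={$indb}";
                        rss_query($sql);
                        $updatedIds[] = $indb;
                        continue;
                    }
                }
            } else {
                // $indb = "" . This must be new item then. In you go.
                list($cid, $dbtitle, $url, $description) = rss_plugin_hook('rss.plugins.items.new', array($cid, $dbtitle, $url, $description));
                $sql = "insert into " . getTable("item") . " (cid, added, title, url, enclosure," . " description, author, unread, pubdate, md5sum, guid) " . " values (" . "{$cid}, now(), '{$dbtitle}', " . " '{$url}', '" . rss_real_escape_string($enclosure) . "', '" . rss_real_escape_string($description) . "', '" . rss_real_escape_string($author) . "', " . "{$mode}, {$sec}, '{$md5sum}', '{$guid}')";
                rss_query($sql);
                $newIid = rss_insert_id();
                $itemIdsInFeed[] = $newIid;
                $updatedIds[] = $newIid;
                rss_plugin_hook('rss.plugins.items.newiid', array($newIid, $item, $cid));
            }
        } // end handling of all the items in this feed

        $sql = "update " . getTable("channels") . " set " . " itemsincache = '" . serialize($itemIdsInFeed) . "' where id={$cid}";
        rss_query($sql);
    } // end handling all the feeds we were asked to handle

    if ($singleFeed) {
        if ($rss) {
            // when everything went well, return the error code
            // and number of new items
            return array($rss->rss_origin, $updatedIds);
        }
        return array(-1, array());
    }
    return array(-1, $updatedIds);
}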
/**
 * Returns truncated html formatted content
 *
 * Cuts $articlecontent to roughly $shorten characters while trying to keep
 * the result well-formed: the cut point is pushed past open tags (checked by
 * filtering the candidate with kses() against the 'allowed_tags' whitelist)
 * for up to five rounds, a dangling open tag string is dropped, and the
 * result is repaired with tidy when the extension exists, otherwise with
 * cleanHTML().
 *
 * @param string $articlecontent the source string
 * @param int $shorten new size
 * @param string $shortenindicator
 * @param bool $forceindicator set to true to include the indicator no matter what
 * @return string
 */
function shortenContent($articlecontent, $shorten, $shortenindicator, $forceindicator = false)
{
    global $_user_tags;
    if ($shorten && ($forceindicator || mb_strlen($articlecontent) > $shorten)) {
        $allowed_tags = getAllowedTags('allowed_tags');
        //remove script to be replaced later
        // NOTE(review): the script blocks are removed but never captured in
        // this function, so the "replace the script text" loop at the end
        // (guarded by isset($matches)) cannot run.
        $articlecontent = preg_replace('~<script.*?/script>~is', '', $articlecontent);
        //remove HTML comments
        $articlecontent = preg_replace('~<!--.*?-->~is', '', $articlecontent);
        $short = mb_substr($articlecontent, 0, $shorten);
        // A shorter kses() result means the cut landed inside a tag that was
        // then dropped; extend the cut point and try again.
        $short2 = kses($short . '</p>', $allowed_tags);
        if (($l2 = mb_strlen($short2)) < $shorten) {
            $c = 0;
            $l1 = $shorten;
            $delta = $shorten - $l2;
            while ($l2 < $shorten && $c++ < 5) {
                $open = mb_strrpos($short, '<');
                if ($open > mb_strrpos($short, '>')) {
                    // inside a tag: move past its closing '>'
                    $l1 = mb_strpos($articlecontent, '>', $l1 + 1) + $delta;
                } else {
                    $l1 = $l1 + $delta;
                }
                $short = mb_substr($articlecontent, 0, $l1);
                preg_match_all('/(<p>)/', $short, $open);
                preg_match_all('/(<\\/p>)/', $short, $close);
                // NOTE(review): preg_match_all() always fills two entries
                // here (whole match and group), so count($open) and
                // count($close) are both 2 and this condition never holds;
                // the match counts are count($open[0]) and count($close[0]).
                if (count($open) > count($close)) {
                    $short .= '</p>';
                }
                $short2 = kses($short, $allowed_tags);
                $l2 = mb_strlen($short2);
            }
            $shorten = $l1;
        }
        $short = truncate_string($articlecontent, $shorten, '');
        if ($short != $articlecontent) {
            // we actually did remove some stuff
            // drop open tag strings
            $open = mb_strrpos($short, '<');
            if ($open > mb_strrpos($short, '>')) {
                $short = mb_substr($short, 0, $open);
            }
            if (class_exists('tidy')) {
                $tidy = new tidy();
                $tidy->parseString($short . $shortenindicator, array('show-body-only' => true), 'utf8');
                $tidy->cleanRepair();
                $short = trim($tidy);
            } else {
                $short = trim(cleanHTML($short . $shortenindicator));
            }
        }
        $articlecontent = $short;
    }
    if (isset($matches)) {
        //replace the script text
        foreach ($matches[0] as $script) {
            $articlecontent = $script . $articlecontent;
        }
    }
    return $articlecontent;
}
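/**
 * Internal "helper" function to apply the tag removal
 *
 * Uses kses() when it is defined; otherwise removes <script>/<style>
 * blocks and HTML comments, strips every remaining tag and decodes the
 * entities with html_decode().
 *
 * @param string $input_string
 * @param array $allowed_tags whitelist for kses(); the fallback ignores it and strips all tags
 * @return string
 */
function ksesProcess($input_string, $allowed_tags)
{
    if (function_exists('kses')) {
        return kses($input_string, $allowed_tags);
    }
    $input_string = preg_replace('~<script.*?/script>~is', '', $input_string);
    $input_string = preg_replace('~<style.*?/style>~is', '', $input_string);
    $input_string = preg_replace('~<!--.*?-->~is', '', $input_string);
    // The original put strip_tags() output into an unused local, so tags
    // survived the fallback path.
    $input_string = strip_tags($input_string);
    // NOTE(review): as shown in this listing the replacement maps a space to
    // a space; the source may have carried a non-breaking space here — verify.
    $input_string = str_replace(' ', ' ', $input_string);
    return html_decode($input_string);
}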
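/**
 * Sanitises a string according to $sanitize_level.
 *
 * Levels are compared strictly, so the argument must be an int:
 *   0 - replace NUL bytes with spaces only;
 *   1 - kses() with the whitelist parsed from getOption('allowed_tags');
 *   2 - kses() with an empty whitelist (all tags removed);
 *   3 - same as 2;
 *   any other value - the string is returned unchanged.
 *
 * @param string $input_string
 * @param int $sanitize_level
 * @return string
 */
function sanitize_string($input_string, $sanitize_level)
{
    // get_magic_quotes_gpc() was removed in PHP 8; only call it where it exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }
    if ($sanitize_level === 0) {
        return str_replace(chr(0), " ", $input_string);
    }
    if ($sanitize_level === 1) {
        $allowed = parseAllowedTags("(" . getOption('allowed_tags') . ")");
        if ($allowed === false) {
            $allowed = array();
        }
        return kses($input_string, $allowed);
    }
    if ($sanitize_level === 2 || $sanitize_level === 3) {
        // Full sanitation. Strips all code.
        return kses($input_string, array());
    }
    return $input_string;
}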
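/**
 * Executed through the Observer system each time a page is found.
 *
 * Stores the comment posted in $_POST['comment'] for $page after checking
 * the optional captcha against $_SESSION['security_number'], that comments
 * are open for the page, that author name, e-mail and body are non-blank and
 * that the e-mail matches the address pattern. The body is filtered with
 * kses() against a small whitelist; the other fields are stripped of tags.
 * Returns silently when any check fails.
 *
 * @global object $__CMS_CONN__ Database connection.
 * @param Page $page The object instance for the page that was found.
 * @return void
 */
function comment_save(&$page)
{
    // Check if we need to save a comment
    if (!isset($_POST['comment']) || !is_array($_POST['comment'])) {
        return;
    }
    $data = $_POST['comment'];

    $captcha = Plugin::getSetting('use_captcha', 'comment');
    if ($captcha && $captcha == '1') {
        $expected = isset($_SESSION['security_number']) ? (string) $_SESSION['security_number'] : '';
        // Compared as strings (the original used a loose !=) so numeric-looking
        // answers such as "1e1" are not accepted for "10".
        if ($expected === '' || !isset($data['secure']) || !is_scalar($data['secure']) || (string) $data['secure'] !== $expected) {
            return;
        }
    }

    if ($page->comment_status != Comment::OPEN) {
        return;
    }

    // Required fields must be present and non-blank.
    foreach (array('author_name', 'author_email', 'body') as $field) {
        if (!isset($data[$field]) || !is_scalar($data[$field]) || trim($data[$field]) == '') {
            return;
        }
    }
    if (!preg_match('/[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+(?:\\.[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+)*\\@[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+(?:\\.[^\\x00-\\x20()<>@,;:\\".[\\]\\x7f-\\xff]+)+/i', $data['author_email'])) {
        return;
    }

    use_helper('Kses');
    $allowed_tags = array(
        'a' => array('href' => array(), 'title' => array()),
        'abbr' => array('title' => array()),
        'acronym' => array('title' => array()),
        'b' => array(),
        'blockquote' => array('cite' => array()),
        'br' => array(),
        'code' => array(),
        'em' => array(),
        'i' => array(),
        'p' => array(),
        'strike' => array(),
        'strong' => array(),
    );
    $auto_approve_comment = Plugin::getSetting('auto_approve_comment', 'comment');

    // Check for and correct problems with website link (optional field)
    $author_link = isset($data['author_link']) && is_scalar($data['author_link']) ? (string) $data['author_link'] : '';
    if ($author_link !== '' && strpos($author_link, 'http://') !== 0 && strpos($author_link, 'https://') !== 0) {
        $author_link = 'http://' . $author_link;
    }

    // NOTE(review): the stored ip is the posted form field author_ip, not the
    // request's remote address, so it is whatever the client chose to send.
    $author_ip = isset($data['author_ip']) && is_scalar($data['author_ip']) ? (string) $data['author_ip'] : '';

    global $__CMS_CONN__;
    // Every value, including the page id, goes through the driver's quote().
    $sql = 'INSERT INTO ' . TABLE_PREFIX . 'comment (page_id, author_name, author_email, author_link, ip, body, is_approved, created_on) VALUES ('
        . $__CMS_CONN__->quote($page->id) . ', '
        . $__CMS_CONN__->quote(strip_tags($data['author_name'])) . ', '
        . $__CMS_CONN__->quote(strip_tags($data['author_email'])) . ', '
        . $__CMS_CONN__->quote(strip_tags($author_link)) . ', '
        . $__CMS_CONN__->quote($author_ip) . ', '
        . $__CMS_CONN__->quote(kses($data['body'], $allowed_tags)) . ', '
        . $__CMS_CONN__->quote($auto_approve_comment) . ', '
        . $__CMS_CONN__->quote(date('Y-m-d H:i:s')) . ')';
    $__CMS_CONN__->exec($sql);

    // @todo FIXME - If code above used Comment object for saving data there would be
    // no need to reload it from database. Using lastInsertId() is unreliable anyway.
    $comment = Comment::findById(Record::lastInsertId());
    Observer::notify('comment_after_add', $comment);

    // Skip the statistics event when the reload did not yield a comment.
    if ($comment && Plugin::isEnabled('statistics_api')) {
        $event = array(
            'event_type' => 'comment_added',
            'description' => __('A comment was added.'),
            'ipaddress' => $comment->ip,
            'username' => $comment->author_name,
        );
        Observer::notify('stats_comment_after_add', $event);
    }
}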
/** * Runs checks and stores a page. * * @param string $action What kind of action this is: add or edit. * @param mixed $id Page to edit if any. */ private function _store($action, $id = false) { // Sanity checks if ($action == 'edit' && !$id) { throw new Exception('Trying to edit page when $id is false.'); } use_helper('Validate'); $data = $_POST['page']; $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0; Flash::set('post_data', (object) $data); $pagesetting = array(); //For homepage info & about page info okstmtcc if ($id == 1 || $id == 4) { $upload = $_POST['upload']; $pagesetting = $_POST['pagesetting']; //Flash::set('post_settingdata', (object) $pagesetting); } // Add pre-save checks here $errors = false; $error_fields = false; // CSRF checks if (isset($_POST['csrf_token'])) { $csrf_token = $_POST['csrf_token']; $csrf_id = ''; if ($action === 'edit') { $csrf_id = '/' . $id; } if (!SecureToken::validateToken($csrf_token, BASE_URL . 'page/' . $action . $csrf_id)) { $errors[] = __('Invalid CSRF token found!'); } } else { $errors[] = __('No CSRF token found!'); } $data['title'] = trim($data['title']); if (empty($data['title'])) { $error_fields[] = __('Page Title'); } /** homepage setting check okstmtcc **/ if ($id == 1) { /** homepage page title **/ if (empty($pagesetting['homepage_discover_title'])) { $error_fields[] = __('Homepage Title'); } if (empty($pagesetting['homepage_discover_teaser'])) { $error_fields[] = __('Homepage Teaser'); } /** highlight 1 **/ // if (empty($pagesetting['highlight_title'])){ // $error_fields[] = __('Highlight 1´s Title'); // } // if (empty($pagesetting['highlight_text1'])){ // $error_fields[] = __('Highlight 1´s Text 1'); // } // if (empty($pagesetting['highlight_url'])){ // $error_fields[] = __('Highlight 1´s Read More URL'); // } // $pagesetting_ori = PageSetting::init(); // if (isset($_FILES)) { // if(empty($_FILES['upload_highlight_image']['name'])){ // $pagesetting['highlight_image'] = 
$pagesetting_ori->highlight_image; // } else { // $pagesetting['highlight_image'] = $_FILES['upload_highlight_image']['name']; // } // } else { // $pagesetting['highlight_image'] = $pagesetting_ori->highlight_image; // } // if (empty($pagesetting['highlight_image'])){ // $error_fields[] = __('Highlight 1´s Image'); // } // /** highlight 2 **/ // if (empty($pagesetting['highlight2_title'])){ // $error_fields[] = __('Highlight 2´s Title'); // } // if (empty($pagesetting['highlight2_text1'])){ // $error_fields[] = __('Highlight 2´s Text 1'); // } // if (empty($pagesetting['highlight2_url'])){ // $error_fields[] = __('Highlight 2´s Read More URL'); // } // if (isset($_FILES)) { // if(empty($_FILES['upload_highlight2_image']['name'])){ // $pagesetting['highlight2_image'] = $pagesetting_ori->highlight2_image; // } else { // $pagesetting['highlight2_image'] = $_FILES['upload_highlight2_image']['name']; // } // } else { // $pagesetting['highlight2_image'] = $pagesetting_ori->highlight2_image; // } // if (empty($pagesetting['highlight2_image'])){ // $error_fields[] = __('Highlight 2´s Image'); // } // if (isset($_FILES)) { // if(empty($_FILES['upload_newdev_image']['name'])){ // $pagesetting['newdev_image'] = $pagesetting_ori->newdev_image; // } else { // $pagesetting['newdev_image'] = $_FILES['upload_newdev_image']['name']; // } // } else { // $pagesetting['newdev_image'] = $pagesetting_ori->newdev_image; // } // if (empty($pagesetting['newdev_image'])){ // $error_fields[] = __('New Development Image'); // } } /** homepage setting check okstmtcc **/ $data['slug'] = !empty($data['slug']) ? 
trim($data['slug']) : ''; if (empty($data['slug']) && $id != '1') { $error_fields[] = __('Slug'); } else { if ($data['slug'] == ADMIN_DIR) { $errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR)); } if (!Validate::slug($data['slug']) && (!empty($data['slug']) && $id == '1')) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug')); } } // Check all numerical fields for a page $fields = array('parent_id', 'layout_id', 'needs_login'); foreach ($fields as $field) { if (!Validate::digit($data[$field])) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field)); } } // Check all date fields for a page $fields = array('created_on', 'published_on', 'valid_until'); foreach ($fields as $field) { if (isset($data[$field])) { $data[$field] = trim($data[$field]); if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field)); } } } // Check all time fields for a page $fields = array('created_on_time', 'published_on_time', 'valid_until_time'); foreach ($fields as $field) { if (isset($data[$field])) { $data[$field] = trim($data[$field]); if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field)); } } } // Check alphanumerical fields $fields = array('keywords', 'description'); foreach ($fields as $field) { use_helper('Kses'); $data[$field] = kses(trim($data[$field]), array()); /* if (!empty($data[$field]) && !Validate::alpha_comma($data[$field])) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field)); } * */ } // Check behaviour_id field if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 
'behaviour_id')); } // Make sure the title doesn't contain HTML if (Setting::get('allow_html_title') == 'off') { use_helper('Kses'); $data['title'] = kses(trim($data['title']), array()); } // Create the page object to be manipulated and populate data if ($action == 'add') { $page = new Page($data); } else { $page = Record::findByIdFrom('Page', $id); $page->setFromData($data); } // Upon errors, rebuild original page and return to screen with errors if (false !== $errors || $error_fields !== false) { $tags = $_POST['page_tag']; // Rebuild time fields if (isset($page->created_on) && isset($page->created_on_time)) { $page->created_on = $page->created_on . ' ' . $page->created_on_time; } if (isset($page->published_on) && isset($page->published_on_time)) { $page->published_on = $page->published_on . ' ' . $page->published_on_time; } if (isset($page->valid_until)) { $page->valid_until = $page->valid_until . ' ' . $page->valid_until_time; } // Rebuild parts $part = ''; if (!empty($_POST['part'])) { $part = $_POST['part']; $tmp = false; foreach ($part as $key => $val) { $tmp[$key] = (object) $val; } $part = $tmp; } // Set the errors to be displayed. $err_msg = $errors != false ? implode('<br/>', $errors) : ''; $err_msg .= $error_fields != false ? '<br />Please specify these fields: ' . implode(', ', $error_fields) : ''; Flash::setNow('error', $err_msg); //$settingdata = 'aaa'; // display things ... $this->setLayout('backend'); $pagesettingobj = new stdClass(); foreach ($pagesetting as $name => $value) { $pagesettingobj->{$name} = $value; } $this->display('page/edit', array('action' => $action, 'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . 
$action), 'page' => (object) $page, 'pagesetting' => $pagesettingobj, 'tags' => $tags, 'filters' => Filter::findAll(), 'behaviors' => Behavior::findAll(), 'page_parts' => $part, 'layouts' => Record::findAllFrom('Layout'))); } // Notify if ($action == 'add') { Observer::notify('page_add_before_save', $page); } else { Observer::notify('page_edit_before_save', $page); } // Time to actually save the page // @todo rebuild this so parts are already set before save? // @todo determine lazy init impact $page->newwindow = !empty($data['newwindow']) ? '1' : '0'; if ($page->save()) { // Get data for parts of this page $data_parts = $_POST['part']; Flash::set('post_parts_data', (object) $data_parts); if ($action == 'edit') { $old_parts = PagePart::findByPageId($id); // check if all old page part are passed in POST // if not ... we need to delete it! foreach ($old_parts as $old_part) { $not_in = true; foreach ($data_parts as $part_id => $data) { $data['name'] = trim($data['name']); if ($old_part->name == $data['name']) { $not_in = false; // this will not really create a new page part because // the id of the part is passed in $data $part = new PagePart($data); $part->page_id = $id; Observer::notify('part_edit_before_save', $part); $part->save(); Observer::notify('part_edit_after_save', $part); unset($data_parts[$part_id]); break; } } if ($not_in) { $old_part->delete(); } } } // add the new parts foreach ($data_parts as $data) { $data['name'] = trim($data['name']); $part = new PagePart($data); $part->page_id = $page->id; Observer::notify('part_add_before_save', $part); $part->save(); Observer::notify('part_add_after_save', $part); } // save tags $page->saveTags($_POST['page_tag']['tags']); // save homepage banner info okstmtcc if ($id == 1) { // upload home banner image 1, 2 if (isset($_FILES) && !empty($_FILES['upload_banner_image1']['name'])) { //okstmtcc 20150827 Replace image filename spaces $_FILES['upload_banner_image1']['name'] = str_replace(array(" ", "(", ")"), 
array("_", "", ""), $_FILES['upload_banner_image1']['name']); $file = $this->upload_file($_FILES['upload_banner_image1']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_banner_image1']['tmp_name'], $overwrite); if ($file === false) { Flash::set('error', __('Home banner could not be uploaded!')); redirect(get_url('page/edit/1')); } else { $pagesetting['banner_image1'] = $file; } } if (isset($_FILES) && !empty($_FILES['upload_banner_image2']['name'])) { //okstmtcc 20150827 Replace image filename spaces $_FILES['upload_banner_image2']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_banner_image2']['name']); $file = $this->upload_file($_FILES['upload_banner_image2']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_banner_image2']['tmp_name'], $overwrite); if ($file === false) { Flash::set('error', __('Home banner could not be uploaded!')); redirect(get_url('page/edit/1')); } else { $pagesetting['banner_image2'] = $file; } } PageSetting::saveFromData($pagesetting); } // save homepage banner info okstmtcc // save about banner info okstmtcc if ($id == 4) { // upload about page image 1 if (isset($_FILES) && !empty($_FILES['upload_about_image1']['name'])) { //okstmtcc 20150827 Replace image filename spaces $_FILES['upload_about_image1']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_about_image1']['name']); $file = $this->upload_file($_FILES['upload_about_image1']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_about_image1']['tmp_name'], $overwrite); if ($file === false) { Flash::set('error', __('Home banner could not be uploaded!')); redirect(get_url('page/edit/1')); } else { $pagesetting['about_image1'] = $file; } } PageSetting::saveFromData($pagesetting); } // save about banner info okstmtcc Flash::set('success', __('Page has been saved.')); } else { Flash::set('error', __('Page has not been saved!')); $url = 'page/'; $url .= $action == 'edit' ? 'edit/' . 
$id : 'add/'; redirect(get_url($url)); } if ($action == 'add') { Observer::notify('page_add_after_save', $page); } else { Observer::notify('page_edit_after_save', $page); } // save and quit or save and continue editing ? if (isset($_POST['commit'])) { redirect(get_url('page')); } else { redirect(get_url('page/edit/' . $page->id)); } }
/**
 * Internal "helper" function to apply the tag removal.
 *
 * Delegates to kses() when that function is available; otherwise falls back
 * to getBare(), in which case $allowed_tags is not consulted at all.
 *
 * @param string $input_string Raw (untrusted) markup to filter
 * @param array  $allowed_tags Whitelist handed to kses() (element => attributes)
 * @return string Filtered string
 */
function ksesProcess($input_string, $allowed_tags)
{
    $hasKses = function_exists('kses');
    if (!$hasKses) {
        // Fallback path: the whitelist cannot be applied without kses().
        return getBare($input_string);
    }
    return kses($input_string, $allowed_tags);
}
/**
 * Sanitize
 *
 * Runs the field value through kses() so that only the elements and
 * attributes listed in $this->white_list survive; the protocol list passed
 * as the third argument limits URL schemes to http and https. A null value
 * is returned untouched without calling kses(). Critical for security.
 *
 * @api
 * @return mixed The (possibly filtered) field value
 * @since 1.0.0
 */
public function sanitize()
{
    $value = $this->field_value;
    if ($value !== null) {
        // Third argument is the protocol whitelist kses() applies to attribute values.
        $value = kses($value, $this->white_list, array('http', 'https'));
        $this->field_value = $value;
    }
    return $this->field_value;
}
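/**
 * Strip or whitelist HTML in a string according to the requested level.
 *
 * Level 0 only replaces NUL bytes with spaces; level 1 runs kses() with the
 * element whitelist parsed from the 'allowed_tags' option; level 2 runs
 * kses() with an empty whitelist, i.e. removes every tag. Any other level
 * (including 0/1/2 passed as strings, since the comparison is strict)
 * returns the input unchanged apart from the magic-quotes fix-up.
 *
 * @param string $input_string   Untrusted text to sanitize
 * @param int    $sanitize_level 0, 1 or 2 as described above (compared with ===)
 * @return string Sanitized text
 */
function sanitize_string($input_string, $sanitize_level)
{
    require_once dirname(__FILE__) . '/lib-htmlawed.php';

    // get_magic_quotes_gpc() was removed in PHP 8.0; only undo the escaping on
    // runtimes that still have (and enable) magic quotes instead of fataling.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input_string = stripslashes($input_string);
    }

    if ($sanitize_level === 0) {
        // NUL bytes are a classic filter-bypass vector; neutralise them even
        // when no tag filtering is requested.
        $input_string = str_replace(chr(0), " ", $input_string);
    } elseif ($sanitize_level === 1) {
        $allowed_tags = "(" . getOption('allowed_tags') . ")";
        $allowed = parseAllowedTags($allowed_tags);
        if ($allowed === false) {
            // An unparsable option fails closed: allow no tags at all.
            $allowed = array();
        }
        $input_string = kses($input_string, $allowed);
    } elseif ($sanitize_level === 2) {
        // Empty whitelist: every element is removed.
        $input_string = kses($input_string, array());
    }

    return $input_string;
}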
/**
 * Callback for kses_split for fixing malformed HTML tags.
 *
 * This function does a lot of work. It rejects some very malformed things like
 * <:::>. It returns an empty string, if the element isn't allowed (look ma, no
 * strip_tags()!). Otherwise it splits the tag into an element and an attribute
 * list.
 *
 * After the tag is split into an element and an attribute list, it is run
 * through another filter which will remove illegal attributes and once that is
 * completed, will be returned.
 *
 * @access private
 * @uses kses_attr()
 *
 * @param string $string            Content to filter (one tag, or a bare '>')
 * @param array  $allowed_html      Allowed HTML elements (lower-case element => attributes)
 * @param array  $allowed_protocols Allowed protocols to keep
 * @return string Fixed HTML element, or '' when the element is rejected
 */
function kses_split2($string, $allowed_html, $allowed_protocols)
{
    $string = kses_stripslashes($string);

    // Per the original note, anything not starting with '<' is the case where
    // the caller matched a bare '>' — hand it back as literal text.
    if (substr($string, 0, 1) != '<') {
        return '>';
    } // It matched a ">" character

    // HTML comments are kept, but their body is filtered with kses() until the
    // result stops changing, so markup hidden inside a comment cannot survive.
    // Note: without the /s modifier a comment spanning a newline does not match
    // here and is rejected by the element regex below instead.
    if (preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)) {
        $string = str_replace(array('<!--', '-->'), '', $matches[1]);
        // Fixed-point loop: re-filter until a pass leaves the text unchanged.
        while ($string != ($newstring = kses($string, $allowed_html, $allowed_protocols))) {
            $string = $newstring;
        }
        if ($string == '') {
            return '';
        }
        // prevent multiple dashes in comments
        $string = preg_replace('/--+/', '-', $string);
        // prevent three dashes closing a comment
        $string = preg_replace('/-$/', '', $string);
        return "<!--{$string}-->";
    } // Allow HTML comments

    // Split into optional slash, alphanumeric element name and raw attribute
    // list; anything that does not fit this shape is dropped entirely.
    if (!preg_match('%^<\\s*(/\\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
        return '';
    } // It's seriously malformed

    $slash = trim($matches[1]);
    $elem = $matches[2];
    $attrlist = $matches[3];

    // Whitelist lookup is case-insensitive on the element name. (The '@' on
    // isset() is redundant; isset() never raises a notice.)
    if (!@isset($allowed_html[strtolower($elem)])) {
        return '';
    } // They are using a not allowed HTML element

    // Closing tags are rebuilt bare: the attribute list is discarded.
    if ($slash != '') {
        return "<{$slash}{$elem}>";
    } // No attributes are allowed for closing elements

    // Opening tag: attribute filtering is delegated to kses_attr(), which
    // also receives the protocol whitelist.
    return kses_attr("{$slash}{$elem}", $attrlist, $allowed_html, $allowed_protocols);
}
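/**
 * Function to validate HTML.
 *
 * The input is considered valid only if running it through kses() with the
 * whitelist for $mode leaves it unchanged, i.e. it contains no element or
 * attribute the whitelist would strip.
 *
 * @see HTML_QuickForm_Rule
 * @param string $html HTML to check
 * @param mixed  $mode Whitelist mode handed to self::get_allowed_tags(); defaults to NO_HTML
 * @return boolean True if html is valid
 */
function validate($html, $mode = NO_HTML)
{
    // NOTE(review): the original read $fullpage without ever assigning it, so
    // get_allowed_tags() always received null (plus an undefined-variable
    // warning). Made explicit here; confirm what the callee expects.
    $fullpage = null;
    $allowed_tags = self::get_allowed_tags($mode, $fullpage);
    $cleaned_html = kses($html, $allowed_tags);
    // Strict comparison: loose == treats distinct numeric strings such as
    // '1e3' and '1000' as equal, which a validator must never do.
    return $html === $cleaned_html;
}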
<?php if (!AuthUser::hasPermission('administrator,developer,editor')) { header('Location: ' . URL_PUBLIC . ' '); exit; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title><?php use_helper('Kses'); echo kses(Setting::get('admin_title'), array()) . ' - ' . ucfirst($ctrl = Dispatcher::getController(Setting::get('default_tab'))); ?> </title> <base href="<?php echo trim(BASE_URL, '?/') . '/'; ?> " /> <link rel="favourites icon" href="<?php echo URL_PUBLIC; ?> favicon.ico" /> <link href="stylesheets/admin.css" media="screen" rel="Stylesheet" type="text/css" /> <link href="stylesheets/toolbar.css" media="screen" rel="Stylesheet" type="text/css" /> <link href="themes/<?php
/**
 * Runs checks and stores a page.
 *
 * Validates the posted form (CSRF token, title, slug, numeric/date/time
 * fields, behaviour id), strips HTML from keywords/description (and from the
 * title unless the 'allow_html_title' setting permits it), then builds or
 * updates the Page, saves its parts and tags, and redirects. On validation
 * errors the edit form is re-displayed with the errors flashed.
 *
 * @param string $action What kind of action this is: add or edit.
 * @param mixed $id Page to edit if any.
 * @throws Exception When $action is 'edit' but no $id was given.
 */
private function _store($action, $id = false)
{
    // Sanity checks
    if ($action == 'edit' && !$id) {
        throw new Exception('Trying to edit page when $id is false.');
    }
    use_helper('Validate');
    $data = $_POST['page'];
    // Normalise the checkbox to 1/0 so a missing key never reaches the model as null.
    $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
    // Stash the submission (before any of the filtering below) in the flash.
    Flash::set('post_data', (object) $data);
    // Add pre-save checks here
    // Accumulator: false means "no errors". NOTE(review): appending to false is
    // deprecated since PHP 8.1; initialising to array() would avoid the notice.
    $errors = false;
    // CSRF checks: the token is bound to the add/edit URL, matching the string
    // generateToken() is called with when the form is rendered below.
    if (isset($_POST['csrf_token'])) {
        $csrf_token = $_POST['csrf_token'];
        if (!SecureToken::validateToken($csrf_token, BASE_URL . 'page/' . $action)) {
            $errors[] = __('Invalid CSRF token found!');
        }
    } else {
        $errors[] = __('No CSRF token found!');
    }
    $data['title'] = trim($data['title']);
    if (empty($data['title'])) {
        $errors[] = __('You have to specify a title!');
    }
    // An empty slug is tolerated only for page id 1 (presumably the root page).
    $data['slug'] = trim($data['slug']);
    if (empty($data['slug']) && $id != '1') {
        $errors[] = __('You have to specify a slug!');
    } else {
        // The admin directory name is reserved so a page cannot shadow it.
        if ($data['slug'] == ADMIN_DIR) {
            $errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR));
        }
        if (!Validate::slug($data['slug']) && (!empty($data['slug']) && $id == '1')) {
            $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug'));
        }
    }
    // Check all numerical fields for a page
    // NOTE(review): these keys are read without isset(); a missing one raises a notice.
    $fields = array('parent_id', 'layout_id', 'needs_login');
    foreach ($fields as $field) {
        if (!Validate::digit($data[$field])) {
            $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
        }
    }
    // Check all date fields for a page (YYYY-MM-DD, /D so a trailing newline is rejected)
    $fields = array('created_on', 'published_on', 'valid_until');
    foreach ($fields as $field) {
        if (isset($data[$field])) {
            $data[$field] = trim($data[$field]);
            if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) {
                $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
            }
        }
    }
    // Check all time fields for a page (HH:MM:SS)
    $fields = array('created_on_time', 'published_on_time', 'valid_until_time');
    foreach ($fields as $field) {
        if (isset($data[$field])) {
            $data[$field] = trim($data[$field]);
            if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) {
                $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
            }
        }
    }
    // Check alphanumerical fields: both are run through kses() with an empty
    // whitelist, i.e. every tag is stripped. The former alpha_comma validation
    // is kept below, commented out.
    $fields = array('keywords', 'description');
    foreach ($fields as $field) {
        use_helper('Kses');
        $data[$field] = kses(trim($data[$field]), array());
        /* if (!empty($data[$field]) && !Validate::alpha_comma($data[$field])) { $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field)); } */
    }
    // Check behaviour_id field
    if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) {
        $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'behaviour_id'));
    }
    // Make sure the title doesn't contain HTML (setting-controlled; empty whitelist strips all tags)
    if (Setting::get('allow_html_title') == 'off') {
        use_helper('Kses');
        $data['title'] = kses(trim($data['title']), array());
    }
    // Create the page object to be manipulated and populate data
    if ($action == 'add') {
        $page = new Page($data);
    } else {
        $page = Record::findByIdFrom('Page', $id);
        $page->setFromData($data);
    }
    // Upon errors, rebuild original page and return to screen with errors
    if (false !== $errors) {
        $tags = $_POST['page_tag'];
        // Rebuild time fields: date and time are posted separately, glue them
        // back so the re-displayed form shows what was entered.
        // NOTE(review): the *_time properties are read without isset() here.
        if (isset($page->created_on)) {
            $page->created_on = $page->created_on . ' ' . $page->created_on_time;
        }
        if (isset($page->published_on)) {
            $page->published_on = $page->published_on . ' ' . $page->published_on_time;
        }
        if (isset($page->valid_until)) {
            $page->valid_until = $page->valid_until . ' ' . $page->valid_until_time;
        }
        // Rebuild parts: each posted part array becomes an object for the view.
        $part = $_POST['part'];
        if (!empty($part)) {
            $tmp = false;
            foreach ($part as $key => $val) {
                $tmp[$key] = (object) $val;
            }
            $part = $tmp;
        }
        // Set the errors to be displayed.
        Flash::setNow('error', implode('<br/>', $errors));
        // display things ...
        $this->setLayout('backend');
        $this->display('page/edit', array('action' => $action, 'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . $action), 'page' => (object) $page, 'tags' => $tags, 'filters' => Filter::findAll(), 'behaviors' => Behavior::findAll(), 'page_parts' => (object) $part, 'layouts' => Record::findAllFrom('Layout')));
        // NOTE(review): there is no return here, so this flow relies on
        // display() terminating the request. If display() ever returns, the
        // save below runs even after a failed CSRF check — confirm.
    }
    // Notify
    if ($action == 'add') {
        Observer::notify('page_add_before_save', $page);
    } else {
        Observer::notify('page_edit_before_save', $page);
    }
    // Time to actually save the page
    // @todo rebuild this so parts are already set before save?
    // @todo determine lazy init impact
    if ($page->save()) {
        // Get data for parts of this page
        // NOTE(review): read without isset(); a submit with no parts yields null here.
        $data_parts = $_POST['part'];
        Flash::set('post_parts_data', (object) $data_parts);
        if ($action == 'edit') {
            $old_parts = PagePart::findByPageId($id);
            // check if all old page part are passed in POST
            // if not ... we need to delete it!
            // Old parts are matched to posted parts by trimmed name, not by id.
            foreach ($old_parts as $old_part) {
                $not_in = true;
                // Note: this loop reuses $data and overwrites the page data;
                // harmless only because $data is not read again afterwards.
                foreach ($data_parts as $part_id => $data) {
                    $data['name'] = trim($data['name']);
                    if ($old_part->name == $data['name']) {
                        $not_in = false;
                        // this will not really create a new page part because
                        // the id of the part is passed in $data
                        $part = new PagePart($data);
                        $part->page_id = $id;
                        Observer::notify('part_edit_before_save', $part);
                        $part->save();
                        Observer::notify('part_edit_after_save', $part);
                        // Consumed: whatever remains in $data_parts is new.
                        unset($data_parts[$part_id]);
                        break;
                    }
                }
                if ($not_in) {
                    $old_part->delete();
                }
            }
        }
        // add the new parts
        foreach ($data_parts as $data) {
            $data['name'] = trim($data['name']);
            $part = new PagePart($data);
            $part->page_id = $page->id;
            Observer::notify('part_add_before_save', $part);
            $part->save();
            Observer::notify('part_add_after_save', $part);
        }
        // save tags
        $page->saveTags($_POST['page_tag']['tags']);
        Flash::set('success', __('Page has been saved!'));
    } else {
        Flash::set('error', __('Page has not been saved!'));
        $url = 'page/';
        $url .= $action == 'edit' ? 'edit/' . $id : 'add/';
        redirect(get_url($url));
    }
    if ($action == 'add') {
        Observer::notify('page_add_after_save', $page);
    } else {
        Observer::notify('page_edit_after_save', $page);
    }
    // save and quit or save and continue editing ?
    if (isset($_POST['commit'])) {
        redirect(get_url('page'));
    } else {
        redirect(get_url('page/edit/' . $page->id));
    }
}
/**
 * Smarty modifier wrapper around kses().
 *
 * Filters $text against a fixed whitelist: common table, list, block and
 * inline elements with no attributes, plus <a> restricted to href, title
 * and rel.
 *
 * @param string $text Untrusted markup
 * @return string Filtered markup as returned by kses()
 */
function smarty_modifier_kses($text)
{
    // Elements that may appear but carry no attributes at all.
    $noAttrBefore = array('table', 'tr', 'td', 'th', 'dl', 'dd', 'dt', 'p', 'blockquote', 'ul', 'ol', 'li', 'pre', 'code');
    $noAttrAfter = array('b', 'i', 'em', 'strong', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6');
    // NOTE(review): the attribute entries are the integer 1 rather than an
    // (empty) array of value constraints; confirm the kses() build in use
    // accepts that form.
    $anchor = array('a' => array('href' => 1, 'title' => 1, 'rel' => 1));

    // '+' on string-keyed arrays keeps the original key order: no-attribute
    // elements, then <a>, then the remaining inline/heading elements.
    $whitelist = array_fill_keys($noAttrBefore, array())
        + $anchor
        + array_fill_keys($noAttrAfter, array());

    return kses($text, $whitelist);
}
if (isset($this->vars['content_for_layout']->vars['action'])) { $tmp = $this->vars['content_for_layout']->vars['action']; $title .= ' - ' . ucfirst($tmp); if ($tmp == 'edit' && isset($this->vars['content_for_layout']->vars['page'])) { $tmp = $this->vars['content_for_layout']->vars['page']; $title .= ' - ' . $tmp->title; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title><?php use_helper('Kses'); echo kses(Setting::get('admin_title'), array()) . ' - ' . $title; ?> </title> <link href="<?php echo URI_PUBLIC; ?> wolf/admin/stylesheets/admin.css" media="screen" rel="Stylesheet" type="text/css" /> <link href="<?php echo URI_PUBLIC; ?> wolf/admin/themes/<?php echo Setting::get('theme'); ?> /styles.css" id="css_theme" media="screen" rel="Stylesheet" type="text/css" /> <link href="<?php
/**
 * Filters $value through kses() using this instance's tag whitelist.
 *
 * @param mixed $value Untrusted markup to filter
 * @return string Filtered markup as returned by kses()
 */
public function filter($value)
{
    $whitelist = $this->getTags();
    $filtered = kses($value, $whitelist);
    return $filtered;
}