/**
* Redirects users to ?event=jmd_dashboard upon login (unless they were
* loading another event).
*/
function jmd_dashboard_login()
{
global $siteurl;
if (gps('p_password') && !gps('event')) {
txp_status_header("302 Found");
header("Location: http://{$siteurl}/textpattern/?event=jmd_dashboard");
exit;
}
}
function rss()
{
global $prefs, $thisarticle;
extract($prefs);
extract(doSlash(gpsa(array('category', 'section', 'limit', 'area'))));
$area = gps('area');
$sitename .= $section ? ' - ' . $section : '';
$sitename .= $category ? ' - ' . $category : '';
$out[] = tag(doSpecial($sitename), 'title');
$out[] = tag(hu, 'link');
$out[] = tag(doSpecial($site_slogan), 'description');
$articles = array();
if (!$area or $area == 'article') {
$sfilter = $section ? "and Section = '" . $section . "'" : '';
$cfilter = $category ? "and (Category1='" . $category . "' or Category2='" . $category . "')" : '';
$limit = $limit ? $limit : $rss_how_many;
$limit = min($limit, max(100, $rss_how_many));
$frs = safe_column("name", "txp_section", "in_rss != '1'");
if ($frs) {
foreach ($frs as $f) {
$query[] = "and Section != '" . doSlash($f) . "'";
}
}
$query[] = $sfilter;
$query[] = $cfilter;
$rs = safe_rows_start("*, unix_timestamp(Posted) as uPosted, ID as thisid", "textpattern", "Status = 4 " . join(' ', $query) . "and Posted < now() order by Posted desc limit {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
populateArticleData($a);
$a['posted'] = $uPosted;
$Body = !$syndicate_body_or_excerpt ? $thisarticle['body'] : $thisarticle['excerpt'];
$Body = !trim($Body) ? $thisarticle['body'] : $Body;
$Body = str_replace('href="/', 'href="' . hu, $Body);
$Body = preg_replace("/href=\\\"#(.*)\"/", "href=\"" . permlinkurl($a) . "#\\1\"", $Body);
$Body = rss_safe_hed($Body);
$Body = preg_replace(array('/</', '/>/', "/'/", '/"/'), array('<', '>', ''', '"'), $Body);
// encode bare ampersands
$Body = preg_replace("/&(?![#0-9]+;|\\w+;)/i", '&', $Body);
$uTitle = $url_title ? $url_title : stripSpace($Title);
$uTitle = htmlspecialchars($uTitle, ENT_NOQUOTES);
if ($show_comment_count_in_feed) {
$count = $comments_count > 0 ? ' [' . $comments_count . ']' : '';
} else {
$count = '';
}
$Title = doSpecial($Title) . $count;
$permlink = permlinkurl($a);
$item = tag(strip_tags($Title), 'title') . n . tag($Body, 'description') . n . tag($permlink, 'link');
$articles[$ID] = tag($item, 'item');
$etags[$ID] = strtoupper(dechex(crc32($articles[$ID])));
$dates[$ID] = $uPosted;
}
}
} elseif ($area == 'link') {
$cfilter = $category ? "category='{$category}'" : '1';
$limit = $limit ? $limit : $rss_how_many;
$limit = min($limit, max(100, $rss_how_many));
$rs = safe_rows_start("*", "txp_link", "{$cfilter} order by date desc limit {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
$item = tag(doSpecial($linkname), 'title') . n . tag(doSpecial($description), 'description') . n . tag(doSpecial($url), 'link');
$articles[$id] = tag($item, 'item');
$etags[$id] = strtoupper(dechex(crc32($articles[$id])));
$dates[$id] = $date;
}
}
}
//turn on compression if we aren't using it already
if (extension_loaded('zlib') && ini_get("zlib.output_compression") == 0 && ini_get('output_handler') != 'ob_gzhandler' && !headers_sent()) {
@ob_start("ob_gzhandler");
}
$last = fetch('unix_timestamp(val)', 'txp_prefs', 'name', 'lastmod');
$expires = gmdate('D, d M Y H:i:s \\G\\M\\T', time() + 3600 * 1);
header("Expires: {$expires}");
$hims = serverset('HTTP_IF_MODIFIED_SINCE');
$imsd = $hims ? strtotime($hims) : 0;
if ($imsd >= $last) {
txp_status_header("304 Not Modified");
exit;
}
header("Last-Modified: " . gmdate('D, d M Y H:i:s \\G\\M\\T', $last));
if (is_callable('apache_request_headers')) {
$headers = apache_request_headers();
if (isset($headers["A-IM"])) {
$canaim = strpos($headers["A-IM"], "feed");
} else {
$canaim = false;
}
} else {
$canaim = false;
}
$hinm = stripslashes(serverset('HTTP_IF_NONE_MATCH'));
$cutarticles = false;
if ($canaim !== false) {
foreach ($articles as $id => $thing) {
if (strpos($hinm, $etags[$id]) !== false) {
unset($articles[$id]);
$cutarticles = true;
$cut_etag = true;
}
if ($dates[$id] < $imsd) {
unset($articles[$id]);
$cutarticles = true;
$cut_time = true;
}
}
}
if (isset($cut_etag) && isset($cut_time)) {
header("Vary: If-None-Match, If-Modified-Since");
} else {
if (isset($cut_etag)) {
header("Vary: If-None-Match");
} else {
if (isset($cut_time)) {
header("Vary: If-Modified-Since");
}
}
}
$etag = @join("-", $etags);
if (strstr($hinm, $etag)) {
header("HTTP/1.1 304 Not Modified");
exit;
}
if ($cutarticles) {
//header("HTTP/1.1 226 IM Used");
//This should be used as opposed to 200, but Apache doesn't like it.
//http://intertwingly.net/blog/2004/09/11/Vary-ETag/ says that the status code should be 200.
header("Cache-Control: no-store, im");
header("IM: feed");
}
$out = array_merge($out, $articles);
header("Content-Type: application/rss+xml; charset=utf-8");
if ($etag) {
header('ETag: "' . $etag . '"');
}
return '<rss version="0.92">' . tag(join(n, $out), 'channel') . '</rss>';
}
function atom()
{
global $thisarticle;
extract($GLOBALS['prefs']);
define("t_texthtml", ' type="text/html"');
define("t_text", ' type="text"');
define("t_html", ' type="html"');
define("t_xhtml", ' type="xhtml"');
define('t_appxhtml', ' type="xhtml"');
define("r_relalt", ' rel="alternate"');
define("r_relself", ' rel="self"');
$area = doSlash(gps('area'));
extract(doSlash(gpsa(array('category', 'section', 'limit'))));
$last = fetch('unix_timestamp(val)', 'txp_prefs', 'name', 'lastmod');
$sitename .= $section ? ' - ' . $section : '';
$sitename .= $category ? ' - ' . $category : '';
$pub = safe_row("RealName, email", "txp_users", "privs=1");
$out[] = tag(escape_output($sitename), 'title', t_text);
$out[] = tag(escape_output($site_slogan), 'subtitle', t_text);
$out[] = '<link' . r_relself . ' href="' . pagelinkurl(array('atom' => 1, 'area' => $area, 'section' => $section, 'category' => $category, 'limit' => $limit)) . '" />';
$out[] = '<link' . r_relalt . t_texthtml . ' href="' . hu . '" />';
$articles = array();
//Atom feeds with mail or domain name
$dn = explode('/', $siteurl);
$mail_or_domain = $use_mail_on_feeds_id ? eE($blog_mail_uid) : $dn[0];
$out[] = tag('tag:' . $mail_or_domain . ',' . $blog_time_uid . ':' . $blog_uid . ($section ? '/' . $section : '') . ($category ? '/' . $category : ''), 'id');
$out[] = tag('Textpattern', 'generator', ' uri="http://textpattern.com/" version="' . $version . '"');
$out[] = tag(safe_strftime("w3cdtf", $last), 'updated');
$auth[] = tag($pub['RealName'], 'name');
$auth[] = $include_email_atom ? tag(eE($pub['email']), 'email') : '';
$auth[] = tag(hu, 'uri');
$out[] = tag(n . t . t . join(n . t . t, $auth) . n, 'author');
if (!$area or $area == 'article') {
$sfilter = $section ? "and Section = '" . $section . "'" : '';
$cfilter = $category ? "and (Category1='" . $category . "' or Category2='" . $category . "')" : '';
$limit = $limit ? $limit : $rss_how_many;
$limit = intval(min($limit, max(100, $rss_how_many)));
$frs = safe_column("name", "txp_section", "in_rss != '1'");
$query = array();
foreach ($frs as $f) {
$query[] = "and Section != '" . doSlash($f) . "'";
}
$query[] = $sfilter;
$query[] = $cfilter;
$rs = safe_rows_start("*, \n\t\t\t\tID as thisid, \n\t\t\t\tunix_timestamp(Posted) as uPosted,\n\t\t\t\tunix_timestamp(LastMod) as uLastMod", "textpattern", "Status=4 and Posted <= now() " . join(' ', $query) . "order by Posted desc limit {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
populateArticleData($a);
$cb = callback_event('atom_entry');
$e = array();
$a['posted'] = $uPosted;
if ($show_comment_count_in_feed) {
$count = $comments_count > 0 ? ' [' . $comments_count . ']' : '';
} else {
$count = '';
}
$thisauthor = get_author_name($AuthorID);
$e['thisauthor'] = tag(n . t . t . t . tag(htmlspecialchars($thisauthor), 'name') . n . t . t, 'author');
$e['issued'] = tag(safe_strftime('w3cdtf', $uPosted), 'published');
$e['modified'] = tag(safe_strftime('w3cdtf', $uLastMod), 'updated');
$escaped_title = escape_output($Title);
$e['title'] = tag($escaped_title . $count, 'title', t_html);
$permlink = permlinkurl($a);
$e['link'] = '<link' . r_relalt . t_texthtml . ' href="' . $permlink . '" />';
$e['id'] = tag('tag:' . $mail_or_domain . ',' . $feed_time . ':' . $blog_uid . '/' . $uid, 'id');
$e['category1'] = trim($Category1) ? '<category term="' . htmlspecialchars($Category1) . '" />' : '';
$e['category2'] = trim($Category2) ? '<category term="' . htmlspecialchars($Category2) . '" />' : '';
$summary = trim(replace_relative_urls(parse($thisarticle['excerpt']), $permlink));
$content = trim(replace_relative_urls(parse($thisarticle['body']), $permlink));
if ($syndicate_body_or_excerpt) {
# short feed: use body as summary if there's no excerpt
if (!trim($summary)) {
$summary = $content;
}
$content = '';
}
if (trim($content)) {
$e['content'] = tag(n . escape_cdata($content) . n, 'content', t_html);
}
if (trim($summary)) {
$e['summary'] = tag(n . escape_cdata($summary) . n, 'summary', t_html);
}
$articles[$ID] = tag(n . t . t . join(n . t . t, $e) . n . $cb, 'entry');
$etags[$ID] = strtoupper(dechex(crc32($articles[$ID])));
$dates[$ID] = $uLastMod;
}
}
} elseif ($area == 'link') {
$cfilter = $category ? "category='" . $category . "'" : '1';
$limit = $limit ? $limit : $rss_how_many;
$limit = intval(min($limit, max(100, $rss_how_many)));
$rs = safe_rows_start("*", "txp_link", "{$cfilter} order by date desc, id desc limit {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
$e['title'] = tag(htmlspecialchars($linkname), 'title', t_html);
$e['content'] = tag(n . htmlspecialchars($description) . n, 'content', t_html);
$url = preg_replace("/^\\/(.*)/", "https?://{$siteurl}/\$1", $url);
$url = preg_replace("/&((?U).*)=/", "&\\1=", $url);
$e['link'] = '<link' . r_relalt . t_texthtml . ' href="' . $url . '" />';
$e['issued'] = tag(safe_strftime('w3cdtf', strtotime($date)), 'published');
$e['modified'] = tag(gmdate('Y-m-d\\TH:i:s\\Z', strtotime($date)), 'updated');
$e['id'] = tag('tag:' . $mail_or_domain . ',' . $feed_time . ':' . $id, 'id');
$articles[$id] = tag(n . t . t . join(n . t . t, $e) . n, 'entry');
$etags[$id] = strtoupper(dechex(crc32($articles[$id])));
$dates[$id] = $date;
}
}
}
if (!empty($articles)) {
//turn on compression if we aren't using it already
if (extension_loaded('zlib') && ini_get("zlib.output_compression") == 0 && ini_get('output_handler') != 'ob_gzhandler' && !headers_sent()) {
@ob_start("ob_gzhandler");
}
handle_lastmod();
$hims = serverset('HTTP_IF_MODIFIED_SINCE');
$imsd = $hims ? strtotime($hims) : 0;
if ($imsd >= $last) {
txp_status_header("304 Not Modified");
exit;
}
header("Last-Modified: " . gmdate('D, d M Y H:i:s \\G\\M\\T', $last));
if (is_callable('apache_request_headers')) {
$headers = apache_request_headers();
if (isset($headers["A-IM"])) {
$canaim = strpos($headers["A-IM"], "feed");
} else {
$canaim = false;
}
} else {
$canaim = false;
}
$hinm = stripslashes(serverset('HTTP_IF_NONE_MATCH'));
$cutarticles = false;
if ($canaim !== false) {
foreach ($articles as $id => $thing) {
if (strpos($hinm, $etags[$id])) {
unset($articles[$id]);
$cutarticles = true;
$cut_etag = true;
}
if ($dates[$id] < $imsd) {
unset($articles[$id]);
$cutarticles = true;
$cut_time = true;
}
}
}
if (isset($cut_etag) && isset($cut_time)) {
header("Vary: If-None-Match, If-Modified-Since");
} else {
if (isset($cut_etag)) {
header("Vary: If-None-Match");
} else {
if (isset($cut_time)) {
header("Vary: If-Modified-Since");
}
}
}
$etag = @join("-", $etags);
if (strstr($hinm, $etag)) {
header("HTTP/1.1 304 Not Modified");
exit;
}
if ($etag) {
header('ETag: "' . $etag . '"');
}
if ($cutarticles) {
//header("HTTP/1.1 226 IM Used");
//This should be used as opposed to 200, but Apache doesn't like it.
//http://intertwingly.net/blog/2004/09/11/Vary-ETag/ says that the status code should be 200.
header("Cache-Control: no-store, im");
header("IM: feed");
}
$out = array_merge($out, $articles);
header('Content-type: application/atom+xml; charset=utf-8');
return chr(60) . '?xml version="1.0" encoding="UTF-8"?' . chr(62) . n . '<feed xml:lang="' . $language . '" xmlns="http://www.w3.org/2005/Atom">' . join(n, $out) . '</feed>';
}
}
function rss()
{
global $prefs, $thisarticle;
set_error_handler('feedErrorHandler');
ob_clean();
extract($prefs);
extract(doSlash(gpsa(array('limit', 'area'))));
// build filter criteria from a comma-separated list of sections and categories
$feed_filter_limit = get_pref('feed_filter_limit', 10);
$section = gps('section');
$category = gps('category');
if (!is_scalar($section) || !is_scalar($category)) {
txp_die('Not Found', 404);
}
$section = $section ? array_slice(array_unique(do_list($section)), 0, $feed_filter_limit) : array();
$category = $category ? array_slice(array_unique(do_list($category)), 0, $feed_filter_limit) : array();
$st = array();
foreach ($section as $s) {
$st[] = fetch_section_title($s);
}
$ct = array();
foreach ($category as $c) {
$ct[] = fetch_category_title($c);
}
$sitename .= $section ? ' - ' . join(' - ', $st) : '';
$sitename .= $category ? ' - ' . join(' - ', $ct) : '';
$dn = explode('/', $siteurl);
$mail_or_domain = $use_mail_on_feeds_id ? eE($blog_mail_uid) : $dn[0];
// feed header
$out[] = tag('http://textpattern.com/?v=' . $version, 'generator');
$out[] = tag(doSpecial($sitename), 'title');
$out[] = tag(hu, 'link');
$out[] = '<atom:link href="' . pagelinkurl(array('rss' => 1, 'area' => $area, 'section' => $section, 'category' => $category, 'limit' => $limit)) . '" rel="self" type="application/rss+xml" />';
$out[] = tag(doSpecial($site_slogan), 'description');
$last = fetch('unix_timestamp(val)', 'txp_prefs', 'name', 'lastmod');
$out[] = tag(safe_strftime('rfc822', $last), 'pubDate');
$out[] = callback_event('rss_head');
// feed items
$articles = array();
$section = doSlash($section);
$category = doSlash($category);
if (!$area or $area == 'article') {
$sfilter = !empty($section) ? "and Section in ('" . join("','", $section) . "')" : '';
$cfilter = !empty($category) ? "and (Category1 in ('" . join("','", $category) . "') or Category2 in ('" . join("','", $category) . "'))" : '';
$limit = $limit ? $limit : $rss_how_many;
$limit = intval(min($limit, max(100, $rss_how_many)));
$frs = safe_column("name", "txp_section", "in_rss != '1'");
if ($frs) {
foreach ($frs as $f) {
$query[] = "and Section != '" . doSlash($f) . "'";
}
}
$query[] = $sfilter;
$query[] = $cfilter;
$expired = $publish_expired_articles ? '' : ' and (now() <= Expires or Expires = ' . NULLDATETIME . ') ';
$rs = safe_rows_start("*, unix_timestamp(Posted) as uPosted, unix_timestamp(LastMod) as uLastMod, unix_timestamp(Expires) as uExpires, ID as thisid", "textpattern", "Status = 4 " . join(' ', $query) . "and Posted < now()" . $expired . "order by Posted desc limit {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
populateArticleData($a);
$cb = callback_event('rss_entry');
$a['posted'] = $uPosted;
$permlink = permlinkurl($a);
$summary = trim(replace_relative_urls(parse($thisarticle['excerpt']), $permlink));
$content = trim(replace_relative_urls(parse($thisarticle['body']), $permlink));
if ($syndicate_body_or_excerpt) {
# short feed: use body as summary if there's no excerpt
if (!trim($summary)) {
$summary = $content;
}
$content = '';
}
if ($show_comment_count_in_feed) {
$count = $comments_count > 0 ? ' [' . $comments_count . ']' : '';
} else {
$count = '';
}
$Title = escape_title(strip_tags($Title)) . $count;
$thisauthor = get_author_name($AuthorID);
$item = tag($Title, 'title') . n . (trim($summary) ? tag(n . escape_cdata($summary) . n, 'description') . n : '') . (trim($content) ? tag(n . escape_cdata($content) . n, 'content:encoded') . n : '') . tag($permlink, 'link') . n . tag(safe_strftime('rfc822', $a['posted']), 'pubDate') . n . tag(htmlspecialchars($thisauthor), 'dc:creator') . n . tag('tag:' . $mail_or_domain . ',' . $feed_time . ':' . $blog_uid . '/' . $uid, 'guid', ' isPermaLink="false"') . n . $cb;
$articles[$ID] = tag($item, 'item');
$etags[$ID] = strtoupper(dechex(crc32($articles[$ID])));
$dates[$ID] = $uPosted;
}
}
} elseif ($area == 'link') {
$cfilter = $category ? "category in ('" . join("','", $category) . "')" : '1';
$limit = $limit ? $limit : $rss_how_many;
$limit = intval(min($limit, max(100, $rss_how_many)));
$rs = safe_rows_start("*, unix_timestamp(date) as uDate", "txp_link", "{$cfilter} order by date desc limit {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
$item = tag(doSpecial($linkname), 'title') . n . tag(doSpecial($description), 'description') . n . tag(doSpecial($url), 'link') . n . tag(safe_strftime('rfc822', $uDate), 'pubDate');
$articles[$id] = tag($item, 'item');
$etags[$id] = strtoupper(dechex(crc32($articles[$id])));
$dates[$id] = $date;
}
}
}
if (!$articles) {
if ($section) {
if (safe_field('name', 'txp_section', "name in ('" . join("','", $section) . "')") == false) {
txp_die(gTxt('404_not_found'), '404');
}
} elseif ($category) {
switch ($area) {
case 'link':
if (safe_field('id', 'txp_category', "name = '{$category}' and type = 'link'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
break;
case 'article':
default:
if (safe_field('id', 'txp_category', "name in ('" . join("','", $category) . "') and type = 'article'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
break;
}
}
} else {
//turn on compression if we aren't using it already
if (extension_loaded('zlib') && ini_get("zlib.output_compression") == 0 && ini_get('output_handler') != 'ob_gzhandler' && !headers_sent()) {
// make sure notices/warnings/errors don't fudge up the feed
// when compression is used
$buf = '';
while ($b = @ob_get_clean()) {
$buf .= $b;
}
@ob_start('ob_gzhandler');
echo $buf;
}
handle_lastmod();
$hims = serverset('HTTP_IF_MODIFIED_SINCE');
$imsd = $hims ? strtotime($hims) : 0;
if (is_callable('apache_request_headers')) {
$headers = apache_request_headers();
if (isset($headers["A-IM"])) {
$canaim = strpos($headers["A-IM"], "feed");
} else {
$canaim = false;
}
} else {
$canaim = false;
}
$hinm = stripslashes(serverset('HTTP_IF_NONE_MATCH'));
$cutarticles = false;
if ($canaim !== false) {
foreach ($articles as $id => $thing) {
if (strpos($hinm, $etags[$id]) !== false) {
unset($articles[$id]);
$cutarticles = true;
$cut_etag = true;
}
if ($dates[$id] < $imsd) {
unset($articles[$id]);
$cutarticles = true;
$cut_time = true;
}
}
}
if (isset($cut_etag) && isset($cut_time)) {
header("Vary: If-None-Match, If-Modified-Since");
} else {
if (isset($cut_etag)) {
header("Vary: If-None-Match");
} else {
if (isset($cut_time)) {
header("Vary: If-Modified-Since");
}
}
}
$etag = @join("-", $etags);
if (strstr($hinm, $etag)) {
txp_status_header('304 Not Modified');
exit(0);
}
if ($cutarticles) {
//header("HTTP/1.1 226 IM Used");
//This should be used as opposed to 200, but Apache doesn't like it.
//http://intertwingly.net/blog/2004/09/11/Vary-ETag/ says that the status code should be 200.
header("Cache-Control: no-store, im");
header("IM: feed");
}
}
$out = array_merge($out, $articles);
header("Content-Type: application/rss+xml; charset=utf-8");
if (isset($etag)) {
header('ETag: "' . $etag . '"');
}
return '<?xml version="1.0" encoding="utf-8"?>' . n . '<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">' . n . tag(join(n, $out), 'channel') . n . '</rss>';
}
/**
* Send a text/javascript response
*
* @param string $out
* @since 4.4
*/
function send_script_response($out = '')
{
static $headers_sent = false;
if (!$headers_sent) {
ob_clean();
header('Content-Type: text/javascript; charset=utf-8');
txp_status_header('200 OK');
$headers_sent = true;
}
echo ";\n" . $out . ";\n";
}
function doArticles($atts, $iscustom, $thing = null)
{
global $pretext, $prefs;
extract($pretext);
extract($prefs);
$customFields = getCustomFields();
$customlAtts = array_null(array_flip($customFields));
if ($iscustom) {
$extralAtts = array('category' => '', 'section' => '', 'excerpted' => '', 'author' => '', 'month' => '', 'expired' => $publish_expired_articles, 'id' => '', 'exclude' => '');
} else {
$extralAtts = array('listform' => '', 'searchform' => '', 'searchall' => 1, 'searchsticky' => 0, 'pageby' => '', 'pgonly' => 0);
}
// Getting attributes.
$theAtts = lAtts(array('form' => 'default', 'limit' => 10, 'sort' => '', 'sortby' => '', 'sortdir' => '', 'keywords' => '', 'time' => 'past', 'status' => STATUS_LIVE, 'allowoverride' => !$q and !$iscustom, 'offset' => 0, 'wraptag' => '', 'break' => '', 'label' => '', 'labeltag' => '', 'class' => '') + $customlAtts + $extralAtts, $atts);
// For the txp:article tag, some attributes are taken from globals;
// override them, then stash all filter attributes.
if (!$iscustom) {
$theAtts['category'] = $c ? $c : '';
$theAtts['section'] = $s && $s != 'default' ? $s : '';
$theAtts['author'] = !empty($author) ? $author : '';
$theAtts['month'] = !empty($month) ? $month : '';
$theAtts['frontpage'] = $s && $s == 'default' ? true : false;
$theAtts['excerpted'] = 0;
$theAtts['exclude'] = 0;
$theAtts['expired'] = $publish_expired_articles;
filterAtts($theAtts);
} else {
$theAtts['frontpage'] = false;
}
extract($theAtts);
// If a listform is specified, $thing is for doArticle() - hence ignore here.
if (!empty($listform)) {
$thing = '';
}
$pageby = empty($pageby) ? $limit : $pageby;
// Treat sticky articles differently wrt search filtering, etc.
$status = in_array(strtolower($status), array('sticky', STATUS_STICKY)) ? STATUS_STICKY : STATUS_LIVE;
$issticky = $status == STATUS_STICKY;
// Give control to search, if necessary.
if ($q && !$iscustom && !$issticky) {
include_once txpath . '/publish/search.php';
$s_filter = $searchall ? filterSearch() : '';
$q = trim($q);
$quoted = $q[0] === '"' && $q[strlen($q) - 1] === '"';
$q = doSlash($quoted ? trim(trim($q, '"')) : $q);
// Searchable article fields are limited to the columns of the
// textpattern table and a matching fulltext index must exist.
$cols = do_list_unique($searchable_article_fields);
if (empty($cols) or $cols[0] == '') {
$cols = array('Title', 'Body');
}
$match = ", MATCH (`" . join("`, `", $cols) . "`) AGAINST ('{$q}') AS score";
$search_terms = preg_replace('/\\s+/', ' ', str_replace(array('\\', '%', '_', '\''), array('\\\\', '\\%', '\\_', '\\\''), $q));
if ($quoted || empty($m) || $m === 'exact') {
for ($i = 0; $i < count($cols); $i++) {
$cols[$i] = "`{$cols[$i]}` LIKE '%{$search_terms}%'";
}
} else {
$colJoin = $m === 'any' ? "OR" : "AND";
$search_terms = explode(' ', $search_terms);
for ($i = 0; $i < count($cols); $i++) {
$like = array();
foreach ($search_terms as $search_term) {
$like[] = "`{$cols[$i]}` LIKE '%{$search_term}%'";
}
$cols[$i] = "(" . join(" {$colJoin} ", $like) . ")";
}
}
$cols = join(" OR ", $cols);
$search = " AND ({$cols}) {$s_filter}";
// searchall=0 can be used to show search results for the current
// section only.
if ($searchall) {
$section = '';
}
if (!$sort) {
$sort = "score DESC";
}
} else {
$match = $search = '';
if (!$sort) {
$sort = "Posted DESC";
}
}
// For backwards compatibility. sortby and sortdir are deprecated.
if ($sortby) {
trigger_error(gTxt('deprecated_attribute', array('{name}' => 'sortby')), E_USER_NOTICE);
if (!$sortdir) {
$sortdir = "DESC";
} else {
trigger_error(gTxt('deprecated_attribute', array('{name}' => 'sortdir')), E_USER_NOTICE);
}
$sort = "{$sortby} {$sortdir}";
} elseif ($sortdir) {
trigger_error(gTxt('deprecated_attribute', array('{name}' => 'sortdir')), E_USER_NOTICE);
$sort = "Posted {$sortdir}";
}
// Building query parts.
$frontpage = ($frontpage and (!$q or $issticky)) ? filterFrontPage() : '';
$category = join("','", doSlash(do_list_unique($category)));
$category = !$category ? '' : " AND (Category1 IN ('" . $category . "') OR Category2 IN ('" . $category . "'))";
$section = !$section ? '' : " AND Section IN ('" . join("','", doSlash(do_list_unique($section))) . "')";
$excerpted = !$excerpted ? '' : " AND Excerpt !=''";
$author = !$author ? '' : " AND AuthorID IN ('" . join("','", doSlash(do_list_unique($author))) . "')";
$month = !$month ? '' : " AND Posted LIKE '" . doSlash($month) . "%'";
$ids = $id ? array_map('intval', do_list_unique($id)) : array();
$exclude = $exclude ? array_map('intval', do_list_unique($exclude)) : array();
$id = (!$id ? '' : " AND ID IN (" . join(',', $ids) . ")") . (!$exclude ? '' : " AND ID NOT IN (" . join(',', $exclude) . ")");
switch ($time) {
case 'any':
$time = "";
break;
case 'future':
$time = " AND Posted > " . now('posted');
break;
default:
$time = " AND Posted <= " . now('posted');
}
if (!$expired) {
$time .= " AND (" . now('expires') . " <= Expires OR Expires = " . NULLDATETIME . ")";
}
$custom = '';
if ($customFields) {
foreach ($customFields as $cField) {
if (isset($atts[$cField])) {
$customPairs[$cField] = $atts[$cField];
}
}
if (!empty($customPairs)) {
$custom = buildCustomSql($customFields, $customPairs);
}
}
// Allow keywords for no-custom articles. That tagging mode, you know.
if ($keywords) {
$keys = doSlash(do_list_unique($keywords));
foreach ($keys as $key) {
$keyparts[] = "FIND_IN_SET('" . $key . "', Keywords)";
}
$keywords = " AND (" . join(' or ', $keyparts) . ")";
}
if ($q and $searchsticky) {
$statusq = " AND Status >= " . STATUS_LIVE;
} elseif ($id) {
$statusq = " AND Status >= " . STATUS_LIVE;
} else {
$statusq = " AND Status = " . intval($status);
}
$where = "1 = 1" . $statusq . $time . $search . $id . $category . $section . $excerpted . $month . $author . $keywords . $custom . $frontpage;
// Do not paginate if we are on a custom list.
if (!$iscustom and !$issticky) {
$grand_total = safe_count('textpattern', $where);
$total = $grand_total - $offset;
$numPages = ceil($total / $pageby);
$pg = !$pg ? 1 : $pg;
$pgoffset = $offset + ($pg - 1) * $pageby;
// Send paging info to txp:newer and txp:older.
$pageout['pg'] = $pg;
$pageout['numPages'] = $numPages;
$pageout['s'] = $s;
$pageout['c'] = $c;
$pageout['context'] = 'article';
$pageout['grand_total'] = $grand_total;
$pageout['total'] = $total;
global $thispage;
if (empty($thispage)) {
$thispage = $pageout;
}
if ($pgonly) {
return;
}
} else {
$pgoffset = $offset;
}
// Preserve order of custom article ids unless 'sort' attribute is set.
if (!empty($atts['id']) && empty($atts['sort'])) {
$safe_sort = "FIELD(id, " . join(',', $ids) . ")";
} else {
$safe_sort = doSlash($sort);
}
$rs = safe_rows_start("*, UNIX_TIMESTAMP(Posted) AS uPosted, UNIX_TIMESTAMP(Expires) AS uExpires, UNIX_TIMESTAMP(LastMod) AS uLastMod" . $match, 'textpattern', "{$where} ORDER BY {$safe_sort} LIMIT " . intval($pgoffset) . ", " . intval($limit));
// Get the form name.
if ($q and !$iscustom and !$issticky) {
$fname = $searchform ? $searchform : 'search_results';
} else {
$fname = !empty($listform) ? $listform : $form;
}
if ($rs) {
$count = 0;
$last = numRows($rs);
$articles = array();
while ($a = nextRow($rs)) {
++$count;
populateArticleData($a);
global $thisarticle, $uPosted, $limit;
$thisarticle['is_first'] = $count == 1;
$thisarticle['is_last'] = $count == $last;
// Article form preview.
if (txpinterface === 'admin' && ps('Form')) {
doAuth();
if (!has_privs('form')) {
txp_status_header('401 Unauthorized');
exit(hed('401 Unauthorized', 1) . graf(gTxt('restricted_area')));
}
$articles[] = parse(gps('Form'));
} elseif ($allowoverride and $a['override_form']) {
$articles[] = parse_form($a['override_form']);
} else {
$articles[] = $thing ? parse($thing) : parse_form($fname);
}
// Sending these to paging_link(); Required?
$uPosted = $a['uPosted'];
unset($GLOBALS['thisarticle']);
}
return doLabel($label, $labeltag) . doWrap($articles, $wraptag, $break, $class);
}
}
function textpattern()
{
global $pretext, $microstart, $prefs, $qcount, $qtime, $production_status, $txptrace, $siteurl, $has_article_tag;
$has_article_tag = false;
callback_event('textpattern');
if ($pretext['status'] == '404') {
txp_die(gTxt('404_not_found'), '404');
}
if ($pretext['status'] == '410') {
txp_die(gTxt('410_gone'), '410');
}
$html = safe_field('user_html', 'txp_page', "name='" . doSlash($pretext['page']) . "'");
if (!$html) {
txp_die(gTxt('unknown_section'), '404');
}
// useful for clean urls with error-handlers
txp_status_header('200 OK');
trace_add('[' . gTxt('page') . ': ' . $pretext['page'] . ']');
set_error_handler("tagErrorHandler");
$pretext['secondpass'] = false;
$html = parse($html);
$pretext['secondpass'] = true;
trace_add('[ ~~~ ' . gTxt('secondpass') . ' ~~~ ]');
$html = parse($html);
// the function so nice, he ran it twice
if ($prefs['allow_page_php_scripting']) {
$html = evalString($html);
}
// make sure the page has an article tag if necessary
if (!$has_article_tag and $production_status != 'live' and (!empty($pretext['id']) or !empty($pretext['c']) or !empty($pretext['q']) or !empty($pretext['pg']))) {
trigger_error(gTxt('missing_article_tag', array('{page}' => $pretext['page'])));
}
restore_error_handler();
header("Content-type: text/html; charset=utf-8");
echo $html;
if (in_array($production_status, array('debug', 'testing'))) {
$microdiff = getmicrotime() - $microstart;
echo n, comment('Runtime: ' . substr($microdiff, 0, 6));
echo n, comment('Query time: ' . sprintf('%02.6f', $qtime));
echo n, comment('Queries: ' . $qcount);
echo maxMemUsage('end of textpattern()', 1);
if (!empty($txptrace) and is_array($txptrace)) {
echo n, comment('txp tag trace: ' . n . str_replace('--', '­­', join(n, $txptrace)) . n);
}
// '­­' is *no* tribute to Kajagoogoo, but an attempt to avoid prematurely terminating HTML comments
}
callback_event('textpattern_end');
}
function db_down()
{
// 503 status might discourage search engines from indexing or caching the error message
txp_status_header('503 Service Unavailable');
$error = mysql_error();
return <<<eod
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
\t<meta http-equiv="content-type" content="text/html; charset=utf-8" />
\t<title>Untitled</title>
</head>
<body>
<p align="center" style="margin-top:4em">Database unavailable.</p>
<!-- {$error} -->
</body>
</html>
eod;
}
/**
* Validates the sent login form and creates a session.
*
* During the reset request procedure, it is conceivable to verify the
* token as soon as it's presented in the URL, but that would:
* a) require refactoring code similarities in both p_confirm and p_alter branches
* b) require some way (e.g. an Exception) to signal back to doLoginForm() that
* the token is bogus so the 'change your password' form is not displayed.
* c) leak information about the validity of a token, thus allowing rapid brute-force
* attempts.
*
* The inconvenience of a real user following an expired token and being told so
* after they've set a password is a small price to pay for the improved security
* and reduction of attack surface that validating after submission affords.
*
* @todo Could the checks be done via a (reusable) Validator()?
*
* @return string A localised feedback message
* @see doLoginForm()
*/
function doTxpValidate()
{
global $logout, $txp_user;
$p_userid = ps('p_userid');
$p_password = ps('p_password');
$p_reset = ps('p_reset');
$p_alter = ps('p_alter');
$p_set = ps('p_set');
$stay = ps('stay');
$p_confirm = gps('confirm');
$logout = gps('logout');
$message = '';
$pub_path = preg_replace('|//$|', '/', rhu . '/');
if (cs('txp_login') && strpos(cs('txp_login'), ',')) {
$txp_login = explode(',', cs('txp_login'));
$c_hash = end($txp_login);
$c_userid = join(',', array_slice($txp_login, 0, -1));
} else {
$c_hash = '';
$c_userid = '';
}
if ($logout) {
setcookie('txp_login', '', time() - 3600);
setcookie('txp_login_public', '', time() - 3600, $pub_path);
}
if ($c_userid && strlen($c_hash) === 32) {
// Cookie exists.
// @todo Improve security by using a better nonce/salt mechanism. md5 and uniqid are bad.
$r = safe_row("name, nonce", 'txp_users', "name = '" . doSlash($c_userid) . "' AND last_access > DATE_SUB(NOW(), INTERVAL 30 DAY)");
if ($r && $r['nonce'] && $r['nonce'] === md5($c_userid . pack('H*', $c_hash))) {
// Cookie is good.
if ($logout) {
// Destroy nonce.
safe_update('txp_users', "nonce = '" . doSlash(md5(uniqid(mt_rand(), true))) . "'", "name = '" . doSlash($c_userid) . "'");
} else {
// Create $txp_user.
$txp_user = $r['name'];
}
return $message;
} else {
txp_status_header('401 Your session has expired');
setcookie('txp_login', $c_userid, time() + 3600 * 24 * 365);
setcookie('txp_login_public', '', time() - 3600, $pub_path);
$message = array(gTxt('bad_cookie'), E_ERROR);
}
} elseif ($p_userid && $p_password) {
// Incoming login vars.
$name = txp_validate($p_userid, $p_password);
if ($name !== false) {
$c_hash = md5(uniqid(mt_rand(), true));
$nonce = md5($name . pack('H*', $c_hash));
safe_update('txp_users', "nonce = '" . doSlash($nonce) . "'", "name = '" . doSlash($name) . "'");
setcookie('txp_login', $name . ',' . $c_hash, $stay ? time() + 3600 * 24 * 365 : 0, null, null, null, LOGIN_COOKIE_HTTP_ONLY);
setcookie('txp_login_public', substr(md5($nonce), -10) . $name, $stay ? time() + 3600 * 24 * 30 : 0, $pub_path);
// Login is good, create $txp_user.
$txp_user = $name;
return '';
} else {
sleep(3);
txp_status_header('401 Could not log in with that username/password');
$message = array(gTxt('could_not_log_in'), E_ERROR);
}
} elseif ($p_reset) {
// Reset request.
sleep(3);
include_once txpath . '/lib/txplib_admin.php';
$message = $p_userid ? send_reset_confirmation_request($p_userid) : '';
} elseif ($p_alter || $p_set) {
// Password change/set confirmation.
sleep(3);
global $sitename;
$pass = ps('p_password');
$type = $p_alter ? 'password_reset' : 'account_activation';
if (trim($pass) === '') {
$message = array(gTxt('password_required'), E_ERROR);
} else {
$hash = gps('hash');
$selector = substr($hash, SALT_LENGTH);
$tokenInfo = safe_row("reference_id, token, expires", 'txp_token', "selector = '" . doSlash($selector) . "' AND type='{$type}'");
if ($tokenInfo) {
if (strtotime($tokenInfo['expires']) <= time()) {
$message = array(gTxt('token_expired'), E_ERROR);
} else {
$uid = assert_int($tokenInfo['reference_id']);
$row = safe_row("name, email, nonce, pass AS old_pass", 'txp_users', "user_id = {$uid}");
if ($row && $row['nonce'] && $hash === bin2hex(pack('H*', substr(hash(HASHING_ALGORITHM, $row['nonce'] . $selector . $row['old_pass']), 0, SALT_LENGTH))) . $selector) {
if (change_user_password($row['name'], $pass)) {
$body = gTxt('salutation', array('{name}' => $row['name'])) . n . n . ($p_alter ? gTxt('password_change_confirmation') : gTxt('password_set_confirmation') . n . n . gTxt('log_in_at') . ': ' . hu . 'textpattern/index.php');
$message = $p_alter ? gTxt('password_changed') : gTxt('password_set');
txpMail($row['email'], "[{$sitename}] " . $message, $body);
// Invalidate all tokens in the wild for this user.
safe_delete("txp_token", "reference_id = {$uid} AND type IN ('password_reset', 'account_activation')");
}
} else {
$message = array(gTxt('invalid_token'), E_ERROR);
}
}
} else {
$message = array(gTxt('invalid_token'), E_ERROR);
}
}
}
$txp_user = '';
return $message;
}
/**
* Returns an error page.
*
* This function is used to return a bailout page when resolving database connections fails.
* Sends a HTTP 503 error status and displays the last logged MySQL error message.
*
* @return string HTML5 document
* @access private
*/
function db_down()
{
// 503 status might discourage search engines from indexing or caching the error message.
txp_status_header('503 Service Unavailable');
$error = mysql_error();
return <<<eod
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Database unavailable</title>
</head>
<body>
<p>Database unavailable.</p>
<!-- {$error} -->
</body>
</html>
eod;
}
function render_feed($rs, $area, $type, $feedtitle, $atom_self_ref, $atom_id_ext)
{
global $prefs, $thisarticle;
extract($prefs);
set_error_handler('tagErrorHandler');
$atom = $type == 'atom';
if ($atom) {
define("t_texthtml", ' type="text/html"');
define("t_text", ' type="text"');
define("t_html", ' type="html"');
define("t_xhtml", ' type="xhtml"');
define('t_appxhtml', ' type="xhtml"');
define("r_relalt", ' rel="alternate"');
define("r_relself", ' rel="self"');
} else {
define("t_texthtml", '');
define("t_text", '');
define("t_html", '');
define("t_xhtml", '');
define('t_appxhtml', '');
define("r_relalt", '');
define("r_relself", '');
}
$dn = explode('/', $siteurl);
$mail_or_domain = $use_mail_on_feeds_id ? eE($blog_mail_uid) : $dn[0];
$last = fetch('unix_timestamp(val)', 'txp_prefs', 'name', 'lastmod');
if ($atom) {
$out[] = tag('Textpattern', 'generator', ' uri="http://textpattern.com/" version="' . $version . '"');
$out[] = tag(htmlspecialchars($feedtitle), 'title', t_text);
$out[] = tag(htmlspecialchars($site_slogan), 'subtitle', t_text);
$out[] = tag(safe_strftime("w3cdtf", $last), 'updated');
$out[] = '<link' . r_relself . ' href="' . $atom_self_ref . '" />';
$out[] = '<link' . r_relalt . t_texthtml . ' href="' . hu . '" />';
//Atom feeds with mail or domain name
$out[] = tag('tag:' . $mail_or_domain . ',' . $blog_time_uid . ':' . $blog_uid . $atom_id_ext, 'id');
$pub = safe_row("RealName, email", "txp_users", "privs=1");
$auth[] = tag($pub['RealName'], 'name');
$auth[] = $include_email_atom ? tag(eE($pub['email']), 'email') : '';
$auth[] = tag(hu, 'uri');
$out[] = tag(n . t . t . join(n . t . t, $auth) . n, 'author');
} else {
$out[] = tag('http://textpattern.com/?v=' . $version, 'generator');
$out[] = tag(doSpecial($feedtitle), 'title');
$out[] = tag(doSpecial($site_slogan), 'description');
$out[] = tag(safe_strftime('rfc822', $last), 'pubDate');
$out[] = tag(hu, 'link');
$out[] = '<atom:link href="' . $atom_self_ref . '" rel="self" type="application/rss+xml" />';
}
$out[] = callback_event($atom ? 'atom_head' : 'rss_head');
$articles = array();
if (!$area or $area == 'article') {
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
populateArticleData($a);
$cb = callback_event($atom ? 'atom_entry' : 'rss_entry');
$e = array();
$thisauthor = doSpecial(get_author_name($AuthorID));
$thisauthor = tag($thisauthor, $atom ? 'name' : 'dc:creator');
if ($atom) {
$thisauthor = tag(n . t . t . t . $thisauthor . n . t . t, 'author');
}
$e['thisauthor'] = $thisauthor;
if ($atom) {
$e['issued'] = tag(safe_strftime('w3cdtf', $uPosted), 'published');
} else {
$e['issued'] = tag(safe_strftime('rfc822', $uPosted), 'pubDate');
}
if ($atom) {
$e['modified'] = tag(safe_strftime('w3cdtf', $uLastMod), 'updated');
$e['category1'] = trim($Category1) ? '<category term="' . doSpecial($Category1) . '" />' : '';
$e['category2'] = trim($Category2) ? '<category term="' . doSpecial($Category2) . '" />' : '';
}
$count = '';
if ($show_comment_count_in_feed && $comments_count > 0) {
$count = ' [' . $comments_count . ']';
}
$escaped_title = $atom ? htmlspecialchars($Title) : htmlspecialchars(strip_tags($Title));
$e['title'] = tag($escaped_title . $count, 'title', t_html);
$a['posted'] = $uPosted;
$permlink = permlinkurl($a);
if ($atom) {
$e['link'] = '<link' . r_relalt . t_texthtml . ' href="' . $permlink . '" />';
} else {
$e['link'] = tag($permlink, 'link');
}
$e['id'] = tag('tag:' . $mail_or_domain . ',' . $feed_time . ':' . $blog_uid . '/' . $uid, $atom ? 'id' : 'guid', $atom ? '' : ' isPermaLink="false"');
$summary = trim(replace_relative_urls(parse($thisarticle['excerpt']), $permlink));
$content = trim(replace_relative_urls(parse($thisarticle['body']), $permlink));
if ($syndicate_body_or_excerpt) {
# short feed: use body as summary if there's no excerpt
if (!trim($summary)) {
$summary = $content;
}
$content = '';
}
if (trim($summary)) {
$e['summary'] = tag(n . escape_cdata($summary) . n, $atom ? 'summary' : 'description', t_html);
}
if (trim($content)) {
$e['content'] = tag(n . escape_cdata($content) . n, $atom ? 'content' : 'content:encoded', t_html);
}
$articles[$ID] = tag(n . t . t . join(n . t . t, $e) . n . $cb, $atom ? 'entry' : 'item');
$etags[$ID] = strtoupper(dechex(crc32($articles[$ID])));
$dates[$ID] = $atom ? $uLastMod : $uPosted;
}
}
} elseif ($area == 'link') {
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
$e['title'] = tag(doSpecial($linkname), 'title', t_html);
if ($atom) {
$e['content'] = tag(n . doSpecial($description) . n, 'content', t_html);
$url = preg_replace("/^\\/(.*)/", "https?://{$siteurl}/\$1", $url);
$url = preg_replace("/&((?U).*)=/", "&\\1=", $url);
$e['link'] = '<link' . r_relalt . t_texthtml . ' href="' . $url . '" />';
$e['issued'] = tag(safe_strftime('w3cdtf', strtotime($date)), 'published');
$e['modified'] = tag(gmdate('Y-m-d\\TH:i:s\\Z', strtotime($date)), 'updated');
$e['id'] = tag('tag:' . $mail_or_domain . ',' . safe_strftime('%Y-%m-%d', strtotime($date)) . ':' . $blog_uid . '/' . $id, 'id');
} else {
$e['content'] = tag(doSpecial($description), 'description');
$e['link'] = tag(doSpecial($url), 'link');
$e['issued'] = tag(safe_strftime('rfc822', $uDate), 'pubDate');
}
$articles[$id] = tag(n . t . t . join(n . t . t, $e) . n, $atom ? 'entry' : 'item');
$etags[$id] = strtoupper(dechex(crc32($articles[$id])));
$dates[$id] = $date;
}
}
}
if (!$articles) {
if ($section) {
if (safe_field('name', 'txp_section', "name = '{$section}'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
} elseif ($category) {
switch ($area) {
case 'link':
if (safe_field('id', 'txp_category', "name = '{$category}' and type = 'link'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
break;
case 'article':
default:
if (safe_field('id', 'txp_category', "name = '{$category}' and type = 'article'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
break;
}
}
} else {
//turn on compression if we aren't using it already
if (extension_loaded('zlib') && ini_get("zlib.output_compression") == 0 && ini_get('output_handler') != 'ob_gzhandler' && !headers_sent()) {
// make sure notices/warnings/errors don't
// fudge up the feed when compression is used
$buf = '';
while ($b = @ob_get_clean()) {
$buf .= $b;
}
@ob_start('ob_gzhandler');
echo $buf;
}
handle_lastmod();
$hims = serverset('HTTP_IF_MODIFIED_SINCE');
$imsd = $hims ? strtotime($hims) : 0;
if (is_callable('apache_request_headers')) {
$headers = apache_request_headers();
if (isset($headers["A-IM"])) {
$canaim = strpos($headers["A-IM"], "feed");
} else {
$canaim = false;
}
} else {
$canaim = false;
}
$hinm = stripslashes(serverset('HTTP_IF_NONE_MATCH'));
$cutarticles = false;
if ($canaim !== false) {
foreach ($articles as $id => $thing) {
if (strpos($hinm, $etags[$id]) !== false) {
unset($articles[$id]);
$cutarticles = true;
$cut_etag = true;
}
if ($dates[$id] < $imsd) {
unset($articles[$id]);
$cutarticles = true;
$cut_time = true;
}
}
}
if (isset($cut_etag) && isset($cut_time)) {
header("Vary: If-None-Match, If-Modified-Since");
} else {
if (isset($cut_etag)) {
header("Vary: If-None-Match");
} else {
if (isset($cut_time)) {
header("Vary: If-Modified-Since");
}
}
}
$etag = @join("-", $etags);
if (strstr($hinm, $etag)) {
txp_status_header('304 Not Modified');
exit(0);
}
if ($etag) {
header('ETag: "' . $etag . '"');
}
if ($cutarticles) {
//header("HTTP/1.1 226 IM Used");
//This should be used as opposed to 200, but Apache doesn't like it.
//http://intertwingly.net/blog/2004/09/11/Vary-ETag/ says that the status code should be 200.
header("Cache-Control: no-store, im");
header("IM: feed");
}
}
$out = array_merge($out, $articles);
header('Content-type: application/' . ($atom ? 'atom' : 'rss') . '+xml; charset=utf-8');
if ($atom) {
return chr(60) . '?xml version="1.0" encoding="UTF-8"?' . chr(62) . n . '<feed xml:lang="' . $language . '" xmlns="http://www.w3.org/2005/Atom">' . n . join(n, $out) . '</feed>';
} else {
return '<?xml version="1.0" encoding="utf-8"?>' . n . '<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">' . n . tag(join(n, $out), 'channel') . n . '</rss>';
}
}
# Serve resource requests...
#===========================================================================
switch (gps('sed_resources')) {
case 'sed_sf_write_js':
require_privs('article');
_sed_sf_write_js();
break;
case 'sed_sf_section_js':
require_privs('section');
_sed_sf_section_js();
break;
case 'update_data_format':
# Only for upgrades from v2 to v3+ of the plugin.
_sed_sf_upgrade_storage_format();
$uri = 'http://' . $GLOBALS['siteurl'] . '/textpattern/index.php?event=prefs';
txp_status_header("302 Found");
header("Location: {$uri}");
exit;
break;
default:
break;
}
}
function _sed_sf_get_max_field_number()
{
static $max;
if (!isset($max)) {
if (is_callable('glz_all_custom_fields')) {
$result = glz_all_custom_fields();
$max = count($result);
#
/**
* Returns an error page.
*
* This function is used to return a bailout page when resolving database
* connections fails. Sends a HTTP 503 error status and displays the last logged
* MySQL error message.
*
* @return string HTML5 document
* @access private
*/
function db_down()
{
global $DB;
// 503 status might discourage search engines from indexing or caching the
// error message.
txp_status_header('503 Service Unavailable');
if (is_object($DB)) {
$error = txpspecialchars(mysqli_error($DB->link));
} else {
$error = '$DB object is not available.';
}
return <<<eod
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Database unavailable</title>
</head>
<body>
<p>Database unavailable.</p>
<!-- {$error} -->
</body>
</html>
eod;
}
}
if (!defined("txpinterface")) {
die('If you just updated and expect to see your site here, please also update the files in your main installation directory.' . ' (Otherwise note that publish.php cannot be called directly.)');
}
include_once txpath . '/lib/txplib_db.php';
include_once txpath . '/lib/txplib_html.php';
include_once txpath . '/lib/txplib_forms.php';
include_once txpath . '/lib/txplib_misc.php';
include_once txpath . '/lib/admin_config.php';
include_once txpath . '/publish/taghandlers.php';
include_once txpath . '/publish/log.php';
include_once txpath . '/publish/comment.php';
// set_error_handler('myErrorHandler');
ob_start();
// useful for clean urls with error-handlers
txp_status_header('200 OK');
// start the clock for runtime
$microstart = getmicrotime();
// check the size of the url request
bombShelter();
// get all prefs as an array
$prefs = get_prefs();
// add prefs to globals
extract($prefs);
// set a higher error level during initialization
set_error_level(@$production_status == 'live' ? 'testing' : @$production_status);
// use the current URL path if $siteurl is unknown
if (empty($siteurl)) {
$prefs['siteurl'] = $siteurl = $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/');
}
if (empty($path_to_site)) {
function mem_form($atts, $thing = '')
{
global $sitename, $prefs, $file_max_upload_size, $mem_form_error, $mem_form_submit, $mem_form, $mem_form_labels, $mem_form_values, $mem_form_default, $mem_form_type, $mem_form_thanks_form, $mem_glz_custom_fields_plugin;
extract(mem_form_lAtts(array('form' => '', 'thanks_form' => '', 'thanks' => graf(mem_form_gTxt('submitted_thanks')), 'label' => '', 'type' => '', 'redirect' => '', 'redirect_form' => '', 'class' => 'memForm', 'file_accept' => '', 'max_file_size' => $file_max_upload_size, 'form_expired_msg' => mem_form_gTxt('form_expired'), 'show_error' => 1, 'show_input' => 1), $atts));
if (empty($type) or empty($form) && empty($thing)) {
trigger_error('Argument not specified for mem_form tag', E_USER_WARNING);
return '';
}
$out = '';
$mem_form_type = $type;
$mem_form_default = array();
callback_event('mem_form.defaults');
unset($atts['show_error'], $atts['show_input']);
$mem_form_id = md5(serialize($atts) . preg_replace('/[\\t\\s\\r\\n]/', '', $thing));
$mem_form_submit = ps('mem_form_id') == $mem_form_id;
$nonce = doSlash(ps('mem_form_nonce'));
$renonce = false;
if ($mem_form_submit) {
safe_delete('txp_discuss_nonce', 'issue_time < date_sub(now(), interval 10 minute)');
if ($rs = safe_row('used', 'txp_discuss_nonce', "nonce = '{$nonce}'")) {
if ($rs['used']) {
unset($mem_form_error);
$mem_form_error[] = mem_form_gTxt('form_used');
$renonce = true;
$_POST['mem_form_submit'] = TRUE;
$_POST['mem_form_id'] = $mem_form_id;
$_POST['mem_form_nonce'] = $nonce;
}
} else {
$mem_form_error[] = $form_expired_msg;
$renonce = true;
}
}
if ($mem_form_submit and $nonce and !$renonce) {
$mem_form_nonce = $nonce;
} elseif (!$show_error or $show_input) {
$mem_form_nonce = md5(uniqid(rand(), true));
safe_insert('txp_discuss_nonce', "issue_time = now(), nonce = '{$mem_form_nonce}'");
}
$form = $form ? fetch_form($form) : $thing;
$form = parse($form);
if (!$mem_form_submit) {
# don't show errors or send mail
} elseif (mem_form_error()) {
if ($show_error or !$show_input) {
$out .= mem_form_display_error();
if (!$show_input) {
return $out;
}
}
} elseif ($show_input and is_array($mem_form)) {
if ($mem_glz_custom_fields_plugin) {
// prep the values
glz_custom_fields_before_save();
}
callback_event('mem_form.spam');
/// load and check spam plugins/
$evaluator =& get_mem_form_evaluator();
$is_spam = $evaluator->is_spam();
if ($is_spam) {
return mem_form_gTxt('spam');
}
$mem_form_thanks_form = $thanks_form ? fetch_form($thanks_form) : $thanks;
safe_update('txp_discuss_nonce', "used = '1', issue_time = now()", "nonce = '{$nonce}'");
$result = callback_event('mem_form.submit');
if (mem_form_error()) {
$out .= mem_form_display_error();
$redirect = false;
}
$thanks_form = $mem_form_thanks_form;
unset($mem_form_thanks_form);
if (!empty($result)) {
return $result;
}
if (mem_form_error() and $show_input) {
// no-op, reshow form with errors
} else {
if ($redirect) {
$_POST = array();
while (@ob_end_clean()) {
}
$uri = hu . ltrim($redirect, '/');
if (empty($_SERVER['FCGI_ROLE']) and empty($_ENV['FCGI_ROLE'])) {
txp_status_header('303 See Other');
header('Location: ' . $uri);
header('Connection: close');
header('Content-Length: 0');
} else {
$uri = htmlspecialchars($uri);
$refresh = mem_form_gTxt('refresh');
if (!empty($redirect_form)) {
$redirect_form = fetch_form($redirect_form);
echo str_replace('{uri}', $uri, $redirect_form);
}
if (empty($redirect_form)) {
echo <<<END
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
\t<title>{$sitename}</title>
\t<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
\t<meta http-equiv="refresh" content="0;url={$uri}" />
</head>
<body>
<a href="{$uri}">{$refresh}</a>
</body>
</html>
END;
}
}
exit;
} else {
return '<div class="memThanks" id="mem' . $mem_form_id . '">' . $thanks_form . '</div>';
}
}
}
if ($show_input) {
$file_accept = !empty($file_accept) ? ' accept="' . $file_accept . '"' : '';
$class = htmlspecialchars($class);
return '<form method="post"' . ((!$show_error and $mem_form_error) ? '' : ' id="mem' . $mem_form_id . '"') . ' class="' . $class . '" action="' . htmlspecialchars(serverSet('REQUEST_URI')) . '#mem' . $mem_form_id . '"' . $file_accept . '>' . ($label ? n . '<fieldset>' : n . '<div>') . ($label ? n . '<legend>' . htmlspecialchars($label) . '</legend>' : '') . $out . n . '<input type="hidden" name="mem_form_nonce" value="' . $mem_form_nonce . '" />' . n . '<input type="hidden" name="mem_form_id" value="' . $mem_form_id . '" />' . (!empty($max_file_size) ? n . '<input type="hidden" name="MAX_FILE_SIZE" value="' . $max_file_size . '" />' : '') . callback_event('mem_form.display', '', 1) . $form . callback_event('mem_form.display') . ($label ? n . '</fieldset>' : n . '</div>') . n . '</form>';
}
return '';
}
unset($GLOBALS[$_txpfoo], ${$_txpfoo});
}
}
}
define("txpinterface", "public");
// Save server path to site root.
if (!isset($here)) {
$here = dirname(__FILE__);
}
// Pull in config unless configuration data has already been provided (multi-headed use).
if (!isset($txpcfg['table_prefix'])) {
// Use buffering to ensure bogus whitespace in config.php is ignored.
ob_start(null, 2048);
include '../private/config.php';
ob_end_clean();
}
if (!defined('txpath')) {
define("txpath", realpath(dirname(__FILE__) . '/../../../textpattern'));
}
include txpath . '/lib/constants.php';
include txpath . '/lib/txplib_misc.php';
if (!isset($txpcfg['table_prefix'])) {
txp_status_header('503 Service Unavailable');
exit('config.php is missing or corrupt. To install Textpattern, visit <a href="./setup/">textpattern/setup/</a>');
}
// custom caches, et cetera?
if (isset($txpcfg['pre_publish_script'])) {
require $txpcfg['pre_publish_script'];
}
include txpath . '/publish.php';
textpattern();
function saveComment()
{
global $siteurl, $comments_moderate, $comments_sendmail, $txpcfg, $comments_disallow_images, $prefs;
$ref = serverset('HTTP_REFERRER');
$in = psa(array('parentid', 'name', 'email', 'web', 'message', 'backpage', 'nonce', 'remember'));
extract($in);
if (!checkCommentsAllowed($parentid)) {
txp_die(gTxt('comments_closed'), '403');
}
if ($prefs['comments_require_name']) {
if (!trim($name)) {
exit(graf(gTxt('comment_name_required')) . graf('<a href="" onClick="history.go(-1)">' . gTxt('back') . '</a>'));
}
}
if ($prefs['comments_require_email']) {
if (!trim($email)) {
exit(graf(gTxt('comment_email_required')) . graf('<a href="" onClick="history.go(-1)">' . gTxt('back') . '</a>'));
}
}
if (!trim($message)) {
exit(graf(gTxt('comment_required')) . graf('<a href="" onClick="history.go(-1)">' . gTxt('back') . '</a>'));
}
$ip = serverset('REMOTE_ADDR');
$message = trim($message);
$blacklisted = is_blacklisted($ip);
$name = doSlash(strip_tags(deEntBrackets($name)));
$web = doSlash(clean_url(strip_tags(deEntBrackets($web))));
$email = doSlash(clean_url(strip_tags(deEntBrackets($email))));
$message2db = doSlash(markup_comment($message));
$isdup = safe_row("message,name", "txp_discuss", "name='{$name}' and message='{$message2db}' and ip='{$ip}'");
if (checkBan($ip)) {
if ($blacklisted == false) {
if (!$isdup) {
if (checkNonce($nonce)) {
$visible = $comments_moderate ? 0 : 1;
$rs = safe_insert("txp_discuss", "parentid = '" . doSlash($parentid) . "',\n\t\t\t\t\t\t\t name\t\t = '{$name}',\n\t\t\t\t\t\t\t email\t = '{$email}',\n\t\t\t\t\t\t\t web\t\t = '{$web}',\n\t\t\t\t\t\t\t ip\t\t = '{$ip}',\n\t\t\t\t\t\t\t message = '{$message2db}',\n\t\t\t\t\t\t\t visible = {$visible},\n\t\t\t\t\t\t\t posted\t = now()");
if ($rs) {
safe_update("txp_discuss_nonce", "used='1'", "nonce='" . doslash($nonce) . "'");
if ($prefs['comment_means_site_updated']) {
safe_update("txp_prefs", "val=now()", "name='lastmod'");
}
if ($comments_sendmail) {
mail_comment($message, $name, $email, $web, $parentid);
}
$updated = update_comments_count($parentid);
$backpage = substr($backpage, 0, $prefs['max_url_len']);
$backpage = preg_replace("/[\n\r#].*\$/s", '', $backpage);
$backpage .= (strstr($backpage, '?') ? '&' : '?') . 'commented=1';
txp_status_header('302 Found');
if ($comments_moderate) {
header('Location: ' . $backpage . '#txpCommentInputForm');
} else {
header('Location: ' . $backpage . '#c' . sprintf("%06s", $rs));
}
}
}
// end check nonce
}
// end check dup
} else {
txp_die(gTxt('your_ip_is_blacklisted_by' . ' ' . $blacklisted), '403');
}
// end check blacklist
} else {
txp_die(gTxt('you_have_been_banned'), '403');
}
// end check site ban
}
function doArticles($atts, $iscustom, $thing = NULL)
{
global $pretext, $prefs;
extract($pretext);
extract($prefs);
$customFields = getCustomFields();
$customlAtts = array_null(array_flip($customFields));
//getting attributes
$theAtts = lAtts(array('form' => 'default', 'listform' => '', 'searchform' => '', 'limit' => 10, 'pageby' => '', 'category' => '', 'section' => '', 'excerpted' => '', 'author' => '', 'sort' => '', 'sortby' => '', 'sortdir' => '', 'month' => '', 'keywords' => '', 'expired' => $publish_expired_articles, 'frontpage' => '', 'id' => '', 'time' => 'past', 'status' => '4', 'pgonly' => 0, 'searchall' => 1, 'searchsticky' => 0, 'allowoverride' => !$q and !$iscustom, 'offset' => 0, 'wraptag' => '', 'break' => '', 'label' => '', 'labeltag' => '', 'class' => '') + $customlAtts, $atts);
// if an article ID is specified, treat it as a custom list
$iscustom = !empty($theAtts['id']) ? true : $iscustom;
//for the txp:article tag, some attributes are taken from globals;
//override them before extract
if (!$iscustom) {
$theAtts['category'] = $c ? $c : '';
$theAtts['section'] = $s && $s != 'default' ? $s : '';
$theAtts['author'] = !empty($author) ? $author : '';
$theAtts['month'] = !empty($month) ? $month : '';
$theAtts['frontpage'] = $s && $s == 'default' ? true : false;
$theAtts['excerpted'] = '';
}
extract($theAtts);
// if a listform is specified, $thing is for doArticle() - hence ignore here.
if (!empty($listform)) {
$thing = '';
}
$pageby = empty($pageby) ? $limit : $pageby;
// treat sticky articles differently wrt search filtering, etc
$status = in_array(strtolower($status), array('sticky', '5')) ? 5 : 4;
$issticky = $status == 5;
// give control to search, if necessary
if ($q && !$iscustom && !$issticky) {
include_once txpath . '/publish/search.php';
$s_filter = $searchall ? filterSearch() : '';
$q = trim($q);
$quoted = $q[0] === '"' && $q[strlen($q) - 1] === '"';
$q = doSlash($quoted ? trim(trim($q, '"')) : $q);
// searchable article fields are limited to the columns of
// the textpattern table and a matching fulltext index must exist.
$cols = do_list($searchable_article_fields);
if (empty($cols) or $cols[0] == '') {
$cols = array('Title', 'Body');
}
$match = ', match (`' . join('`, `', $cols) . "`) against ('{$q}') as score";
$search_terms = preg_replace('/\\s+/', ' ', str_replace(array('\\', '%', '_', '\''), array('\\\\', '\\%', '\\_', '\\\''), $q));
if ($quoted || empty($m) || $m === 'exact') {
for ($i = 0; $i < count($cols); $i++) {
$cols[$i] = "`{$cols[$i]}` like '%{$search_terms}%'";
}
} else {
$colJoin = $m === 'any' ? 'or' : 'and';
$search_terms = explode(' ', $search_terms);
for ($i = 0; $i < count($cols); $i++) {
$like = array();
foreach ($search_terms as $search_term) {
$like[] = "`{$cols[$i]}` like '%{$search_term}%'";
}
$cols[$i] = '(' . join(' ' . $colJoin . ' ', $like) . ')';
}
}
$cols = join(' or ', $cols);
$search = " and ({$cols}) {$s_filter}";
// searchall=0 can be used to show search results for the current section only
if ($searchall) {
$section = '';
}
if (!$sort) {
$sort = 'score desc';
}
} else {
$match = $search = '';
if (!$sort) {
$sort = 'Posted desc';
}
}
// for backwards compatibility
// sortby and sortdir are deprecated
if ($sortby) {
trigger_error(gTxt('deprecated_attribute', array('{name}' => 'sortby')), E_USER_NOTICE);
if (!$sortdir) {
$sortdir = 'desc';
} else {
trigger_error(gTxt('deprecated_attribute', array('{name}' => 'sortdir')), E_USER_NOTICE);
}
$sort = "{$sortby} {$sortdir}";
} elseif ($sortdir) {
trigger_error(gTxt('deprecated_attribute', array('{name}' => 'sortdir')), E_USER_NOTICE);
$sort = "Posted {$sortdir}";
}
//Building query parts
$frontpage = ($frontpage and (!$q or $issticky)) ? filterFrontPage() : '';
$category = join("','", doSlash(do_list($category)));
$category = !$category ? '' : " and (Category1 IN ('" . $category . "') or Category2 IN ('" . $category . "'))";
$section = !$section ? '' : " and Section IN ('" . join("','", doSlash(do_list($section))) . "')";
$excerpted = $excerpted == 'y' || $excerpted == '1' ? " and Excerpt !=''" : '';
$author = !$author ? '' : " and AuthorID IN ('" . join("','", doSlash(do_list($author))) . "')";
$month = !$month ? '' : " and Posted like '" . doSlash($month) . "%'";
$ids = array_map('intval', do_list($id));
$id = !$id ? '' : " and ID IN (" . join(',', $ids) . ")";
switch ($time) {
case 'any':
$time = "";
break;
case 'future':
$time = " and Posted > now()";
break;
default:
$time = " and Posted <= now()";
}
if (!$expired) {
$time .= " and (now() <= Expires or Expires = " . NULLDATETIME . ")";
}
$custom = '';
if ($customFields) {
foreach ($customFields as $cField) {
if (isset($atts[$cField])) {
$customPairs[$cField] = $atts[$cField];
}
}
if (!empty($customPairs)) {
$custom = buildCustomSql($customFields, $customPairs);
}
}
//Allow keywords for no-custom articles. That tagging mode, you know
if ($keywords) {
$keys = doSlash(do_list($keywords));
foreach ($keys as $key) {
$keyparts[] = "FIND_IN_SET('" . $key . "',Keywords)";
}
$keywords = " and (" . join(' or ', $keyparts) . ")";
}
if ($q and $searchsticky) {
$statusq = ' and Status >= 4';
} elseif ($id) {
$statusq = ' and Status >= 4';
} else {
$statusq = ' and Status = ' . intval($status);
}
$where = "1=1" . $statusq . $time . $search . $id . $category . $section . $excerpted . $month . $author . $keywords . $custom . $frontpage;
//do not paginate if we are on a custom list
if (!$iscustom and !$issticky) {
$grand_total = safe_count('textpattern', $where);
$total = $grand_total - $offset;
$numPages = ceil($total / $pageby);
$pg = !$pg ? 1 : $pg;
$pgoffset = $offset + ($pg - 1) * $pageby;
// send paging info to txp:newer and txp:older
$pageout['pg'] = $pg;
$pageout['numPages'] = $numPages;
$pageout['s'] = $s;
$pageout['c'] = $c;
$pageout['context'] = 'article';
$pageout['grand_total'] = $grand_total;
$pageout['total'] = $total;
global $thispage;
if (empty($thispage)) {
$thispage = $pageout;
}
if ($pgonly) {
return;
}
} else {
$pgoffset = $offset;
}
// preserve order of custom article ids unless 'sort' attribute is set
if (!empty($atts['id']) && empty($atts['sort'])) {
$safe_sort = 'field(id, ' . join(',', $ids) . ')';
} else {
$safe_sort = doSlash($sort);
}
$rs = safe_rows_start("*, unix_timestamp(Posted) as uPosted, unix_timestamp(Expires) as uExpires, unix_timestamp(LastMod) as uLastMod" . $match, 'textpattern', $where . ' order by ' . $safe_sort . ' limit ' . intval($pgoffset) . ', ' . intval($limit));
// get the form name
if ($q and !$iscustom and !$issticky) {
$fname = $searchform ? $searchform : 'search_results';
} else {
$fname = $listform ? $listform : $form;
}
if ($rs) {
$count = 0;
$last = numRows($rs);
$articles = array();
while ($a = nextRow($rs)) {
++$count;
populateArticleData($a);
global $thisarticle, $uPosted, $limit;
$thisarticle['is_first'] = $count == 1;
$thisarticle['is_last'] = $count == $last;
filterAtts($theAtts);
// article form preview
if (txpinterface === 'admin' && ps('Form')) {
doAuth();
if (!has_privs('form')) {
txp_status_header('401 Unauthorized');
exit(hed('401 Unauthorized', 1) . graf(gTxt('restricted_area')));
}
$articles[] = parse(gps('Form'));
} elseif ($allowoverride and $a['override_form']) {
$articles[] = parse_form($a['override_form']);
} else {
$articles[] = $thing ? parse($thing) : parse_form($fname);
}
// sending these to paging_link(); Required?
$uPosted = $a['uPosted'];
unset($GLOBALS['thisarticle']);
}
return doLabel($label, $labeltag) . doWrap($articles, $wraptag, $break, $class);
}
}
function saveComment()
{
global $siteurl, $comments_moderate, $comments_sendmail, $txpcfg, $comments_disallow_images, $prefs;
$ref = serverset('HTTP_REFERRER');
$in = getComment();
$evaluator =& get_comment_evaluator();
extract($in);
if (!checkCommentsAllowed($parentid)) {
txp_die(gTxt('comments_closed'), '403');
}
$ip = serverset('REMOTE_ADDR');
if (!checkBan($ip)) {
txp_die(gTxt('you_have_been_banned'), '403');
}
$blacklisted = is_blacklisted($ip);
if ($blacklisted) {
txp_die(gTxt('your_ip_is_blacklisted_by' . ' ' . $blacklisted), '403');
}
$name = doSlash(strip_tags(deEntBrackets($name)));
$web = doSlash(clean_url(strip_tags(deEntBrackets($web))));
$email = doSlash(clean_url(strip_tags(deEntBrackets($email))));
$message = trim($message);
$message2db = doSlash(markup_comment($message));
$isdup = safe_row("message,name", "txp_discuss", "name='{$name}' and message='{$message2db}' and ip='{$ip}'");
if ($prefs['comments_require_name'] && !trim($name) || $prefs['comments_require_email'] && !trim($email) || !trim($message)) {
$evaluator->add_estimate(RELOAD, 1);
// The error-messages are added in the preview-code
}
if ($isdup) {
$evaluator->add_estimate(RELOAD, 1);
}
// FIXME? Tell the user about dupe?
if ($evaluator->get_result() != RELOAD && checkNonce($nonce)) {
callback_event('comment.save');
$visible = $evaluator->get_result();
if ($visible != RELOAD) {
$rs = safe_insert("txp_discuss", "parentid = '" . doSlash($parentid) . "',\n\t\t\t\t\t name\t\t = '{$name}',\n\t\t\t\t\t email\t = '{$email}',\n\t\t\t\t\t web\t\t = '{$web}',\n\t\t\t\t\t ip\t\t = '{$ip}',\n\t\t\t\t\t message = '{$message2db}',\n\t\t\t\t\t visible = {$visible},\n\t\t\t\t\t posted\t = now()");
if ($rs) {
safe_update("txp_discuss_nonce", "used='1'", "nonce='" . doslash($nonce) . "'");
if ($prefs['comment_means_site_updated']) {
safe_update("txp_prefs", "val=now()", "name='lastmod'");
}
if ($comments_sendmail) {
mail_comment($message, $name, $email, $web, $parentid, $rs);
}
$updated = update_comments_count($parentid);
$backpage = substr($backpage, 0, $prefs['max_url_len']);
$backpage = preg_replace("/[\n\r#].*\$/s", '', $backpage);
$backpage .= (strstr($backpage, '?') ? '&' : '?') . 'commented=' . ($visible == VISIBLE ? '1' : '0');
txp_status_header('302 Found');
if ($comments_moderate) {
header('Location: ' . $backpage . '#txpCommentInputForm');
} else {
header('Location: ' . $backpage . '#c' . sprintf("%06s", $rs));
}
if ($prefs['logging'] == 'refer') {
logit('refer');
} elseif ($prefs['logging'] == 'all') {
logit();
}
$evaluator->write_trace();
exit;
}
}
}
// Force another Preview
$_POST['preview'] = RELOAD;
//$evaluator->write_trace();
}
function txp_die($msg, $status = '503')
{
// 503 status might discourage search engines from indexing or caching the error message
//Make it possible to call this function as a tag, e.g. in an article <txp:txp_die status="410" />
if (is_array($msg)) {
extract(lAtts(array('msg' => '', 'status' => '503'), $msg));
}
// Intentionally incomplete - just the ones we're likely to use
$codes = array('200' => 'OK', '301' => 'Moved Permanently', '302' => 'Found', '304' => 'Not Modified', '307' => 'Temporary Redirect', '401' => 'Unauthorized', '403' => 'Forbidden', '404' => 'Not Found', '410' => 'Gone', '414' => 'Request-URI Too Long', '500' => 'Internal Server Error', '501' => 'Not Implemented', '503' => 'Service Unavailable');
if ($status) {
if (isset($codes[strval($status)])) {
$status = strval($status) . ' ' . $codes[$status];
}
txp_status_header($status);
}
$code = '';
if ($status and $parts = @explode(' ', $status, 2)) {
$code = @$parts[0];
}
if (@$GLOBALS['connected']) {
$out = safe_field('user_html', 'txp_page', "name='error_" . doSlash($code) . "'");
if (empty($out)) {
$out = safe_field('user_html', 'txp_page', "name='error_default'");
}
}
if (empty($out)) {
$out = <<<eod
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Textpattern Error: <txp:error_status /></title>
</head>
<body>
<p align="center" style="margin-top:4em"><txp:error_message /></p>
</body>
</html>
eod;
}
$GLOBALS['txp_error_message'] = $msg;
$GLOBALS['txp_error_status'] = $status;
$GLOBALS['txp_error_code'] = $code;
header("Content-type: text/html; charset=utf-8");
die(parse($out));
}
/**
* Generic asset renderer
* @param string $file file handle
* @param string $mime mimetype
*/
public function render_asset($file, $mime = 'text/plain')
{
$file = $this->get_asset($file);
ob_clean();
header('Content-Type: ' . $mime . '; charset=utf-8');
txp_status_header('200 OK');
echo $file;
die;
}
/**
* Generates and outputs an Atom feed.
*
* This function can only be called once on a page. It outputs an Atom feed
* based on the requested URL parameters. Accepts HTTP GET parameters 'limit',
* 'area', 'section' and 'category'.
*/
function atom()
{
global $thisarticle, $prefs;
set_error_handler('feedErrorHandler');
ob_clean();
extract($prefs);
$last = fetch("UNIX_TIMESTAMP(val)", 'txp_prefs', 'name', 'lastmod');
extract(doSlash(gpsa(array('limit', 'area'))));
// Build filter criteria from a comma-separated list of sections
// and categories.
$feed_filter_limit = get_pref('feed_filter_limit', 10);
$section = gps('section');
$category = gps('category');
if (!is_scalar($section) || !is_scalar($category)) {
txp_die('Not Found', 404);
}
$section = $section ? array_slice(do_list_unique($section), 0, $feed_filter_limit) : array();
$category = $category ? array_slice(do_list_unique($category), 0, $feed_filter_limit) : array();
$st = array();
foreach ($section as $s) {
$st[] = fetch_section_title($s);
}
$ct = array();
foreach ($category as $c) {
$ct[] = fetch_category_title($c);
}
$sitename .= $section ? ' - ' . join(' - ', $st) : '';
$sitename .= $category ? ' - ' . join(' - ', $ct) : '';
$pub = safe_row("RealName, email", 'txp_users', "privs = 1");
// Feed header.
$out[] = tag(htmlspecialchars($sitename), 'title', t_text);
$out[] = tag(htmlspecialchars($site_slogan), 'subtitle', t_text);
$out[] = '<link' . r_relself . ' href="' . pagelinkurl(array('atom' => 1, 'area' => $area, 'section' => $section, 'category' => $category, 'limit' => $limit)) . '" />';
$out[] = '<link' . r_relalt . t_texthtml . ' href="' . hu . '" />';
// Atom feeds with mail or domain name.
$dn = explode('/', $siteurl);
$mail_or_domain = $use_mail_on_feeds_id ? eE($blog_mail_uid) : $dn[0];
$out[] = tag('tag:' . $mail_or_domain . ',' . $blog_time_uid . ':' . $blog_uid . ($section ? '/' . join(',', $section) : '') . ($category ? '/' . join(',', $category) : ''), 'id');
$out[] = tag('Textpattern', 'generator', ' uri="http://textpattern.com/" version="' . $version . '"');
$out[] = tag(safe_strftime("w3cdtf", $last), 'updated');
$auth[] = tag($pub['RealName'], 'name');
$auth[] = $include_email_atom ? tag(eE($pub['email']), 'email') : '';
$auth[] = tag(hu, 'uri');
$out[] = tag(n . t . t . join(n . t . t, $auth) . n, 'author');
$out[] = callback_event('atom_head');
// Feed items.
$articles = array();
$section = doSlash($section);
$category = doSlash($category);
if (!$area or $area == 'article') {
$sfilter = !empty($section) ? "AND Section IN ('" . join("','", $section) . "')" : '';
$cfilter = !empty($category) ? "AND (Category1 IN ('" . join("','", $category) . "') OR Category2 IN ('" . join("','", $category) . "'))" : '';
$limit = $limit ? $limit : $rss_how_many;
$limit = intval(min($limit, max(100, $rss_how_many)));
$frs = safe_column("name", 'txp_section', "in_rss != '1'");
$query = array();
foreach ($frs as $f) {
$query[] = "AND Section != '" . doSlash($f) . "'";
}
$query[] = $sfilter;
$query[] = $cfilter;
$expired = $publish_expired_articles ? " " : " AND (" . now('expires') . " <= Expires OR Expires = " . NULLDATETIME . ") ";
$rs = safe_rows_start("*,\n ID AS thisid,\n UNIX_TIMESTAMP(Posted) AS uPosted,\n UNIX_TIMESTAMP(Expires) AS uExpires,\n UNIX_TIMESTAMP(LastMod) AS uLastMod", 'textpattern', "Status = 4 AND Posted <= " . now('posted') . $expired . join(' ', $query) . "ORDER BY Posted DESC LIMIT {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
populateArticleData($a);
$cb = callback_event('atom_entry');
$e = array();
$a['posted'] = $uPosted;
$a['expires'] = $uExpires;
if ($show_comment_count_in_feed) {
$count = $comments_count > 0 ? ' [' . $comments_count . ']' : '';
} else {
$count = '';
}
$thisauthor = get_author_name($AuthorID);
$e['thisauthor'] = tag(n . t . t . t . tag(htmlspecialchars($thisauthor), 'name') . n . t . t, 'author');
$e['issued'] = tag(safe_strftime('w3cdtf', $uPosted), 'published');
$e['modified'] = tag(safe_strftime('w3cdtf', $uLastMod), 'updated');
$escaped_title = htmlspecialchars($Title);
$e['title'] = tag($escaped_title . $count, 'title', t_html);
$permlink = permlinkurl($a);
$e['link'] = '<link' . r_relalt . t_texthtml . ' href="' . $permlink . '" />';
$e['id'] = tag('tag:' . $mail_or_domain . ',' . $feed_time . ':' . $blog_uid . '/' . $uid, 'id');
$e['category1'] = trim($Category1) ? '<category term="' . htmlspecialchars($Category1) . '" />' : '';
$e['category2'] = trim($Category2) ? '<category term="' . htmlspecialchars($Category2) . '" />' : '';
$summary = trim(replace_relative_urls(parse($thisarticle['excerpt']), $permlink));
$content = trim(replace_relative_urls(parse($thisarticle['body']), $permlink));
if ($syndicate_body_or_excerpt) {
// Short feed: use body as summary if there's no excerpt.
if (!trim($summary)) {
$summary = $content;
}
$content = '';
}
if (trim($content)) {
$e['content'] = tag(n . escape_cdata($content) . n, 'content', t_html);
}
if (trim($summary)) {
$e['summary'] = tag(n . escape_cdata($summary) . n, 'summary', t_html);
}
$articles[$ID] = tag(n . t . t . join(n . t . t, $e) . n . $cb, 'entry');
$etags[$ID] = strtoupper(dechex(crc32($articles[$ID])));
$dates[$ID] = $uLastMod;
}
}
} elseif ($area == 'link') {
$cfilter = $category ? "category in ('" . join("','", $category) . "')" : '1';
$limit = $limit ? $limit : $rss_how_many;
$limit = intval(min($limit, max(100, $rss_how_many)));
$rs = safe_rows_start("*", 'txp_link', "{$cfilter} ORDER BY date DESC, id DESC LIMIT {$limit}");
if ($rs) {
while ($a = nextRow($rs)) {
extract($a);
$e['title'] = tag(htmlspecialchars($linkname), 'title', t_html);
$e['content'] = tag(n . htmlspecialchars($description) . n, 'content', t_html);
$url = preg_replace("/^\\/(.*)/", "https?://{$siteurl}/\$1", $url);
$url = preg_replace("/&((?U).*)=/", "&\\1=", $url);
$e['link'] = '<link' . r_relalt . t_texthtml . ' href="' . $url . '" />';
$e['issued'] = tag(safe_strftime('w3cdtf', strtotime($date)), 'published');
$e['modified'] = tag(gmdate('Y-m-d\\TH:i:s\\Z', strtotime($date)), 'updated');
$e['id'] = tag('tag:' . $mail_or_domain . ',' . safe_strftime('%Y-%m-%d', strtotime($date)) . ':' . $blog_uid . '/' . $id, 'id');
$articles[$id] = tag(n . t . t . join(n . t . t, $e) . n, 'entry');
$etags[$id] = strtoupper(dechex(crc32($articles[$id])));
$dates[$id] = $date;
}
}
}
if (!$articles) {
if ($section) {
if (safe_field("name", 'txp_section', "name IN ('" . join("','", $section) . "')") == false) {
txp_die(gTxt('404_not_found'), '404');
}
} elseif ($category) {
switch ($area) {
case 'link':
if (safe_field("id", 'txp_category', "name = '{$category}' AND type = 'link'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
break;
case 'article':
default:
if (safe_field("id", 'txp_category', "name IN ('" . join("','", $category) . "') AND type = 'article'") == false) {
txp_die(gTxt('404_not_found'), '404');
}
break;
}
}
} else {
// Turn on compression if we aren't using it already.
if (extension_loaded('zlib') && ini_get("zlib.output_compression") == 0 && ini_get('output_handler') != 'ob_gzhandler' && !headers_sent()) {
// Make sure notices/warnings/errors don't fudge up the feed when
// compression is used.
$buf = '';
while ($b = @ob_get_clean()) {
$buf .= $b;
}
@ob_start('ob_gzhandler');
echo $buf;
}
handle_lastmod();
$hims = serverset('HTTP_IF_MODIFIED_SINCE');
$imsd = $hims ? strtotime($hims) : 0;
if (is_callable('apache_request_headers')) {
$headers = apache_request_headers();
if (isset($headers["A-IM"])) {
$canaim = strpos($headers["A-IM"], "feed");
} else {
$canaim = false;
}
} else {
$canaim = false;
}
$hinm = stripslashes(serverset('HTTP_IF_NONE_MATCH'));
$cutarticles = false;
if ($canaim !== false) {
foreach ($articles as $id => $thing) {
if (strpos($hinm, $etags[$id])) {
unset($articles[$id]);
$cutarticles = true;
$cut_etag = true;
}
if ($dates[$id] < $imsd) {
unset($articles[$id]);
$cutarticles = true;
$cut_time = true;
}
}
}
if (isset($cut_etag) && isset($cut_time)) {
header("Vary: If-None-Match, If-Modified-Since");
} elseif (isset($cut_etag)) {
header("Vary: If-None-Match");
} elseif (isset($cut_time)) {
header("Vary: If-Modified-Since");
}
$etag = @join("-", $etags);
if (strstr($hinm, $etag)) {
txp_status_header('304 Not Modified');
exit(0);
}
if ($etag) {
header('ETag: "' . $etag . '"');
}
if ($cutarticles) {
// header("HTTP/1.1 226 IM Used");
// This should be used as opposed to 200, but Apache doesn't like it.
// http://intertwingly.net/blog/2004/09/11/Vary-ETag/ says that the
// status code should be 200.
header("Cache-Control: no-store, im");
header("IM: feed");
}
}
$out = array_merge($out, $articles);
header('Content-type: application/atom+xml; charset=utf-8');
return chr(60) . '?xml version="1.0" encoding="UTF-8"?' . chr(62) . n . '<feed xml:lang="' . txpspecialchars($language) . '" xmlns="http://www.w3.org/2005/Atom">' . join(n, $out) . '</feed>';
}
/**
* Send a text/javascript response
*
* @param string $out
* @since 4.4
*/
function send_script_response($out = '')
{
ob_clean();
header('Content-Type: text/javascript; charset=utf-8');
txp_status_header('200 OK');
die($out);
}
function saveComment()
{
global $siteurl, $comments_moderate, $comments_sendmail, $txpcfg, $comments_disallow_images, $prefs;
$ref = serverset('HTTP_REFERRER');
$in = getComment();
$evaluator =& get_comment_evaluator();
extract($in);
if (!checkCommentsAllowed($parentid)) {
txp_die(gTxt('comments_closed'), '403');
}
$ip = serverset('REMOTE_ADDR');
if (!checkBan($ip)) {
txp_die(gTxt('you_have_been_banned'), '403');
}
$blacklisted = is_blacklisted($ip);
if ($blacklisted) {
txp_die(gTxt('your_ip_is_blacklisted_by' . ' ' . $blacklisted), '403');
}
$web = clean_url($web);
$email = clean_url($email);
if ($remember == 1 || ps('checkbox_type') == 'forget' && ps('forget') != 1) {
setCookies($name, $email, $web);
} else {
destroyCookies();
}
$name = doSlash(strip_tags(deEntBrackets($name)));
$web = doSlash(strip_tags(deEntBrackets($web)));
$email = doSlash(strip_tags(deEntBrackets($email)));
$message = substr(trim($message), 0, 65535);
$message2db = doSlash(markup_comment($message));
$isdup = safe_row("message,name", "txp_discuss", "name='{$name}' and message='{$message2db}' and ip='" . doSlash($ip) . "'");
if ($prefs['comments_require_name'] && !trim($name) || $prefs['comments_require_email'] && !trim($email) || !trim($message)) {
$evaluator->add_estimate(RELOAD, 1);
// The error-messages are added in the preview-code
}
if ($isdup) {
$evaluator->add_estimate(RELOAD, 1);
}
// FIXME? Tell the user about dupe?
if ($evaluator->get_result() != RELOAD && checkNonce($nonce)) {
callback_event('comment.save');
$visible = $evaluator->get_result();
if ($visible != RELOAD) {
$parentid = assert_int($parentid);
$rs = safe_insert("txp_discuss", "parentid = {$parentid},\n\t\t\t\t\t name\t\t = '{$name}',\n\t\t\t\t\t email\t = '{$email}',\n\t\t\t\t\t web\t\t = '{$web}',\n\t\t\t\t\t ip\t\t = '" . doSlash($ip) . "',\n\t\t\t\t\t message = '{$message2db}',\n\t\t\t\t\t visible = " . intval($visible) . ",\n\t\t\t\t\t posted\t = now()");
if ($rs) {
safe_update("txp_discuss_nonce", "used = 1", "nonce='" . doSlash($nonce) . "'");
if ($prefs['comment_means_site_updated']) {
update_lastmod();
}
if ($comments_sendmail) {
mail_comment($message, $name, $email, $web, $parentid, $rs);
}
$updated = update_comments_count($parentid);
$backpage = substr($backpage, 0, $prefs['max_url_len']);
$backpage = preg_replace("/[\n\r#].*\$/s", '', $backpage);
$backpage = preg_replace("#(https?://[^/]+)/.*\$#", "\$1", hu) . $backpage;
if (defined('PARTLY_MESSY') and PARTLY_MESSY) {
$backpage = permlinkurl_id($parentid);
}
$backpage .= (strstr($backpage, '?') ? '&' : '?') . 'commented=' . ($visible == VISIBLE ? '1' : '0');
txp_status_header('302 Found');
if ($comments_moderate) {
header('Location: ' . $backpage . '#txpCommentInputForm');
} else {
header('Location: ' . $backpage . '#c' . sprintf("%06s", $rs));
}
log_hit('302');
$evaluator->write_trace();
exit;
}
}
}
// Force another Preview
$_POST['preview'] = RELOAD;
//$evaluator->write_trace();
}
/**
* Sends an application/json response.
*
* If the provided $out is not a string, its encoded as JSON. Any string is
* treated as it were valid JSON.
*
* @param mixed $out The JSON
* @since 4.6.0
* @package Ajax
*/
function send_json_response($out = '')
{
static $headers_sent = false;
if (!$headers_sent) {
ob_clean();
header('Content-Type: application/json; charset=utf-8');
txp_status_header('200 OK');
$headers_sent = true;
}
if (!is_string($out)) {
$out = json_encode($out);
}
echo $out;
}
/**
* Protection from those who'd bomb the site by GET.
*
* Origin of the infamous 'Nice try' message and an even more useful '503' http status.
*/
function bombShelter()
{
global $prefs;
$in = serverset('REQUEST_URI');
if (!empty($prefs['max_url_len']) and strlen($in) > $prefs['max_url_len']) {
txp_status_header('503 Service Unavailable');
exit('Nice try.');
}
}
function yab_shop_redirect($uri)
{
if ($uri != '') {
txp_status_header('303 See Other');
header('Location: ' . $uri);
header('Connection: close');
header('Content-Length: 0');
} else {
return false;
}
}
function send_xml_response($response = array())
{
ob_clean();
$default_response = array('http-status' => '200 OK');
// backfill default response properties
$response = $response + $default_response;
header('Content-Type: text/xml');
txp_status_header($response['http-status']);
$out[] = '<?xml version="1.0" encoding="utf-8" standalone="yes"?>';
$out[] = '<textpattern>';
foreach ($response as $element => $value) {
// element *names* must not contain <>&, *values* may.
$value = doSpecial($value);
if (is_array($value)) {
$out[] = t . "<{$element}>" . n;
foreach ($value as $e => $v) {
$out[] = t . t . "<{$e} value='{$v}' />" . n;
}
$out[] = t . "</{$element}>" . n;
} else {
$out[] = t . "<{$element} value='{$value}' />" . n;
}
}
$out[] = '</textpattern>';
echo join(n, $out);
exit;
}
private function setRating()
{
$userRating = intval(gps('rating'));
if ($this->voted) {
echo tag('You have already voted!', 'p', ' class="error"');
} elseif ($userRating > $this->maxValue) {
echo tag('Cheater!', 'p', ' class="error"');
} else {
safe_insert($this->dbTable, "parentid={$this->parentid}, value={$userRating}, max_value={$this->maxValue}, ip=INET_ATON('{$this->ip}')");
while (@ob_end_clean()) {
}
if (empty($_SERVER['FCGI_ROLE']) and empty($_ENV['FCGI_ROLE'])) {
txp_status_header('303 See Other');
header('Location: ' . $this->uri);
header('Connection: close');
header('Content-Length: 0');
} else {
echo <<<HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-us" xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="refresh" content="0;url={$this->uri}"/>
<title>Redirecting...</title>
</head>
<body>
<a href="{$this->uri}">Back to the article</a>
</body>
</html>
HTML;
}
}
}