示例#1
        $_USER = SESS_sessionCheck();
        if ($_USER['uid'] > 0) {
            $_GROUPS = SEC_getUserGroups($_USER['uid']);
            // Global array of current user permissions [read,edit]
            $_RIGHTS = explode(',', SEC_getUserPermissions());
        }
    }
}
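//set up the user
// Anonymous requests and the built-in anonymous account (uid 1) are both
// treated as user 0 from here on.
if ($_USER['uid'] < 2) {
    $uid = 0;
} else {
    $uid = $_USER['uid'];
}
$error = 'NULL';
$filter = new sanitizer();
$op = $filter->getCleanData('char', $_REQUEST['op']);
$filter->initFilter();
// Reset Filter
$firephp = FirePHP::getInstance(true);
$firephp->group('Nexfile - AJAX Server');
// Log line for the request.  The optional fields are guarded so an absent
// parameter does not raise an undefined-index notice into the AJAX response,
// and the two counters are cast so the log never carries raw request text
// for them.  The values used below are for logging only; the request data is
// still untrusted and is filtered again where it is actually consumed.
$logCid = isset($_POST['cid']) ? (int) $_POST['cid'] : 0;
if (isset($_REQUEST['pending'])) {
    $logmessage = "op:{$op}, user: {$uid}, cid: {$logCid}, pending request count: " . (int) $_REQUEST['pending'];
} else {
    // NOTE(review): reportmode is logged as received; it is not used for any decision here
    $logReportmode = isset($_GET['reportmode']) ? $_GET['reportmode'] : '';
    $logmessage = "op:{$op}, user: {$uid}, reportmode: {$logReportmode}";
}
$firephp->log($logmessage);
//COM_errorLog ($logmessage);
$data = array();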
function firelogmsg($message)
{
示例#2
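/**
* Normalise a menu element URL taken from the edit form.
*
* Anything that is not already absolute ("http..."), does not use the
* "%site" placeholder and is not a pure fragment ("#...") gets an "http://"
* scheme prepended.  Empty / whitespace-only input is returned unchanged,
* and an empty string is never indexed (the old inline check read $url[0]
* before testing for emptiness).
*
* @param    string  $url    URL as submitted (already run through COM_applyFilter)
* @return   string          URL with a scheme
*/
function _MB_normalizeMenuUrl($url)
{
    if (rtrim($url) == '') {
        return $url;
    }
    if (strpos($url, 'http') === 0 || strpos($url, '%site') !== false || $url[0] == '#') {
        return $url;
    }
    return 'http://' . $url;
}

/**
* Save an edited menu element from the posted admin form.
*
* All form fields are taken from $_POST, filtered, and written to the
* menu_elements table; afterwards the parent menu is re-ordered.  Every
* string value is escaped with DB_escapeString() immediately before it is
* interpolated into the UPDATE statement and every numeric value is cast,
* so no form field can break out of its SQL literal.
*
* @return   void
*/
function MB_saveEditMenuElement()
{
    global $_CONF, $_TABLES, $MenuElementAllowedHTML;

    $filter = sanitizer::getInstance();
    $allowedElements = $filter->makeAllowedElements($MenuElementAllowedHTML);
    $filter->setAllowedElements($allowedElements);
    $filter->setPostmode('html');

    $id = COM_applyFilter($_POST['id'], true);
    $menu_id = COM_applyFilter($_POST['menu']);
    $pid = COM_applyFilter($_POST['pid'], true);
    $label = DB_escapeString($filter->filterHTML($_POST['menulabel']));
    $type = COM_applyFilter($_POST['menutype'], true);
    $target = COM_applyFilter($_POST['urltarget']);
    $menu = menu::getInstance($menu_id);

    if ($type == 0) {
        $type = 1;
    }
    // the subtype comes from a different form field for each element type
    switch ($type) {
        case 2:
            $subtype = COM_applyFilter($_POST['glfunction']);
            break;
        case 3:
            $subtype = COM_applyFilter($_POST['gltype'], true);
            break;
        case 4:
            $subtype = COM_applyFilter($_POST['pluginname']);
            break;
        case 5:
            $subtype = COM_applyFilter($_POST['spname']);
            break;
        case 6:
            $subtype = _MB_normalizeMenuUrl(trim(COM_applyFilter($_POST['menuurl'])));
            break;
        case 7:
            $subtype = COM_applyFilter($_POST['phpfunction']);
            break;
        case 9:
            $subtype = COM_applyFilter($_POST['topicname']);
            break;
        default:
            $subtype = '';
            break;
    }
    $active = COM_applyFilter($_POST['menuactive'], true);

    $url = '';
    if (isset($_POST['menuurl']) && $_POST['menuurl'] != '') {
        $url = _MB_normalizeMenuUrl(trim(COM_applyFilter($_POST['menuurl'])));
    }
    $group_id = COM_applyFilter($_POST['group'], true);

    // the element is placed directly after the element chosen in the order list
    $aid = COM_applyFilter($_POST['menuorder'], true);
    $aorder = DB_getItem($_TABLES['menu_elements'], 'element_order', 'id=' . (int) $aid);
    $neworder = $aorder + 1;

    // $subtype and $url are free text for several element types; escape them
    // like $label and $target instead of interpolating them raw
    $sql = "UPDATE {$_TABLES['menu_elements']} SET "
        . "pid=" . (int) $pid
        . ", element_order=" . (int) $neworder
        . ", element_label='{$label}'"
        . ", element_type='" . (int) $type . "'"
        . ", element_subtype='" . DB_escapeString($subtype) . "'"
        . ", element_active=" . (int) $active
        . ", element_url='" . DB_escapeString($url) . "'"
        . ", element_target='" . DB_escapeString($target) . "'"
        . ", group_id=" . (int) $group_id
        . " WHERE id=" . (int) $id;
    DB_query($sql);
    $menu->reorderMenu($pid);
}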
示例#3
    } else {
        echo $LANG_FMERR['download4'];
        exit;
    }
    // Check and see if the user has selected files to be downloaded as an archive
} elseif (isset($_POST['multiaction']) and $_POST['multiaction'] == 'archive' and !empty($_POST['checkeditems'])) {
    // delete any older zip archives that were created
    $archiveDirectory = "{$_FMCONF['storage_path']}tmp/";
    if (!file_exists($archiveDirectory)) {
        @mkdir($archiveDirectory);
    }
    $fd = opendir($archiveDirectory);
    while (false !== ($file = @readdir($fd))) {
        if ($file != '.' && $file != '..' && $file != 'CVS' && preg_match('/\\.zip$/i', $file)) {
            $ftimestamp = @fileatime("{$archiveDirectory}{$file}");
            if ($ftimestamp < time() - 600) {
                COM_errorLog("Nexfile: Remove tmp archive file : {$file}");
                @unlink("{$archiveDirectory}{$file}");
            }
        }
    }
    $filter = new sanitizer();
    $cid = $filter->getDbData('int', $_POST['cid']);
    $fileitems = $filter->getDbData('text', $_POST['checkeditems']);
    $files = explode(',', $fileitems);
    include 'lib-archive.php';
    nexdoc_createArchiveFromFiles($cid, $fileitems);
} else {
    echo $LANG_FMERR['download4'];
    exit;
}
示例#4
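/**
* AJAX endpoint: back up one table in chunks.
*
* Reads the table name, optional backup file name and optional start record
* from $_POST, runs one backupTable() pass and answers with a JSON document.
* The reply always has the shape {"json": "<json-encoded status>"}; the
* inner document carries errorCode (0 = done, 2 = more records to process,
* 3 = serious error) plus the record counters.  Never returns - every path
* ends the request.
*
* @return   void
*/
function DBADMIN_backupTableAjax()
{
    global $_VARS;

    if (!COM_isAjax()) {
        die;
    }
    if (!isset($_VARS['_dbback_allstructs'])) {
        $_VARS['_dbback_allstructs'] = 0;
    }

    $filter = sanitizer::getInstance();
    $filename = '';
    if (isset($_POST['backup_filename'])) {
        // the only check between the posted name and the backup file path
        $filename = $filter->sanitizeFilename($_POST['backup_filename'], true);
    }
    // NOTE(review): $table is only passed through COM_applyFilter(); whether
    // backupTable() checks it against the real table list is not visible here
    $table = isset($_POST['table']) ? COM_applyFilter($_POST['table']) : '';
    $start = isset($_POST['start']) ? COM_applyFilter($_POST['start'], true) : 0;

    $backup = new dbBackup();
    $backup->setBackupFilename($filename);
    list($rc, $sessionCounter, $recordCounter) = $backup->backupTable($table, $_VARS['_dbback_allstructs'], $start);

    $retval = array();
    switch ($rc) {
        case 1:
            // more records to process - tell the client where to resume
            $retval['errorCode'] = 2;
            $retval['startrecord'] = $recordCounter;
            $retval['processed'] = $sessionCounter;
            break;
        case -2:
            // serious error
            $retval['errorCode'] = 3;
            break;
        default:
            $retval['errorCode'] = 0;
            $retval['processed'] = $sessionCounter;
            break;
    }
    // single exit path instead of one echo/exit per case
    $return = array('json' => json_encode($retval));
    echo json_encode($return);
    exit;
}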
示例#5
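/**
* Email story to a friend
*
* Runs the access checks (login requirement, feature switch, mail speed
* limit), loads the story as far as the current user may see it, renders the
* HTML and text mail bodies from the email templates and hands them to
* COM_mail().  Every path ends the request with a refresh back to the story;
* only the "story not visible" case returns instead.
*
* @param    string  $sid        id of story to email
* @param    string  $to         name of person / friend to email
* @param    string  $toemail    friend's email address
* @param    string  $from       name of person sending the email
* @param    string  $fromemail  sender's email address
* @param    string  $shortmsg   short intro text to send with the story
* @param    int     $html       1 to filter $shortmsg in HTML post mode, 0 for text mode
* @return   string              Meta refresh (story not found); all other paths exit
*
* Modification History
*
* Date        Author        Description
* ----        ------        -----------
* 4/17/01    Tony Bibbs    Code now allows anonymous users to send email
*                and it allows user to input a message as well
*                Thanks to Yngve Wassvik Bergheim for some of
*                this code
*
*/
function mailstory($sid, $to, $toemail, $from, $fromemail, $shortmsg, $html = 0)
{
    global $_CONF, $_TABLES, $_USER, $LANG01, $LANG08;

    $dt = new Date('now', $_USER['tzid']);
    $storyurl = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $sid);
    // the message id is appended to the story URL; the separator depends on URL rewriting
    $msgSep = $_CONF['url_rewrite'] ? '?msg=' : '&amp;msg=';
    $retURL = $storyurl . $msgSep . '85';

    // check for correct $_CONF permission
    if (COM_isAnonUser() && ($_CONF['loginrequired'] == 1 || $_CONF['emailstoryloginrequired'] == 1)) {
        echo COM_refresh($retURL);
        exit;
    }
    // check if emailing of stories is disabled
    if ($_CONF['hideemailicon'] == 1) {
        echo COM_refresh($retURL);
        exit;
    }
    // check mail speedlimit
    COM_clearSpeedlimit($_CONF['speedlimit'], 'mail');
    if (COM_checkSpeedlimit('mail') > 0) {
        echo COM_refresh($retURL);
        exit;
    }

    $filter = sanitizer::getInstance();
    $filter->setPostmode($html ? 'html' : 'text');
    $allowedElements = $filter->makeAllowedElements($_CONF['htmlfilter_default']);
    $filter->setAllowedElements($allowedElements);
    $filter->setCensorData(true);
    $filter->setReplaceTags(true);
    $filter->setNamespace('glfusion', 'mail_story');

    // topic and permission clauses restrict the lookup to stories the sender may see
    $sql = "SELECT uid,title,introtext,bodytext,story_image,commentcode,UNIX_TIMESTAMP(date) AS day,postmode FROM {$_TABLES['stories']} WHERE sid = '" . DB_escapeString($sid) . "'" . COM_getTopicSql('AND') . COM_getPermSql('AND');
    $result = DB_query($sql);
    if (DB_numRows($result) == 0) {
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }
    $A = DB_fetchArray($result);

    // the short message is user supplied - run it through the spam filters before mailing it
    $spamResult = PLG_checkforSpam($shortmsg, $_CONF['spamx']);
    if ($spamResult > 0) {
        COM_updateSpeedlimit('mail');
        COM_displayMessageAndAbort($spamResult, 'spamx', 403, 'Forbidden');
    }

    USES_lib_html2text();
    $T = new Template($_CONF['path_layout'] . 'email/');
    $T->set_file(array('html_msg' => 'mailstory_html.thtml', 'text_msg' => 'mailstory_text.thtml'));

    // filter any HTML from the short message, then derive the text variant
    $shortmsg = $filter->filterHTML($shortmsg);
    $html2txt = new html2text($shortmsg, false);
    $shortmsg_text = $html2txt->get_text();
    $story_body = COM_truncateHTML($A['introtext'], 512);
    $html2txt = new html2text($story_body, false);
    $story_body_text = $html2txt->get_text();

    $dt->setTimestamp($A['day']);
    $story_date = $dt->format($_CONF['date'], true);
    $story_title = COM_undoSpecialChars($A['title']);
    $author = ($_CONF['contributedbyline'] == 1) ? COM_getDisplayName($A['uid']) : '';
    $story_image = ($A['story_image'] != '') ? $_CONF['site_url'] . $A['story_image'] : '';

    $T->set_var(array(
        'shortmsg_html' => $shortmsg,
        'shortmsg_text' => $shortmsg_text,
        'story_title' => $story_title,
        'story_date' => $story_date,
        'story_url' => $storyurl,
        'author' => $author,
        'story_image' => $story_image,
        'story_body_html' => $story_body,
        'story_body_text' => $story_body_text,
        'lang_by' => $LANG01[1],
        'site_name' => $_CONF['site_name'],
        'from_name' => $from,
        'disclaimer' => sprintf($LANG08[23], $from, $fromemail),
    ));
    $T->parse('message_body_html', 'html_msg');
    $message_body_html = $T->finish($T->get_var('message_body_html'));
    $T->parse('message_body_text', 'text_msg');
    $message_body_text = $T->finish($T->get_var('message_body_text'));

    // the mail is sent from the site address; the sender only appears as the display name
    $mailto = COM_formatEmailAddress($to, $toemail);
    $mailfrom = COM_formatEmailAddress($from, $fromemail);
    $rc = COM_mail($mailto, $story_title, $message_body_html, $mailfrom, true, 0, '', $message_body_text);
    COM_updateSpeedlimit('mail');

    // NOTE(review): the numemails counter is only bumped on the falsy branch, so a
    // falsy $rc is treated as the success case here - confirm against COM_mail()
    if ($rc) {
        $retval = COM_refresh($storyurl . $msgSep . '27');
    } else {
        // Increment numemails counter for story
        DB_query("UPDATE {$_TABLES['stories']} SET numemails = numemails + 1 WHERE sid = '" . DB_escapeString($sid) . "'");
        $retval = COM_refresh($storyurl . $msgSep . '26');
    }
    // $retval already is the refresh output; wrapping it in a second COM_refresh()
    // call (as before) would hand the markup itself to COM_refresh() as the target URL
    echo $retval;
    exit;
}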
示例#6
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             |
// | GNU General Public License for more details.                              |
// |                                                                           |
// | You should have received a copy of the GNU General Public License         |
// | along with this program; if not, write to the Free Software Foundation,   |
// | Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.           |
// |                                                                           |
// +---------------------------------------------------------------------------+
//
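include '../lib-common.php';
include 'library.php';
// Only members of the configured access group may use the file manager at all.
if (!SEC_inGroup($_FMCONF['access_mode'])) {
    echo COM_refresh($_CONF['site_url']);
    exit;
}
// Run the request parameters through the sanitizer before anything looks at
// them.  Absent parameters are passed as empty strings so a missing cid/fid/op
// does not raise an undefined-index notice into the response.
$filter = new sanitizer();
$filter->cleanData('int', array(
    'cid' => isset($_REQUEST['cid']) ? $_REQUEST['cid'] : '',
    'fid' => isset($_GET['fid']) ? $_GET['fid'] : '',
));
$filter->cleanData('char', array('op' => isset($_REQUEST['op']) ? $_REQUEST['op'] : ''));
$_CLEAN = $filter->getCleanData();
$cid = $_CLEAN['int']['cid'];
$fid = $_CLEAN['int']['fid'];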
if ($fid > 0 and empty($cid)) {
    $cid = DB_getItem($_TABLES['nxfile_files'], 'cid', "fid={$fid} AND status=1");
    $pid = DB_getItem($_TABLES['nxfile_categories'], 'pid', "cid={$cid}");
    if (empty($cid) or !fm_getPermission($cid, 'view') or $pid > 0 and !fm_getPermission($pid, 'view')) {
        $fid = 0;
        $cid = 0;
    }
} elseif ($cid > 0) {
    if (!fm_getPermission($cid, 'view')) {
        $cid = 0;
示例#7
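/**
* Cleans (filters) HTML - only allows HTML tags specified in the
* $_FF_CONF['allowed_html'] string.  This function is designed to be called
* by the stringparser class to filter everything except [code] blocks.
*
* @param        string      $message        The topic post to filter
* @return       string      filtered HTML code
*/
function _ff_cleanHTML($message)
{
    global $_CONF, $_FF_CONF;

    $filter = sanitizer::getInstance();
    // the allowed-element list comes straight from the forum configuration
    $allowedElements = $filter->makeAllowedElements($_FF_CONF['allowed_html']);
    $filter->setAllowedElements($allowedElements);
    $filter->setNamespace('forum', 'post');
    $filter->setPostmode('html');
    return $filter->filterHTML($message);
}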
示例#8
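/**
* Email story to a friend
*
* Runs the access checks (login requirement, feature switch, mail speed
* limit), loads the story as far as the current user may see it, assembles
* the mail body inline (HTML or plain text depending on $html) and hands it
* to COM_mail().  Every path ends the request with a refresh back to the
* story; only the "story not visible" case returns instead.
*
* @param    string  $sid        id of story to email
* @param    string  $to         name of person / friend to email
* @param    string  $toemail    friend's email address
* @param    string  $from       name of person sending the email
* @param    string  $fromemail  sender's email address
* @param    string  $shortmsg   short intro text to send with the story
* @param    int     $html       1 to build and send an HTML mail, 0 for plain text
* @return   string              Meta refresh (story not found); all other paths exit
*
* Modification History
*
* Date        Author        Description
* ----        ------        -----------
* 4/17/01    Tony Bibbs    Code now allows anonymous users to send email
*                and it allows user to input a message as well
*                Thanks to Yngve Wassvik Bergheim for some of
*                this code
*
*/
function mailstory($sid, $to, $toemail, $from, $fromemail, $shortmsg, $html = 0)
{
    global $_CONF, $_TABLES, $_USER, $LANG01, $LANG08;

    $dt = new Date('now', $_USER['tzid']);
    $storyurl = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $sid);
    // the message id is appended to the story URL; the separator depends on URL rewriting
    $msgSep = $_CONF['url_rewrite'] ? '?msg=' : '&amp;msg=';
    $retURL = $storyurl . $msgSep . '85';

    // check for correct $_CONF permission
    if (COM_isAnonUser() && ($_CONF['loginrequired'] == 1 || $_CONF['emailstoryloginrequired'] == 1)) {
        echo COM_refresh($retURL);
        exit;
    }
    // check if emailing of stories is disabled
    if ($_CONF['hideemailicon'] == 1) {
        echo COM_refresh($retURL);
        exit;
    }
    // check mail speedlimit
    COM_clearSpeedlimit($_CONF['speedlimit'], 'mail');
    if (COM_checkSpeedlimit('mail') > 0) {
        echo COM_refresh($retURL);
        exit;
    }

    $filter = sanitizer::getInstance();
    $filter->setPostmode($html ? 'html' : 'text');
    $allowedElements = $filter->makeAllowedElements($_CONF['htmlfilter_default']);
    $filter->setAllowedElements($allowedElements);
    $filter->setCensorData(true);
    $filter->setReplaceTags(true);
    $filter->setNamespace('glfusion', 'mail_story');

    // topic and permission clauses restrict the lookup to stories the sender may see
    $sql = "SELECT uid,title,introtext,bodytext,commentcode,UNIX_TIMESTAMP(date) AS day,postmode FROM {$_TABLES['stories']} WHERE sid = '" . DB_escapeString($sid) . "'" . COM_getTopicSql('AND') . COM_getPermSql('AND');
    $result = DB_query($sql);
    if (DB_numRows($result) == 0) {
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }
    $A = DB_fetchArray($result);

    $mailtext = sprintf($LANG08[23], $from, $fromemail) . LB;
    if (strlen($shortmsg) > 0) {
        // NOTE(review): only HTML mode runs the user text through the filter; in
        // text mode it goes into the plain-text mail verbatim - confirm that is intended
        if ($html) {
            $shortmsg = $filter->filterHTML($shortmsg);
        }
        $mailtext .= LB . sprintf($LANG08[28], $from) . $shortmsg . LB;
    }
    // just to make sure this isn't an attempt at spamming users ...
    $spamResult = PLG_checkforSpam($mailtext, $_CONF['spamx']);
    if ($spamResult > 0) {
        COM_updateSpeedlimit('mail');
        COM_displayMessageAndAbort($spamResult, 'spamx', 403, 'Forbidden');
    }

    $dt->setTimestamp($A['day']);
    $separator = '------------------------------------------------------------';
    $storyTitle = COM_undoSpecialChars($A['title']);
    $storyDate = $dt->format($_CONF['date'], true);
    if ($html) {
        $mailtext .= '<p>' . $separator . '</p>' . '<p>' . $storyTitle . '</p>' . '<p>' . $storyDate . '</p>';
    } else {
        $mailtext .= $separator . LB . LB . $storyTitle . LB . $storyDate . LB;
    }
    if ($_CONF['contributedbyline'] == 1) {
        $author = COM_getDisplayName($A['uid']);
        $mailtext .= $LANG01[1] . ' ' . $author . LB;
    }
    $introText = $filter->displayText($A['introtext']);
    $bodyText = $filter->displayText($A['bodytext']);
    if ($html) {
        $mailtext .= '<p>' . $introText . '<br />' . $bodyText . '</p>' . '<p>' . $separator . '</p>';
    } else {
        $mailtext .= $introText . LB . $bodyText . LB . LB . $separator . LB;
    }
    if ($A['commentcode'] == 0) {
        // comments allowed
        $mailtext .= $LANG08[24] . LB . COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $sid . '#comments');
    } else {
        // comments not allowed - just add the story's URL
        $mailtext .= $LANG08[33] . LB . $storyurl;
    }

    $mailto = COM_formatEmailAddress($to, $toemail);
    $mailfrom = COM_formatEmailAddress($from, $fromemail);
    $subject = COM_undoSpecialChars(strip_tags('Re: ' . $A['title']));
    $rc = COM_mail($mailto, $subject, $mailtext, $mailfrom, $html);
    COM_updateSpeedlimit('mail');

    // NOTE(review): the numemails counter is only bumped on the falsy branch, so a
    // falsy $rc is treated as the success case here - confirm against COM_mail()
    if ($rc) {
        $retval = COM_refresh($storyurl . $msgSep . '27');
    } else {
        // Increment numemails counter for story
        DB_query("UPDATE {$_TABLES['stories']} SET numemails = numemails + 1 WHERE sid = '" . DB_escapeString($sid) . "'");
        $retval = COM_refresh($storyurl . $msgSep . '26');
    }
    // $retval already is the refresh output; wrapping it in a second COM_refresh()
    // call (as before) would hand the markup itself to COM_refresh() as the target URL
    echo $retval;
    exit;
}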
示例#9
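 /**
  * This is the importantest bit. This function must load the title, intro
  * and body of the article from the post array, providing all appropriate
  * conversions of HTML mode content into the nice safe form that glFusion
  * can then (simply) spit back out into the page on render. After doing a
  * magic tags replacement.
  *
  * This DOES NOT DB_escapeString! We do that on DB store, because we want to
  * keep our internal variables in "display mode", not in db mode or anything.
  *
  * The title is stripped of all markup and entity-encoded with ENT_QUOTES in
  * the site's charset (the same call the forum preview uses), so both quote
  * styles are encoded and the stored title is safe inside attributes too.
  * Intro and body keep the elements allowed by $_CONF['htmlfilter_story'].
  *
  * @param $title    string  posttitle, only had stripslashes if necessary
  * @param $intro    string  introtext, only had stripslashes if necessary
  * @param $body     string   bodytext, only had stripslashes if necessary
  * @return nothing
  * @access private
  */
 function _htmlLoadStory($title, $intro, $body)
 {
     global $_CONF;

     // without ENT_QUOTES a single quote in the title would survive encoding
     $this->_title = htmlspecialchars(strip_tags(COM_checkWords($title)), ENT_QUOTES, COM_getEncodingt());

     $filter = sanitizer::getInstance();
     $filter->setPostmode($this->_postmode);
     $allowedElements = $filter->makeAllowedElements($_CONF['htmlfilter_story']);
     $filter->setAllowedElements($allowedElements);
     $filter->setCensorData(true);
     $filter->setNamespace('glfusion', 'story');
     $this->_introtext = $filter->filterHTML($intro);
     $this->_bodytext = $filter->filterHTML($body);
 }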
示例#10
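/**
* Build the HTML preview of a forum post from the submitted form data.
*
* Fills in the defaults FF_showtopic() expects (uid, status bits, date,
* locked/sticky, pid, views, attachment count) and runs the post body
* through the forum HTML filter before rendering the preview template.
*
* @param    array   $postData   submitted post fields (comment, postmode, disable_* flags, ...)
* @param    string  $mode       'edittopic' when an existing topic is edited, anything else for a new post
* @return   string              rendered preview HTML
*/
function FF_previewPost($postData, $mode)
{
    global $_CONF, $_TABLES, $_FF_CONF, $_USER;

    // NOTE(review): the display name is read from $_POST rather than from $postData
    // like every other field; kept that way, only the undefined-index case is guarded
    $rawName = isset($_POST['name']) ? urldecode($_POST['name']) : '';
    $postData['name'] = htmlspecialchars(strip_tags(COM_checkWords(trim(USER_sanitizeName($rawName)))), ENT_QUOTES, COM_getEncodingt());

    if (!isset($postData['uid'])) {
        $postData['uid'] = COM_isAnonUser() ? 1 : $_USER['uid'];
    }

    // map the three "disable_*" checkboxes onto the status bit mask
    $statusBits = array(
        'disable_bbcode' => DISABLE_BBCODE,
        'disable_smilies' => DISABLE_SMILIES,
        'disable_urlparse' => DISABLE_URLPARSE,
    );
    $status = 0;
    foreach ($statusBits as $field => $bit) {
        if (isset($postData[$field]) && $postData[$field] == 1) {
            $status += $bit;
        }
    }
    $postData['status'] = $status;
    $postData['date'] = time();

    // only a moderator edit may set locked / sticky; otherwise both are forced off
    if (isset($postData['modedit']) && $postData['modedit'] == 1) {
        if (isset($postData['locked_switch']) && $postData['locked_switch'] == 1) {
            $postData['locked'] = 1;
        }
        if (isset($postData['sticky_switch']) && $postData['sticky_switch'] == 1) {
            $postData['sticky'] = 1;
        }
    } else {
        $postData['locked'] = 0;
        $postData['sticky'] = 0;
    }
    if (!isset($postData['pid'])) {
        $postData['pid'] = 0;
    }
    if (!isset($postData['views'])) {
        $postData['views'] = 0;
    }

    /* Check for any uploaded files */
    $UploadErrors = '';
    if ($mode == 'edittopic') {
        if (isset($postData['id']) && $postData['id'] > 0) {
            $UploadErrors = _ff_check4files($postData['id']);
            $postData['numAttachments'] = DB_count($_TABLES['ff_attachments'], 'topic_id', (int) $postData['id']);
        }
    } elseif (isset($postData['uniqueid']) && $postData['uniqueid'] > 0) {
        // new post: attachments are still temp files keyed by the form's unique id
        $UploadErrors = _ff_check4files($postData['uniqueid'], true);
        $postData['numAttachments'] = DB_count($_TABLES['ff_attachments'], array('topic_id', 'tempfile'), array((int) $postData['uniqueid'], 1));
    }

    $previewTemplate = new Template($_CONF['path'] . 'plugins/forum/templates/');
    $previewTemplate->set_file('preview', 'topic_preview.thtml');
    if ($UploadErrors) {
        $previewTemplate->set_var('error_msg', $UploadErrors);
    }

    // the post body is user supplied: filter it with the forum's allowed-element list
    $filter = sanitizer::getInstance();
    $AllowedElements = $filter->makeAllowedElements($_FF_CONF['allowed_html']);
    $filter->setAllowedElements($AllowedElements);
    $filter->setNamespace('forum', 'post');
    $filter->setPostmode($postData['postmode']);
    $comment = isset($postData['comment']) ? $postData['comment'] : '';
    $postData['comment'] = $filter->filterHTML($comment);

    FF_showtopic($postData, 'preview', 1, 0, $previewTemplate);
    $previewTemplate->parse('output', 'preview');
    return $previewTemplate->finish($previewTemplate->get_var('output'));
}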
示例#11
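/**
 * Filters comment text and appends the author's signature
 *
 * The comment is run through the comment HTML filter and the censor; when
 * the author (or, for a moderator edit, the original author of comment $cid)
 * has a signature stored, it is appended inside a comment-sig div.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd <wenerd87 AT gmail DOT com>
 * @param string  $comment   comment text
 * @param string  $postmode ('html', 'plaintext',..)
 * @param bool    $edit     true when an existing comment is being edited
 * @param int     $cid      commentid if editing comment (for proper sig)
 * @return string of comment text
*/
function CMT_prepareText($comment, $postmode, $edit = false, $cid = null)
{
    global $_USER, $_TABLES, $LANG03, $_CONF;

    $filter = sanitizer::getInstance();
    $filter->setPostmode($postmode);
    $filter->setCensorData(true);
    $filter->setNamespace('glfusion', 'comment');
    $AllowedElements = $filter->makeAllowedElements($_CONF['htmlfilter_comment']);
    $filter->setAllowedElements($AllowedElements);
    $comment = $filter->filterData($comment);
    // filterData() does not censor on its own, so run the censor pass explicitly
    $comment = $filter->censor($comment);

    // whose signature to append: for a moderator edit, the comment's original author
    if (COM_isAnonUser()) {
        $uid = 1;
    } elseif ($edit && is_numeric($cid)) {
        $uid = DB_getItem($_TABLES['comments'], 'uid', "cid = " . (int) $cid);
    } else {
        $uid = $_USER['uid'];
    }

    if ($uid > 1) {
        $sig = DB_getItem($_TABLES['users'], 'sig', "uid = " . (int) $uid);
        if (!empty($sig)) {
            // the html and text branches used to build the identical string; one path now.
            // NOTE(review): the stored signature is appended without passing through the
            // comment filter - it is assumed to have been filtered when it was saved
            $comment .= '<!-- COMMENTSIG --><div class="comment-sig">'
                . nl2br(LB . '---' . LB . $sig)
                . '</div><!-- /COMMENTSIG -->';
        }
    }
    return $comment;
}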
示例#12
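/**
* Prepend the scheme and host from $_CONF['site_url'] to a server-relative path.
*
* When the site lives in the document root the whole site URL is used;
* when it lives in a sub directory only the 'scheme://host' part is kept.
* A site_url without any slash is used as-is (legacy special case).
*
* @param    string  $path   server-relative path, e.g. '/blah.php?foo=bar'
* @return   string          absolute URL
*/
function _COM_prefixSiteUrl($path)
{
    global $_CONF;

    $firstSlash = strpos($_CONF['site_url'], '/');
    if ($firstSlash === false) {
        // special case - assume it's okay
        return $_CONF['site_url'] . $path;
    }
    if ($firstSlash + 1 == strrpos($_CONF['site_url'], '/')) {
        // site is in the document root
        return $_CONF['site_url'] . $path;
    }
    // extract server name first: cut at the slash that ends the host part
    $hostEnd = strpos($_CONF['site_url'], '/', $firstSlash + 2);
    return substr($_CONF['site_url'], 0, $hostEnd) . $path;
}

/**
* Try to figure out our current URL, including all parameters.
*
* This is an ugly hack since there's no single variable that returns what
* we want and the variables used here may not be available on all servers
* and / or setups.
*
* Seems to work on Apache (1.3.x and 2.x), IIS, and Zeus ...
*
* Lookup order: SCRIPT_URI, then DOCUMENT_URI, then REQUEST_URI, then
* PATH_INFO / SCRIPT_NAME; everything but SCRIPT_URI is combined with the
* configured site URL by _COM_prefixSiteUrl().  The result always passes
* through the sanitizer's sanitizeURL().
*
* @return   string  complete URL, e.g. 'http://www.example.com/blah.php?foo=bar'
*
*/
function COM_getCurrentURL()
{
    $thisUrl = '';
    if (!empty($_SERVER['SCRIPT_URI'])) {
        // NOTE(review): SCRIPT_URI is taken verbatim; depending on the web server
        // configuration it may carry the request-supplied host name - verify before
        // relying on the host part of the result
        $thisUrl = $_SERVER['SCRIPT_URI'];
    } elseif (!empty($_SERVER['DOCUMENT_URI'])) {
        $thisUrl = _COM_prefixSiteUrl($_SERVER['DOCUMENT_URI']);
    }
    if (!empty($thisUrl) && !empty($_SERVER['QUERY_STRING']) && strpos($thisUrl, '?') === false) {
        $thisUrl .= '?' . $_SERVER['QUERY_STRING'];
    }

    if (empty($thisUrl)) {
        if (!empty($_SERVER['REQUEST_URI'])) {
            $requestUri = $_SERVER['REQUEST_URI'];
        } else {
            // on a Zeus webserver, prefer PATH_INFO over SCRIPT_NAME
            $requestUri = empty($_SERVER['PATH_INFO']) ? $_SERVER['SCRIPT_NAME'] : $_SERVER['PATH_INFO'];
            if (!empty($_SERVER['QUERY_STRING'])) {
                $requestUri .= '?' . $_SERVER['QUERY_STRING'];
            }
        }
        $thisUrl = _COM_prefixSiteUrl($requestUri);
    }

    $filter = sanitizer::getInstance();
    return $filter->sanitizeURL($thisUrl);
}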
示例#13
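/**
* Render the "edit forum" admin form.
*
* On the first call (empty $statusText) the forum's current settings are
* read from the ff_forums table; when the form is re-displayed after a save
* attempt the values are taken from $_POST instead so the admin keeps the
* edits.  Builds the group, category and ordering select lists and parses
* the boards_edtforum template.
*
* @param    int     $id          forum id being edited
* @param    string  $statusText  message from a previous save attempt; non-empty means "re-display posted data"
* @return   string               HTML of the admin page body
*/
function board_edit_forum($id, $statusText = '')
{
    global $_CONF, $_FF_CONF, $_TABLES, $LANG_GF00, $LANG_GF01, $LANG_GF06, $LANG_GF93, $LANG_ADMIN;

    $filter = sanitizer::getInstance();
    $T = new Template($_CONF['path'] . 'plugins/forum/templates/admin/');
    $T->set_file('boards_edtforum', 'boards_edtforum.thtml');
    $T->set_var('block_start', COM_startBlock($LANG_GF93['gfboard'], '', COM_getBlockTemplate('_admin_block', 'header')));
    $T->set_var('admin_menu', ADMIN_createMenu(FF_adminNav(), $LANG_GF00['instructions'], $_CONF['site_url'] . '/forum/images/forum.png'));

    if (empty($statusText)) {
        // first time in - pull data from database...
        $sql = "SELECT forum_name,forum_cat,forum_dscp,grp_id,use_attachment_grpid,forum_order,is_hidden,is_readonly,no_newposts "
            . "FROM {$_TABLES['ff_forums']} WHERE forum_id=" . (int) $id;
        $resForum = DB_query($sql);
        list($forum_name, $forum_category, $forum_dscp, $privgroup, $attachgroup, $forum_order, $is_hidden, $is_readonly, $no_newposts) = DB_fetchArray($resForum);
    } else {
        // grab the posted data; the free-text fields go through editableText() before re-display
        $forum_name = $filter->editableText($_POST['name']);
        $forum_category = COM_applyFilter($_POST['category'], true);
        $forum_dscp = $filter->editableText($_POST['dscp']);
        $privgroup = COM_applyFilter($_POST['privgroup'], true);
        $attachgroup = COM_applyFilter($_POST['attachmentgroup'], true);
        $forum_order = 0;
        $is_hidden = isset($_POST['is_hidden']) ? 1 : 0;
        $is_readonly = isset($_POST['is_readonly']) ? 1 : 0;
        $no_newposts = isset($_POST['no_newposts']) ? 1 : 0;
    }
    $title = sprintf($LANG_GF93['editforumnote'], $forum_name);

    // build select lists
    // NOTE(review): group, category and forum names from the database are written into
    // the option markup as-is; they are assumed to be stored in display form
    $resGroups = DB_query("SELECT DISTINCT grp_id,grp_name FROM {$_TABLES['groups']} ORDER BY grp_name ASC ");
    $grouplist = '';
    $attachgrouplist = '';
    while (list($grp, $name) = DB_fetchArray($resGroups)) {
        // both lists show the same groups, differing only in which entry is selected
        $label = ucfirst($name);
        $privSelected = ($grp == $privgroup) ? ' selected="selected"' : '';
        $attachSelected = ($grp == $attachgroup) ? ' selected="selected"' : '';
        $grouplist .= '<option value="' . (int) $grp . '"' . $privSelected . '>' . $label . '</option>';
        $attachgrouplist .= '<option value="' . (int) $grp . '"' . $attachSelected . '>' . $label . '</option>';
    }

    $catSelect = '<select name="category">';
    $catResult = DB_query("SELECT * FROM {$_TABLES['ff_categories']} ORDER BY cat_order ASC");
    while ($C = DB_fetchArray($catResult)) {
        $catSelected = ($C['id'] == $forum_category) ? ' selected="selected"' : '';
        $catSelect .= '<option value="' . (int) $C['id'] . '"' . $catSelected . '>' . $C['cat_name'] . '</option>';
    }
    $catSelect .= '</select>';

    // ordering list: one "after this forum" slot per forum in the category, in steps of 10;
    // the slot matching the edited forum's own order is left out
    $order_select = '<option value="0">' . 'First Position' . '</option>' . LB;
    $result = DB_query("SELECT forum_id,forum_name,forum_order FROM {$_TABLES['ff_forums']} WHERE forum_cat=" . (int) $forum_category . " ORDER BY forum_order ASC");
    $order = 10;
    while ($row = DB_fetchArray($result)) {
        if ($forum_order != $order) {
            $orderSelected = ($forum_order == $order + 10) ? ' selected="selected"' : '';
            $order_select .= '<option value="' . (int) $row['forum_id'] . '"' . $orderSelected . '>' . $row['forum_name'] . '</option>' . LB;
        }
        $order += 10;
    }

    $T->set_var(array(
        'order_list' => $order_select,
        'phpself' => $_CONF['site_admin_url'] . '/plugins/forum/boards.php',
        's_form_action' => $_CONF['site_admin_url'] . '/plugins/forum/boards.php',
        'title' => $title,
        'cat_select' => $catSelect,
        'lang_category' => $LANG_GF01['category'],
        'id' => $id,
        'mode' => 'saveeditforum',
        'category_id' => $forum_category,
        'forum_name' => $forum_name,
        'forum_dscp' => $forum_dscp,
        'forum_order' => $forum_order,
        'chk_hidden' => $is_hidden ? 'checked="checked"' : '',
        'chk_readonly' => $is_readonly ? 'checked="checked"' : '',
        'chk_newposts' => $no_newposts ? 'checked="checked"' : '',
        'LANG_DESCRIPTION' => $LANG_GF01['DESCRIPTION'],
        'LANG_NAME' => $LANG_GF01['NAME'],
        'LANG_GROUPACCESS' => $LANG_GF93['groupaccess'],
        'LANG_ATTACHACCESS' => $LANG_GF93['attachaccess'],
        'LANG_readonly' => $LANG_GF93['readonly'],
        'LANG_readonlydscp' => $LANG_GF93['readonlydscp'],
        'LANG_hidden' => $LANG_GF93['hidden'],
        'LANG_hiddendscp' => $LANG_GF93['hiddendscp'],
        'LANG_hideposts' => $LANG_GF93['hideposts'],
        'LANG_hidepostsdscp' => $LANG_GF93['hidepostsdscp'],
        'grouplist' => $grouplist,
        'attachmentgrouplist' => $attachgrouplist,
        'LANG_SAVE' => $LANG_GF01['SAVE'],
        'LANG_CANCEL' => $LANG_GF01['CANCEL'],
        'block_end' => COM_endBlock(COM_getBlockTemplate('_admin_block', 'footer')),
        'status_text' => $statusText,
    ));
    $T->parse('output', 'boards_edtforum');
    return $T->finish($T->get_var('output'));
}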
示例#14
/**
* Saves a block
*
* @param    string  $bid            Block ID
* @param    string  $name           Block name
* @param    string  $title          Block title
* @param    string  $type           Type of block
* @param    int     $blockorder     Order block appears relative to the others
* @param    string  $content        Content of block
* @param    string  $tid            Topic block should appear in
* @param    string  $rdfurl         URL to headline feed for portal blocks
* @param    string  $rdfupdated     Date RSS/RDF feed was last updated
* @param    string  $rdflimit       max. number of entries to import from feed
* @param    string  $phpblockfn     Name of php function to call to get content
* @param    int     $onleft         Flag indicates if block shows up on left or right
* @param    int     $owner_id       ID of owner
* @param    int     $group_id       ID of group block belongs to
* @param    array   $perm_owner     Permissions the owner has on the object
* @param    array   $perm_group     Permissions the group has on the object
* @param    array   $perm_members   Permissions the logged in members have
* @param    array   $perm_anon      Permissions anonymous users have
* @param    int     $is_enabled     Flag, indicates if block is enabled or not
* @param    int     $allow_autotags Flag, indicates if autotags are enabled or not
* @return   string                  HTML redirect or error message
*
*/
function BLOCK_save($bid, $name, $title, $help, $type, $blockorder, $content, $tid, $rdfurl, $rdfupdated, $rdflimit, $phpblockfn, $onleft, $owner_id, $group_id, $perm_owner, $perm_group, $perm_members, $perm_anon, $is_enabled, $allow_autotags)
{
    global $_CONF, $_TABLES, $LANG01, $LANG21, $MESSAGE;
    $retval = '';
    $B['bid'] = (int) $bid;
    $B['name'] = $name;
    $B['title'] = $title;
    $B['type'] = $type;
    $B['blockorder'] = $blockorder;
    $B['content'] = $content;
    $B['tid'] = $tid;
    $B['rdfurl'] = $rdfurl;
    $B['rdfupdated'] = $rdfupdated;
    $B['rdflimit'] = $rdflimit;
    $B['phpblockfn'] = $phpblockfn;
    $B['onleft'] = $onleft;
    $B['owner_id'] = $owner_id;
    $B['group_id'] = $group_id;
    $B['perm_owner'] = $perm_owner;
    $B['perm_group'] = $perm_group;
    $B['perm_members'] = $perm_members;
    $B['perm_anon'] = $perm_anon;
    $B['is_enabled'] = $is_enabled;
    $B['allow_autotags'] = $allow_autotags;
    $bid = (int) $bid;
    $MenuElementAllowedHTML = "i[class|style],div[class|style],span[class|style],img[src|class|style],em,strong,del,ins,q,abbr,dfn,small";
    $filter = sanitizer::getInstance();
    $allowedElements = $filter->makeAllowedElements($MenuElementAllowedHTML);
    $filter->setAllowedElements($allowedElements);
    $filter->setPostmode('html');
    $title = $filter->filterHTML($title);
    $title = DB_escapeString($title);
    $phpblockfn = DB_escapeString(trim($phpblockfn));
    if (empty($title) || !BLOCK_validateName($name)) {
        if (empty($title)) {
            $msg = $LANG21[64];
        } else {
            $msg = $LANG21[70];
        }
        SEC_setCookie($_CONF['cookie_name'] . 'adveditor', SEC_createTokenGeneral('advancededitor'), time() + 1200, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], false);
        $retval .= COM_siteHeader('menu', $LANG21[63]) . COM_showMessageText($msg, $LANG21[63], true) . BLOCK_edit($bid, $B) . COM_siteFooter();
        return $retval;
    }
    // Convert array values to numeric permission values
    list($perm_owner, $perm_group, $perm_members, $perm_anon) = SEC_getPermissionValues($perm_owner, $perm_group, $perm_members, $perm_anon);
    $access = 0;
    if ($bid > 0 && DB_count($_TABLES['blocks'], 'bid', $bid) > 0) {
        $result = DB_query("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['blocks']} WHERE bid = '{$bid}'");
        $A = DB_fetchArray($result);
        $access = SEC_hasAccess($A['owner_id'], $A['group_id'], $A['perm_owner'], $A['perm_group'], $A['perm_members'], $A['perm_anon']);
    } else {
        $access = SEC_hasAccess($owner_id, $group_id, $perm_owner, $perm_group, $perm_members, $perm_anon);
    }
    if ($access < 3 || !BLOCK_hasTopicAccess($tid) || !SEC_inGroup($group_id)) {
        $retval .= COM_siteHeader('menu', $MESSAGE[30]);
        $retval .= COM_showMessageText($MESSAGE[33], $MESSAGE[30], true);
        $retval .= COM_siteFooter();
        COM_accessLog("User {$_USER['username']} tried to illegally create or edit block {$bid}.");
        return $retval;
    } elseif ($type == 'normal' && !empty($title) && !empty($content) or $type == 'portal' && !empty($title) && !empty($rdfurl) or $type == 'gldefault' && strlen($blockorder) > 0 or $type == 'phpblock' && !empty($phpblockfn) && !empty($title)) {
        if ($is_enabled == 'on') {
            $is_enabled = 1;
        } else {
            $is_enabled = 0;
        }
        if ($allow_autotags == 1) {
            $allow_autotags = 1;
        } else {
            $allow_autotags = 0;
        }
        if ($type == 'portal') {
            $content = '';
            $rdfupdated = '';
            $phpblockfn = '';
            // get rid of possible extra prefixes (e.g. "feed://http://...")
            if (substr($rdfurl, 0, 4) == 'rss:') {
                $rdfurl = substr($rdfurl, 4);
            } else {
                if (substr($rdfurl, 0, 5) == 'feed:') {
                    $rdfurl = substr($rdfurl, 5);
                }
            }
            if (substr($rdfurl, 0, 2) == '//') {
                $rdfurl = substr($rdfurl, 2);
            }
            $rdfurl = COM_sanitizeUrl($rdfurl, array('http', 'https'));
        }
        if ($type == 'gldefault') {
            if ($name != 'older_stories') {
                $content = '';
            }
            $rdfurl = '';
            $rdfupdated = '';
            $rdflimit = 0;
            $phpblockfn = '';
        }
        if ($type == 'phpblock') {
            // NOTE: PHP Blocks must be within a function and the function
            // must start with phpblock_ as the prefix.  This will prevent
            // the arbitrary execution of code
            if (!stristr($phpblockfn, 'phpblock_')) {
                $retval .= COM_siteHeader('menu', $LANG21[37]) . COM_showMessageText($LANG21[38], $LANG21[37], true) . BLOCK_edit($bid, $B) . COM_siteFooter();
                return $retval;
            }
            $content = '';
            $rdfurl = '';
            $rdfupdated = '';
            $rdflimit = 0;
        }
        if ($type == 'normal') {
            $rdfurl = '';
            $rdfupdated = '';
            $rdflimit = 0;
            $phpblockfn = '';
            $content = DB_escapeString($content);
        }
        if ($rdflimit < 0) {
            $rdflimit = 0;
        }
        if (!empty($rdfurl)) {
            $rdfurl = DB_escapeString($rdfurl);
        }
        if (empty($rdfupdated)) {
            $rdfupdated = '1000-01-01 00:00:00';
        }
        $name = DB_escapeString($name);
        if ($bid > 0) {
            DB_save($_TABLES['blocks'], 'bid,name,title,help,type,blockorder,content,tid,rdfurl,rdfupdated,rdflimit,phpblockfn,onleft,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon,is_enabled,allow_autotags,rdf_last_modified,rdf_etag', "{$bid},'{$name}','{$title}','{$help}','{$type}','{$blockorder}','{$content}','{$tid}','{$rdfurl}','{$rdfupdated}','{$rdflimit}','{$phpblockfn}',{$onleft},{$owner_id},{$group_id},{$perm_owner},{$perm_group},{$perm_members},{$perm_anon},{$is_enabled},{$allow_autotags},NULL,NULL");
        } else {
            $sql = "INSERT INTO {$_TABLES['blocks']} " . '(name,title,help,type,blockorder,content,tid,rdfurl,rdfupdated,rdflimit,phpblockfn,onleft,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon,is_enabled,allow_autotags) ' . "VALUES ('{$name}','{$title}','{$help}','{$type}','{$blockorder}','{$content}','{$tid}','{$rdfurl}','{$rdfupdated}','{$rdflimit}','{$phpblockfn}',{$onleft},{$owner_id},{$group_id},{$perm_owner},{$perm_group},{$perm_members},{$perm_anon},{$is_enabled},{$allow_autotags})";
            DB_query($sql);
            $bid = DB_insertId();
        }
        if ($type == 'gldefault' && $name == 'older_stories') {
            COM_olderStuff();
        }
        CTL_clearCache();
        COM_setMessage(11);
        return COM_refresh($_CONF['site_admin_url'] . '/block.php');
    } else {
        SEC_setCookie($_CONF['cookie_name'] . 'adveditor', SEC_createTokenGeneral('advancededitor'), time() + 1200, $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure'], false);
        $retval .= COM_siteHeader('menu', $LANG21[32]);
        if ($type == 'portal') {
            // Portal block is missing fields
            $msg = $LANG21[33];
        } else {
            if ($type == 'phpblock') {
                // PHP Block is missing field
                $msg = $LANG21[34];
            } else {
                if ($type == 'normal') {
                    // Normal block is missing field
                    $msg = $LANG21[35];
                } else {
                    if ($type == 'gldefault') {
                        // Default glFusion field missing
                        $msg = $LANG21[42];
                    } else {
                        // Layout block missing content
                        $msg = $LANG21[36];
                    }
                }
            }
        }
        $retval .= COM_showMessageText($msg, $LANG21[32], true);
        $retval .= BLOCK_edit($bid, $B);
        $retval .= COM_siteFooter();
    }
    return $retval;
}
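/**
* Handles the attachment uploaded with a forum post.
*
* Reads $_FILES['file_forum'] and stores it either in the forum upload
* directory under a random name, or - when the "use file manager" box is
* checked and a category was chosen - in the nexfile/filemgmt repository
* under its original name.  Inline image types get a thumbnail.  The
* attachment is recorded in gf_attachments (plus the repository tables where
* used).  Once the real topic exists, attachments parked under the preview's
* unique id are re-linked to it.
*
* @param    int     $id         Topic id (or the preview's unique id while previewing)
* @param    bool    $tempfile   true while the post is only being previewed
* @return   string              Always '' (kept for callers that concatenate it)
*/
function gf_check4files($id, $tempfile = false)
{
    global $_FILES, $_CONF, $_TABLES, $_USER, $CONF_FORUM, $LANG_GF00;
    global $_FM_TABLES, $CONF_FORUM, $filemgmt_FileStore, $_FMCONF;
    $filelinks = '';
    // Every id below is interpolated into SQL, some of them unquoted: force integers
    $id = (int) $id;
    $uid = (int) $_USER['uid'];
    $temp = $tempfile ? 1 : 0;
    $uploadfile = isset($_FILES['file_forum']) ? $_FILES['file_forum'] : array('name' => '');
    $cid = isset($_POST['filemgmtcat']) ? COM_applyFilter($_POST['filemgmtcat'], true) : 0;
    $useFileMgmt = isset($_POST['chk_usefilemgmt']) && $_POST['chk_usefilemgmt'] == 1;
    $use_filestore = false;
    if ($uploadfile['name'] != '') {
        // The client-supplied name is used both as a path component and in
        // SQL; drop any directory part so it cannot leave the storage directory.
        $clientName = basename($uploadfile['name']);
        $ext = strtolower(substr($clientName, strrpos($clientName, '.') + 1));
        if ($useFileMgmt and $cid > 0) {
            // Repository storage keeps the original name
            $filename = $clientName;
            $use_filestore = true;
        } else {
            // Forum storage uses a random name with the original extension
            $uploadfilename = ppRandomFilename();
            $filename = "{$uploadfilename}.{$ext}";
        }
        if ($use_filestore && $CONF_FORUM['filestorage_plugin'] == 'filemgmt') {
            $filestore_path = $filemgmt_FileStore;
        } elseif ($use_filestore && $CONF_FORUM['filestorage_plugin'] == 'nexfile') {
            $filestore_path = $_FMCONF['storage_path'] . "{$cid}/";
        } else {
            $filestore_path = $CONF_FORUM['uploadpath'];
        }
        if (gf_uploadfile($filename, $uploadfile, $CONF_FORUM['allowablefiletypes'], $filestore_path)) {
            require_once $_CONF['path'] . 'plugins/forum/simpleimage.class.php';
            // 'inlineimageypes' is spelled as in the forum configuration; do not
            // rename it here without renaming the config key.
            if (array_key_exists($uploadfile['type'], $CONF_FORUM['inlineimageypes'])) {
                // Source path must follow where the file was actually stored;
                // the previous test on chk_usefilemgmt alone pointed at the
                // repository even when $cid was 0 and the file went to uploadpath.
                // NOTE(review): for nexfile storage the source still uses
                // $filemgmt_FileStore rather than $filestore_path - verify.
                if ($use_filestore) {
                    $srcImage = "{$filemgmt_FileStore}{$filename}";
                } else {
                    $srcImage = "{$CONF_FORUM['uploadpath']}/{$filename}";
                }
                $destImage = "{$CONF_FORUM['uploadpath']}/tn/{$filename}";
                $image = new SimpleImage();
                $image->load($srcImage);
                $image->resize($CONF_FORUM['inlineimage_height'], $CONF_FORUM['inlineimage_width']);
                $image->save($destImage);
            }
            // Store both the created filename and the real file source filename
            $realfilename = $filename;
            $filename = "{$filename}:{$clientName}";
            $fileExtension = substr($filename, strrpos($filename, '.') + 1);
            $filter = new sanitizer();
            $mimetype = $filter->getCleanData('text', $uploadfile['type']);
            // Everything derived from the client request is escaped before it
            // reaches the INSERTs; the original name is part of $filename.
            $dbFilename = DB_escapeString($filename);
            $dbRealname = DB_escapeString($realfilename);
            $dbExtension = DB_escapeString($fileExtension);
            $dbMimetype = DB_escapeString($mimetype);
            $size = (int) $uploadfile['size'];
            if ($use_filestore) {
                // Check and see if nexfile or the filemgmt plugin is being used
                if ($CONF_FORUM['filestorage_plugin'] == 'nexfile') {
                    $sql = "INSERT INTO {$_TABLES['nxfile_files']} " . "(cid,fname,title,version,ftype,size,mimetype,extension,submitter,status,date) " . "VALUES ('{$cid}','{$dbRealname}','{$dbRealname}','1','file','{$size}'," . "'{$dbMimetype}','{$dbExtension}','{$uid}','1',UNIX_TIMESTAMP())";
                    DB_query($sql);
                    $fid = (int) DB_insertId();
                    DB_query("INSERT INTO {$_TABLES['nxfile_filedetail']} (fid,description,hits,rating,votes,comments) VALUES ('{$fid}','','0','0','0','0')");
                    DB_query("INSERT INTO {$_TABLES['nxfile_fileversions']} (fid,fname,ftype,version,size,notes,date,uid,status) VALUES ('{$fid}','{$dbRealname}','file','1','{$size}','',UNIX_TIMESTAMP(),'{$uid}','1')");
                    DB_query("INSERT INTO {$_TABLES['gf_attachments']} (topic_id,repository_id,filename,tempfile) VALUES ('{$id}',{$fid},'{$dbFilename}',{$temp})");
                } elseif ($CONF_FORUM['filestorage_plugin'] == 'filemgmt') {
                    $sql = "INSERT INTO {$_FM_TABLES['filemgmt_filedetail']} (cid, title, url, size, submitter, status,date ) ";
                    $sql .= "VALUES ('{$cid}', '{$dbRealname}', '{$dbRealname}', '{$size}', '{$uid}', 1, UNIX_TIMESTAMP())";
                    DB_query($sql);
                    $newid = (int) DB_insertID();
                    DB_query("INSERT INTO {$_TABLES['gf_attachments']} (topic_id,repository_id,filename,tempfile) VALUES ('{$id}',{$newid},'{$dbFilename}',{$temp})");
                    $description = ppPrepareForDB(isset($_POST['filemgmt_desc']) ? $_POST['filemgmt_desc'] : '');
                    DB_query("INSERT INTO {$_FM_TABLES['filemgmt_filedesc']} (lid, description) VALUES ({$newid}, '{$description}')");
                }
            } else {
                DB_query("INSERT INTO {$_TABLES['gf_attachments']} (topic_id,filename,tempfile) VALUES ('{$id}','{$dbFilename}',{$temp})");
            }
        } else {
            COM_errorlog("upload error:" . $GLOBALS['gf_errmsg']);
        }
    }
    // Re-link preview attachments to the saved topic.  uniqueid was
    // previously interpolated straight from $_POST into the WHERE clause.
    $uniqueid = isset($_POST['uniqueid']) ? (int) $_POST['uniqueid'] : 0;
    if (!$tempfile and $uniqueid > 0 and DB_count($_TABLES['gf_topic'], 'id', $id)) {
        DB_query("UPDATE {$_TABLES['gf_attachments']} SET topic_id={$id}, tempfile=0 WHERE topic_id={$uniqueid}");
    }
    return $filelinks;
}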