[geeklog-cvs] geeklog: Fixed wrong use of COM_allowedHTML and COM_checkHTML in...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sat Apr 18 16:46:29 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/2e3298a69f73
changeset: 6960:2e3298a69f73
user: Dirk Haun <dirk at haun-online.de>
date: Sat Apr 18 22:10:44 2009 +0200
description:
Fixed wrong use of COM_allowedHTML and COM_checkHTML in plugins (bug #0000785)
diffstat:
9 files changed, 73 insertions(+), 51 deletions(-)
plugins/staticpages/services.inc.php | 2
public_html/admin/plugins/calendar/index.php | 27 +++++-----
public_html/admin/plugins/links/category.php | 6 +-
public_html/admin/plugins/links/index.php | 7 +-
public_html/admin/plugins/staticpages/index.php | 9 ++-
public_html/admin/story.php | 3 -
public_html/docs/history | 4 +
system/classes/story.class.php | 4 -
system/lib-comment.php | 62 ++++++++++++-----------
diffs (truncated from 307 to 300 lines):
diff -r a9694bc60a1a -r 2e3298a69f73 plugins/staticpages/services.inc.php
--- a/plugins/staticpages/services.inc.php Sat Apr 18 21:10:04 2009 +0200
+++ b/plugins/staticpages/services.inc.php Sat Apr 18 22:10:44 2009 +0200
@@ -353,7 +353,7 @@
$sp_title = COM_checkWords ($sp_title);
}
if ($_SP_CONF['filter_html'] == 1) {
- $sp_content = COM_checkHTML ($sp_content);
+ $sp_content = COM_checkHTML($sp_content, 'staticpages.edit');
}
$sp_title = strip_tags ($sp_title);
$sp_label = strip_tags ($sp_label);
diff -r a9694bc60a1a -r 2e3298a69f73 public_html/admin/plugins/calendar/index.php
--- a/public_html/admin/plugins/calendar/index.php Sat Apr 18 21:10:04 2009 +0200
+++ b/public_html/admin/plugins/calendar/index.php Sat Apr 18 22:10:44 2009 +0200
@@ -87,7 +87,8 @@
$event_templates->set_var('site_url', $_CONF['site_url']);
$event_templates->set_var('site_admin_url', $_CONF['site_admin_url']);
$event_templates->set_var('layout_url',$_CONF['layout_url']);
- $event_templates->set_var('lang_allowed_html', COM_allowedHTML());
+ $event_templates->set_var('lang_allowed_html',
+ COM_allowedHTML('calendar.edit'));
$event_templates->set_var('lang_postmode', $LANG_CAL_ADMIN[3]);
if ($mode <> 'editsubmission' AND !empty($A['eid'])) {
@@ -463,20 +464,22 @@
// clean 'em up
if ($postmode == 'html') {
- $description = COM_checkHTML (COM_checkWords ($description));
+ $description = COM_checkHTML(COM_checkWords($description),
+ 'calendar.edit');
} else {
$postmode = 'plaintext';
- $description = htmlspecialchars (COM_checkWords ($description));
+ $description = htmlspecialchars(COM_checkWords($description));
}
- $description = addslashes ($description);
- $title = addslashes (COM_checkHTML (COM_checkWords ($title)));
- $location = addslashes (COM_checkHTML (COM_checkWords ($location)));
- $address1 = addslashes (COM_checkHTML (COM_checkWords ($address1)));
- $address2 = addslashes (COM_checkHTML (COM_checkWords ($address2)));
- $city = addslashes (COM_checkHTML (COM_checkWords ($city)));
- $zipcode = addslashes (COM_checkHTML (COM_checkWords ($zipcode)));
- $event_type = addslashes (strip_tags (COM_checkWords ($event_type)));
- $url = addslashes (strip_tags ($url));
+ $description = addslashes($description);
+ $title = addslashes(strip_tags(COM_checkWords($title)));
+ $location = addslashes(COM_checkHTML(COM_checkWords($location),
+ 'calendar.edit'));
+ $address1 = addslashes(strip_tags(COM_checkWords($address1)));
+ $address2 = addslashes(strip_tags(COM_checkWords($address2)));
+ $city = addslashes(strip_tags(COM_checkWords($city)));
+ $zipcode = addslashes(strip_tags(COM_checkWords($zipcode)));
+ $event_type = addslashes(strip_tags(COM_checkWords($event_type)));
+ $url = addslashes(strip_tags($url));
if ($allday == 0) {
// Add 12 to make time on 24 hour clock if needed
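Review bot: `$title = addslashes(strip_tags(COM_checkWords($title)));` drops COM_checkHTML but does not encode what survives strip_tags, unlike story.class.php in this same commit, which stores the title as `htmlspecialchars(strip_tags(COM_checkWords($title)))`; a title such as `a < b` keeps its raw `<` and `&` in the database, which only matters if the calendar templates do not escape on output. If they do not, `$title = addslashes(htmlspecialchars(strip_tags(COM_checkWords($title))));` would bring it in line with the story code. The same remark applies to `$title` in the links/index.php hunk. `$location` keeping COM_checkHTML while the sibling address fields move to strip_tags looks deliberate but is worth a one-line comment. The enclosing function continues outside this hunk.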
diff -r a9694bc60a1a -r 2e3298a69f73 public_html/admin/plugins/links/category.php
--- a/public_html/admin/plugins/links/category.php Sat Apr 18 21:10:04 2009 +0200
+++ b/public_html/admin/plugins/links/category.php Sat Apr 18 22:10:44 2009 +0200
@@ -316,8 +316,10 @@
}
// clean 'em up
- $description = addslashes(COM_checkHTML(COM_checkWords($description)));
- $category = addslashes(COM_checkHTML(COM_checkWords($category)));
+ $description = addslashes(COM_checkHTML(COM_checkWords($description),
+ 'links.edit'));
+ $category = addslashes(COM_checkHTML(COM_checkWords($category),
+ 'links.edit'));
$pid = addslashes(strip_tags($pid));
$cid = addslashes(strip_tags($cid));
$old_cid = addslashes(strip_tags($old_cid));
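Review bot: `$category` is the category name, yet it is still run through COM_checkHTML (now with 'links.edit') rather than strip_tags, which is the treatment this commit gives to `$title` in links/index.php. Unless category names are meant to carry markup, `$category = addslashes(strip_tags(COM_checkWords($category)));` would be the consistent choice and would avoid storing HTML in a field that is presumably rendered inside link/attribute text. The enclosing function starts outside this hunk.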
diff -r a9694bc60a1a -r 2e3298a69f73 public_html/admin/plugins/links/index.php
--- a/public_html/admin/plugins/links/index.php Sat Apr 18 21:10:04 2009 +0200
+++ b/public_html/admin/plugins/links/index.php Sat Apr 18 22:10:44 2009 +0200
@@ -254,9 +254,10 @@
}
// clean 'em up
- $description = addslashes (COM_checkHTML (COM_checkWords ($description)));
- $title = addslashes (COM_checkHTML (COM_checkWords ($title)));
- $cid = addslashes ($cid);
+ $description = addslashes(COM_checkHTML(COM_checkWords($description),
+ 'links.edit'));
+ $title = addslashes(strip_tags(COM_checkWords($title)));
+ $cid = addslashes($cid);
if (empty ($owner_id)) {
// this is new link from admin, set default values
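Review bot: `$cid = addslashes($cid);` leaves the category id without strip_tags, whereas the category.php hunk in this same commit writes `$cid = addslashes(strip_tags($cid));` for the same kind of value; the two admin pages should treat the id the same way. Changing this line to `$cid = addslashes(strip_tags($cid));` keeps them consistent; what `$cid` has been through before this point is outside the hunk. The enclosing function starts outside this hunk.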
diff -r a9694bc60a1a -r 2e3298a69f73 public_html/admin/plugins/staticpages/index.php
--- a/public_html/admin/plugins/staticpages/index.php Sat Apr 18 21:10:04 2009 +0200
+++ b/public_html/admin/plugins/staticpages/index.php Sat Apr 18 22:10:44 2009 +0200
@@ -362,9 +362,11 @@
}
$sp_template->set_var('sp_content', $content);
if ($_SP_CONF['filter_html'] == 1) {
- $sp_template->set_var('lang_allowedhtml', COM_allowedHTML());
+ $sp_template->set_var('lang_allowedhtml',
+ COM_allowedHTML('staticpages.edit'));
} else {
- $sp_template->set_var('lang_allowedhtml', $LANG_STATIC['all_html_allowed']);
+ $sp_template->set_var('lang_allowedhtml',
+ $LANG_STATIC['all_html_allowed']);
}
$sp_template->set_var ('lang_hits', $LANG_STATIC['hits']);
if (empty ($A['sp_hits'])) {
@@ -476,7 +478,8 @@
if (empty ($A['unixdate'])) {
$A['unixdate'] = time ();
}
- $A['sp_content'] = COM_checkHTML (COM_checkWords ($A['sp_content']));
+ $A['sp_content'] = COM_checkHTML(COM_checkWords($A['sp_content']),
+ 'staticpages.edit');
}
if (isset ($A['sp_title'])) {
$A['sp_title'] = strip_tags ($A['sp_title']);
diff -r a9694bc60a1a -r 2e3298a69f73 public_html/admin/story.php
--- a/public_html/admin/story.php Sat Apr 18 21:10:04 2009 +0200
+++ b/public_html/admin/story.php Sat Apr 18 22:10:44 2009 +0200
@@ -660,7 +660,8 @@
}
}
$story_templates->set_var('post_options',$post_options );
- $story_templates->set_var('lang_allowed_html', COM_allowedHTML());
+ $story_templates->set_var('lang_allowed_html',
+ COM_allowedHTML('story.edit'));
$fileinputs = '';
$saved_images = '';
if ($_CONF['maximagesperarticle'] > 0) {
diff -r a9694bc60a1a -r 2e3298a69f73 public_html/docs/history
--- a/public_html/docs/history Sat Apr 18 21:10:04 2009 +0200
+++ b/public_html/docs/history Sat Apr 18 22:10:44 2009 +0200
@@ -11,6 +11,10 @@
+ Comment moderation and editable comments, by Jared Wenerd
Other changes:
+- Fixed wrong use of COM_allowedHTML and COM_checkHTML in plugins: Functions
+ were called without specific permissions, so they defaulted to 'story.edit'.
+ I.e. as a Story Admin, you could use the admin_html set in events, but as a
+ Calendar admin, you could not ... (bug #0000785) [Dirk]
- Added missing finish() calls for some templates, e.g. header.thtml
(bug #0000855) [Dirk]
- Moved documentation to docs/english so that it can be translated
diff -r a9694bc60a1a -r 2e3298a69f73 system/classes/story.class.php
--- a/system/classes/story.class.php Sat Apr 18 21:10:04 2009 +0200
+++ b/system/classes/story.class.php Sat Apr 18 22:10:44 2009 +0200
@@ -1908,8 +1908,8 @@
}
$this->_title = htmlspecialchars(strip_tags(COM_checkWords($title)));
- $this->_introtext = COM_checkHTML(COM_checkWords($intro));
- $this->_bodytext = COM_checkHTML(COM_checkWords($body));
+ $this->_introtext = COM_checkHTML(COM_checkWords($intro), 'story.edit');
+ $this->_bodytext = COM_checkHTML(COM_checkWords($body), 'story.edit');
}
diff -r a9694bc60a1a -r 2e3298a69f73 system/lib-comment.php
--- a/system/lib-comment.php Sat Apr 18 21:10:04 2009 +0200
+++ b/system/lib-comment.php Sat Apr 18 22:10:44 2009 +0200
@@ -52,7 +52,7 @@
*
* @param string $sid ID of item in question
* @param string $title Title of item
-* @param string $type Type of item (i.e. story, photo, etc)
+* @param string $type Type of item (i.e. article, photo, etc)
* @param string $order Order that comments are displayed in
* @param string $mode Mode (nested, flat, etc.)
* @param int $ccode Comment code: -1=no comments, 0=allowed, 1=closed
@@ -813,9 +813,10 @@
$fakepostmode = $postmode;
if ($postmode == 'html') {
- $comment = COM_checkWords (COM_checkHTML (COM_stripslashes ($comment)));
+ $html_perm = ($type == 'article') ? 'story.edit' : "$type.edit";
+ $comment = COM_checkWords(COM_checkHTML(COM_stripslashes($comment), $html_perm));
} else {
- $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
+ $comment = htmlspecialchars(COM_checkWords(COM_stripslashes($comment)));
$newcomment = COM_makeClickableLinks ($comment);
if (strcmp ($comment, $newcomment) != 0) {
$comment = nl2br ($newcomment);
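Review bot: The mapping `$html_perm = ($type == 'article') ? 'story.edit' : "$type.edit";` is written out here, again in the `allowed_html` template hunk below and a third time inside CMT_prepareText; a single helper would keep the three in step, e.g. `function CMT_htmlPermission($type) { return ($type == 'article') ? 'story.edit' : "$type.edit"; }`. Note also that `$type` arrives from `$_POST['type']` in at least CMT_handleEditSubmit (see its hunk further down), so the permission name passed to COM_checkHTML is assembled from request data; presumably COM_checkHTML falls back to the restricted user_html set for a permission nobody holds, which is worth confirming, and validating `$type` against the known item types before deriving the permission would settle it either way. The enclosing function starts outside this hunk.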
@@ -832,12 +833,12 @@
$_POST['title'] = $title;
$newcomment = $comment;
- if ($mode == $LANG03[28] ) { //for preview
- $newcomment = CMT_prepareText($comment, $postmode, true, $cid);
+ if ($mode == $LANG03[28] ) { // for preview
+ $newcomment = CMT_prepareText($comment, $postmode, $type, true, $cid);
} elseif ($mode == $LANG03[34]) {
- $newcomment = CMT_prepareText($comment, $postmode, true);
+ $newcomment = CMT_prepareText($comment, $postmode, $type, true);
} else {
- $newcomment = CMT_prepareText($comment, $postmode);
+ $newcomment = CMT_prepareText($comment, $postmode, $type);
}
$_POST['comment'] = $newcomment;
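Review bot: These calls pass `$type` as the third positional argument ahead of `$edit`, matching the new signature `function CMT_prepareText($comment, $postmode, $type, $edit = false, $cid = null)` shown further down; inserting a required parameter in front of existing optional ones means any out-of-tree caller still using the old form `CMT_prepareText($comment, $postmode, true)` silently binds `true` to `$type` and derives the permission `"1.edit"`. Appending the parameter with a default, `function CMT_prepareText($comment, $postmode, $edit = false, $cid = null, $type = 'article')`, keeps such callers working at the cost of passing it fifth here; if the break is intended, the history entry should say so. The enclosing function starts outside this hunk.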
@@ -982,8 +983,11 @@
$comment_template->set_var('lang_comment', $LANG03[9]);
$comment_template->set_var('comment', $commenttext);
$comment_template->set_var('lang_postmode', $LANG03[2]);
- $comment_template->set_var('postmode_options', COM_optionList($_TABLES['postmodes'],'code,name',$postmode));
- $comment_template->set_var('allowed_html', COM_allowedHTML());
+ $comment_template->set_var('postmode_options',
+ COM_optionList($_TABLES['postmodes'], 'code,name', $postmode));
+ $comment_template->set_var('allowed_html',
+ COM_allowedHTML($type == 'article'
+ ? 'story.edit' : "$type.edit"));
$comment_template->set_var('lang_importantstuff', $LANG03[18]);
$comment_template->set_var('lang_instr_line1', $LANG03[19]);
$comment_template->set_var('lang_instr_line2', $LANG03[20]);
@@ -1108,7 +1112,7 @@
return $someError;
}
- $comment = addslashes(CMT_prepareText($comment, $postmode));
+ $comment = addslashes(CMT_prepareText($comment, $postmode, $type));
$title = addslashes(COM_checkWords(strip_tags($title)));
if (isset($_POST['username']) && strcmp($_POST['username'],$LANG03[24]) != 0
&& $uid == 1) {
@@ -1513,10 +1517,10 @@
$display = '';
- $type = COM_applyFilter ($_POST['type']);
- $sid = COM_applyFilter ($_POST['sid']);
- $cid = COM_applyFilter ($_POST['cid']);
- $postmode = COM_applyFilter ($_POST['postmode']);
+ $type = COM_applyFilter($_POST['type']);
+ $sid = COM_applyFilter($_POST['sid']);
+ $cid = COM_applyFilter($_POST['cid']);
+ $postmode = COM_applyFilter($_POST['postmode']);
$commentuid = DB_getItem ($_TABLES['comments'], 'uid', "cid = '$cid'");
if ( empty($_USER['uid'])) {
@@ -1525,11 +1529,10 @@
$uid = $_USER['uid'];
}
- //check for bad input
- if (empty ($sid) || empty ($_POST['title']) || empty ($_POST['comment']) || !is_numeric ($cid)
- || $cid < 1 ) {
- COM_errorLog("CMT_handleEditSubmit(): {{$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
- . 'to edit a comment with one or more missing values.');
+ // check for bad input
+ if (empty($sid) || empty($_POST['title']) || empty($_POST['comment']) ||
+ !is_numeric($cid) || ($cid < 1)) {
+ COM_errorLog("CMT_handleEditSubmit(): {{$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried to edit a comment with one or more missing values.");
return COM_refresh($_CONF['site_url'] . '/index.php');
} elseif ( $uid != $commentuid && !SEC_hasRights( 'comment.moderate' ) ) {
//check permissions
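Review bot: The rewritten check `!is_numeric($cid) || ($cid < 1)` still runs after `$cid` has already been interpolated into the `DB_getItem($_TABLES['comments'], 'uid', "cid = '$cid'")` lookup in the preceding hunk, so the validation guards nothing on that query and relies entirely on COM_applyFilter having neutralised the value. Moving the input check above the lookup, or casting right after the filter with `$cid = (int) $cid;` (or the numeric mode of COM_applyFilter, if this version has one), makes the query independent of the filter. Separately, the log string `"{{$_USER['uid']} from ..."` emits a stray `{` before the uid because only the inner `{$...}` is interpolated; `"{$_USER['uid']} from ..."` is the intended form. The enclosing function CMT_handleEditSubmit starts and ends outside this hunk.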
@@ -1538,7 +1541,7 @@
return COM_refresh($_CONF['site_url'] . '/index.php');
}
- $comment = CMT_prepareText($_POST['comment'], $postmode);
+ $comment = CMT_prepareText($_POST['comment'], $postmode, $type);
$title = COM_checkWords (strip_tags (COM_stripslashes ($_POST['title'])));
if ($mode == $LANG03[35]) {
@@ -1573,7 +1576,9 @@
. 'to submit a comment with invalid $title and/or $comment.');
return COM_refresh($_CONF['site_url'] . '/index.php');
}
- return COM_refresh (COM_buildUrl ($_CONF['site_url'] . "/article.php?story=$sid"));
+
+ return COM_refresh(COM_buildUrl($_CONF['site_url']
+ . "/article.php?story=$sid"));
}
/**
@@ -1581,21 +1586,24 @@
*
* @copyright Jared Wenerd 2008
* @author Jared Wenerd, wenerd87 AT gmail DOT com
- * @param string $comment comment text
- * @param string $postmode ('html', 'plaintext',..)
+ * @param string $comment comment text
+ * @param string $postmode ('html', 'plaintext', ...)
+ * @param string $type Type of item (article, poll, etc.)
* @param bool $edit if true append edit tag
* @param int $cid commentid if editing comment (for proper sig)
* @return string of comment text
*/
-function CMT_prepareText($comment, $postmode, $edit = false, $cid = null)
+function CMT_prepareText($comment, $postmode, $type, $edit = false, $cid = null)
{
global $_USER, $_TABLES, $LANG03, $_CONF;
if ($postmode == 'html') {
- $comment = COM_checkWords (COM_checkHTML (COM_stripslashes ($comment)));
+ $html_perm = ($type == 'article') ? 'story.edit' : "$type.edit";
+ $comment = COM_checkWords(COM_checkHTML(COM_stripslashes($comment),
+ $html_perm));
} else {