Project

General

Profile

« Previous | Next » 

Revision 1777

Added by Dietmar about 12 years ago

+ add methode StripCodeFromText in class.wb to clean injection
! rebranding the admin/settings and security fixes
! a few new styling in backend wb_theme
! beginning aa lot of account changes like correction of $_SESSION indexe, security fixes
+ add head.load.min.js and head.min.js to /include/jquery/ to style HTML5 templates

View differences:

save.php
58 58 
	}
59 59 
}
60 60 

  		




  61
  
  
    
if(isset($_POST['wbmailer_routine']) && ($_POST['wbmailer_routine']=='smtp')) {


  		




  
  61
  
    
if($admin->StripCodeFromText($admin->get_post('wbmailer_routine'))=='smtp') {


  		




  62
  62
  
    

  		




  63
  
  
    
	$checkSmtpHost = (isset($_POST['wbmailer_smtp_host']) && ($_POST['wbmailer_smtp_host']=='') ? false : true);


  		




  64
  
  
    
	$checkSmtpUser = (isset($_POST['wbmailer_smtp_username']) && ($_POST['wbmailer_smtp_username']=='') ? false : true);


  		




  65
  
  
    
	$checkSmtpPassword = (isset($_POST['wbmailer_smtp_password']) && ($_POST['wbmailer_smtp_password']=='') ? false : true);


  		




  
  63
  
    
	$checkSmtpHost = (($admin->StripCodeFromText($admin->get_post('wbmailer_smtp_host'))=='') ? false : true);


  		




  
  64
  
    
//	$checkSmtpHost = (isset($_POST['wbmailer_smtp_host']) && ($_POST['wbmailer_smtp_host']=='') ? false : true);


  		




  
  65
  
    
	$checkSmtpUser = (($admin->StripCodeFromText($admin->get_post('wbmailer_smtp_username'))=='') ? false : true);


  		




  
  66
  
    
//	$checkSmtpUser = (isset($_POST['wbmailer_smtp_username']) && ($_POST['wbmailer_smtp_username']=='') ? false : true);


  		




  
  67
  
    
	$checkSmtpPassword = (($admin->StripCodeFromText($admin->get_post('wbmailer_smtp_password'))=='') ? false : true);


  		




  
  68
  
    
//	$checkSmtpPassword = (isset($_POST['wbmailer_smtp_password']) && ($_POST['wbmailer_smtp_password']=='') ? false : true);


  		




  
  69
  
    

  		




  66
  70
  
    
	if(!$checkSmtpHost || !$checkSmtpUser || !$checkSmtpPassword) {


  		




  67
  71
  
    
		$admin->print_error($TEXT['REQUIRED'].' '.$TEXT['WBMAILER_SMTP_AUTH'].


  		




  68
  72
  
    
			'<br /><strong>'.$MESSAGE['GENERIC_FILL_IN_ALL'].'</strong>', $js_back);


  		




  ......




  73
  77
  
    
// Work-out file mode


  		




  74
  78
  
    
if($advanced == '')


  		




  75
  79
  
    
{


  		




  
  80
  
    
	$file_mode = STRING_FILE_MODE;


  		




  
  81
  
    
	$dir_mode = STRING_DIR_MODE;


  		




  76
  82
  
    
	// Check if should be set to 777 or left alone


  		




  77
  
  
    
	if(isset($_POST['world_writeable']) && $_POST['world_writeable'] == 'true')


  		




  78
  
  
    
    {


  		




  79
  
  
    
		$file_mode = '0777';


  		




  80
  
  
    
		$dir_mode = '0777';


  		




  81
  
  
    
	} else {


  		




  82
  
  
    
		$file_mode = STRING_FILE_MODE;


  		




  83
  
  
    
		$dir_mode = STRING_DIR_MODE;


  		




  84
  
  
    
	}


  		




  
  83
  
    
//	if(isset($_POST['world_writeable']) && $_POST['world_writeable'] == 'true')


  		




  
  84
  
    
//    {


  		




  
  85
  
    
//		$file_mode = '0777';


  		




  
  86
  
    
//		$dir_mode = '0777';


  		




  
  87
  
    
//	} else {


  		




  
  88
  
    
//		$file_mode = STRING_FILE_MODE;


  		




  
  89
  
    
//		$dir_mode = STRING_DIR_MODE;


  		




  
  90
  
    
//	}


  		




  85
  91
  
    
} else {


  		




  86
  92
  
    
	$file_mode = STRING_FILE_MODE;


  		




  87
  93
  
    
	$dir_mode = STRING_DIR_MODE;


  		




  ......




  154
  160
  
    
	}


  		




  155
  161
  
    
}


  		




  156
  162
  
    

  		




  157
  
  
    
$allow_tags_in_fields = array('website_header', 'website_footer','website_signature');


  		




  158
  
  
    
$allow_empty_values = array('website_header','website_footer','pages_directory','page_spacer','website_signature,page_icon_dir','modules_upgrade_list');


  		




  159
  
  
    
$disallow_in_fields = array('pages_directory', 'media_directory','wb_version');


  		




  
  163
  
    
$allow_tags_in_fields = array(


  		




  
  164
  
    
    'website_header',


  		




  
  165
  
    
    'website_footer',


  		




  
  166
  
    
    'website_signature'


  		




  
  167
  
    
    );


  		




  
  168
  
    
$allow_empty_values = array(


  		




  
  169
  
    
    'website_header',


  		




  
  170
  
    
    'website_footer',


  		




  
  171
  
    
    'website_signature',


  		




  
  172
  
    
    'wysiwyg_style',


  		




  
  173
  
    
    'pages_directory',


  		




  
  174
  
    
    'page_icon_dir',


  		




  
  175
  
    
    'rename_files_on_upload',


  		




  
  176
  
    
    'page_spacer',


  		




  
  177
  
    
    'website_signature',


  		




  
  178
  
    
    'page_icon_dir',


  		




  
  179
  
    
    'modules_upgrade_list'


  		




  
  180
  
    
    );


  		




  
  181
  
    
$disallow_in_fields = array(


  		




  
  182
  
    
    'pages_directory',


  		




  
  183
  
    
    'media_directory',


  		




  
  184
  
    
    'wb_version'


  		




  
  185
  
    
    );


  		




  
  186
  
    
$StripCodeFromInput = array(


  		




  
  187
  
    
    'website_title',


  		




  
  188
  
    
    'website_description',


  		




  
  189
  
    
    'website_keywords',


  		




  
  190
  
    
    'wysiwyg_style',


  		




  
  191
  
    
    'search_module_order',


  		




  
  192
  
    
    'search_max_excerpt',


  		




  
  193
  
    
    'search_time_limit',


  		




  
  194
  
    
    'pages_directory',


  		




  
  195
  
    
    'page_icon_dir',


  		




  
  196
  
    
    'media_directory',


  		




  
  197
  
    
    'page_extension',


  		




  
  198
  
    
    'rename_files_on_upload',


  		




  
  199
  
    
    'page_spacer',


  		




  
  200
  
    
    'page_icon_dir',


  		




  
  201
  
    
    'modules_upgrade_list'


  		




  
  202
  
    
    );


  		




  160
  203
  
    

  		




  161
  204
  
    
$bRebuildAccessFiles = ( (isset( $_POST['rebuild_access_files']) && ( $_POST['rebuild_access_files'] == true )) ? true : false ) ;


  		




  162
  205
  
    

  		




  ......




  189
  232
  
    
	 			$passed = true;


  		




  190
  233
  
    
    			break;


  		




  191
  234
  
    
			case 'sec_anchor':


  		




  
  235
  
    
                $value = $admin->StripCodeFromText($value);


  		




  192
  236
  
    
				$value=(($value=='') ? 'section_' : $value);


  		




  193
  237
  
    
	 			$passed = true;


  		




  194
  238
  
    
				break;


  		




  195
  239
  
    
			case 'pages_directory':


  		




  
  240
  
    
                $value = $admin->StripCodeFromText($value);


  		




  196
  241
  
    
                $bNewPageFile = ( ( $value!= $old_settings['pages_directory'] ) ? true :  false );


  		




  197
  242
  
    
	 			$passed = $bNewPageFile;


  		




  198
  243
  
    
                $sGetId = '&amp;id='.$bNewPageFile;


  		




  ......




  208
  253
  
    
	 			$passed = true;


  		




  209
  254
  
    
				break;


  		




  210
  255
  
    
			default :


  		




  211
  
  
    
			    $passed = in_array($setting_name, $allow_empty_values);


  		




  
  256
  
    
                $passed = in_array($setting_name, $allow_empty_values);


  		




  
  257
  
    
                if(in_array($setting_name, $StripCodeFromInput) ) {


  		




  
  258
  
    
                    $value = $admin->StripCodeFromText($value);


  		




  
  259
  
    
                }


  		




  212
  260
  
    
				break;


  		




  213
  261
  
    
		}


  		




  214
  262
  
    

  		




  215
  
  
    

  		




  216
  263
  
    
	    if (!in_array($setting_name, $allow_tags_in_fields))


  		




  217
  264
  
    
	    {


  		




  218
  265
  
    
	        $value = strip_tags($value);


  		




  ......




  222
  269
  
    
	    {


  		




  223
  270
  
    
	        $value = trim($admin->add_slashes($value));


  		




  224
  271
  
    
	        $sql = 'UPDATE `'.TABLE_PREFIX.'settings` ';


  		




  225
  
  
    
	        $sql .= 'SET `value` = \''.$value.'\' ';


  		




  
  272
  
    
	        $sql .= 'SET `value` = \''.($value).'\' '; // mysql_escape_string


  		




  226
  273
  
    
	        $sql .= 'WHERE `name` != \'wb_version\' ';


  		




  227
  274
  
    
	        $sql .= 'AND `name` = \''.$setting_name.'\' ';


  		




  228
  275
  
    
	        if (!$database->query($sql))


  		




  ......




  241
  288
  
    
    }


  		




  242
  289
  
    

  		




  243
  290
  
    
}


  		




  
  291
  
    
$StripCodeFromISearch = array(


  		




  
  292
  
    
    'search_module_order',


  		




  
  293
  
    
    'search_max_excerpt',


  		




  
  294
  
    
    'search_time_limit',


  		




  
  295
  
    
    );


  		




  244
  296
  
    

  		




  245
  297
  
    
// Query current search settings in the db, then loop through them and update the db with the new value


  		




  246
  298
  
    
$sql  = 'SELECT `name`, `value` FROM `'.TABLE_PREFIX.'search` ';


  		




  ......




  255
  307
  
    
{


  		




  256
  308
  
    
	$old_value = $search_setting['value'];


  		




  257
  309
  
    
	$setting_name = $search_setting['name'];


  		




  258
  
  
    
	$post_name = 'search_'.$search_setting['name'];


  		




  
  310
  
    
	$post_name = 'search_'.$setting_name;


  		




  259
  311
  
    

  		




  260
  312
  
    
    // hold old value if post is empty


  		




  261
  313
  
    
    // check search template


  		




  262
  
  
    
    $value = ( ($admin->get_post($post_name) == '') && ($setting_name != 'template') ) ? $old_value : $admin->get_post($post_name);


  		




  
  314
  
    
    $value = ($admin->get_post($post_name));


  		




  
  315
  
    
    if(in_array($post_name, $StripCodeFromISearch) ) {


  		




  
  316
  
    
        $value = $admin->StripCodeFromText($value);


  		




  
  317
  
    
    }


  		




  
  318
  
    
    $value = ( ($value == '') && ($setting_name != 'template') ) ? $old_value : $value;


  		




  263
  319
  
    
    // $value =  ( ($admin->get_post($post_name) == '') && ($setting_name == 'template') ) ? DEFAULT_TEMPLATE : $admin->get_post($post_name);


  		




  264
  320
  
    
    if(isset($value))


  		




  265
  321
  
    
	{


  		












Also available in:  Unified diff