Merged [6248] - [6252] into trunk.

git-svn-id: http://code.elgg.org/elgg/trunk@6284 36083f99-b078-4883-b0ff-0f9b5a30f544

4 files changed, 26 insertions, 19 deletions

diff --git a/engine/handlers/pagehandler.php b/engine/handlers/pagehandler.php
index 24bef4d03..2e98c071a 100644
--- a/engine/handlers/pagehandler.php
+++ b/engine/handlers/pagehandler.php
@@ -2,6 +2,8 @@
 /**
  * Elgg page handler
  *
+ * If page_handler() fails, send to front page.
+ *
  * @package Elgg
  * @subpackage Core
  * @author Curverider Ltd
diff --git a/engine/lib/pagehandler.php b/engine/lib/pagehandler.php
index 490b81159..a6143a4e6 100644
--- a/engine/lib/pagehandler.php
+++ b/engine/lib/pagehandler.php
@@ -9,7 +9,9 @@
  */
 
 /**
- * Turns the current page over to the page handler, allowing registered handlers to take over
+ * Turns the current page over to the page handler, allowing registered handlers to take over.
+ *
+ * If a page handler returns FALSE, the request is handed over to the default_page_handler.
  *
  * @param string $handler The name of the handler type (eg 'blog')
  * @param array $page The parameters to the page, as an array (exploded by '/' slashes)
@@ -84,7 +86,8 @@ function register_page_handler($handler, $function) {
 }
 
 /**
- * A default page handler that attempts to load the actual file at a given page handler location
+ * A default page handler
+ * Tries to locate a suitable file to include. Only works for core pages, not plugins.
  *
  * @param array $page The page URL elements
  * @param string $handler The base handler
@@ -92,25 +95,25 @@ function register_page_handler($handler, $function) {
  */
 function default_page_handler($page, $handler) {
 	global $CONFIG;
-	$script = "";
 
-	$page = implode('/',$page);
-	if (($questionmark = strripos($page, '?'))) {
-		$page = substr($page, 0, $questionmark);
-	}
-	$script = str_replace("..","",$script);
+	$page = implode('/', $page);
+
+	// protect against including arbitary files
+	$page = str_replace("..", "", $page);
+	
 	$callpath = $CONFIG->path . $handler . "/" . $page;
-	if (!file_exists($callpath) || is_dir($callpath) || substr_count($callpath,'.php') == 0) {
-			if (substr($callpath,strlen($callpath) - 1, 1) != "/") {
-				$callpath .= "/";
-			}
-			$callpath .= "index.php";
-			if (!include($callpath)) {
-				return false;
+	if (is_dir($callpath)) {
+		$callpath = sanitise_filepath($callpath);
+		$callpath .= "index.php";
+		if (file_exists($callpath)) {
+			if (include($callpath)) {
+				return TRUE;
 			}
-	} else {
+		}
+	} else if (file_exists($callpath)) {
 		include($callpath);
+		return TRUE;
 	}
 
-	return true;
-}
\ No newline at end of file
+	return FALSE;
+}
diff --git a/mod/tinymce/views/default/input/longtext.php b/mod/tinymce/views/default/input/longtext.php
index f02662ca5..523931abe 100644
--- a/mod/tinymce/views/default/input/longtext.php
+++ b/mod/tinymce/views/default/input/longtext.php
@@ -40,6 +40,8 @@ tinyMCE.init({
 	theme : "advanced",
 	plugins : "safari,spellchecker,autosave,fullscreen,preview,paste",
 	relative_urls : false,
+	remove_script_host : false,
+	document_base_url : "<?php echo $vars['url']; ?>",
 	theme_advanced_buttons1 : "bold,italic,underline,separator,strikethrough,bullist,numlist,undo,redo,link,unlink,image,blockquote,code,pastetext,pasteword,more,fullscreen,",
 	theme_advanced_buttons2 : "",
 	theme_advanced_buttons3 : "",
diff --git a/views/default/input/pulldown.php b/views/default/input/pulldown.php
index a9663ef82..415ab3ad8 100644
--- a/views/default/input/pulldown.php
+++ b/views/default/input/pulldown.php
@@ -47,7 +47,7 @@ if ($vars['options_values']) {
 	foreach($vars['options'] as $option) {
 		$encoded_option = htmlentities($option, ENT_QUOTES, 'UTF-8');
 
-		if ((string)$value == (string)$vars['value']) {
+		if ((string)$option == (string)$vars['value']) {
 			echo "<option selected=\"selected\">$encoded_option</option>";
 		} else {
 			echo "<option>$encoded_option</option>";