Diffstat (limited to 'engine/lib')
-rw-r--r-- | engine/lib/input.php | 5 | ||||
-rw-r--r-- | engine/lib/navigation.php | 17 | ||||
-rw-r--r-- | engine/lib/river.php | 3 |
3 files changed, 18 insertions, 7 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
 /**
  * Get some input from variables passed on the GET or POST line.
  *
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
  * Note: this function does not handle nested arrays (ex: form input of param[m][n])
  * because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
  *
  * @param string $variable The variable we want to return.
  * @param mixed $default A default value for the variable if it is not found.
diff --git a/engine/lib/navigation.php b/engine/lib/navigation.php
index cdf3d0f67..1305ee3de 100644
--- a/engine/lib/navigation.php
+++ b/engine/lib/navigation.php
@@ -154,17 +154,20 @@ function elgg_is_menu_item_registered($menu_name, $item_name) {
 }
 
 /**
- * Convenience function for registering an add content button to title menu
+ * Convenience function for registering a button to title menu
  *
- * The add URL must be $handler/add/$guid where $guid is the guid of the page owner.
- * The label of the button is "$handler:add" so that must be defined in a
+ * The URL must be $handler/$name/$guid where $guid is the guid of the page owner.
+ * The label of the button is "$handler:$name" so that must be defined in a
  * language file.
  *
+ * This is used primarily to support adding an add content button
+ *
  * @param string $handler The handler to use or null to autodetect from context
+ * @param string $name Name of the button
  * @return void
  * @since 1.8.0
  */
-function elgg_register_add_button($handler = null) {
+function elgg_register_title_button($handler = null, $name = 'add') {
 	if (elgg_is_logged_in()) {
 		if (!$handler) {
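Review bot: The new guidance `If it is a string, escape quotes` under-specifies the mitigation for the reflected XSS risk the same paragraph warns about — in an HTML context `<`, `>` and `&` need escaping as well, and the correct escaping depends on where the value is output (HTML body, attribute, URL, JavaScript). Suggest rewording it to `If it is a string, escape it for the context it is output in (e.g. htmlspecialchars() with ENT_QUOTES for HTML)`. The added `@todo Is this ^ still?` is also ambiguous as written; `@todo Confirm that the nested-array limitation described above still applies` reads unambiguously. This docblock belongs to get_input(), whose body is outside the hunk.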
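Review bot: Renaming `elgg_register_add_button()` to `elgg_register_title_button()` removes a function documented `@since 1.8.0`, so any plugin still calling the old name would fail with an undefined-function error; the diffstat shows no other engine/lib file providing it, so unless a wrapper lives elsewhere in the commit, keep a deprecated shim: `function elgg_register_add_button($handler = null) { elgg_register_title_button($handler, 'add'); }` with `@deprecated` in its docblock. The new `@param string $name` line could also state its role and default, e.g. `@param string $name Name of the button, used as the URL segment and language key (default 'add')`. The function body continues in the next hunk.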
@@ -179,9 +182,9 @@ function elgg_register_add_button($handler = null) {
 		if ($owner && $owner->canWriteToContainer()) {
 			$guid = $owner->getGUID();
 			elgg_register_menu_item('title', array(
-				'name' => 'add',
-				'href' => "$handler/add/$guid",
-				'text' => elgg_echo("$handler:add"),
+				'name' => $name,
+				'href' => "$handler/$name/$guid",
+				'text' => elgg_echo("$handler:$name"),
 				'link_class' => 'elgg-button elgg-button-action',
 			));
 		}
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 36dde7f05..1a2be1e50 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -589,10 +589,13 @@ function elgg_river_page_handler($page) {
 	elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
 
+	// make a URL segment available in page handler script
 	$page_type = elgg_extract(0, $page, 'all');
+	$page_type = preg_replace('[\W]', '', $page_type);
 	if ($page_type == 'owner') {
 		$page_type = 'mine';
 	}
+	set_input('page_type', $page_type);
 
 	// content filter code here
 	$entity_type = '';
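Review bot: `preg_replace('[\W]', '', $page_type)` uses `[` and `]` as the pattern delimiters, so the expression actually compiled is `\W`; it works, but a reader will see `[\W]` as a character class with no delimiters, so `preg_replace('/\W/', '', $page_type)` says the same thing unambiguously. The filter can also reduce a segment made entirely of non-word characters to an empty string, which the `'all'` default from elgg_extract() does not cover because that default only applies when the segment is absent; if later code does not treat `''` as `'all'`, add `if ($page_type === '') { $page_type = 'all'; }` before the `set_input()` call so only a well-formed value is published. elgg_river_page_handler() continues outside the hunk.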