Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/input.php5
-rw-r--r--engine/lib/navigation.php17
-rw-r--r--engine/lib/river.php3
3 files changed, 18 insertions, 7 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
/**
* Get some input from variables passed on the GET or POST line.
*
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
* Note: this function does not handle nested arrays (ex: form input of param[m][n])
* because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
*
* @param string $variable The variable we want to return.
* @param mixed $default A default value for the variable if it is not found.
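Review bot: The new sentence "If it is a string, escape quotes" understates what is needed against the reflected XSS the docblock warns about: escaping quotes alone leaves `<` and `>` intact, so tag injection is still possible, and the right escaping depends on the output context. Suggest rewording that line to `If it is a string, escape it for the context where it is output (e.g. htmlspecialchars() with ENT_QUOTES for HTML).` The added `@todo Is this ^ still?` is too vague to act on; state what is to be verified, e.g. `@todo Verify whether filter_tags()/htmlawed still prevents nested array input.` The get_input() signature and body lie outside this hunk.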
diff --git a/engine/lib/navigation.php b/engine/lib/navigation.php
index cdf3d0f67..1305ee3de 100644
--- a/engine/lib/navigation.php
+++ b/engine/lib/navigation.php
@@ -154,17 +154,20 @@ function elgg_is_menu_item_registered($menu_name, $item_name) {
}
/**
- * Convenience function for registering an add content button to title menu
+ * Convenience function for registering a button to title menu
*
- * The add URL must be $handler/add/$guid where $guid is the guid of the page owner.
- * The label of the button is "$handler:add" so that must be defined in a
+ * The URL must be $handler/$name/$guid where $guid is the guid of the page owner.
+ * The label of the button is "$handler:$name" so that must be defined in a
* language file.
*
+ * This is used primarily to support adding an add content button
+ *
* @param string $handler The handler to use or null to autodetect from context
+ * @param string $name Name of the button
* @return void
* @since 1.8.0
*/
-function elgg_register_add_button($handler = null) {
+function elgg_register_title_button($handler = null, $name = 'add') {
if (elgg_is_logged_in()) {
if (!$handler) {
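Review bot: Renaming the public function `elgg_register_add_button` to `elgg_register_title_button` with no compatibility wrapper breaks every caller of the old name; unless the old name never shipped (the `@since 1.8.0` tag suggests it may not have), keep a `@deprecated` shim such as `function elgg_register_add_button($handler = null) { elgg_register_title_button($handler, 'add'); }`. The new `$name` parameter is interpolated unvalidated into the href `"$handler/$name/$guid"` and into the language key in the second hunk of this file, so the `@param` line should state that `$name` must be a single URL path segment (word characters only); a value containing `/` or whitespace would register a different route than the docblock describes. The function body continues past the end of this hunk.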
@@ -179,9 +182,9 @@ function elgg_register_add_button($handler = null) {
if ($owner && $owner->canWriteToContainer()) {
$guid = $owner->getGUID();
elgg_register_menu_item('title', array(
- 'name' => 'add',
- 'href' => "$handler/add/$guid",
- 'text' => elgg_echo("$handler:add"),
+ 'name' => $name,
+ 'href' => "$handler/$name/$guid",
+ 'text' => elgg_echo("$handler:$name"),
'link_class' => 'elgg-button elgg-button-action',
));
}
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 36dde7f05..1a2be1e50 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -589,10 +589,13 @@ function elgg_river_page_handler($page) {
elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+ // make a URL segment available in page handler script
$page_type = elgg_extract(0, $page, 'all');
+ $page_type = preg_replace('[\W]', '', $page_type);
if ($page_type == 'owner') {
$page_type = 'mine';
}
+ set_input('page_type', $page_type);
// content filter code here
$entity_type = '';
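Review bot: `preg_replace('[\W]', '', $page_type)` uses `[` and `]` as the PCRE delimiters, so the pattern actually compiled is `\W`, not a bracket expression; it strips non-word characters as intended, but a reader will parse it as a character class and a later edit inside the brackets would silently change the regex. Prefer an explicit delimiter, `$page_type = preg_replace('/\W/', '', $page_type);`, so the sanitisation of the URL segment before set_input() is unmistakable. preg_replace() also returns null on a PCRE error, and that null would then be passed straight to set_input(); if page handler scripts assume a string, fall back to the `'all'` default when the result is not a string. elgg_river_page_handler() begins before this hunk.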