diff options
Diffstat (limited to 'mod')
| -rw-r--r-- | mod/blog/actions/blog/auto_save_revision.php | 2 | ||||
| -rw-r--r-- | mod/blog/actions/blog/save.php | 10 | ||||
| -rw-r--r-- | mod/blog/views/default/forms/blog/save.php | 11 | ||||
| -rw-r--r-- | mod/bookmarks/actions/bookmarks/save.php | 2 | ||||
| -rw-r--r-- | mod/embed/start.php | 2 | ||||
| -rw-r--r-- | mod/embed/views/default/js/embed/embed.php | 9 | ||||
| -rw-r--r-- | mod/file/actions/file/upload.php | 4 | ||||
| -rw-r--r-- | mod/groups/actions/discussion/save.php | 2 | ||||
| -rw-r--r-- | mod/groups/actions/groups/edit.php | 11 | ||||
| -rw-r--r-- | mod/groups/lib/groups.php | 62 | ||||
| -rw-r--r-- | mod/groups/start.php | 9 | ||||
| -rw-r--r-- | mod/groups/views/default/forms/groups/edit.php | 48 | ||||
| -rw-r--r-- | mod/groups/views/default/groups/edit.php | 4 | ||||
| -rw-r--r-- | mod/messages/pages/messages/inbox.php | 9 | ||||
| -rw-r--r-- | mod/messages/pages/messages/read.php | 9 | ||||
| -rw-r--r-- | mod/messages/pages/messages/sent.php | 9 | ||||
| -rw-r--r-- | mod/pages/actions/pages/edit.php | 5 | ||||
| -rw-r--r-- | mod/pages/views/default/pages/icon.php | 2 | ||||
| -rw-r--r-- | mod/search/views/default/search/search_box.php | 3 |
19 files changed, 138 insertions, 75 deletions
diff --git a/mod/blog/actions/blog/auto_save_revision.php b/mod/blog/actions/blog/auto_save_revision.php index 66b65c5fd..e33edfaab 100644 --- a/mod/blog/actions/blog/auto_save_revision.php +++ b/mod/blog/actions/blog/auto_save_revision.php @@ -7,7 +7,7 @@ $guid = get_input('guid'); $user = elgg_get_logged_in_user_entity(); -$title = get_input('title'); +$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8'); $description = get_input('description'); $excerpt = get_input('excerpt'); diff --git a/mod/blog/actions/blog/save.php b/mod/blog/actions/blog/save.php index 8923cd0d2..070c96398 100644 --- a/mod/blog/actions/blog/save.php +++ b/mod/blog/actions/blog/save.php @@ -57,7 +57,11 @@ $required = array('title', 'description'); // load from POST and do sanity and access checking foreach ($values as $name => $default) { - $value = get_input($name, $default); + if ($name === 'title') { + $value = htmlspecialchars(get_input('title', $default, false), ENT_QUOTES, 'UTF-8'); + } else { + $value = get_input($name, $default); + } if (in_array($name, $required) && empty($value)) { $error = elgg_echo("blog:error:missing:$name"); @@ -145,7 +149,7 @@ if (!$error) { // add to river if changing status or published, regardless of new post // because we remove it for drafts. if (($new_post || $old_status == 'draft') && $status == 'published') { - add_to_river('river/object/blog/create', 'create', elgg_get_logged_in_user_guid(), $blog->getGUID()); + add_to_river('river/object/blog/create', 'create', $blog->owner_guid, $blog->getGUID()); if ($guid) { $blog->time_created = time(); @@ -170,4 +174,4 @@ if (!$error) { } else { register_error($error); forward($error_forward_url); -}
\ No newline at end of file +} diff --git a/mod/blog/views/default/forms/blog/save.php b/mod/blog/views/default/forms/blog/save.php index a805541bd..36fa2e0e8 100644 --- a/mod/blog/views/default/forms/blog/save.php +++ b/mod/blog/views/default/forms/blog/save.php @@ -23,7 +23,7 @@ if ($vars['guid']) { $delete_link = elgg_view('output/confirmlink', array( 'href' => $delete_url, 'text' => elgg_echo('delete'), - 'class' => 'elgg-button elgg-button-delete elgg-state-disabled float-alt' + 'class' => 'elgg-button elgg-button-delete float-alt' )); } @@ -53,7 +53,7 @@ $excerpt_label = elgg_echo('blog:excerpt'); $excerpt_input = elgg_view('input/text', array( 'name' => 'excerpt', 'id' => 'blog_excerpt', - 'value' => html_entity_decode($vars['excerpt'], ENT_COMPAT, 'UTF-8') + 'value' => _elgg_html_decode($vars['excerpt']) )); $body_label = elgg_echo('blog:body'); @@ -125,9 +125,10 @@ $draft_warning $excerpt_input </div> -<label for="blog_description">$body_label</label> -$body_input -<br /> +<div> + <label for="blog_description">$body_label</label> + $body_input +</div> <div> <label for="blog_tags">$tags_label</label> diff --git a/mod/bookmarks/actions/bookmarks/save.php b/mod/bookmarks/actions/bookmarks/save.php index 3ca6bef32..46090b115 100644 --- a/mod/bookmarks/actions/bookmarks/save.php +++ b/mod/bookmarks/actions/bookmarks/save.php @@ -5,7 +5,7 @@ * @package Bookmarks */ -$title = strip_tags(get_input('title')); +$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8'); $description = get_input('description'); $address = get_input('address'); $access_id = get_input('access_id'); diff --git a/mod/embed/start.php b/mod/embed/start.php index a3ccab66b..e8a3f8c14 100644 --- a/mod/embed/start.php +++ b/mod/embed/start.php @@ -47,7 +47,7 @@ function embed_longtext_menu($hook, $type, $items, $vars) { 'name' => 'embed', 'href' => $url, 'text' => elgg_echo('embed:media'), - 'rel' => 'lightbox', + 'rel' => "embed-lightbox-{$vars['id']}", 'link_class' => "elgg-longtext-control elgg-lightbox embed-control embed-control-{$vars['id']}", 'priority' => 10, )); diff --git a/mod/embed/views/default/js/embed/embed.php b/mod/embed/views/default/js/embed/embed.php index 0c8442292..eb6153abf 100644 --- a/mod/embed/views/default/js/embed/embed.php +++ b/mod/embed/views/default/js/embed/embed.php @@ -67,6 +67,8 @@ echo elgg_view('embed/custom_insert_js'); * @return bool */ elgg.embed.submit = function(event) { + $('.embed-wrapper .elgg-form-file-upload').hide(); + $('.embed-throbber').show(); $(this).ajaxSubmit({ dataType : 'json', @@ -82,6 +84,10 @@ elgg.embed.submit = function(event) { var url = elgg.normalize_url('embed/tab/' + forward); url = elgg.embed.addContainerGUID(url); $('.embed-wrapper').parent().load(url); + } else { + // incorrect response, presumably an error has been displayed + $('.embed-throbber').hide(); + $('.embed-wrapper .elgg-form-file-upload').show(); } } }, @@ -90,9 +96,6 @@ elgg.embed.submit = function(event) { } }); - $('.elgg-form-file-upload').hide(); - $('.embed-throbber').show(); - // this was bubbling up the DOM causing a submission event.preventDefault(); event.stopPropagation(); diff --git a/mod/file/actions/file/upload.php b/mod/file/actions/file/upload.php index d72d04eb7..d6dce2528 100644 --- a/mod/file/actions/file/upload.php +++ b/mod/file/actions/file/upload.php @@ -6,7 +6,7 @@ */ // Get variables -$title = get_input("title"); +$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8'); $desc = get_input("description"); $access_id = (int) get_input("access_id"); $container_guid = (int) get_input('container_guid', 0); @@ -44,7 +44,7 @@ if ($new_file) { // if no title on new upload, grab filename if (empty($title)) { - $title = $_FILES['upload']['name']; + $title = htmlspecialchars($_FILES['upload']['name'], ENT_QUOTES, 'UTF-8'); } } else { diff --git a/mod/groups/actions/discussion/save.php b/mod/groups/actions/discussion/save.php index de4afadfb..b3e9da654 100644 --- a/mod/groups/actions/discussion/save.php +++ b/mod/groups/actions/discussion/save.php @@ -4,7 +4,7 @@ */ // Get variables -$title = get_input("title"); +$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8'); $desc = get_input("description"); $status = get_input("status"); $access_id = (int) get_input("access_id"); diff --git a/mod/groups/actions/groups/edit.php b/mod/groups/actions/groups/edit.php index df2464a65..2d7e1f023 100644 --- a/mod/groups/actions/groups/edit.php +++ b/mod/groups/actions/groups/edit.php @@ -8,15 +8,15 @@ // Load configuration global $CONFIG; +elgg_make_sticky_form('groups'); + /** * wrapper for recursive array walk decoding */ function profile_array_decoder(&$v) { - $v = html_entity_decode($v, ENT_COMPAT, 'UTF-8'); + $v = _elgg_html_decode($v); } -elgg_make_sticky_form('groups'); - // Get group fields $input = array(); foreach ($CONFIG->group as $shortname => $valuetype) { @@ -25,7 +25,7 @@ foreach ($CONFIG->group as $shortname => $valuetype) { if (is_array($input[$shortname])) { array_walk_recursive($input[$shortname], 'profile_array_decoder'); } else { - $input[$shortname] = html_entity_decode($input[$shortname], ENT_COMPAT, 'UTF-8'); + $input[$shortname] = _elgg_html_decode($input[$shortname]); } if ($valuetype == 'tags') { @@ -33,8 +33,7 @@ foreach ($CONFIG->group as $shortname => $valuetype) { } } -$input['name'] = get_input('name'); -$input['name'] = html_entity_decode($input['name'], ENT_COMPAT, 'UTF-8'); +$input['name'] = htmlspecialchars(get_input('name', '', false), ENT_QUOTES, 'UTF-8'); $user = elgg_get_logged_in_user_entity(); diff --git a/mod/groups/lib/groups.php b/mod/groups/lib/groups.php index dfbb1154b..505cacd01 100644 --- a/mod/groups/lib/groups.php +++ b/mod/groups/lib/groups.php @@ -497,3 +497,65 @@ function groups_register_profile_buttons($group) { } } } + +/** + * Prepares variables for the group edit form view. + * + * @param mixed $group ElggGroup or null. If a group, uses values from the group. + * @return array + */ +function groups_prepare_form_vars($group = null) { + $values = array( + 'name' => '', + 'membership' => ACCESS_PUBLIC, + 'vis' => ACCESS_PUBLIC, + 'guid' => null, + 'entity' => null + ); + + // handle customizable profile fields + $fields = elgg_get_config('group'); + + if ($fields) { + foreach ($fields as $name => $type) { + $values[$name] = ''; + } + } + + // handle tool options + $tools = elgg_get_config('group_tool_options'); + if ($tools) { + foreach ($tools as $group_option) { + $option_name = $group_option->name . "_enable"; + $values[$option_name] = $group_option->default_on ? 'yes' : 'no'; + } + } + + // get current group settings + if ($group) { + foreach (array_keys($values) as $field) { + if (isset($group->$field)) { + $values[$field] = $group->$field; + } + } + + if ($group->access_id != ACCESS_PUBLIC && $group->access_id != ACCESS_LOGGED_IN) { + // group only access - this is done to handle access not created when group is created + $values['vis'] = ACCESS_PRIVATE; + } + + $values['entity'] = $group; + } + + // get any sticky form settings + if (elgg_is_sticky_form('groups')) { + $sticky_values = elgg_get_sticky_values('groups'); + foreach ($sticky_values as $key => $value) { + $values[$key] = $value; + } + } + + elgg_clear_sticky_form('groups'); + + return $values; +} diff --git a/mod/groups/start.php b/mod/groups/start.php index c591410c5..9dca7dc16 100644 --- a/mod/groups/start.php +++ b/mod/groups/start.php @@ -194,6 +194,15 @@ function groups_setup_sidebar_menus() { */ function groups_page_handler($page) { + // forward old profile urls + if (is_numeric($page[0])) { + $group = get_entity($page[0]); + if (elgg_instanceof($group, 'group', '', 'ElggGroup')) { + system_message(elgg_echo('changebookmark')); + forward($group->getURL()); + } + } + elgg_load_library('elgg:groups'); if (!isset($page[0])) { diff --git a/mod/groups/views/default/forms/groups/edit.php b/mod/groups/views/default/forms/groups/edit.php index 7540d1bf9..532e89c35 100644 --- a/mod/groups/views/default/forms/groups/edit.php +++ b/mod/groups/views/default/forms/groups/edit.php @@ -5,26 +5,9 @@ * @package ElggGroups */ -if (elgg_is_sticky_form('groups')) { - $sticky_values = elgg_get_sticky_values('groups'); - elgg_clear_sticky_form('groups'); -} - -// new groups default to open membership -if (isset($sticky_values)) { - $membership = $sticky_values['membership']; - $access = $sticky_values['access_id']; -} elseif (isset($vars['entity'])) { - $membership = $vars['entity']->membership; - $access = $vars['entity']->access_id; - if ($access != ACCESS_PUBLIC && $access != ACCESS_LOGGED_IN) { - // group only - this is done to handle access not created when group is created - $access = ACCESS_PRIVATE; - } -} else { - $membership = ACCESS_PUBLIC; - $access = ACCESS_PUBLIC; -} +// only extract these elements. +$name = $membership = $vis = $entity = null; +extract($vars, EXTR_IF_EXISTS); ?> <div> @@ -35,7 +18,7 @@ if (isset($sticky_values)) { <label><?php echo elgg_echo("groups:name"); ?></label><br /> <?php echo elgg_view("input/text", array( 'name' => 'name', - 'value' => isset($sticky_values['name']) ? $sticky_values['name'] : $vars['entity']->name, + 'value' => $name )); ?> </div> @@ -53,7 +36,7 @@ if ($group_profile_fields > 0) { echo "</label>$line_break"; echo elgg_view("input/{$valtype}", array( 'name' => $shortname, - 'value' => isset($sticky_values[$shortname]) ? $sticky_values[$shortname] : $vars['entity']->$shortname, + 'value' => elgg_extract($shortname, $vars) )); echo '</div>'; } @@ -78,10 +61,6 @@ if ($group_profile_fields > 0) { <?php if (elgg_get_plugin_setting('hidden_groups', 'groups') == 'yes') { - $this_owner = $vars['entity']->owner_guid; - if (!$this_owner) { - $this_owner = elgg_get_logged_in_user_guid(); - } $access_options = array( ACCESS_PRIVATE => elgg_echo('groups:access:group'), ACCESS_LOGGED_IN => elgg_echo("LOGGED_IN"), @@ -94,7 +73,7 @@ if (elgg_get_plugin_setting('hidden_groups', 'groups') == 'yes') { <?php echo elgg_echo('groups:visibility'); ?><br /> <?php echo elgg_view('input/access', array( 'name' => 'vis', - 'value' => $access, + 'value' => $vis, 'options_values' => $access_options, )); ?> @@ -109,12 +88,7 @@ if ($tools) { usort($tools, create_function('$a,$b', 'return strcmp($a->label,$b->label);')); foreach ($tools as $group_option) { $group_option_toggle_name = $group_option->name . "_enable"; - if ($group_option->default_on) { - $group_option_default_value = 'yes'; - } else { - $group_option_default_value = 'no'; - } - $value = $vars['entity']->$group_option_toggle_name ? $vars['entity']->$group_option_toggle_name : $group_option_default_value; + $value = elgg_extract($group_option_toggle_name, $vars); ?> <div> <label> @@ -137,17 +111,17 @@ if ($tools) { <div class="elgg-foot"> <?php -if (isset($vars['entity'])) { +if (isset($entity)) { echo elgg_view('input/hidden', array( 'name' => 'group_guid', - 'value' => $vars['entity']->getGUID(), + 'value' => $entity->getGUID(), )); } echo elgg_view('input/submit', array('value' => elgg_echo('save'))); -if (isset($vars['entity'])) { - $delete_url = 'action/groups/delete?guid=' . $vars['entity']->getGUID(); +if (isset($entity)) { + $delete_url = 'action/groups/delete?guid=' . $entity->getGUID(); echo elgg_view('output/confirmlink', array( 'text' => elgg_echo('groups:delete'), 'href' => $delete_url, diff --git a/mod/groups/views/default/groups/edit.php b/mod/groups/views/default/groups/edit.php index 24a1c3f1e..5579ad54a 100644 --- a/mod/groups/views/default/groups/edit.php +++ b/mod/groups/views/default/groups/edit.php @@ -11,5 +11,5 @@ $form_vars = array( 'enctype' => 'multipart/form-data', 'class' => 'elgg-form-alt', ); -$body_vars = array('entity' => $entity); -echo elgg_view_form('groups/edit', $form_vars, $body_vars); + +echo elgg_view_form('groups/edit', $form_vars, groups_prepare_form_vars($entity)); diff --git a/mod/messages/pages/messages/inbox.php b/mod/messages/pages/messages/inbox.php index fdfc20c43..de5b8b231 100644 --- a/mod/messages/pages/messages/inbox.php +++ b/mod/messages/pages/messages/inbox.php @@ -8,8 +8,13 @@ gatekeeper(); $page_owner = elgg_get_page_owner_entity(); -if (!$page_owner) { - register_error(elgg_echo()); + +if (!$page_owner || !$page_owner->canEdit()) { + $guid = 0; + if($page_owner){ + $guid = $page_owner->getGUID(); + } + register_error(elgg_echo("pageownerunavailable", array($guid))); forward(); } diff --git a/mod/messages/pages/messages/read.php b/mod/messages/pages/messages/read.php index 19e3ecdd7..4223c6bac 100644 --- a/mod/messages/pages/messages/read.php +++ b/mod/messages/pages/messages/read.php @@ -8,8 +8,8 @@ gatekeeper(); $message = get_entity(get_input('guid')); -if (!$message) { - forward('messages/inbox'); +if (!$message || !elgg_instanceof($message, "object", "messages")) { + forward('messages/inbox/' . elgg_get_logged_in_user_entity()->username); } // mark the message as read @@ -38,8 +38,9 @@ if ($inbox) { ); $body_params = array('message' => $message); $content .= elgg_view_form('messages/reply', $form_params, $body_params); - - if (elgg_get_logged_in_user_guid() == elgg_get_page_owner_guid()) { + $from_user = get_user($message->fromId); + + if ((elgg_get_logged_in_user_guid() == elgg_get_page_owner_guid()) && $from_user) { elgg_register_menu_item('title', array( 'name' => 'reply', 'href' => '#messages-reply-form', diff --git a/mod/messages/pages/messages/sent.php b/mod/messages/pages/messages/sent.php index af06ab273..3d08cd5ee 100644 --- a/mod/messages/pages/messages/sent.php +++ b/mod/messages/pages/messages/sent.php @@ -8,8 +8,13 @@ gatekeeper(); $page_owner = elgg_get_page_owner_entity(); -if (!$page_owner) { - register_error(elgg_echo()); + +if (!$page_owner || !$page_owner->canEdit()) { + $guid = 0; + if($page_owner){ + $guid = $page_owner->getGUID(); + } + register_error(elgg_echo("pageownerunavailable", array($guid))); forward(); } diff --git a/mod/pages/actions/pages/edit.php b/mod/pages/actions/pages/edit.php index a32e4a4ba..fe5754d76 100644 --- a/mod/pages/actions/pages/edit.php +++ b/mod/pages/actions/pages/edit.php @@ -8,9 +8,10 @@ $variables = elgg_get_config('pages'); $input = array(); foreach ($variables as $name => $type) { - $input[$name] = get_input($name); if ($name == 'title') { - $input[$name] = strip_tags($input[$name]); + $input[$name] = htmlspecialchars(get_input($name, '', false), ENT_QUOTES, 'UTF-8'); + } else { + $input[$name] = get_input($name); } if ($type == 'tags') { $input[$name] = string_to_tag_array($input[$name]); diff --git a/mod/pages/views/default/pages/icon.php b/mod/pages/views/default/pages/icon.php index d3b749eb8..cba034ec4 100644 --- a/mod/pages/views/default/pages/icon.php +++ b/mod/pages/views/default/pages/icon.php @@ -21,5 +21,5 @@ if (!in_array($vars['size'], array('small', 'medium', 'large', 'tiny', 'master', ?> <a href="<?php echo $annotation->getURL(); ?>"> - <img src="<?php echo $entity->getIconURL($vars['size']); ?>" /> + <img alt="<?php echo $entity->title; ?>" src="<?php echo $entity->getIconURL($vars['size']); ?>" /> </a> diff --git a/mod/search/views/default/search/search_box.php b/mod/search/views/default/search/search_box.php index ff12ae4f0..7474a280c 100644 --- a/mod/search/views/default/search/search_box.php +++ b/mod/search/views/default/search/search_box.php @@ -32,12 +32,11 @@ if (function_exists('mb_convert_encoding')) { } $display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false); - ?> <form class="<?php echo $class; ?>" action="<?php echo elgg_get_site_url(); ?>search" method="get"> <fieldset> - <input type="text" class="search-input" size="21" name="q" value="<?php echo elgg_echo('search'); ?>" onblur="if (this.value=='') { this.value='<?php echo elgg_echo('search'); ?>' }" onfocus="if (this.value=='<?php echo elgg_echo('search'); ?>') { this.value='' };" /> + <input type="text" class="search-input" size="21" name="q" value="<?php echo $display_query; ?>" onblur="if (this.value=='') { this.value='<?php echo elgg_echo('search'); ?>' }" onfocus="if (this.value=='<?php echo elgg_echo('search'); ?>') { this.value='' };" /> <input type="hidden" name="search_type" value="all" /> <input type="submit" value="<?php echo elgg_echo('search:go'); ?>" class="search-submit-button" /> </fieldset> |