From b4ad258a325ebda8b78641f31b10dbd04fb724ce Mon Sep 17 00:00:00 2001 From: Ismayil Khayredinov Date: Thu, 5 Apr 2012 13:10:02 +0200 Subject: Fixes #4395: Register group profile title buttons earlier --- mod/groups/lib/groups.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mod/groups/lib/groups.php b/mod/groups/lib/groups.php index 7798e5dc3..f8ff2d74b 100644 --- a/mod/groups/lib/groups.php +++ b/mod/groups/lib/groups.php @@ -245,6 +245,8 @@ function groups_handle_profile_page($guid) { elgg_push_breadcrumb($group->name); + groups_register_profile_buttons($group); + $content = elgg_view('groups/profile/layout', array('entity' => $group)); if (group_gatekeeper(false)) { $sidebar = elgg_view('groups/sidebar/members', array('entity' => $group)); @@ -252,8 +254,6 @@ function groups_handle_profile_page($guid) { $sidebar = ''; } - groups_register_profile_buttons($group); - $params = array( 'content' => $content, 'sidebar' => $sidebar, -- cgit v1.2.3 From 76978dd5620b5664e68a3a4068d5bd07771fe7ea Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Tue, 17 Apr 2012 00:13:46 -0400 Subject: Fixes #4432: Do not escape ORDER BY/GROUP BY clauses in elgg_get_entities --- engine/lib/entities.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/engine/lib/entities.php b/engine/lib/entities.php index 4875b2c2f..7fe913888 100644 --- a/engine/lib/entities.php +++ b/engine/lib/entities.php @@ -915,11 +915,11 @@ function elgg_get_entities(array $options = array()) { } if (!$options['count']) { - if ($options['group_by'] = sanitise_string($options['group_by'])) { + if ($options['group_by']) { $query .= " GROUP BY {$options['group_by']}"; } - if ($options['order_by'] = sanitise_string($options['order_by'])) { + if ($options['order_by']) { $query .= " ORDER BY {$options['order_by']}"; } -- cgit v1.2.3 From 7e59ef7adec3b716aabc9c61c485ceb17e5d1f68 Mon Sep 17 00:00:00 2001 From: Jerome Bakker Date: Wed, 18 Apr 2012 15:06:00 +0200 Subject: fixes #3405 Memcache: fault in contructor can cause site to go into English language --- engine/classes/ElggMemcache.php | 6 +++--- languages/en.php | 5 ----- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/engine/classes/ElggMemcache.php b/engine/classes/ElggMemcache.php index f27b017d0..d9539b9cb 100644 --- a/engine/classes/ElggMemcache.php +++ b/engine/classes/ElggMemcache.php @@ -40,7 +40,7 @@ class ElggMemcache extends ElggSharedMemoryCache { // Do we have memcache? if (!class_exists('Memcache')) { - throw new ConfigurationException(elgg_echo('memcache:notinstalled')); + throw new ConfigurationException('PHP memcache module not installed, you must install php5-memcache'); } // Create memcache object @@ -48,7 +48,7 @@ class ElggMemcache extends ElggSharedMemoryCache { // Now add servers if (!$CONFIG->memcache_servers) { - throw new ConfigurationException(elgg_echo('memcache:noservers')); + throw new ConfigurationException('No memcache servers defined, please populate the $CONFIG->memcache_servers variable'); } if (is_callable(array($this->memcache, 'addServer'))) { @@ -85,7 +85,7 @@ class ElggMemcache extends ElggSharedMemoryCache { // Get version $this->version = $this->memcache->getVersion(); if (version_compare($this->version, ElggMemcache::$MINSERVERVERSION, '<')) { - $msg = elgg_echo('memcache:versiontoolow', + $msg = vsprintf('Memcache needs at least version %s to run, you are running %s', array(ElggMemcache::$MINSERVERVERSION, $this->version )); diff --git a/languages/en.php b/languages/en.php index 14df3db34..7ff484a8f 100644 --- a/languages/en.php +++ b/languages/en.php @@ -229,11 +229,6 @@ $english = array( 'LoginException:AccountLocked' => 'Your account has been locked for too many log in failures.', 'LoginException:ChangePasswordFailure' => 'Failed current password check.', - 'memcache:notinstalled' => 'PHP memcache module not installed, you must install php5-memcache', - 'memcache:noservers' => 'No memcache servers defined, please populate the $CONFIG->memcache_servers variable', - 'memcache:versiontoolow' => 'Memcache needs at least version %s to run, you are running %s', - 'memcache:noaddserver' => 'Multiple server support disabled, you may need to upgrade your PECL memcache library', - 'deprecatedfunction' => 'Warning: This code uses the deprecated function \'%s\' and is not compatible with this version of Elgg', 'pageownerunavailable' => 'Warning: The page owner %d is not accessible!', -- cgit v1.2.3 From 7e04c0e841f99633240b115ae0242a8b7d42cf25 Mon Sep 17 00:00:00 2001 From: Miguel Rodríguez Pérez Date: Thu, 31 May 2012 12:06:08 +0200 Subject: Respect site default language from javascript elgg_echo The current implementation hardcoded 'en' as the site default language. This patch uses the site's configure default language as the default one. --- js/lib/languages.js | 2 -- views/default/js/elgg.php | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/js/lib/languages.js b/js/lib/languages.js index bfa858364..a8ba72c31 100644 --- a/js/lib/languages.js +++ b/js/lib/languages.js @@ -4,8 +4,6 @@ */ elgg.provide('elgg.config.translations'); -elgg.config.language = 'en'; - /** * Analagous to the php version. Merges translations for a * given language into the current translations map. diff --git a/views/default/js/elgg.php b/views/default/js/elgg.php index 133e128a4..6460e93d6 100644 --- a/views/default/js/elgg.php +++ b/views/default/js/elgg.php @@ -57,6 +57,7 @@ elgg.release = ''; elgg.config.wwwroot = ''; elgg.security.interval = 5 * 60 * 1000; elgg.config.domReady = false; +elgg.config.language = 'language) ? $CONFIG->language : 'en'; ?>'; elgg.config.languageReady = false; //After the DOM is ready -- cgit v1.2.3 From e3222535a07e39ffe506eb9688db515798ebf2a4 Mon Sep 17 00:00:00 2001 From: cash Date: Tue, 19 Jun 2012 19:35:55 -0400 Subject: Fixes #4606 made unlike code consistent and functional --- mod/likes/actions/likes/delete.php | 17 ++++++----------- mod/likes/languages/en.php | 1 + mod/likes/views/default/annotation/likes.php | 4 ++-- mod/likes/views/default/likes/button.php | 8 +++++++- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/mod/likes/actions/likes/delete.php b/mod/likes/actions/likes/delete.php index db3036bb4..88cb84467 100644 --- a/mod/likes/actions/likes/delete.php +++ b/mod/likes/actions/likes/delete.php @@ -4,17 +4,12 @@ * */ -$likes = elgg_get_annotations(array( - 'guid' => (int) get_input('guid'), - 'annotation_owner_guid' => elgg_get_logged_in_user_guid(), - 'annotation_name' => 'likes', -)); -if ($likes) { - if ($likes[0]->canEdit()) { - $likes[0]->delete(); - system_message(elgg_echo("likes:deleted")); - forward(REFERER); - } +$id = (int) get_input('id'); +$like = elgg_get_annotation_from_id($id); +if ($like && $like->canEdit()) { + $like->delete(); + system_message(elgg_echo("likes:deleted")); + forward(REFERER); } register_error(elgg_echo("likes:notdeleted")); diff --git a/mod/likes/languages/en.php b/mod/likes/languages/en.php index 4a98d7cfe..b9460aa10 100644 --- a/mod/likes/languages/en.php +++ b/mod/likes/languages/en.php @@ -17,6 +17,7 @@ $english = array( 'likes:userlikedthis' => '%s like', 'likes:userslikedthis' => '%s likes', 'likes:river:annotate' => 'likes', + 'likes:delete:confirm' => 'Are you sure you want to unlike this?', 'river:likes' => 'likes %s %s', diff --git a/mod/likes/views/default/annotation/likes.php b/mod/likes/views/default/annotation/likes.php index d41522fc4..abd4df823 100644 --- a/mod/likes/views/default/annotation/likes.php +++ b/mod/likes/views/default/annotation/likes.php @@ -29,9 +29,9 @@ $friendlytime = elgg_view_friendly_time($like->time_created); if ($like->canEdit()) { $delete_button = elgg_view("output/confirmlink",array( - 'href' => "action/likes/delete?annotation_id={$like->id}", + 'href' => "action/likes/delete?id={$like->id}", 'text' => "", - 'confirm' => elgg_echo('deleteconfirm'), + 'confirm' => elgg_echo('likes:delete:confirm'), 'encode_text' => false, )); } diff --git a/mod/likes/views/default/likes/button.php b/mod/likes/views/default/likes/button.php index bc7c8fd8a..956bbcb19 100644 --- a/mod/likes/views/default/likes/button.php +++ b/mod/likes/views/default/likes/button.php @@ -24,7 +24,13 @@ if (elgg_is_logged_in() && $vars['entity']->canAnnotate(0, 'likes')) { ); $likes_button = elgg_view('output/url', $params); } else { - $url = elgg_get_site_url() . "action/likes/delete?guid={$guid}"; + $like = elgg_get_annotations(array( + 'guid' => $guid, + 'annotation_owner_guid' => elgg_get_logged_in_user_guid(), + 'annotation_name' => 'likes', + )); + $like = $like[0]; + $url = elgg_get_site_url() . "action/likes/delete?id={$like->id}"; $params = array( 'href' => $url, 'text' => elgg_view_icon('thumbs-up-alt'), -- cgit v1.2.3 From acb6ceb71afa00a66280f4d33e952df39729eca6 Mon Sep 17 00:00:00 2001 From: cash Date: Tue, 19 Jun 2012 20:12:49 -0400 Subject: Fixes #4608 optimizes messages_count_unread() - from Jeroen --- mod/messages/start.php | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/mod/messages/start.php b/mod/messages/start.php index 1a2709324..2e61d6e21 100644 --- a/mod/messages/start.php +++ b/mod/messages/start.php @@ -356,16 +356,10 @@ function messages_count_unread() { "msg_msg.name_id='{$map['msg']}' AND msg_msg.value_id='{$map[1]}'", ), 'owner_guid' => $user_guid, - 'limit' => 0 + 'count' => true, ); - $num_messages = elgg_get_entities_from_metadata($options); - - if (is_array($num_messages)) { - return sizeof($num_messages); - } - - return 0; + return elgg_get_entities_from_metadata($options); } /** -- cgit v1.2.3 From 690f226100a2f690bd77d05a82668c9cfee7b863 Mon Sep 17 00:00:00 2001 From: cash Date: Tue, 19 Jun 2012 20:23:49 -0400 Subject: Fixes #4382 catches lost connection to database - from Paweł MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- engine/lib/database.php | 4 ++++ languages/en.php | 1 + 2 files changed, 5 insertions(+) diff --git a/engine/lib/database.php b/engine/lib/database.php index cc2b99f6a..7d90b30b8 100644 --- a/engine/lib/database.php +++ b/engine/lib/database.php @@ -253,6 +253,10 @@ function execute_query($query, $dblink) { throw new DatabaseException(elgg_echo('DatabaseException:InvalidQuery')); } + if (!is_resource($dblink)) { + throw new DatabaseException(elgg_echo('DatabaseException:InvalidDBLink')); + } + $dbcalls++; $result = mysql_query($query, $dblink); diff --git a/languages/en.php b/languages/en.php index e9c333041..93096df38 100644 --- a/languages/en.php +++ b/languages/en.php @@ -56,6 +56,7 @@ $english = array( 'DatabaseException:DBSetupIssues' => "There were a number of issues: ", 'DatabaseException:ScriptNotFound' => "Elgg couldn't find the requested database script at %s.", 'DatabaseException:InvalidQuery' => "Invalid query", + 'DatabaseException:InvalidDBLink' => "Connection to database was lost.", 'IOException:FailedToLoadGUID' => "Failed to load new %s from GUID:%d", 'InvalidParameterException:NonElggObject' => "Passing a non-ElggObject to an ElggObject constructor!", -- cgit v1.2.3 From d343f71960285f4acd94fa9547719eea9cfdc760 Mon Sep 17 00:00:00 2001 From: Jerome Bakker Date: Wed, 20 Jun 2012 10:11:22 +0200 Subject: changed: loading of jQuery treeview library to prevent potential unnecessary loading --- mod/pages/start.php | 4 ---- mod/pages/views/default/pages/sidebar/navigation.php | 6 +++++- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/mod/pages/start.php b/mod/pages/start.php index 834e98870..c385131bd 100644 --- a/mod/pages/start.php +++ b/mod/pages/start.php @@ -106,10 +106,6 @@ function pages_page_handler($page) { elgg_load_library('elgg:pages'); - // add the jquery treeview files for navigation - elgg_load_js('jquery-treeview'); - elgg_load_css('jquery-treeview'); - if (!isset($page[0])) { $page[0] = 'all'; } diff --git a/mod/pages/views/default/pages/sidebar/navigation.php b/mod/pages/views/default/pages/sidebar/navigation.php index fe017b1a7..65eb500c8 100644 --- a/mod/pages/views/default/pages/sidebar/navigation.php +++ b/mod/pages/views/default/pages/sidebar/navigation.php @@ -5,6 +5,11 @@ * @uses $vars['page'] Page object if manually setting selected item */ +// add the jquery treeview files for navigation +elgg_load_js('jquery-treeview'); +elgg_load_css('jquery-treeview'); + + $selected_page = elgg_extract('page', $vars, false); if ($selected_page) { $url = $selected_page->getURL(); @@ -51,4 +56,3 @@ if ($selected_page) { }); - -- cgit v1.2.3 From c4262b93dd12de7d8b04533b261c39e4ce8ccf8c Mon Sep 17 00:00:00 2001 From: cash Date: Thu, 21 Jun 2012 20:00:52 -0400 Subject: Fixes #4165 livesearch now returns people based on last names --- engine/lib/input.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/engine/lib/input.php b/engine/lib/input.php index dda8211b6..6d1646e1a 100644 --- a/engine/lib/input.php +++ b/engine/lib/input.php @@ -283,7 +283,7 @@ function input_livesearch_page_handler($page) { WHERE e.guid = ue.guid AND e.enabled = 'yes' AND ue.banned = 'no' - AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%') + AND (ue.name LIKE '$q%' OR ue.name LIKE '% $q%' OR ue.username LIKE '$q%') LIMIT $limit "; @@ -333,7 +333,7 @@ function input_livesearch_page_handler($page) { WHERE e.guid = ge.guid AND e.enabled = 'yes' $owner_where - AND (ge.name LIKE '$q%' OR ge.description LIKE '%$q%') + AND (ge.name LIKE '$q%' OR ge.name LIKE '% $q%' OR ge.description LIKE '% $q%') LIMIT $limit "; if ($entities = get_data($query)) { @@ -379,7 +379,7 @@ function input_livesearch_page_handler($page) { AND e.guid = ue.guid AND e.enabled = 'yes' AND ue.banned = 'no' - AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%') + AND (ue.name LIKE '$q%' OR ue.name LIKE '% $q%' OR ue.username LIKE '$q%') LIMIT $limit "; -- cgit v1.2.3 From fcda1dd617d4abee068f0bfd632d5d15c024940e Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Fri, 22 Jun 2012 07:00:10 -0400 Subject: Fixes #4537, #4617 made input/friendspicker i18n compliant --- views/default/core/friends/collection.php | 2 +- views/default/input/friendspicker.php | 33 +++++++------------------------ 2 files changed, 8 insertions(+), 27 deletions(-) diff --git a/views/default/core/friends/collection.php b/views/default/core/friends/collection.php index b7913da5f..1a330af01 100644 --- a/views/default/core/friends/collection.php +++ b/views/default/core/friends/collection.php @@ -43,7 +43,7 @@ if ($friends) { echo elgg_view('input/friendspicker', array( 'entities' => $friends, - 'value' => $members, + 'value' => $vars['collection']->members, 'content' => $content, 'replacement' => '', 'friendspicker' => $vars['friendspicker'], diff --git a/views/default/input/friendspicker.php b/views/default/input/friendspicker.php index b41449fbf..0834910c1 100644 --- a/views/default/input/friendspicker.php +++ b/views/default/input/friendspicker.php @@ -74,13 +74,9 @@ if (isset($vars['formtarget'])) { // Sort users by letter if (is_array($vars['entities']) && sizeof($vars['entities'])) { foreach($vars['entities'] as $user) { - if (is_callable('mb_substr')) { - $letter = strtoupper(mb_substr($user->name,0,1)); - } else { - $letter = strtoupper(substr($user->name,0,1)); - } + $letter = elgg_strtoupper(elgg_substr($user->name, 0, 1)); - if (!substr_count($chararray,$letter)) { + if (!elgg_substr_count($chararray, $letter)) { $letter = "*"; } if (!isset($users[$letter])) { @@ -162,11 +158,7 @@ if (!isset($vars['replacement'])) { // Initialise letters $chararray .= "*"; - if (is_callable('mb_substr')) { - $letter = mb_substr($chararray,0,1); - } else { - $letter = substr($chararray,0,1); - } + $letter = elgg_substr($chararray, 0, 1); $letpos = 0; while (1 == 1) { ?> @@ -190,9 +182,7 @@ if (!isset($vars['replacement'])) { $label = elgg_view_entity_icon($friend, 'tiny', array('use_hover' => false)); $options[$label] = $friend->getGUID(); - if ($vars['highlight'] == 'all' - && !in_array($letter,$activeletters)) { - + if ($vars['highlight'] == 'all' && !in_array($letter,$activeletters)) { $activeletters[] = $letter; } @@ -243,23 +233,14 @@ if (!isset($vars['replacement'])) { @@ -319,7 +300,7 @@ $(document).ready(function () { if (sizeof($activeletters) > 0) //$chararray = elgg_echo('friendspicker:chararray'); foreach($activeletters as $letter) { - $tab = strpos($chararray, $letter) + 1; + $tab = elgg_strpos($chararray, $letter) + 1; ?> $("div#friends-picker-navigation li.tab a").addClass("tabHasContent"); Date: Sat, 23 Jun 2012 09:07:47 -0400 Subject: Fixes #4619 downgraded type violations to warnings --- engine/lib/elgglib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php index 62cb2d5bb..65666954c 100644 --- a/engine/lib/elgglib.php +++ b/engine/lib/elgglib.php @@ -1060,7 +1060,6 @@ function _elgg_php_error_handler($errno, $errmsg, $filename, $linenum, $vars) { switch ($errno) { case E_USER_ERROR: - case E_RECOVERABLE_ERROR: // (e.g. type hint violation) error_log("PHP ERROR: $error"); register_error("ERROR: $error"); @@ -1070,6 +1069,7 @@ function _elgg_php_error_handler($errno, $errmsg, $filename, $linenum, $vars) { case E_WARNING : case E_USER_WARNING : + case E_RECOVERABLE_ERROR: // (e.g. type hint violation) error_log("PHP WARNING: $error"); break; -- cgit v1.2.3 From 8fd511bcd35646c64658f63cfd35f4b0fb3541a8 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 09:16:22 -0400 Subject: Fixes #4168 returning default value from elgg_extract if non-array passed - not removing type hint since we downgraded it from an error to a warning --- engine/lib/elgglib.php | 6 +++++- engine/lib/views.php | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php index 65666954c..9aad2a5bd 100644 --- a/engine/lib/elgglib.php +++ b/engine/lib/elgglib.php @@ -1578,7 +1578,11 @@ function elgg_http_url_is_identical($url1, $url2, $ignore_params = array('offset * @return void * @since 1.8.0 */ -function elgg_extract($key, array $array, $default = NULL, $strict = true) { +function elgg_extract($key, array $array, $default = null, $strict = true) { + if (!is_array($array)) { + return $default; + } + if ($strict) { return (isset($array[$key])) ? $array[$key] : $default; } else { diff --git a/engine/lib/views.php b/engine/lib/views.php index c98ad4e78..25acbf2b2 100644 --- a/engine/lib/views.php +++ b/engine/lib/views.php @@ -1224,12 +1224,12 @@ function elgg_view_image_block($image, $body, $vars = array()) { * @param string $type The type of module (main, info, popup, aside, etc.) * @param string $title A title to put in the header * @param string $body Content of the module - * @param string $vars Additional parameters for the module + * @param array $vars Additional parameters for the module * * @return string * @since 1.8.0 */ -function elgg_view_module($type, $title, $body, $vars = array()) { +function elgg_view_module($type, $title, $body, array $vars = array()) { $vars['class'] = elgg_extract('class', $vars, '') . " elgg-module-$type"; $vars['title'] = $title; -- cgit v1.2.3 From 8ec596b8a5ffad878d830342b5f0212ad892fbeb Mon Sep 17 00:00:00 2001 From: Sem Date: Mon, 7 May 2012 05:02:51 +0200 Subject: Fixes #4504. Entity duplicates in json views. --- views/json/export/entity.php | 4 +++- views/json/group/default.php | 2 +- views/json/object/default.php | 2 +- views/json/site/default.php | 2 +- views/json/user/default.php | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/views/json/export/entity.php b/views/json/export/entity.php index 52cd9d244..cd5d74d41 100644 --- a/views/json/export/entity.php +++ b/views/json/export/entity.php @@ -19,4 +19,6 @@ foreach ($exportable_values as $v) { $export->url = $entity->getURL(); global $jsonexport; -$jsonexport[$entity->getType()][$entity->getSubtype()][] = $export; \ No newline at end of file +$jsonexport[$entity->getType()][$entity->getSubtype()][] = $export; + +echo true; diff --git a/views/json/group/default.php b/views/json/group/default.php index 0b168fdb2..dd190d402 100644 --- a/views/json/group/default.php +++ b/views/json/group/default.php @@ -6,4 +6,4 @@ * @subpackage Core */ -elgg_view('export/entity', $vars); \ No newline at end of file +echo elgg_view('export/entity', $vars); diff --git a/views/json/object/default.php b/views/json/object/default.php index d2e807621..8b88b3010 100644 --- a/views/json/object/default.php +++ b/views/json/object/default.php @@ -6,4 +6,4 @@ * @subpackage Core */ -elgg_view('export/entity', $vars); \ No newline at end of file +echo elgg_view('export/entity', $vars); diff --git a/views/json/site/default.php b/views/json/site/default.php index 7efd46939..ee4eda489 100644 --- a/views/json/site/default.php +++ b/views/json/site/default.php @@ -6,4 +6,4 @@ * @subpackage Core */ -elgg_view('export/entity', $vars); \ No newline at end of file +echo elgg_view('export/entity', $vars); diff --git a/views/json/user/default.php b/views/json/user/default.php index e23472252..4d44692c9 100644 --- a/views/json/user/default.php +++ b/views/json/user/default.php @@ -6,4 +6,4 @@ * @subpackage Core */ -elgg_view('export/entity', $vars); \ No newline at end of file +echo elgg_view('export/entity', $vars); -- cgit v1.2.3 From 1d9613b682ad331d2de3b1a838a26dd36c821490 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 09:38:56 -0400 Subject: Refs #4504 made it easier to detect any problems caused by hack for json duplicate issue --- views/json/export/entity.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/views/json/export/entity.php b/views/json/export/entity.php index cd5d74d41..36af5eaef 100644 --- a/views/json/export/entity.php +++ b/views/json/export/entity.php @@ -21,4 +21,5 @@ $export->url = $entity->getURL(); global $jsonexport; $jsonexport[$entity->getType()][$entity->getSubtype()][] = $export; -echo true; +// @todo hack to fix #4504 +echo "Fix for bug #4504"; -- cgit v1.2.3 From 5e16ef8e61e7674ac8caa6ee770e106983d261da Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 10:16:15 -0400 Subject: Fixes #4428 functions deprecated for current version logged at WARNING. They become visual for everyone when the site's trace level is set to WARNING or lower --- engine/lib/elgglib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php index 9aad2a5bd..0c42c1c08 100644 --- a/engine/lib/elgglib.php +++ b/engine/lib/elgglib.php @@ -1265,7 +1265,7 @@ function elgg_deprecated_notice($msg, $dep_version, $backtrace_level = 1) { $msg .= implode("
-> ", $stack); - elgg_dump($msg, elgg_is_admin_logged_in(), 'WARNING'); + elgg_log($msg, 'WARNING'); return true; } -- cgit v1.2.3 From 32b9e8488957c109db3fee86a0f941d3685cb52b Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 10:35:29 -0400 Subject: Fixes #4610 better handling of content requiring a logged in user --- languages/en.php | 2 +- mod/blog/lib/blog.php | 5 +++-- mod/bookmarks/pages/bookmarks/view.php | 1 + mod/file/pages/file/view.php | 1 + mod/groups/lib/discussion.php | 5 +++-- mod/pages/pages/pages/view.php | 3 ++- mod/thewire/pages/thewire/view.php | 1 + 7 files changed, 12 insertions(+), 6 deletions(-) diff --git a/languages/en.php b/languages/en.php index 03e6dfa84..64c95b866 100644 --- a/languages/en.php +++ b/languages/en.php @@ -235,7 +235,7 @@ $english = array( 'pageownerunavailable' => 'Warning: The page owner %d is not accessible!', 'viewfailure' => 'There was an internal failure in the view %s', 'changebookmark' => 'Please change your bookmark for this page', - 'noaccess' => 'The content you were trying to view has been removed or you do not have permission to view it.', + 'noaccess' => 'You need to login to view this content or the content has been removed or you do not have permission to view it.', 'error:missing_data' => 'There was some data missing in your request', 'error:default' => 'Oops...something went wrong.', diff --git a/mod/blog/lib/blog.php b/mod/blog/lib/blog.php index 43de7a646..9a02a8cc3 100644 --- a/mod/blog/lib/blog.php +++ b/mod/blog/lib/blog.php @@ -22,8 +22,9 @@ function blog_get_page_content_read($guid = NULL) { $return['filter'] = ''; if (!elgg_instanceof($blog, 'object', 'blog')) { - $return['content'] = elgg_echo('noaccess'); - return $return; + register_error(elgg_echo('noaccess')); + $_SESSION['last_forward_from'] = current_page_url(); + forward(''); } $return['title'] = $blog->title; diff --git a/mod/bookmarks/pages/bookmarks/view.php b/mod/bookmarks/pages/bookmarks/view.php index c819b8b41..70a6a5bfe 100644 --- a/mod/bookmarks/pages/bookmarks/view.php +++ b/mod/bookmarks/pages/bookmarks/view.php @@ -8,6 +8,7 @@ $bookmark = get_entity(get_input('guid')); if (!$bookmark) { register_error(elgg_echo('noaccess')); + $_SESSION['last_forward_from'] = current_page_url(); forward(''); } diff --git a/mod/file/pages/file/view.php b/mod/file/pages/file/view.php index ec51b30e6..6c9566a89 100644 --- a/mod/file/pages/file/view.php +++ b/mod/file/pages/file/view.php @@ -8,6 +8,7 @@ $file = get_entity(get_input('guid')); if (!$file) { register_error(elgg_echo('noaccess')); + $_SESSION['last_forward_from'] = current_page_url(); forward(''); } diff --git a/mod/groups/lib/discussion.php b/mod/groups/lib/discussion.php index 55642644d..02ab27fdc 100644 --- a/mod/groups/lib/discussion.php +++ b/mod/groups/lib/discussion.php @@ -149,8 +149,9 @@ function discussion_handle_view_page($guid) { $topic = get_entity($guid); if (!$topic) { - register_error(elgg_echo('discussion:topic:notfound')); - forward(); + register_error(elgg_echo('noaccess')); + $_SESSION['last_forward_from'] = current_page_url(); + forward(''); } $group = $topic->getContainerEntity(); diff --git a/mod/pages/pages/pages/view.php b/mod/pages/pages/pages/view.php index 6b9d03f49..e1c3fdbfd 100644 --- a/mod/pages/pages/pages/view.php +++ b/mod/pages/pages/pages/view.php @@ -9,7 +9,8 @@ $page_guid = get_input('guid'); $page = get_entity($page_guid); if (!$page) { register_error(elgg_echo('noaccess')); - forward(); + $_SESSION['last_forward_from'] = current_page_url(); + forward(''); } elgg_set_page_owner_guid($page->getContainerGUID()); diff --git a/mod/thewire/pages/thewire/view.php b/mod/thewire/pages/thewire/view.php index 1818e725a..1709e5e9a 100644 --- a/mod/thewire/pages/thewire/view.php +++ b/mod/thewire/pages/thewire/view.php @@ -6,6 +6,7 @@ $post = get_entity(get_input('guid')); if (!$post) { register_error(elgg_echo('noaccess')); + $_SESSION['last_forward_from'] = current_page_url(); forward(''); } $owner = $post->getOwnerEntity(); -- cgit v1.2.3 From 1909a0de9540fbb20971639147726bde9690caa4 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 10:38:07 -0400 Subject: added missing break in the wire's page handler --- mod/thewire/start.php | 1 + 1 file changed, 1 insertion(+) diff --git a/mod/thewire/start.php b/mod/thewire/start.php index 8e3b5224a..65f135889 100644 --- a/mod/thewire/start.php +++ b/mod/thewire/start.php @@ -110,6 +110,7 @@ function thewire_page_handler($page) { set_input('guid', $page[1]); } include "$base_dir/view.php"; + break; case "thread": if (isset($page[1])) { -- cgit v1.2.3 From 025f2fe8ac4c7122dafdd1d071f20d26ba04361a Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 10:40:40 -0400 Subject: added slug to url of discussion forum topic --- mod/groups/start.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod/groups/start.php b/mod/groups/start.php index aeab0649a..e39c37000 100644 --- a/mod/groups/start.php +++ b/mod/groups/start.php @@ -792,7 +792,7 @@ function discussion_page_handler($page) { * @return string */ function discussion_override_topic_url($entity) { - return 'discussion/view/' . $entity->guid; + return 'discussion/view/' . $entity->guid . '/' . elgg_get_friendly_title($entity->title); } /** -- cgit v1.2.3 From 40206209898f0b0962599e52331727cc99502435 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 23 Jun 2012 11:51:39 -0400 Subject: Fixes #4547 adds userpicker and friendpicker support to admin area --- views/default/css/admin.php | 217 ++++++++++++++++++++++++++++++++-- views/default/css/elements/forms.php | 2 +- views/default/input/friendspicker.php | 4 + 3 files changed, 213 insertions(+), 10 deletions(-) diff --git a/views/default/css/admin.php b/views/default/css/admin.php index 65797172f..5dc15fe3e 100644 --- a/views/default/css/admin.php +++ b/views/default/css/admin.php @@ -127,14 +127,23 @@ p { } /* Clearfix! */ +.clearfix:after, .elgg-grid:after, -.clearfix:after { +.elgg-layout:after, +.elgg-inner:after, +.elgg-page-header:after, +.elgg-page-footer:after, +.elgg-head:after, +.elgg-foot:after, +.elgg-col:after, +.elgg-image-block:after { content: "."; display: block; height: 0; clear: both; visibility: hidden; } + .elgg-body { width: auto; word-wrap: break-word; @@ -287,14 +296,6 @@ p { .elgg-main h2 { color: #333333; } - -.elgg-layout:after { - content: "."; - display: block; - height: 0; - clear: both; - visibility: hidden; -} /* *************************************** FOOTER @@ -590,6 +591,204 @@ a.elgg-button { background: #ddd; } +/* *************************************** + AUTOCOMPLETE +*************************************** */ + +.ui-autocomplete { + position: absolute; + cursor: default; +} +.elgg-autocomplete-item .elgg-body { + max-width: 600px; +} +.ui-autocomplete { + background-color: white; + border: 1px solid #ccc; + overflow: hidden; + + -webkit-border-radius: 5px; + -moz-border-radius: 5px; + border-radius: 5px; +} +.ui-autocomplete .ui-menu-item { + padding: 0px 4px; + + -webkit-border-radius: 5px; + -moz-border-radius: 5px; + border-radius: 5px; +} +.ui-autocomplete .ui-menu-item:hover { + background-color: #eee; +} +.ui-autocomplete a:hover { + text-decoration: none; + color: #4690D6; +} + +/* *************************************** + USER PICKER +*************************************** */ +.elgg-user-picker-list li:first-child { + border-top: 1px dotted #ccc; + margin-top: 5px; +} +.elgg-user-picker-list > li { + border-bottom: 1px dotted #ccc; +} + +/* *************************************** + FRIENDS PICKER +*************************************** */ +.friends-picker-main-wrapper { + margin-bottom: 15px; +} +.friends-picker-container h3 { + font-size:4em !important; + text-align: left; + margin:10px 0 20px !important; + color:#999 !important; + background: none !important; + padding:0 !important; +} +.friends-picker .friends-picker-container .panel ul { + text-align: left; + margin: 0; + padding:0; +} +.friends-picker-wrapper { + margin: 0; + padding:0; + position: relative; + width: 730px; +} +.friends-picker { + position: relative; + overflow: hidden; + margin: 0; + padding:0; + width: 730px; + height: auto; + background-color: #dedede; + + -webkit-border-radius: 8px; + -moz-border-radius: 8px; + border-radius: 8px; +} +.friendspicker-savebuttons { + background: white; + + -webkit-border-radius: 8px; + -moz-border-radius: 8px; + border-radius: 8px; + + margin:0 10px 10px; +} +.friends-picker .friends-picker-container { /* long container used to house end-to-end panels. Width is calculated in JS */ + position: relative; + left: 0; + top: 0; + width: 100%; + list-style-type: none; +} +.friends-picker .friends-picker-container .panel { + float:left; + height: 100%; + position: relative; + width: 730px; + margin: 0; + padding:0; +} +.friends-picker .friends-picker-container .panel .wrapper { + margin: 0; + padding:4px 10px 10px 10px; + min-height: 230px; +} +.friends-picker-navigation { + margin: 0 0 10px; + padding:0 0 10px; + border-bottom:1px solid #ccc; +} +.friends-picker-navigation ul { + list-style: none; + padding-left: 0; +} +.friends-picker-navigation ul li { + float: left; + margin:0; + background:white; +} +.friends-picker-navigation a { + font-weight: bold; + text-align: center; + background: white; + color: #999; + text-decoration: none; + display: block; + padding: 0; + width:20px; + + -webkit-border-radius: 4px; + -moz-border-radius: 4px; + border-radius: 4px; +} +.tabHasContent { + background: white; + color:#333 !important; +} +.friends-picker-navigation li a:hover { + background: #333; + color:white !important; +} +.friends-picker-navigation li a.current { + background: #4690D6; + color:white !important; +} +.friends-picker-navigation-l, .friends-picker-navigation-r { + position: absolute; + top: 46px; + text-indent: -9000em; +} +.friends-picker-navigation-l a, .friends-picker-navigation-r a { + display: block; + height: 40px; + width: 40px; +} +.friends-picker-navigation-l { + right: 48px; + z-index:1; +} +.friends-picker-navigation-r { + right: 0; + z-index:1; +} +.friends-picker-navigation-l { + background: url("_graphics/friendspicker.png") no-repeat left top; +} +.friends-picker-navigation-r { + background: url("_graphics/friendspicker.png") no-repeat -60px top; +} +.friends-picker-navigation-l:hover { + background: url("_graphics/friendspicker.png") no-repeat left -44px; +} +.friends-picker-navigation-r:hover { + background: url("_graphics/friendspicker.png") no-repeat -60px -44px; +} +.friendspicker-savebuttons .elgg-button-submit, +.friendspicker-savebuttons .elgg-button-cancel { + margin:5px 20px 5px 5px; +} +.friendspicker-members-table { + background: #dedede; + + -webkit-border-radius: 8px; + -moz-border-radius: 8px; + border-radius: 8px; + + margin:10px 0 0; + padding:10px 10px 0; +} + /* *************************************** PAGINATION *************************************** */ diff --git a/views/default/css/elements/forms.php b/views/default/css/elements/forms.php index 81db81747..6f20ad23c 100644 --- a/views/default/css/elements/forms.php +++ b/views/default/css/elements/forms.php @@ -104,7 +104,7 @@ input[type="radio"] { margin: 0; padding:0; position: relative; - width: 100%; + width: 730px; } .friends-picker { position: relative; diff --git a/views/default/input/friendspicker.php b/views/default/input/friendspicker.php index 0834910c1..40708c890 100644 --- a/views/default/input/friendspicker.php +++ b/views/default/input/friendspicker.php @@ -9,6 +9,10 @@ * @subpackage Core * * @uses $vars['entities'] The array of ElggUser objects + * @uses $vars['name'] + * @uses $vars['value'] + * @uses $vars['highlight'] + * @uses $vars['callback'] */ elgg_load_js('elgg.friendspicker'); -- cgit v1.2.3 From 034a9490d5e8fd2f0b664c3c5e06873c915fdc3b Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Sat, 23 Jun 2012 20:11:30 -0400 Subject: Fixes #2893: More visible invalid plugin errors --- languages/en.php | 11 ++++++----- views/default/object/plugin/invalid.php | 7 +++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/languages/en.php b/languages/en.php index e9c333041..294762f28 100644 --- a/languages/en.php +++ b/languages/en.php @@ -75,10 +75,10 @@ $english = array( 'ElggPlugin:MissingID' => 'Missing plugin ID (guid %s)', 'ElggPlugin:NoPluginPackagePackage' => 'Missing ElggPluginPackage for plugin ID %s (guid %s)', - 'ElggPluginPackage:InvalidPlugin:MissingFile' => 'Missing file %s in package', - 'ElggPluginPackage:InvalidPlugin:InvalidDependency' => 'Invalid dependency type "%s"', - 'ElggPluginPackage:InvalidPlugin:InvalidProvides' => 'Invalid provides type "%s"', - 'ElggPluginPackage:InvalidPlugin:CircularDep' => 'Invalid %s dependency "%s" in plugin %s. Plugins cannot conflict with or require something they provide!', + 'ElggPluginPackage:InvalidPlugin:MissingFile' => 'The required file "%s" is missing.', + 'ElggPluginPackage:InvalidPlugin:InvalidDependency' => 'Its manifest contains an invalid dependency type "%s".', + 'ElggPluginPackage:InvalidPlugin:InvalidProvides' => 'Its manifest contains an invalid provides type "%s".', + 'ElggPluginPackage:InvalidPlugin:CircularDep' => 'There is an invalid %s dependency "%s" in plugin %s. Plugins cannot conflict with or require something they provide!', 'ElggPlugin:Exception:CannotIncludeFile' => 'Cannot include %s for plugin %s (guid: %s) at %s.', 'ElggPlugin:Exception:CannotRegisterViews' => 'Cannot open views dir for plugin %s (guid: %s) at %s.', @@ -697,7 +697,8 @@ $english = array( 'admin:plugins:warning:elgg_version_unknown' => 'This plugin uses a legacy manifest file and does not specify a compatible Elgg version. It probably will not work!', 'admin:plugins:warning:unmet_dependencies' => 'This plugin has unmet dependencies and cannot be activated. Check dependencies under more info.', - 'admin:plugins:warning:invalid' => '%s is not a valid Elgg plugin. Check the Elgg documentation for troubleshooting tips.', + 'admin:plugins:warning:invalid' => 'This plugin is invalid: %s', + 'admin:plugins:warning:invalid:check_docs' => 'Check the Elgg documentation for troubleshooting tips.', 'admin:plugins:cannot_activate' => 'cannot activate', 'admin:plugins:set_priority:yes' => "Reordered %s.", diff --git a/views/default/object/plugin/invalid.php b/views/default/object/plugin/invalid.php index f24e1836c..828bceaba 100644 --- a/views/default/object/plugin/invalid.php +++ b/views/default/object/plugin/invalid.php @@ -14,8 +14,7 @@ $plugin = $vars['entity']; $id = $plugin->getID(); $path = htmlspecialchars($plugin->getPath()); -$message = elgg_echo('admin:plugins:warning:invalid', array($id)); -$error = $plugin->getError(); +$message = elgg_echo('admin:plugins:warning:invalid', array($plugin->getError())); $css_id = preg_replace('/[^a-z0-9-]/i', '-', $plugin->getID()); ?> @@ -23,7 +22,8 @@ $css_id = preg_replace('/[^a-z0-9-]/i', '-', $plugin->getID());

-

+

+

getID());
\ No newline at end of file -- cgit v1.2.3 From 4a3c49240140449ef4c91c4b999a91b11380db3c Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Sun, 24 Jun 2012 00:09:17 -0400 Subject: Fixes #4138: Admin can edit any users' notifications --- mod/notifications/actions/groupsave.php | 29 ++++++++++++++++------ mod/notifications/actions/save.php | 11 +++++++- mod/notifications/groups.php | 21 +++++++++------- mod/notifications/index.php | 21 +++++++++------- mod/notifications/start.php | 22 +++++++++++++--- .../forms/notificationsettings/groupsave.php | 8 +++++- .../default/forms/notificationsettings/save.php | 16 +++++++++--- .../notifications/subscriptions/collections.php | 14 ++++++++--- .../default/notifications/subscriptions/form.php | 9 +++++-- .../notifications/subscriptions/forminternals.php | 20 +++++++++++---- .../notifications/subscriptions/personal.php | 8 +++++- 11 files changed, 134 insertions(+), 45 deletions(-) diff --git a/mod/notifications/actions/groupsave.php b/mod/notifications/actions/groupsave.php index c304cb856..7838f7e63 100644 --- a/mod/notifications/actions/groupsave.php +++ b/mod/notifications/actions/groupsave.php @@ -6,27 +6,42 @@ * @package ElggNotifications */ -// Load important global vars -global $NOTIFICATION_HANDLERS; +$current_user = elgg_get_logged_in_user_entity(); + +$guid = (int) get_input('guid', 0); +if (!$guid || !($user = get_entity($guid))) { + forward(); +} +if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) { + forward(); +} // Get group memberships and condense them down to an array of guids $groups = array(); -if ($groupmemberships = elgg_get_entities_from_relationship(array('relationship' => 'member', 'relationship_guid' => elgg_get_logged_in_user_guid(), 'types' => 'group', 'limit' => 9999))) { +$options = array( + 'relationship' => 'member', + 'relationship_guid' => $user->guid, + 'types' => 'group', + 'limit' => 9999, +); +if ($groupmemberships = elgg_get_entities_from_relationship($options)) { foreach($groupmemberships as $groupmembership) { $groups[] = $groupmembership->guid; } -} +} +// Load important global vars +global $NOTIFICATION_HANDLERS; foreach($NOTIFICATION_HANDLERS as $method => $foo) { $subscriptions[$method] = get_input($method.'subscriptions'); $personal[$method] = get_input($method.'personal'); $collections[$method] = get_input($method.'collections'); if (!empty($groups)) { foreach($groups as $group) { - if (in_array($group,$subscriptions[$method])) { - add_entity_relationship(elgg_get_logged_in_user_guid(), 'notify'.$method, $group); + if (in_array($group, $subscriptions[$method])) { + add_entity_relationship($user->guid, 'notify'.$method, $group); } else { - remove_entity_relationship(elgg_get_logged_in_user_guid(), 'notify'.$method, $group); + remove_entity_relationship($user->guid, 'notify'.$method, $group); } } } diff --git a/mod/notifications/actions/save.php b/mod/notifications/actions/save.php index 163b656aa..3fe0001a3 100644 --- a/mod/notifications/actions/save.php +++ b/mod/notifications/actions/save.php @@ -6,9 +6,18 @@ * @package ElggNotifications */ -$user = elgg_get_logged_in_user_entity(); +$current_user = elgg_get_logged_in_user_entity(); + +$guid = (int) get_input('guid', 0); +if (!$guid || !($user = get_entity($guid))) { + forward(); +} +if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) { + forward(); +} global $NOTIFICATION_HANDLERS; +$subscriptions = array(); foreach($NOTIFICATION_HANDLERS as $method => $foo) { $subscriptions[$method] = get_input($method.'subscriptions'); $personal[$method] = get_input($method.'personal'); diff --git a/mod/notifications/groups.php b/mod/notifications/groups.php index 45fb94e83..3e81e474a 100644 --- a/mod/notifications/groups.php +++ b/mod/notifications/groups.php @@ -3,16 +3,16 @@ * Elgg notifications plugin group index * * @package ElggNotifications + * + * @uses $user ElggUser */ -// Load Elgg framework -require_once(dirname(dirname(dirname(__FILE__))) . '/engine/start.php'); - -// Ensure only logged-in users can see this page -gatekeeper(); +if (!isset($user) || !($user instanceof ElggUser)) { + $url = 'notifications/group/' . elgg_get_logged_in_user_entity()->username; + forward($url); +} -elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); -$user = elgg_get_page_owner_entity(); +elgg_set_page_owner_guid($user); // Set the context to settings elgg_set_context('settings'); @@ -27,12 +27,15 @@ $people = array(); $groupmemberships = elgg_get_entities_from_relationship(array( 'relationship' => 'member', - 'relationship_guid' => elgg_get_logged_in_user_guid(), + 'relationship_guid' => $user->guid, 'types' => 'group', 'limit' => 9999, )); -$body = elgg_view_form('notificationsettings/groupsave', array(), array('groups' => $groupmemberships)); +$body = elgg_view_form('notificationsettings/groupsave', array(), array( + 'groups' => $groupmemberships, + 'user' => $user, +)); $params = array( 'content' => $body, diff --git a/mod/notifications/index.php b/mod/notifications/index.php index 882389fde..f4143f57b 100644 --- a/mod/notifications/index.php +++ b/mod/notifications/index.php @@ -3,16 +3,16 @@ * Elgg notifications plugin index * * @package ElggNotifications + * + * @uses $user ElggUser */ -// Load Elgg framework -require_once(dirname(dirname(dirname(__FILE__))) . '/engine/start.php'); - -// Ensure only logged-in users can see this page -gatekeeper(); +if (!isset($user) || !($user instanceof ElggUser)) { + $url = 'notifications/personal/' . elgg_get_logged_in_user_entity()->username; + forward($url); +} -elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); -$user = elgg_get_page_owner_entity(); +elgg_set_page_owner_guid($user); // Set the context to settings elgg_set_context('settings'); @@ -26,7 +26,7 @@ elgg_push_breadcrumb($title); $people = array(); if ($people_ents = elgg_get_entities_from_relationship(array( 'relationship' => 'notify', - 'relationship_guid' => elgg_get_logged_in_user_guid(), + 'relationship_guid' => $user->guid, 'types' => 'user', 'limit' => 99999, ))) { @@ -36,7 +36,10 @@ if ($people_ents = elgg_get_entities_from_relationship(array( } } -$body = elgg_view('notifications/subscriptions/form', array('people' => $people)); +$body = elgg_view('notifications/subscriptions/form', array( + 'people' => $people, + 'user' => $user, +)); $params = array( 'content' => $body, diff --git a/mod/notifications/start.php b/mod/notifications/start.php index 761f17e40..d5d418f0f 100644 --- a/mod/notifications/start.php +++ b/mod/notifications/start.php @@ -40,13 +40,25 @@ function notifications_plugin_init() { */ function notifications_page_handler($page) { + gatekeeper(); + $current_user = elgg_get_logged_in_user_entity(); + // default to personal notifications if (!isset($page[0])) { $page[0] = 'personal'; } + if (!isset($page[1])) { + forward("notifications/{$page[0]}/{$current_user->username}"); + } + + $user = get_user_by_username($page[1]); + if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) { + forward(); + } $base = elgg_get_plugins_path() . 'notifications'; + // note: $user passed in switch ($page[0]) { case 'group': require "$base/groups.php"; @@ -66,12 +78,16 @@ function notifications_page_handler($page) { */ function notifications_plugin_pagesetup() { if (elgg_get_context() == "settings" && elgg_get_logged_in_user_guid()) { - $user = elgg_get_logged_in_user_entity(); + + $user = elgg_get_page_owner_entity(); + if (!$user) { + $user = elgg_get_logged_in_user_entity(); + } $params = array( 'name' => '2_a_user_notify', 'text' => elgg_echo('notifications:subscriptions:changesettings'), - 'href' => "notifications/personal", + 'href' => "notifications/personal/{$user->username}", ); elgg_register_menu_item('page', $params); @@ -79,7 +95,7 @@ function notifications_plugin_pagesetup() { $params = array( 'name' => '2_group_notify', 'text' => elgg_echo('notifications:subscriptions:changesettings:groups'), - 'href' => "notifications/group", + 'href' => "notifications/group/{$user->username}", ); elgg_register_menu_item('page', $params); } diff --git a/mod/notifications/views/default/forms/notificationsettings/groupsave.php b/mod/notifications/views/default/forms/notificationsettings/groupsave.php index 61b94ff8b..168639ab2 100644 --- a/mod/notifications/views/default/forms/notificationsettings/groupsave.php +++ b/mod/notifications/views/default/forms/notificationsettings/groupsave.php @@ -3,13 +3,18 @@ * Elgg notifications groups subscription form * * @package ElggNotifications + * + * @uses $vars['user'] ElggUser */ +/* @var ElggUser $user */ +$user = $vars['user']; + global $NOTIFICATION_HANDLERS; foreach ($NOTIFICATION_HANDLERS as $method => $foo) { $subsbig[$method] = elgg_get_entities_from_relationship(array( 'relationship' => 'notify' . $method, - 'relationship_guid' => elgg_get_logged_in_user_guid(), + 'relationship_guid' => $user->guid, 'types' => 'group', 'limit' => 99999, )); @@ -97,6 +102,7 @@ END; '; + echo elgg_view('input/hidden', array('name' => 'guid', 'value' => $user->guid)); echo elgg_view('input/submit', array('value' => elgg_echo('save'))); echo '
'; diff --git a/mod/notifications/views/default/forms/notificationsettings/save.php b/mod/notifications/views/default/forms/notificationsettings/save.php index ff32d8558..9470256ca 100644 --- a/mod/notifications/views/default/forms/notificationsettings/save.php +++ b/mod/notifications/views/default/forms/notificationsettings/save.php @@ -1,13 +1,21 @@
- elgg_echo('save'))); ?> + 'guid', 'value' => $user->guid)); +echo elgg_view('input/submit', array('value' => elgg_echo('save'))); +?>
diff --git a/mod/notifications/views/default/notifications/subscriptions/collections.php b/mod/notifications/views/default/notifications/subscriptions/collections.php index 28d9fb5b8..b8787570d 100644 --- a/mod/notifications/views/default/notifications/subscriptions/collections.php +++ b/mod/notifications/views/default/notifications/subscriptions/collections.php @@ -1,4 +1,12 @@ - + ', (!isset($_POST['text'][$_hlimit]) ? ' Input binary » ' : ''), ' Finalized internal settings »  ', '
Output » htmLawed processing time ', number_format(((substr($et,0,9)) + (substr($et,-10)) - (substr($st,0,9)) - (substr($st,-10))),4), ' s', (($mem = memory_get_peak_usage()) !== false ? ', peak memory usage '. round(($mem-$pre_mem)/1048576, 2). ' MB' : ''), '
'; + echo '
Input code » ', strlen($_POST['text']), ' chars, ~', ($tag = round((substr_count($_POST['text'], '>') + substr_count($_POST['text'], '<'))/2)), ' tag', ($tag > 1 ? 's' : ''), ' ', (!isset($_POST['text'][$_hlimit]) ? ' Input binary » ' : ''), ' Finalized internal settings »  ', '
Output » htmLawed processing time ', number_format(((substr($et,0,9)) + (substr($et,-10)) - (substr($st,0,9)) - (substr($st,-10))),4), ' s', (($mem = memory_get_peak_usage()) !== false ? ', peak memory usage '. round(($mem-$pre_mem)/1048576, 2). ' MB' : ''), '
'; if($_w3c_validate && $validation) { ?> diff --git a/mod/htmlawed/vendors/htmLawed/htmLawed_README.htm b/mod/htmlawed/vendors/htmLawed/htmLawed_README.htm index 7138ee9c0..6dd78fb2e 100644 --- a/mod/htmlawed/vendors/htmLawed/htmLawed_README.htm +++ b/mod/htmlawed/vendors/htmLawed/htmLawed_README.htm @@ -7,40 +7,74 @@ htmLawed documentation | htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter @@ -110,10 +144,10 @@ span.totop a, span.totop a:visited {color: #6699cc;}

-
htmLawed_README.txt, 22 December 2009
-htmLawed 1.1.9, 22 December 2009
+
htmLawed_README.txt, 8 June 2012
+htmLawed 1.1.11, 5 June 2012
Copyright Santosh Patnaik
-GPL v3 license
+Dual licensed with LGPL 3 and GPL 2 or later
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed 

@@ -222,7 +256,7 @@ A PHP Labware internal utility - 1.4  License & copyright (to top)

-  htmLawed is free and open-source software licensed under GPL license version 3, and copyrighted by Santosh Patnaik, MD, PhD.
+  htmLawed is free and open-source software dual licensed under LGPL license version 3 and GPL license version 2 or later, and copyrighted by Santosh Patnaik, MD, PhD.

@@ -254,9 +288,11 @@ A PHP Labware internal utility - 2  Usage

(to top)

-  htmLawed should work with PHP 4.3 and higher. Either include() the htmLawed.php file or copy-paste the entire code.
+  htmLawed should work with PHP 4.4 and higher. Either include() the htmLawed.php file or copy-paste the entire code.

  To easily test htmLawed using a form-based interface, use the provided demo (htmLawed.php and htmLawedTest.php should be in the same directory on the web-server).
+
Note: For code for usage of the htmLawed class (for htmLawed in OOP), please refer to the htmLawed website; the filtering itself can be configured, etc., as described here.

2.1  Simple @@ -371,6 +407,12 @@ A PHP Labware internal utility - string - dictated by values in string
  on* (like onfocus) attributes not allowed - "

direct_nest_list
+  Allow direct nesting of a list within another without requiring it to be a list item; see section 3.3.4
+
0 - no  *
1 - yes
+
  elements
  Allowed HTML elements; see section 3.3

@@ -441,11 +483,11 @@ A PHP Labware internal utility - 1 - will auto-adjust other relevant $config parameters (indicated by " in this list)

  schemes
-  Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs; * covers all unspecified attributes; see section 3.4.3
+  Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or ! to deny any URL); * covers all unspecified attributes; see section 3.4.3

  href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https  *
  *: ftp, gopher, http, https, mailto, news, nntp, telnet  ^
href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https  "
href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: !; *:file, http, https  "

  show_setting
  Name of a PHP variable to assign the finalized $config and $spec values; see section 3.8
@@ -541,7 +583,7 @@ A PHP Labware internal utility - input=title(), value(maxval=8/default=6)
  Output: <input title="WIDTH" value="6" /><input title="length" value="5" />

Rule: input=title(nomatch=$w.d$i), value(match=$em$/default=6em)
Rule: input=title(nomatch=%w.d%i), value(match=%em%/default=6em)
  Output: <input value="10em" /><input title="length" value="6em" />

  Rule: input=title(oneof=height|depth/default=depth), value(noneof=5|6)
@@ -565,9 +607,9 @@ A PHP Labware internal utility - 2.5  Some security risks to keep in mind

(to top)

-  When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially dangerous HTML code. (This may not be a problem if the authors are trusted.)
+  When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially dangerous HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc.

-  For example, following increase security risks:
+  Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permission has to be kept in mind. For example, following increase security risks:

  *  Allowing script, applet, embed, iframe or object elements, or certain of their attributes like allowscriptaccess

@@ -575,7 +617,13 @@ A PHP Labware internal utility - $config appropriately. E.g., $config["elements"] = "* -script" (section 3.3), $config["safe"] = 1 (section 3.6), etc.
+  *  Allowing the style attribute
+
+  To remove unsecure HTML, code-developers using htmLawed must set $config appropriately. E.g., $config["elements"] = "* -script" to deny the script element (section 3.3), $config["safe"] = 1 to auto-configure ceratin htmLawed parameters for maximizing security (section 3.6), etc.
+
+  Permitting the *style* attribute brings in risks of click-jacking, phishing, web-page overlays, etc., even when the safe parameter is enabled (see section 3.6). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's $spec argument, and through the hook_tag parameter (see section 3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended.
+
+  htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML meta tags, this can permit an exploit (like Google's UTF-7/XSS vulnerability of the past).

@@ -722,6 +770,8 @@ A PHP Labware internal utility - section 3.1).

+  *  htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML meta tags, this can permit an exploit (like Google's UTF-7/XSS vulnerability of the past).
+
  *  Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts.

@@ -1162,6 +1212,8 @@ A PHP Labware internal utility - table can have 0 or 1 caption, tbody, tfoot, and thead, but they must be in this order: caption, thead, tfoot, tbody.

  htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages.
+
+  With $config["direct_list_nest"] set to 1, htmLawed will allow direct nesting of an ol or ul list within another ol or ul without requiring the child list to be within an li of the parent list. While this is not standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter $config["direct_list_nest"] has no effect if tag-balancing (section 3.3.3) is turned off.

@@ -1271,6 +1323,8 @@ A PHP Labware internal utility - style: * useful as URLs in style attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text.

! can be put in the list of schemes to disallow all protocols as well as local URLs. Thus, with href: http, style: !, '<a href="http://cnn.com" style="background-image: url('local.jpg');">CNN</a>' will become '<a href="http://cnn.com" style="background-image: url('denied:local.jpg');">CNN</a>'.
+
  Note: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string src (e.g., dynsrc) or starts with o (e.g., onbeforecopy).

  With $config["safe"] = 1, all URLs are disallowed in the style attribute values.
@@ -1488,7 +1542,7 @@ A PHP Labware internal utility - 3.4.8  Inline style properties

(to top)

-  htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the style attributes. (CSS properties like background-image that accept URLs in their values are noted in section 5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting $config["css_expression"] to 1 (default setting).
+  htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the style attributes. (CSS properties like background-image that accept URLs in their values are noted in section 5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting $config["css_expression"] to 1 (default setting). Note that when $config["css_expression"] is set to 1, htmLawed will remove /* from the style values.

  Note: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the style attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off ($config["schemes"] = "...style:*...", see section 3.4.3, and $config["css_expression"] = 0). Alternately, admins can use their own custom function for finer handling of style values through the hook_tag parameter (see section 3.4.9).

@@ -1503,14 +1557,30 @@ A PHP Labware internal utility - $config parameter hook_tag is set to the name of a function, htmLawed (function hl_tag()) will pass on the element name, and the finalized attribute name-value pairs as array elements to the function. The function is expected to return the full opening tag string like <element_name attribute_1_name="attribute_1_value"...> (for empty elements like img and input, the element-closing slash / should also be included).
+  When $config parameter hook_tag is set to the name of a function, htmLawed (function hl_tag()) will pass on the element name, and, in the case of an opening tag, the finalized attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like <element_name attribute_1_name="attribute_1_value"...> (for empty elements like img and input, the element-closing slash / should also be included), etc.
+
+  Any hook_tag function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as a in the closing </a> tag of the element <a href="http://cnn.com">CNN</a>. Unlike for opening tags, no other value (i.e., the attribute name-value array) is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like </a>).

  This is a powerful functionality that can be exploited for various objectives: consolidate-and-convert inline style attributes to class, convert embed elements to object, permit only one caption element in a table element, disallow embedding of certain types of media, inject HTML, use CSSTidy to sanitize style attribute values, etc.

  As an example, the custom hook code below can be used to force a series of specifically ordered id attributes on all elements, and a specific param element inside all object elements:

-    function my_tag_function($element, $attribute_array){ +    function my_tag_function($element, $attribute_array=0){ +
+
+ +      // If second argument is not received, it means a closing tag is being handled +
+ +      if(is_numeric($attribute_array)){ +
+ +        return "</$element>"; +
+ +      } +

      static $id = 0; @@ -1570,6 +1640,11 @@ A PHP Labware internal utility -       }
+
+ +      static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'param'=>1); +
+
      return "<{$element}{$string}". (isset($in_array($element, $empty_elements) ? ' /' : ''). '>'. $new_element;
@@ -1598,7 +1673,7 @@ A PHP Labware internal utility - $config["safe"] to auto-adjust multiple $config parameters (such as elements which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by " in section 2.2). Thus, one can pass the $config argument with a simpler value.

-  With the value of 1, htmLawed considers CDATA sections and HTML comments as plain text, and prohibits the applet, embed, iframe, object and script elements, and the on* attributes like onclick. ( There are $config parameters like css_expression that are not affected by the value set for safe but whose default values still contribute towards a more safe output.) Further, URLs with schemes (see section 3.4.3) are neutralized so that, e.g., style="moz-binding:url(http://danger)" becomes style="moz-binding:url(denied:http://danger)" while style="moz-binding:url(ok)" remains intact.
+  With the value of 1, htmLawed considers CDATA sections and HTML comments as plain text, and prohibits the applet, embed, iframe, object and script elements, and the on* attributes like onclick. ( There are $config parameters like css_expression that are not affected by the value set for safe but whose default values still contribute towards a more safe output.) Further, URLs with schemes (see section 3.4.3) are neutralized so that, e.g., style="moz-binding:url(http://danger)" becomes style="moz-binding:url(denied:http://danger)".

  Admins, however, may still want to completely deny the style attribute, e.g., with code like

@@ -1606,6 +1681,8 @@ A PHP Labware internal utility -     $processed = htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style'));

+  Permitting the style attribute brings in risks of click-jacking, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check style values. It does provide ways for the code-developer implementing htmLawed to do such checks through the $spec argument, and through the hook_tag parameter (see section 3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended.
+
  If a value for a parameter auto-set through safe is still manually provided, then that value can over-ride the auto-set value. E.g., with $config["safe"] = 1 and $config["elements"] = "*+script", script, but not applet, is allowed.

  A page illustrating the efficacy of htmLawed's anti-XSS abilities with safe set to 1 against XSS vectors listed by RSnake may be available here.
@@ -1688,6 +1765,20 @@ A PHP Labware internal utility - $config["hook_tag"], if specified, now receives names of elements in closing tags.
+
+  1.1.10 - 22 October 2011. Fix for a bug in the tidy functionality that caused the entire input to be replaced with a single space; new parameter, $config["direct_list_nest"] to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)
+
+  1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of li within dir
+
+  1.1.9.4 - 3 July 2010. Parameter schemes now accepts ! so any URL, even a local one, can be denied. An issue in which a second URL value in style properties was not checked was fixed.
+
+  1.1.9.3 - 17 May 2010. Checks for correct nesting of param
+
+  1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes
+
+  1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for flashvars attribute for embed
+
  1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values

  1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice
@@ -1738,6 +1829,10 @@ A PHP Labware internal utility - htmLawed.php (assuming it was not modified for customized features). As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content.

Important  The following upgrades may affect the functionality of a specific htmLawed as indicated by their corresponding notes:
+
+  (1) From version 1.1-1.1.10 to 1.1.11, if a hook_tag function is in use: In version 1.1.11, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a hook_tag function receives only the element name. The hook_tag function therefore may have to be edited. See section 3.4.9.
+
  Old versions of htmLawed may be available online. E.g., for version 1.0, check http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip, for 1.1.1, htmLawed111.zip, and for 1.1.10, htmLawed1110.zip.
@@ -1789,7 +1884,7 @@ A PHP Labware internal utility - 4.10  Acknowledgements (to top)

-  Bryan Blakey, Ulf Harnhammer, Gareth Heyes, Lukasz Pilorz, Shelley Powers, Edward Yang, and many anonymous users.
+  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Edward Yang, and many anonymous users.

  Thank you!
@@ -1856,6 +1951,7 @@ A PHP Labware internal utility -

-


HTM version of htmLawed_README.txt generated on 22 Dec, 2009 using rTxt2htm from PHP Labware +


HTM version of htmLawed_README.txt generated on 06 Jun, 2012 using rTxt2htm from PHP Labware
diff --git a/mod/htmlawed/vendors/htmLawed/htmLawed_README.txt b/mod/htmlawed/vendors/htmLawed/htmLawed_README.txt old mode 100644 new mode 100755 index 48a67009b..e4027e465 --- a/mod/htmlawed/vendors/htmLawed/htmLawed_README.txt +++ b/mod/htmlawed/vendors/htmLawed/htmLawed_README.txt @@ -1,8 +1,8 @@ /* -htmLawed_README.txt, 22 December 2009 -htmLawed 1.1.9, 22 December 2009 +htmLawed_README.txt, 8 June 2012 +htmLawed 1.1.11, 5 June 2012 Copyright Santosh Patnaik -GPL v3 license +Dual licensed with LGPL 3 and GPL 2 or later A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed */ @@ -171,7 +171,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern -- 1.4 License & copyright ----------------------------------------o - htmLawed is free and open-source software licensed under GPL license version 3:- http://www.gnu.org/licenses/gpl-3.0.txt, and copyrighted by Santosh Patnaik, MD, PhD. + htmLawed is free and open-source software dual licensed under LGPL license version 3:- http://www.gnu.org/licenses/lgpl-3.0.txt and GPL license version 2:- http://www.gnu.org/licenses/gpl-2.0.txt or later, and copyrighted by Santosh Patnaik, MD, PhD. -- 1.5 Terms used here --------------------------------------------o @@ -200,9 +200,11 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern == 2 Usage ========================================================oo - htmLawed should work with PHP 4.3 and higher. Either 'include()' the 'htmLawed.php' file or copy-paste the entire code. + htmLawed should work with PHP 4.4 and higher. Either 'include()' the 'htmLawed.php' file or copy-paste the entire code. To easily *test* htmLawed using a form-based interface, use the provided demo:- htmLawedTest.php ('htmLawed.php' and 'htmLawedTest.php' should be in the same directory on the web-server). + + *Note*: For code for usage of the htmLawed class (for htmLawed in OOP), please refer to the htmLawed:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed website; the filtering itself can be configured, etc., as described here. -- 2.1 Simple ------------------------------------------------------ @@ -305,6 +307,12 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern '0' - none * 'string' - dictated by values in 'string' 'on*' (like 'onfocus') attributes not allowed - " + + *direct_nest_list* + Allow direct nesting of a list within another without requiring it to be a list item; see section:- #3.3.4 + + '0' - no * + '1' - yes *elements* Allowed HTML elements; see section:- #3.3 @@ -376,11 +384,11 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern '1' - will auto-adjust other relevant '$config' parameters (indicated by '"' in this list) *schemes* - Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs; '*' covers all unspecified attributes; see section:- #3.4.3 + Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or '!' to `deny` any URL); '*' covers all unspecified attributes; see section:- #3.4.3 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https' * '*: ftp, gopher, http, https, mailto, news, nntp, telnet' ^ - 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https' " + 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: !; *:file, http, https' " *show_setting* Name of a PHP variable to assign the `finalized` '$config' and '$spec' values; see section:- #3.8 @@ -469,7 +477,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern `Rule`: 'input=title(), value(maxval=8/default=6)' `Output`: '' - `Rule`: 'input=title(nomatch=$w.d$i), value(match=$em$/default=6em)' + `Rule`: 'input=title(nomatch=%w.d%i), value(match=%em%/default=6em)' `Output`: '' `Rule`: 'input=title(oneof=height|depth/default=depth), value(noneof=5|6)' @@ -491,17 +499,23 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern -- 2.5 Some security risks to keep in mind ------------------------o - When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially `dangerous` HTML code. (This may not be a problem if the authors are trusted.) + When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially `dangerous` HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc. - For example, following increase security risks: + Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permission has to be kept in mind. For example, following increase security risks: * Allowing 'script', 'applet', 'embed', 'iframe' or 'object' elements, or certain of their attributes like 'allowscriptaccess' * Allowing HTML comments (some Internet Explorer versions are vulnerable with, e.g., '' * Allowing dynamic CSS expressions (a feature of the IE browser) + + * Allowing the 'style' attribute - `Unsafe` HTML can be removed by setting '$config' appropriately. E.g., '$config["elements"] = "* -script"' (section:- #3.3), '$config["safe"] = 1' (section:- #3.6), etc. + To remove `unsecure` HTML, code-developers using htmLawed must set '$config' appropriately. E.g., '$config["elements"] = "* -script"' to deny the 'script' element (section:- #3.3), '$config["safe"] = 1' to auto-configure ceratin htmLawed parameters for maximizing security (section:- #3.6), etc. + + Permitting the '*style*' attribute brings in risks of `click-jacking`, `phishing`, web-page overlays, etc., `even` when the 'safe' parameter is enabled (see section:- #3.6). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's '$spec' argument, and through the 'hook_tag' parameter (see section:- #3.4.8 for more). Disallowing 'style' completely and relying on CSS classes and stylesheet files is recommended. + + htmLawed does not check or correct the character *encoding* of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML 'meta' tags, this can permit an exploit (like Google's UTF-7/XSS vulnerability of the past). -- 2.6 Use without modifying old 'kses()' code --------------------o @@ -614,6 +628,8 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern * htmLawed does not correct certain possible attribute-based security vulnerabilities (e.g., 'x'). These arise when browsers mis-identify markup in `escaped` text, defeating the very purpose of escaping text (a bad browser will read the given example as 'x'). * Because of poor Unicode support in PHP, htmLawed does not remove the `high value` HTML-invalid characters with multi-byte code-points. Such characters however are extremely unlikely to be in the input. (see section:- #3.1). + + * htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML 'meta' tags, this can permit an exploit (like Google's UTF-7/XSS vulnerability of the past). * Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts. @@ -925,6 +941,8 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern In some cases, the specs stipulate the number and/or the ordering of the child elements. A 'table' can have 0 or 1 'caption', 'tbody', 'tfoot', and 'thead', but they must be in this order: 'caption', 'thead', 'tfoot', 'tbody'. htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages. + + With '$config["direct_list_nest"]' set to '1', htmLawed will allow direct nesting of an 'ol' or 'ul' list within another 'ol' or 'ul' without requiring the child list to be within an 'li' of the parent list. While this is not standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter '$config["direct_list_nest"]' has no effect if tag-balancing (section:- #3.3.3) is turned off. -- 3.3.5 Beautify or compact HTML ---------------------------------o @@ -1020,6 +1038,8 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern Thus, `to allow Javascript`, one can set '$config["schemes"]' as 'href: mailto, http, https; *: http, https, javascript', or 'href: mailto, http, https, javascript; *: http, https, javascript', or '*: *', and so on. As a side-note, one may find 'style: *' useful as URLs in 'style' attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text. + + '!' can be put in the list of schemes to disallow all protocols as well as `local` URLs. Thus, with 'href: http, style: !', 'CNN' will become 'CNN'. *Note*: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string 'src' (e.g., 'dynsrc') or starts with 'o' (e.g., 'onbeforecopy'). @@ -1149,7 +1169,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern -- 3.4.8 Inline style properties ----------------------------------o - htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the 'style' attributes. (CSS properties like 'background-image' that accept URLs in their values are noted in section:- #5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting '$config["css_expression"]' to '1' (default setting). + htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the 'style' attributes. (CSS properties like 'background-image' that accept URLs in their values are noted in section:- #5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting '$config["css_expression"]' to '1' (default setting). Note that when '$config["css_expression"]' is set to '1', htmLawed will remove '/*' from the 'style' values. *Note*: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the 'style' attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off ('$config["schemes"] = "...style:*..."', see section:- #3.4.3, and '$config["css_expression"] = 0'). Alternately, admins can use their own custom function for finer handling of 'style' values through the 'hook_tag' parameter (see section:- #3.4.9). @@ -1163,13 +1183,21 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern It is possible to utilize a custom hook function to alter the tag content htmLawed has finalized (i.e., after it has checked/corrected for required attributes, transformed attributes, lower-cased attribute names, etc.). - When '$config' parameter 'hook_tag' is set to the name of a function, htmLawed (function 'hl_tag()') will pass on the element name, and the `finalized` attribute name-value pairs as array elements to the function. The function is expected to return the full opening tag string like '' (for empty elements like 'img' and 'input', the element-closing slash '/' should also be included). + When '$config' parameter 'hook_tag' is set to the name of a function, htmLawed (function 'hl_tag()') will pass on the element name, and, in the case of an opening tag, the `finalized` attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like '' (for empty elements like 'img' and 'input', the element-closing slash '/' should also be included), etc. + + Any 'hook_tag' function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as 'a' in the closing '' tag of the element 'CNN'. Unlike for opening tags, no other value (i.e., the attribute name-value array) is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like ''). This is a *powerful functionality* that can be exploited for various objectives: consolidate-and-convert inline 'style' attributes to 'class', convert 'embed' elements to 'object', permit only one 'caption' element in a 'table' element, disallow embedding of certain types of media, *inject HTML*, use CSSTidy:- http://csstidy.sourceforge.net to sanitize 'style' attribute values, etc. As an example, the custom hook code below can be used to force a series of specifically ordered 'id' attributes on all elements, and a specific 'param' element inside all 'object' elements: - function my_tag_function($element, $attribute_array){ + function my_tag_function($element, $attribute_array=0){ + + // If second argument is not received, it means a closing tag is being handled + if(is_numeric($attribute_array)){ + return ""; + } + static $id = 0; // Remove any duplicate element if($element == 'param' && isset($attribute_array['allowscriptaccess'])){ @@ -1192,6 +1220,9 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern foreach($attribute_array as $k=>$v){ $string .= " {$k}=\"{$v}\""; } + + static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'param'=>1); + return "<{$element}{$string}". (isset($in_array($element, $empty_elements) ? ' /' : ''). '>'. $new_element; } @@ -1213,12 +1244,14 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern htmLawed allows an admin to use '$config["safe"]' to auto-adjust multiple '$config' parameters (such as 'elements' which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by '"' in section:- #2.2). Thus, one can pass the '$config' argument with a simpler value. - With the value of '1', htmLawed considers 'CDATA' sections and HTML comments as plain text, and prohibits the 'applet', 'embed', 'iframe', 'object' and 'script' elements, and the 'on*' attributes like 'onclick'. ( There are '$config' parameters like 'css_expression' that are not affected by the value set for 'safe' but whose default values still contribute towards a more `safe` output.) Further, URLs with schemes (see section:- #3.4.3) are neutralized so that, e.g., 'style="moz-binding:url(http://danger)"' becomes 'style="moz-binding:url(denied:http://danger)"' while 'style="moz-binding:url(ok)"' remains intact. + With the value of '1', htmLawed considers 'CDATA' sections and HTML comments as plain text, and prohibits the 'applet', 'embed', 'iframe', 'object' and 'script' elements, and the 'on*' attributes like 'onclick'. ( There are '$config' parameters like 'css_expression' that are not affected by the value set for 'safe' but whose default values still contribute towards a more `safe` output.) Further, URLs with schemes (see section:- #3.4.3) are neutralized so that, e.g., 'style="moz-binding:url(http://danger)"' becomes 'style="moz-binding:url(denied:http://danger)"'. Admins, however, may still want to completely deny the 'style' attribute, e.g., with code like $processed = htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style')); + Permitting the 'style' attribute brings in risks of `click-jacking`, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check 'style' values. It does provide ways for the code-developer implementing htmLawed to do such checks through the '$spec' argument, and through the 'hook_tag' parameter (see section:- #3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended. + If a value for a parameter auto-set through 'safe' is still manually provided, then that value can over-ride the auto-set value. E.g., with '$config["safe"] = 1' and '$config["elements"] = "*+script"', 'script', but not 'applet', is allowed. A page illustrating the efficacy of htmLawed's anti-XSS abilities with 'safe' set to '1' against XSS vectors listed by RSnake:- http://ha.ckers.org/xss.html may be available here:- http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm. @@ -1288,6 +1321,20 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern `Version number - Release date. Notes` + 1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. '$config["hook_tag"]', if specified, now receives names of elements in closing tags. + + 1.1.10 - 22 October 2011. Fix for a bug in the 'tidy' functionality that caused the entire input to be replaced with a single space; new parameter, '$config["direct_list_nest"]' to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.) + + 1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of 'li' within 'dir' + + 1.1.9.4 - 3 July 2010. Parameter 'schemes' now accepts '!' so any URL, even a local one, can be `denied`. An issue in which a second URL value in 'style' properties was not checked was fixed. + + 1.1.9.3 - 17 May 2010. Checks for correct nesting of 'param' + + 1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes + + 1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for 'flashvars' attribute for 'embed' + 1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values 1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice @@ -1336,6 +1383,10 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern Upgrading is as simple as replacing the previous version of 'htmLawed.php' (assuming it was not modified for customized features). As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content. + *Important* The following upgrades may affect the functionality of a specific htmLawed as indicated by their corresponding notes: + + (1) From version 1.1-1.1.10 to 1.1.11, if a 'hook_tag' function is in use: In version 1.1.11, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a 'hook_tag' function receives only the element name. The 'hook_tag' function therefore may have to be edited. See section:- #3.4.9. + Old versions of htmLawed may be available online. E.g., for version 1.0, check http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip, for 1.1.1, htmLawed111.zip, and for 1.1.10, htmLawed1110.zip. @@ -1382,7 +1433,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern -- 4.10 Acknowledgements ------------------------------------------o - Bryan Blakey, Ulf Harnhammer, Gareth Heyes, Lukasz Pilorz, Shelley Powers, Edward Yang, and many anonymous users. + Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Edward Yang, and many anonymous users. Thank you! @@ -1446,6 +1497,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern disabled - button, input, optgroup, option, select, textarea enctype - form face - font + flashvars* - embed for - label frame - table frameborder - iframe diff --git a/mod/htmlawed/vendors/htmLawed/htmLawed_TESTCASE.txt b/mod/htmlawed/vendors/htmLawed/htmLawed_TESTCASE.txt old mode 100644 new mode 100755 index ea24b1839..793a5a6a7 --- a/mod/htmlawed/vendors/htmLawed/htmLawed_TESTCASE.txt +++ b/mod/htmlawed/vendors/htmLawed/htmLawed_TESTCASE.txt @@ -1,8 +1,8 @@ /* -htmLawed_TESTCASE.txt, 22 December 2009 -htmLawed 1.1.9, 22 December 2009 +htmLawed_TESTCASE.txt, 22 October 2011 +htmLawed 1.1.11, 5 June 2012 Copyright Santosh Patnaik -GPL v3 license +Dual licensed with LGPL 3 and GPL 2 or later A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed */ @@ -94,6 +94,15 @@ The PHP software script used for this web-page webpage i +value + + + + + + + +
Complex-4: nested and other tables
Cell
Cell
Cell
Cell Cell Cell
Cell
Cell Cell Cell

@@ -181,10 +190,13 @@ text none t e x t
HTML comments (also CDATA)
-Special characters inside: , , , c
-Normal: , , comment:,
text not allowed

-Malformed: , < ![CDATA check ]]>, < ![CDATA check ] ]>
-Invalid: >comment in tag content, +Script inside:
+Special characters inside: , , , c
+Normal: , , comment:,
text not allowed

+Malformed: , < ![CDATA check ]]>, < ![CDATA check ] ]>
+Invalid: >comment in tag content,
Ins-Del
@@ -224,6 +236,11 @@ Invalid: >comment in tag content,
  • l3
  • l4
    1. lo3
    2. lo4
      1. lo5

    • +Nested, directly:
      +
    • l1
      • +
        l2
      +
    • l3
      • +

    Nested, close-tags omitted:
    • l1
    • l2
      1. lo1
      2. lo2
      @@ -242,6 +259,13 @@ Invalid: >comment in tag content,
    +
    Microdata
    + +
    +I am X but people call me Y. +Find me at +
    +
    Non-English text-1
    Inscrieţi-vă acum la a Zecea Conferinţă Internaţională
    @@ -320,7 +344,8 @@ na Alemanha. Relative and absolute: , , , , , ,
    (try base URL value of 'http://a.com/b/')
    CSS URLs:
    ,
    ,
    ,
    ,

    -Anti-spam: (try regex for 'http://a.com', etc.) , , , , , ,
    +Double URLs: b
    +Anti-spam: (try regex for 'http://a.com', etc.) , , , , , , ,
    XSS
    -- cgit v1.2.3 From 089a086695f0f0b3ee70709bff72be37c0618407 Mon Sep 17 00:00:00 2001 From: Sem Date: Sun, 1 Jul 2012 17:55:35 +0200 Subject: Fixes #4652. Redirecting to inbox when trying to open a deleted message. --- mod/messages/pages/messages/read.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod/messages/pages/messages/read.php b/mod/messages/pages/messages/read.php index d41551be4..19e3ecdd7 100644 --- a/mod/messages/pages/messages/read.php +++ b/mod/messages/pages/messages/read.php @@ -9,7 +9,7 @@ gatekeeper(); $message = get_entity(get_input('guid')); if (!$message) { - forward(); + forward('messages/inbox'); } // mark the message as read -- cgit v1.2.3 From c1621c3c385f366f553198fcc1d501b55405baed Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sun, 1 Jul 2012 17:52:39 -0400 Subject: Refs #4642 need to filter annotations by name --- mod/groups/start.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mod/groups/start.php b/mod/groups/start.php index d85bb6492..193b72a4e 100644 --- a/mod/groups/start.php +++ b/mod/groups/start.php @@ -943,6 +943,10 @@ function discussion_create_reply_notification($hook, $type, $message, $params) { function discussion_reply_notifications($event, $type, $annotation) { global $CONFIG, $NOTIFICATION_HANDLERS; + if ($annotation->name !== 'group_topic_post') { + return; + } + // Have we registered notifications for this type of entity? $object_type = 'object'; $object_subtype = 'groupforumtopic'; -- cgit v1.2.3 From c593ca648683688fe89ab6f7ebc39e1c8471af18 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sun, 1 Jul 2012 21:43:26 -0400 Subject: Refs #3955 use input/dropdown for group membership since it is not technically an access and cause issues with removing public access --- mod/groups/views/default/forms/groups/edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod/groups/views/default/forms/groups/edit.php b/mod/groups/views/default/forms/groups/edit.php index 26436ef01..8055b6430 100644 --- a/mod/groups/views/default/forms/groups/edit.php +++ b/mod/groups/views/default/forms/groups/edit.php @@ -55,7 +55,7 @@ if ($group_profile_fields > 0) {