From fc5968eb4a2af5ba7cd1f04a05a75c1992ff96e7 Mon Sep 17 00:00:00 2001
From: Matt Beckett
Date: Sun, 26 Aug 2012 09:32:53 -0600
Subject: forward 1.7 group profile urls to correct destination in 1.8
---
 mod/groups/start.php | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'mod')
diff --git a/mod/groups/start.php b/mod/groups/start.php
index 193b72a4e..37aa839a9 100644
--- a/mod/groups/start.php
+++ b/mod/groups/start.php
@@ -195,6 +195,15 @@ function groups_setup_sidebar_menus() {
 */
 function groups_page_handler($page) {
+ // forward old profile urls
+ if (is_numeric($page[0])) {
+ $group = get_entity($page[0]);
+ if (elgg_instanceof($group, 'group', '', 'ElggGroup')) {
+ system_message(elgg_echo('changebookmark'));
+ forward($group->getURL());
+ }
+ }
+
 elgg_load_library('elgg:groups');
 elgg_push_breadcrumb(elgg_echo('groups'), "groups/all");
--
cgit v1.2.3
From 3eeea7d1b2d531aa9c4dc0c4f09f58ed287a4971 Mon Sep 17 00:00:00 2001
From: Jeroen Dalsem
Date: Wed, 3 Oct 2012 11:16:24 +0200
Subject: show search query in input field
---
 mod/search/views/default/search/search_box.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'mod')
diff --git a/mod/search/views/default/search/search_box.php b/mod/search/views/default/search/search_box.php
index ff12ae4f0..91bedde05 100644
--- a/mod/search/views/default/search/search_box.php
+++ b/mod/search/views/default/search/search_box.php
@@ -37,7 +37,7 @@ $display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
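Review bot: `is_numeric($page[0])` on the first added line reads `$page[0]` without checking that a segment exists, and it also accepts float and exponent strings that are not GUIDs; `if (isset($page[0]) && ctype_digit((string) $page[0])) {` keeps the redirect to whole-number GUIDs and avoids an undefined-offset notice if the handler can be reached with an empty segment list. The redirect is presumably terminal (`forward()` ends the request elsewhere in Elgg), so only numeric first segments that resolve to an `ElggGroup` are affected, which matches the commit subject; a comment such as `// pre-1.8 group profile URLs carried the GUID in the first segment; send those to the current URL` would record why this sits ahead of the normal routing. `groups_page_handler` continues outside the hunk.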
- +
--
cgit v1.2.3
From 9e377f9e006c20c98aa757f1c30228293651a404 Mon Sep 17 00:00:00 2001
From: Jeroen Dalsem
Date: Wed, 3 Oct 2012 14:03:01 +0200
Subject: fixed incomplete forward url
---
 mod/messages/pages/messages/read.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'mod')
diff --git a/mod/messages/pages/messages/read.php b/mod/messages/pages/messages/read.php
index 19e3ecdd7..1a56399d3 100644
--- a/mod/messages/pages/messages/read.php
+++ b/mod/messages/pages/messages/read.php
@@ -8,8 +8,8 @@ gatekeeper();
 $message = get_entity(get_input('guid'));
-if (!$message) {
- forward('messages/inbox');
+if (!$message || !elgg_instanceof($message, "object", "messages")) {
+ forward('messages/inbox/' . elgg_get_logged_in_user_entity()->username);
 }
 // mark the message as read
--
cgit v1.2.3
From b29dcc4b232bdf5f587fce31c2c271c1814c4392 Mon Sep 17 00:00:00 2001
From: Jeroen Dalsem
Date: Wed, 3 Oct 2012 14:07:54 +0200
Subject: check for correct page_owner to prevent unwanted access to the page
---
 mod/messages/pages/messages/inbox.php | 9 +++++++--
 mod/messages/pages/messages/sent.php | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
(limited to 'mod')
diff --git a/mod/messages/pages/messages/inbox.php b/mod/messages/pages/messages/inbox.php
index fdfc20c43..de5b8b231 100644
--- a/mod/messages/pages/messages/inbox.php
+++ b/mod/messages/pages/messages/inbox.php
@@ -8,8 +8,13 @@ gatekeeper();
 $page_owner = elgg_get_page_owner_entity();
-if (!$page_owner) {
- register_error(elgg_echo());
+
+if (!$page_owner || !$page_owner->canEdit()) {
+ $guid = 0;
+ if($page_owner){
+ $guid = $page_owner->getGUID();
+ }
+ register_error(elgg_echo("pageownerunavailable", array($guid)));
 forward();
 }
diff --git a/mod/messages/pages/messages/sent.php b/mod/messages/pages/messages/sent.php
index af06ab273..3d08cd5ee 100644
--- a/mod/messages/pages/messages/sent.php
+++ b/mod/messages/pages/messages/sent.php
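Review bot: The new condition on the added `if` line checks only that `$message` is a `messages` object, not that the logged-in user is a party to it, so whether a user can open someone else's message by guid rests entirely on the entity's access settings, which this hunk does not show. If the page is meant to be participant-only, that check belongs here beside the type check (the sender guid is read from `$message->fromID` in a later commit of this series; the recipient field is not visible on this page, so I cannot quote the exact condition). The `elgg_get_logged_in_user_entity()->username` dereference in the new `forward()` target is safe only because `gatekeeper()` above presumably guarantees a logged-in user; a short comment saying so would save the next reader a check.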
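Review bot: `if($page_owner){` in the added block departs from the `if (...) {` spacing used on the line just above it, and the three-line nested block reads more simply as `$guid = $page_owner ? $page_owner->getGUID() : 0;`. The same hunk is repeated verbatim in mod/messages/pages/messages/sent.php, so the same change applies there. Gating on `$page_owner->canEdit()` is what actually closes the access gap named in the subject; a comment such as `// the inbox is private: only someone allowed to edit the page owner may read it` would record that the check is deliberate rather than incidental.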
@@ -8,8 +8,13 @@ gatekeeper();
 $page_owner = elgg_get_page_owner_entity();
-if (!$page_owner) {
- register_error(elgg_echo());
+
+if (!$page_owner || !$page_owner->canEdit()) {
+ $guid = 0;
+ if($page_owner){
+ $guid = $page_owner->getGUID();
+ }
+ register_error(elgg_echo("pageownerunavailable", array($guid)));
 forward();
 }
--
cgit v1.2.3
From a050a89b56f47145a32a7f913c674cdf1f5b7bfc Mon Sep 17 00:00:00 2001
From: Matt Beckett
Date: Thu, 4 Oct 2012 12:38:39 -0600
Subject: only present a reply button when the message can be replied to
---
 mod/messages/pages/messages/read.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'mod')
diff --git a/mod/messages/pages/messages/read.php b/mod/messages/pages/messages/read.php
index 19e3ecdd7..fd3b466a1 100644
--- a/mod/messages/pages/messages/read.php
+++ b/mod/messages/pages/messages/read.php
@@ -38,8 +38,9 @@ if ($inbox) {
 );
 $body_params = array('message' => $message);
 $content .= elgg_view_form('messages/reply', $form_params, $body_params);
-
- if (elgg_get_logged_in_user_guid() == elgg_get_page_owner_guid()) {
+ $from_user = get_user($message->fromID);
+
+ if (elgg_get_logged_in_user_guid() == elgg_get_page_owner_guid() && $from_user) {
 elgg_register_menu_item('title', array(
 'name' => 'reply',
 'href' => '#messages-reply-form',
--
cgit v1.2.3
From 45d86fbfb153da14350c093ab5a208c2b8819998 Mon Sep 17 00:00:00 2001
From: Jeroen Dalsem
Date: Wed, 10 Oct 2012 08:58:17 +0200
Subject: use display_query instead of value for search input value
---
 mod/search/views/default/search/search_box.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'mod')
diff --git a/mod/search/views/default/search/search_box.php b/mod/search/views/default/search/search_box.php
index 91bedde05..7474a280c 100644
--- a/mod/search/views/default/search/search_box.php
+++ b/mod/search/views/default/search/search_box.php
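Review bot: The reply form is still appended on the context line just above the change (`$content .= elgg_view_form('messages/reply', $form_params, $body_params);`) regardless of `$from_user`, so when the sender no longer exists the button is hidden but a form that posts a reply to a missing user is still rendered. Moving `$from_user = get_user($message->fromID);` above that line and placing the form under the same condition as the menu item, e.g. `if ($from_user) { $content .= elgg_view_form('messages/reply', $form_params, $body_params); }`, keeps the two consistent. The loose `==` between the two guids predates the change; `(int) elgg_get_logged_in_user_guid() === (int) elgg_get_page_owner_guid()` would be the stricter form. The enclosing `if ($inbox) {` block starts and ends outside the hunk.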
@@ -32,12 +32,11 @@ if (function_exists('mb_convert_encoding')) { } $display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false); - ?>
- +
--
cgit v1.2.3
From 5efa9426d40326b8d31c152dd2a433076b490308 Mon Sep 17 00:00:00 2001
From: Steve Clay
Date: Sun, 9 Sep 2012 01:52:09 -0400
Subject: Fixes #4593: All titles are HTML-escaped plain text
---
 mod/blog/actions/blog/auto_save_revision.php | 2 +-
 mod/blog/actions/blog/save.php | 6 +++++-
 mod/bookmarks/actions/bookmarks/save.php | 2 +-
 mod/file/actions/file/upload.php | 4 ++--
 mod/groups/actions/discussion/save.php | 2 +-
 mod/groups/actions/groups/edit.php | 3 +--
 mod/pages/actions/pages/edit.php | 5 +++--
 7 files changed, 14 insertions(+), 10 deletions(-)
(limited to 'mod')
diff --git a/mod/blog/actions/blog/auto_save_revision.php b/mod/blog/actions/blog/auto_save_revision.php
index 66b65c5fd..e33edfaab 100644
--- a/mod/blog/actions/blog/auto_save_revision.php
+++ b/mod/blog/actions/blog/auto_save_revision.php
@@ -7,7 +7,7 @@ $guid = get_input('guid');
 $user = elgg_get_logged_in_user_entity();
-$title = get_input('title');
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $description = get_input('description');
 $excerpt = get_input('excerpt');
diff --git a/mod/blog/actions/blog/save.php b/mod/blog/actions/blog/save.php
index 048bc00be..070c96398 100644
--- a/mod/blog/actions/blog/save.php
+++ b/mod/blog/actions/blog/save.php
@@ -57,7 +57,11 @@ $required = array('title', 'description');
 // load from POST and do sanity and access checking
 foreach ($values as $name => $default) {
- $value = get_input($name, $default);
+ if ($name === 'title') {
+ $value = htmlspecialchars(get_input('title', $default, false), ENT_QUOTES, 'UTF-8');
+ } else {
+ $value = get_input($name, $default);
+ }
 if (in_array($name, $required) && empty($value)) {
 $error = elgg_echo("blog:error:missing:$name");
diff --git a/mod/bookmarks/actions/bookmarks/save.php b/mod/bookmarks/actions/bookmarks/save.php
index 3ca6bef32..46090b115 100644
--- a/mod/bookmarks/actions/bookmarks/save.php
+++ b/mod/bookmarks/actions/bookmarks/save.php
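Review bot: `htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8')` on the added line returns an empty string when the submitted title contains invalid UTF-8 unless `ENT_SUBSTITUTE` (PHP 5.4+) or `ENT_IGNORE` is passed, so such a title is silently dropped rather than rejected; where the supported PHP version allows it, `ENT_QUOTES | ENT_SUBSTITUTE` keeps the text and replaces the bad bytes, and otherwise an empty result from a non-empty input should be reported as an error. In mod/blog/actions/blog/save.php that empty result then trips the `empty($value)` required-field check (`blog:error:missing:title`), and in mod/file/actions/file/upload.php it falls through to the filename branch. The same expression is pasted into mod/bookmarks/actions/bookmarks/save.php, mod/groups/actions/discussion/save.php, mod/groups/actions/groups/edit.php and mod/pages/actions/pages/edit.php as well; one small helper would keep the escaping policy (raw input via the `false` filter flag, then escape) in a single place. Escaping at input time also means stored titles now hold entities, so any consumer that escapes again or emits non-HTML (feeds, e-mail, JSON) will double-encode; the series does not address that, and it deserves an explicit decision in a comment next to the helper.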
@@ -5,7 +5,7 @@
 * @package Bookmarks
 */
-$title = strip_tags(get_input('title'));
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $description = get_input('description');
 $address = get_input('address');
 $access_id = get_input('access_id');
diff --git a/mod/file/actions/file/upload.php b/mod/file/actions/file/upload.php
index d72d04eb7..d6dce2528 100644
--- a/mod/file/actions/file/upload.php
+++ b/mod/file/actions/file/upload.php
@@ -6,7 +6,7 @@
 */
 // Get variables
-$title = get_input("title");
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $desc = get_input("description");
 $access_id = (int) get_input("access_id");
 $container_guid = (int) get_input('container_guid', 0);
@@ -44,7 +44,7 @@ if ($new_file) {
 // if no title on new upload, grab filename
 if (empty($title)) {
- $title = $_FILES['upload']['name'];
+ $title = htmlspecialchars($_FILES['upload']['name'], ENT_QUOTES, 'UTF-8');
 }
 } else {
diff --git a/mod/groups/actions/discussion/save.php b/mod/groups/actions/discussion/save.php
index de4afadfb..b3e9da654 100644
--- a/mod/groups/actions/discussion/save.php
+++ b/mod/groups/actions/discussion/save.php
@@ -4,7 +4,7 @@
 */
 // Get variables
-$title = get_input("title");
+$title = htmlspecialchars(get_input('title', '', false), ENT_QUOTES, 'UTF-8');
 $desc = get_input("description");
 $status = get_input("status");
 $access_id = (int) get_input("access_id");
diff --git a/mod/groups/actions/groups/edit.php b/mod/groups/actions/groups/edit.php
index df2464a65..a4169461a 100644
--- a/mod/groups/actions/groups/edit.php
+++ b/mod/groups/actions/groups/edit.php
@@ -33,8 +33,7 @@ foreach ($CONFIG->group as $shortname => $valuetype) {
 }
 }
-$input['name'] = get_input('name');
-$input['name'] = html_entity_decode($input['name'], ENT_COMPAT, 'UTF-8');
+$input['name'] = htmlspecialchars(get_input('name', '', false), ENT_QUOTES, 'UTF-8');
 $user = elgg_get_logged_in_user_entity();
diff --git a/mod/pages/actions/pages/edit.php b/mod/pages/actions/pages/edit.php
index a32e4a4ba..fe5754d76 100644
--- a/mod/pages/actions/pages/edit.php
+++ b/mod/pages/actions/pages/edit.php
@@ -8,9 +8,10 @@ $variables = elgg_get_config('pages');
 $input = array();
 foreach ($variables as $name => $type) {
- $input[$name] = get_input($name);
 if ($name == 'title') {
- $input[$name] = strip_tags($input[$name]);
+ $input[$name] = htmlspecialchars(get_input($name, '', false), ENT_QUOTES, 'UTF-8');
+ } else {
+ $input[$name] = get_input($name);
 }
 if ($type == 'tags') {
 $input[$name] = string_to_tag_array($input[$name]);
--
cgit v1.2.3