Changeset 454
- Timestamp:
- 07/16/06 23:10:36 (2 years ago)
- Files:
-
- devel/_files/rss2.php (modified) (1 diff)
- devel/_weblog/rss091.php (modified) (3 diffs)
- devel/_weblog/rss2.php (modified) (2 diffs)
- devel/lib/displaylib.php (modified) (2 diffs)
- devel/lib/elgglib.php (modified) (2 diffs)
- devel/lib/setup.php (modified) (3 diffs)
- devel/profile/edit.php (modified) (1 diff)
- devel/profile/profile.class.php (modified) (14 diffs)
- devel/profile/rss2.php (modified) (2 diffs)
- devel/search/rss.php (modified) (1 diff)
- devel/units/admin/admin_actions.php (modified) (1 diff)
- devel/units/admin/admin_users_panel.php (modified) (1 diff)
- devel/units/communities/communities_actions.php (modified) (1 diff)
- devel/units/communities/communities_edit.php (modified) (2 diffs)
- devel/units/communities/communities_members.php (modified) (2 diffs)
- devel/units/communities/communities_membership_requests.php (modified) (1 diff)
- devel/units/communities/communities_moderator_of.php (modified) (2 diffs)
- devel/units/communities/communities_owned.php (modified) (1 diff)
- devel/units/communities/community_memberships.php (modified) (1 diff)
- devel/units/display/function_output_field_display.php (modified) (2 diffs)
- devel/units/files/function_rss_publish.php (modified) (1 diff)
- devel/units/files/function_search.php (modified) (5 diffs)
- devel/units/files/function_search_ecl.php (modified) (2 diffs)
- devel/units/files/function_search_rss.php (modified) (4 diffs)
- devel/units/friends/friends_edit.php (modified) (2 diffs)
- devel/units/friends/friends_of_edit.php (modified) (2 diffs)
- devel/units/friends/generate_foaf.php (modified) (2 diffs)
- devel/units/groups/get_groups_external.php (modified) (1 diff)
- devel/units/invite/invite_join.php (modified) (1 diff)
- devel/units/magpie/function_update.php (modified) (2 diffs)
- devel/units/magpie/function_view.php (modified) (1 diff)
- devel/units/profile/function_actions.php (modified) (1 diff)
- devel/units/profile/function_rss_publish.php (modified) (2 diffs)
- devel/units/profile/function_search.php (modified) (3 diffs)
- devel/units/profile/function_search_ecl.php (modified) (3 diffs)
- devel/units/profile/function_search_rss.php (modified) (3 diffs)
- devel/units/profile/generate_vcard_adr_fields.php (modified) (1 diff)
- devel/units/profile/profile_user_info.php (modified) (1 diff)
- devel/units/rpc/lib/class_file.php (modified) (3 diffs)
- devel/units/rpc/lib/class_post.php (modified) (2 diffs)
- devel/units/rpc/lib/class_tag.php (modified) (1 diff)
- devel/units/rpc/lib/class_user.php (modified) (4 diffs)
- devel/units/rpc/lib/function_authenticate.php (modified) (3 diffs)
- devel/units/rpc/lib/function_load_comment.php (modified) (1 diff)
- devel/units/rpc/lib/function_load_file.php (modified) (1 diff)
- devel/units/rpc/lib/function_load_folder.php (modified) (1 diff)
- devel/units/rpc/lib/function_load_post.php (modified) (1 diff)
- devel/units/rpc/lib/function_load_tag.php (modified) (1 diff)
- devel/units/rpc/lib/function_load_user.php (modified) (1 diff)
- devel/units/rpc/lib/function_load_weblog.php (modified) (1 diff)
- devel/units/search/search_suggest_tags.php (modified) (2 diffs)
- devel/units/search/search_suggest_users.php (modified) (2 diffs)
- devel/units/templates/template_actions.php (modified) (1 diff)
- devel/units/templates/template_draw.php (modified) (2 diffs)
- devel/units/templates/template_draw2.php (modified) (2 diffs)
- devel/units/users/flag_set.php (modified) (1 diff)
- devel/units/users/flag_unset.php (modified) (1 diff)
- devel/units/users/function_name_to_id.php (modified) (1 diff)
- devel/units/users/userdetails_actions.php (modified) (1 diff)
- devel/units/weblogs/archives_view.php (modified) (1 diff)
- devel/units/weblogs/function_rss_publish.php (modified) (1 diff)
- devel/units/weblogs/function_search.php (modified) (4 diffs)
- devel/units/weblogs/function_search_ecl.php (modified) (4 diffs)
- devel/units/weblogs/function_search_rss.php (modified) (2 diffs)
- devel/units/weblogs/weblogs_all_users_view.php (modified) (1 diff)
- devel/units/weblogs/weblogs_friends_view.php (modified) (1 diff)
- devel/units/weblogs/weblogs_view.php (modified) (1 diff)
devel/_files/rss2.php
r453 r454 27 27 if ($info = get_record('users','ident',$page_owner)) { 28 28 $name = stripslashes($info->name); 29 $username = stripslashes($info->username); 30 $mainurl = $CFG->wwwroot . $username . "/files/"; 29 $mainurl = $CFG->wwwroot . $info->username . "/files/"; 31 30 $rssurl = $mainurl . "rss/" . urlencode($tag); 32 31 $rssdescription = sprintf(gettext("Files for %s, hosted on %s."),$name,$sitename); devel/_weblog/rss091.php
r296 r454 34 34 if ($info = get_record('users','ident',$page_owner)) { 35 35 $name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 36 $username = htmlspecialchars( stripslashes($info->username), ENT_COMPAT, 'utf-8');36 $username = htmlspecialchars($info->username, ENT_COMPAT, 'utf-8'); 37 37 $sitename = sitename; 38 38 $mainurl = htmlspecialchars(url . $username . "/weblog/", ENT_COMPAT, 'utf-8'); … … 70 70 header('Expires: ' . gmdate("D, d M Y H:i:s", (time()+3600)) . " GMT"); 71 71 72 $if_modified_since = preg_replace('/;.*$/', '', $_SERVER['HTTP_IF_MODIFIED_SINCE']);73 $if_none_match = preg_replace('/[^0-9a-f]/', '', $_SERVER['HTTP_IF_NONE_MATCH']);72 $if_modified_since = (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) ? preg_replace('/;.*$/', '', $_SERVER['HTTP_IF_MODIFIED_SINCE']) : false; 73 $if_none_match = (isset($_SERVER['HTTP_IF_NONE_MATCH'])) ? preg_replace('/[^0-9a-f]/', '', $_SERVER['HTTP_IF_NONE_MATCH']) : false; 74 74 75 75 if (!$trackmaxtime) { … … 80 80 $etag = md5($output); 81 81 82 if ($if_modified_since == $lm) {82 if ($if_modified_since && $if_modified_since == $lm) { 83 83 header("{$_SERVER['SERVER_PROTOCOL']} 304 Not Modified"); 84 84 exit; 85 85 } 86 if ($if_none_match == $etag) {86 if ($if_none_match && $if_none_match == $etag) { 87 87 header("{$_SERVER['SERVER_PROTOCOL']} 304 Not Modified"); 88 88 exit; devel/_weblog/rss2.php
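Review bot: The `If-None-Match` check on line 86 compares the digest and the hex-filtered client value with `==`, and because both are strings that can look numeric (an `md5()` of the form `0e` followed by digits is a numeric string), PHP compares them as floats, so a client sending `If-None-Match: 0e0` would be answered with a 304 for such a digest. The effect is confined to the requesting client, so this is hardening rather than an exposure, but the comparison should be strict: `if ($if_none_match === $etag) {`, and likewise `if ($if_modified_since === $lm) {` on line 82. With strict comparison the `$if_none_match &&` / `$if_modified_since &&` guards added here become unnecessary, since `false === $etag` can never hold. The `isset()` defaults added on lines 72-73 are the right fix for the undefined-index notices.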
r453 r454 57 57 58 58 if ($page_owner == -1 || $info = get_record('users','ident',$page_owner)) { 59 $username = (stripslashes($info->username));60 59 if ($page_owner == -1) { 61 60 $info = (object) ""; … … 64 63 $xslurl = ""; 65 64 } else { 66 $mainurl = ($CFG->wwwroot . $username . "/weblog/");65 $mainurl = $CFG->wwwroot . $info->username . "/weblog/"; 67 66 $rssurl = $mainurl . "rss/" . $tagurl; 68 67 $xslurl = $mainurl . "rss/" . $tagurl . "rssstyles.xsl"; devel/lib/displaylib.php
r420 r454 248 248 */ 249 249 250 global $db; 250 251 global $page_owner; 251 252 … … 311 312 $where = run("users:access_level_sql_where",$_SESSION['userid']); 312 313 $keywords = ""; 313 if ($tags = get_records_select('tags',"($where) and tagtype = '".addslashes($parameter[2])."' andref = ".$parameter[4],null,'tag ASC')) {314 if ($tags = get_records_select('tags',"($where) AND tagtype = " . $db->qstr($parameter[2]) . " AND ref = ".$parameter[4],null,'tag ASC')) { 314 315 $first = true; 315 316 foreach($tags as $tag) { devel/lib/elgglib.php
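Review bot: Line 314 now quotes `$parameter[2]` with `$db->qstr()` but still concatenates `$parameter[4]` unquoted into `AND ref = `, so the query is only safe if every caller passes an integer there, which this hunk cannot show. Casting at the point of use closes that gap independently of the callers: `" AND ref = " . (int) $parameter[4]`. The enclosing function starts before the hunk.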
r453 r454 2134 2134 if (!empty($CFG->cachetext) and $CFG->currenttextiscacheable) { 2135 2135 $newrecord->md5key = $md5key; 2136 $newrecord->formattedtext = addslashes($text);2136 $newrecord->formattedtext = $text; 2137 2137 $newrecord->timemodified = time(); 2138 2138 @insert_record('cache_text', $newrecord); … … 3625 3625 /// This function provides backward compatibility 3626 3626 $_SESSION['userid'] = (int) $user->ident; 3627 $_SESSION['username'] = stripslashes($user->username);3627 $_SESSION['username'] = $user->username; 3628 3628 $_SESSION['name'] = stripslashes($user->name); 3629 3629 $_SESSION['email'] = stripslashes($user->email); devel/lib/setup.php
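Review bot: Dropping `addslashes()` from `$newrecord->formattedtext` on line 2136 is only correct if `insert_record()` quotes every field itself; nothing in this hunk shows that, and elsewhere this changeset switches to explicit `$db->qstr()` calls, so it is worth confirming `insert_record()` follows the same convention before cache_text receives formatted text unescaped. In the second hunk `username` is now read verbatim while `name` and `email` on lines 3628-3629 still pass through `stripslashes()`; if those columns are also stored unescaped, the remaining calls eat legitimate backslashes and should presumably go the same way — check the write path before changing them. Both hunks sit inside functions that begin outside the hunk.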
r420 r454 164 164 // rather than addslashed. 165 165 if (ini_get_bool('magic_quotes_gpc') ) { 166 167 //do keys as well, cos array_map ignores them 168 function stripslashes_arraykeys($array) { 169 if (is_array($array)) { 170 $array2 = array(); 171 foreach ($array as $key => $data) { 172 if ($key != stripslashes($key)) { 173 $array2[stripslashes($key)] = $data; 174 } else { 175 $array2[$key] = $data; 176 } 177 } 178 return $array2; 179 } else { 180 return $array; 181 } 182 } 183 166 184 function stripslashes_deep($value) { 167 185 $value = is_array($value) ? … … 170 188 return $value; 171 189 } 190 191 $_POST = stripslashes_arraykeys($_POST); 192 $_GET = stripslashes_arraykeys($_GET); 193 $_COOKIE = stripslashes_arraykeys($_COOKIE); 194 $_REQUEST = stripslashes_arraykeys($_REQUEST); 195 172 196 $_POST = array_map('stripslashes_deep', $_POST); 173 197 $_GET = array_map('stripslashes_deep', $_GET); … … 192 216 $_SERVER['PATH_TRANSLATED'] = stripslashes($_SERVER['PATH_TRANSLATED']); 193 217 } 218 194 219 } 195 220 devel/profile/edit.php
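Review bot: `stripslashes_arraykeys()` rewrites only the top level of each superglobal, while `stripslashes_deep()` (whose body is partly outside the hunk) recurses through values with `array_map`, which never touches keys, so the inner keys of a nested form field such as `profiledetails[...]` keep the magic_quotes backslashes this code is meant to remove. The two branches of `if ($key != stripslashes($key))` also do the same thing, so the key handling can be folded into the recursive function and the separate top-level pass dropped, as below. The rest of the `magic_quotes_gpc` block (the `$_SERVER` fix-ups) is unaffected.
```php
function stripslashes_deep($value) {
    if (!is_array($value)) {
        return stripslashes($value);
    }
    // Strip keys as well as values, at every depth.
    $clean = array();
    foreach ($value as $key => $data) {
        $clean[stripslashes($key)] = stripslashes_deep($data);
    }
    return $clean;
}

$_POST = stripslashes_deep($_POST);
$_GET = stripslashes_deep($_GET);
$_COOKIE = stripslashes_deep($_COOKIE);
$_REQUEST = stripslashes_deep($_REQUEST);
// … unchanged: $_SERVER fix-ups …
```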
r420 r454 62 62 delete_records('profile_data','owner',$page_owner); 63 63 foreach($profiledetails as $field => $value) { 64 $field = addslashes($field);64 $field = trim($field); 65 65 $value = trim($value); 66 66 devel/profile/profile.class.php
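Review bot: `$field` on line 64 is a client-chosen array key from `profiledetails[...]` that, with `addslashes()` gone, now reaches whatever write follows the hunk with only `trim()` applied. If that write quotes its values (as the `$db->qstr()` calls elsewhere in this changeset do) the SQL side is fine, but a key should still be checked against the list of field names the form was rendered from before `profile_data` is rewritten, and rows with unknown keys skipped. Note also that under magic_quotes_gpc a nested key like this one is not covered by the new top-level `stripslashes_arraykeys()` in setup.php, so `$field` may still carry backslashes.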
r447 r454 69 69 70 70 $name_cache[$this->id]->created = time(); 71 $name_cache[$this->id]->data = stripslashes(get_field('users','name','ident',$this->id));71 $name_cache[$this->id]->data = get_field('users','name','ident',$this->id); 72 72 73 73 } … … 299 299 } 300 300 301 $column1 = display_input_field(array("profiledetails[" . $fname . "]",$value->value,$ftype,$fname, $value->ident,$page_owner));301 $column1 = display_input_field(array("profiledetails[" . $fname . "]",$value->value,$ftype,$fname,@$value->ident,$page_owner)); 302 302 $column2 = "<label>". gettext("Access Restriction:") ."<br />"; 303 303 $column2 .= run("display:access_level_select",array("profileaccess[".$fname . "]",$value->access)) . "</label>"; … … 353 353 function search ($tagtype, $tagvalue) { 354 354 355 global $data, $CFG;355 global $data, $CFG, $db; 356 356 357 357 $handle = 0; … … 366 366 if ($handle) { 367 367 368 $searchline = "tagtype = '".addslashes($tagtype)."' and tag = '".addslashes($tagvalue)."'";369 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") and" . $searchline;368 $searchline = "tagtype = " . $db->qstr($tagtype) . " AND tag = " . $db->qstr($tagvalue) . ""; 369 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") AND " . 
$searchline; 370 370 $searchline = str_replace("owner","t.owner",$searchline); 371 371 $tagvalue = stripslashes($tagvalue); … … 393 393 $width = 25; 394 394 } 395 $friends_username = stripslashes($info->username);395 $friends_username = $info->username; 396 396 $friends_name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 397 397 $friends_menu = run("users:infobox:menu",array($info->ident)); … … 449 449 function search_ecl ($tagtype, $tagvalue) { 450 450 451 global $data, $CFG;451 global $data, $CFG, $db; 452 452 453 453 $handle = 0; … … 464 464 $sub_result = ""; 465 465 466 $searchline = "tagtype = '".addslashes($tagtype)."' and tag = '".addslashes($tagvalue)."'";467 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") and" . $searchline;466 $searchline = "tagtype = " . $db->qstr($tagtype) . " AND tag = " . $db->qstr($tagvalue) . ""; 467 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") AND " . $searchline; 468 468 $searchline = str_replace("owner", "t.owner", $searchline); 469 469 $tagvalue = stripslashes($tagvalue); … … 472 472 WHERE '.$searchline)) { 473 473 foreach($result as $key => $info) { 474 $icon = url . stripslashes($info->username).'/icons/'.$post->icon;474 $icon = url . $info->username . '/icons/'.$post->icon; 475 475 $sub_result .= "\t\t\t<item>\n"; 476 476 $sub_result .= "\t\t\t\t<name><![CDATA[" . htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8') . "]]></name>\n"; 477 $sub_result .= "\t\t\t\t<link>" . url . htmlspecialchars( stripslashes($info->username), ENT_COMPAT, 'utf-8') . "</link>\n";477 $sub_result .= "\t\t\t\t<link>" . url . htmlspecialchars($info->username, ENT_COMPAT, 'utf-8') . 
"</link>\n"; 478 478 $sub_result .= "\t\t\t\t<link>$icon</link>\n"; 479 479 $sub_result .= "\t\t\t</item>\n"; … … 493 493 function search_rss ($tagtype, $tagvalue) { 494 494 495 global $data, $CFG;495 global $data, $CFG, $db; 496 496 497 497 $handle = 0; … … 506 506 if ($handle) { 507 507 508 $searchline = "tagtype = '".addslashes($tagtype)."' and tag = '".addslashes($tagvalue)."'";509 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") and" . $searchline;508 $searchline = "tagtype = " . $db->qstr($tagtype) . " AND tag = " . $db->qstr($tagvalue) . ""; 509 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") AND " . $searchline; 510 510 $searchline = str_replace("owner", "t.owner", $searchline); 511 511 $tagvalue = stripslashes($tagvalue); … … 516 516 $run_result .= "\t<item>\n"; 517 517 $run_result .= "\t\t<title><![CDATA['" . htmlspecialchars($tagtype, ENT_COMPAT, 'utf-8') . "' = " . htmlspecialchars($tagvalue, ENT_COMPAT, 'utf-8') . " :: " . htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8') . "]]></title>\n"; 518 $run_result .= "\t\t<link>" . url . htmlspecialchars( stripslashes($info->username), ENT_COMPAT, 'utf-8') . "</link>\n";518 $run_result .= "\t\t<link>" . url . htmlspecialchars($info->username, ENT_COMPAT, 'utf-8') . 
"</link>\n"; 519 519 $run_result .= "\t</item>\n"; 520 520 } … … 679 679 $result = get_records_select('profile_data',"name = '$profile_value' AND ($where) AND owner = ".$user_id,'','ident,value'); 680 680 } else { 681 $result = get_records_select('tags',"tagtype = '$profile_value' and ($where) andowner = $user_id",'','ident,tag AS value');681 $result = get_records_select('tags',"tagtype = '$profile_value' and ($where) AND owner = $user_id",'','ident,tag AS value'); 682 682 } 683 683 if (is_array($result)) { … … 765 765 $result = get_records_select('profile_data',"name = '$profile_value' AND ($where) AND owner = ".$user_id,'','ident,value'); 766 766 } else { 767 $result = get_records_select('tags',"tagtype = '$profile_value' and ($where) andowner = $user_id",'','ident,tag AS value');767 $result = get_records_select('tags',"tagtype = '$profile_value' and ($where) AND owner = $user_id",'','ident,tag AS value'); 768 768 } 769 769 if (is_array($result)) { … … 910 910 $icon = "<img alt=\"\" src=\"".url.$info->username.'icons/'.$info->icon.'/w/67" />'; 911 911 $name = stripslashes($info->name); 912 $url = url . stripslashes($info->username). "/";912 $url = url . $info->username . "/"; 913 913 914 914 $body =templates_draw(array( devel/profile/rss2.php
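Review bot: The `search*` methods move tag lookups to `$db->qstr()`, but lines 679/681 and 765/767 still interpolate `$profile_value` into `name = '$profile_value'` / `tagtype = '$profile_value'` and `$user_id` into `owner = $user_id` unquoted; those lines were touched here (the `andowner` fix) and should use `$db->qstr($profile_value)` and `(int) $user_id` unless `$profile_value` is guaranteed upstream to be one of a fixed set of field names. Separately, line 474 in `search_ecl` builds `$icon` from `$post->icon` inside a loop over `$info`, and `$post` is defined nowhere in view, so the icon URL is presumably empty; `$info->icon` looks intended. The `$tagvalue = stripslashes($tagvalue);` that follows each rewritten `$searchline` also reads as a leftover from the `addslashes` era and eats legitimate backslashes in the displayed tag.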
r447 r454 27 27 if ($info = get_record('users','ident',$page_owner)) { 28 28 $name = stripslashes($info->name); 29 $username = stripslashes($info->username);29 $username = $info->username; 30 30 $mainurl = url . $username . "/"; 31 31 $rssurl = $mainurl . "rss/" . urlencode(trim($tag)); … … 57 57 header('Expires: ' . gmdate("D, d M Y H:i:s", (time()+3600)) . " GMT"); 58 58 59 $if_none_match = preg_replace('/[^0-9a-f]/', '', $_SERVER['HTTP_IF_NONE_MATCH']);59 $if_none_match = (isset($_SERVER['HTTP_IF_NONE_MATCH'])) ? preg_replace('/[^0-9a-f]/', '', $_SERVER['HTTP_IF_NONE_MATCH']) : false; 60 60 61 61 $etag = md5($output); 62 62 header('ETag: "' . $etag . '"'); 63 63 64 if ($if_none_match == $etag) {64 if ($if_none_match && $if_none_match == $etag) { 65 65 header("{$_SERVER['SERVER_PROTOCOL']} 304 Not Modified"); 66 66 exit; devel/search/rss.php
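Review bot: The ETag comparison on line 64 should be strict, `if ($if_none_match === $etag) {`: both operands are strings that can be numeric (`md5()` can yield `0e` followed by thirty digits, and the client value is filtered to hex), and PHP compares two numeric strings as numbers, so `If-None-Match: 0e0` would match such a digest. The consequence is only a spurious 304 for that client, so this is hardening rather than an exposure, but `===` also makes the new `$if_none_match &&` guard redundant because `false === $etag` is never true.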
r296 r454 18 18 // no time data on this RSS, at least not without rewriting some function outputs 19 19 20 $if_none_match = preg_replace('/[^0-9a-f]/', '', $_SERVER['HTTP_IF_NONE_MATCH']);20 $if_none_match = (isset($_SERVER['HTTP_IF_NONE_MATCH'])) ? preg_replace('/[^0-9a-f]/', '', $_SERVER['HTTP_IF_NONE_MATCH']) : false; 21 21 22 22 $etag = md5($output); 23 23 24 if ($if_none_match == $etag) {24 if ($if_none_match && $if_none_match == $etag) { 25 25 header("{$_SERVER['SERVER_PROTOCOL']} 304 Not Modified"); 26 26 exit; devel/units/admin/admin_actions.php
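Review bot: Line 24 compares the hex-filtered client value and the md5 digest with `==`; two numeric-looking strings (for example a digest beginning `0e` followed by digits) compare as floats under `==`, so use `if ($if_none_match === $etag) {`. That also removes the need for the `$if_none_match &&` prefix added here, since `false === $etag` cannot hold. The impact is limited to a client that chooses to send a forged header, so this is a correctness nit rather than an exposure.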
r269 r454 178 178 $rssresult = run("profile:rss:publish", array($newid, false)); 179 179 $sitename = sitename; 180 $username = stripslashes($new_username[$i]);180 $username = $new_username[$i]; 181 181 email_to_user($u,null,sprintf(gettext("Your new %s account"),sitename), 182 182 sprintf(gettext("You have been added to %s!\n\nFor your records, your %s username and password are:\n\n\tUsername: %s\n\t" 183 183 ."Password: %s\n\nYou can log in at any time by visiting %s and entering these details into the login form.\n\n" 184 ."We hope you enjoy using the system.\n\nRegards,\n\nThe %s Team"),$sitename,$sitename,$username, stripslashes($password),url,$sitename));184 ."We hope you enjoy using the system.\n\nRegards,\n\nThe %s Team"),$sitename,$sitename,$username,$password,url,$sitename)); 185 185 $messages[] = sprintf(gettext("User %s was created."),$username); 186 186 } devel/units/admin/admin_users_panel.php
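Review bot: Line 184 still mails the newly created account's cleartext password, and the only change here is dropping `stripslashes()` from it; since `$password` is presumably generated or entered by the admin above the hunk, consider emailing a time-limited set-password link instead, or at minimum flagging the account to require a password change on first login. The `stripslashes()` removal itself is consistent with the rest of the changeset, provided `$password` is never passed through `addslashes()` on the way in. The enclosing loop starts before the hunk.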
r269 r454 9 9 $run_result .= templates_draw(array( 10 10 'context' => 'adminTable', 11 'name' => "<p>" . stripslashes($parameter->username). "</p>",12 'column1' => "<a href=\"" . url . "_userdetails/?profile_id=" .$parameter->ident . "&context=admin\" >" . stripslashes($parameter->name) . "</a> [<a href=\"".url . stripslashes($parameter->username)."/\">" . gettext("Profile") . "</a>]",11 'name' => "<p>" . $parameter->username . "</p>", 12 'column1' => "<a href=\"" . url . "_userdetails/?profile_id=" .$parameter->ident . "&context=admin\" >" . stripslashes($parameter->name) . "</a> [<a href=\"".url . $parameter->username ."/\">" . gettext("Profile") . "</a>]", 13 13 'column2' => "<a href=\"mailto:" . $parameter->email. "\" >" . $parameter->email . "</a>" 14 14 ) devel/units/communities/communities_actions.php
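Review bot: `$parameter->username`, `stripslashes($parameter->name)` and `$parameter->email` are concatenated into HTML on lines 11-13 with no `htmlspecialchars()`, and all three originate from user registration, so unless `templates_draw()` escapes its arguments (not visible here) a crafted name or email address becomes stored XSS that runs in an administrator's session. Each value should be escaped at this point, e.g. `'column2' => "<a href=\"mailto:" . htmlspecialchars($parameter->email, ENT_COMPAT, 'utf-8') . "\">" . htmlspecialchars($parameter->email, ENT_COMPAT, 'utf-8') . "</a>"`, with the same treatment for `name` and `username` in the other two entries. The `&context=admin` inside the profile link's `href` should also be `&amp;context=admin`.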
r453 r454 22 22 $messages[] = gettext("Error! The community name cannot be blank."); 23 23 } else { 24 $ username = strtolower(trim($comm_username));25 if (record_exists('users','username',$ username)) {26 $messages[] = sprintf(gettext("The username %s is already taken by another user. You will need to pick a different one."), stripslashes($username));24 $comm_username = strtolower(trim($comm_username)); 25 if (record_exists('users','username',$comm_username)) { 26 $messages[] = sprintf(gettext("The username %s is already taken by another user. You will need to pick a different one."), $comm_username); 27 27 } else { 28 28 $name = trim($comm_name); 29 29 $c = new StdClass; 30 30 $c->name = $name; 31 $c->username = $ username;31 $c->username = $comm_username; 32 32 $c->user_type = 'community'; 33 33 $c->owner = $USER->ident; devel/units/communities/communities_edit.php
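Review bot: Between the blank-name check and the uniqueness check, `$comm_username` is stored with only `strtolower(trim())` applied, and this changeset elsewhere stops stripping or escaping `username` when it is embedded in URLs and HTML attributes, so this is the place to enforce the character set those consumers rely on — for example `} elseif (!preg_match('/^[a-z0-9_]+$/', $comm_username)) { $messages[] = gettext("Community usernames may only contain lowercase letters, numbers and underscores."); }` ahead of the `record_exists()` call, unless such a check already exists before line 22, which the hunk does not show. The message text is illustrative.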
r447 r454 21 21 foreach($result as $key => $info) { 22 22 $w = 100; 23 if (sizeof($ parameter[1]) > 4) {23 if (sizeof($result) > 4) { 24 24 $w = 50; 25 25 } 26 $friends_username = stripslashes($info->username);27 26 // $friends_name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 28 27 $friends_name = htmlspecialchars(run("profile:display:name",$info->ident), ENT_COMPAT, 'utf-8'); … … 32 31 <td> 33 32 <p> 34 <a href="{$CFG->wwwroot}{$ friends_username}/">35 <img src="{$CFG->wwwroot}{$ friends_username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br />33 <a href="{$CFG->wwwroot}{$info->username}/"> 34 <img src="{$CFG->wwwroot}{$info->username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br /> 36 35 <span class="userdetails"> 37 36 {$friends_name} devel/units/communities/communities_members.php
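Review bot: `{$info->username}` is now interpolated directly into the `href` and `src` attributes on lines 33-34, while `{$friends_name}` beside it goes through `htmlspecialchars()`; that is only safe if usernames are restricted to URL- and attribute-safe characters at creation, which this hunk cannot confirm. Either escape here as well — assign `htmlspecialchars($info->username, ENT_COMPAT, 'utf-8')` to a local before the heredoc and interpolate that — or document the username character rule at the point where it is enforced. The `sizeof($parameter[1])` → `sizeof($result)` fix on line 23 looks right; the loop begins before the hunk.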
r447 r454 24 24 $w = 50; 25 25 } 26 $friends_username = stripslashes($info->username);27 26 // $friends_name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 28 27 $friends_name = htmlspecialchars(run("profile:display:name", $info->ident), ENT_COMPAT, 'utf-8'); … … 32 31 <td> 33 32 <p> 34 <a href="{$CFG->wwwroot}{$ friends_username}/">35 <img src="{$CFG->wwwroot}{$ friends_username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br />33 <a href="{$CFG->wwwroot}{$info->username}/"> 34 <img src="{$CFG->wwwroot}{$info->username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br /> 36 35 <span class="userdetails"> 37 36 {$friends_name} devel/units/communities/communities_membership_requests.php
r339 r454 1 1 <?php 2 2 global $CFG; 3 $body = ''; 3 4 // Lists membership requests for a community 4 5 devel/units/communities/communities_moderator_of.php
r453 r454 23 23 // $w = 100; 24 24 //} 25 $friends_username = stripslashes($info->username);26 25 // $friends_name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 27 26 $friends_name = htmlspecialchars(run("profile:display:name", $info->ident), ENT_COMPAT, 'utf-8'); … … 31 30 <td> 32 31 <p> 33 <a href="{$CFG->wwwroot}{$ friends_username}/">34 <img src="{$CFG->wwwroot}{$ friends_username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br />32 <a href="{$CFG->wwwroot}{$info->username}/"> 33 <img src="{$CFG->wwwroot}{$info->username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br /> 35 34 <span class="userdetails"> 36 35 {$friends_name} devel/units/communities/communities_owned.php
r287 r454 9 9 foreach($result as $row) { 10 10 $row->name = run("profile:display:name",$row->ident); 11 $body .= "<li><a href=\"" . url . stripslashes($row->username). "/\">" . stripslashes($row->name) . "</a></li>";11 $body .= "<li><a href=\"" . url . $row->username . "/\">" . stripslashes($row->name) . "</a></li>"; 12 12 } 13 13 $body .= "</ul>"; devel/units/communities/community_memberships.php
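Review bot: Line 11 outputs `stripslashes($row->name)` as the `<a>` text without escaping, and `$row->name` comes from `run("profile:display:name", ...)`, which the sibling files in this changeset (`communities_edit.php`, `friends_edit.php`) wrap in `htmlspecialchars()` — so the display name is evidently not pre-escaped, and a name containing markup is rendered as HTML here. Use `htmlspecialchars(stripslashes($row->name), ENT_COMPAT, 'utf-8')` for the link text; the identical line in community_memberships.php needs the same. The surrounding loop starts before the hunk.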
r359 r454 12 12 foreach($result as $row) { 13 13 $row->name = run("profile:display:name",$row->ident); 14 $body .= "<li><a href=\"" . url . stripslashes($row->username). "/\">" . stripslashes($row->name) . "</a></li>";14 $body .= "<li><a href=\"" . url . $row->username . "/\">" . stripslashes($row->name) . "</a></li>"; 15 15 } 16 16 $body .= "</ul>"; devel/units/display/function_output_field_display.php
r359 r454 18 18 */ 19 19 20 global $db; 20 21 global $page_owner; 21 22 … … 78 79 $where = run("users:access_level_sql_where",$_SESSION['userid']); 79 80 $keywords = ""; 80 if ($tags = get_records_select('tags'.'('.$where.") AND tagtype = '".addslashes($parameter[2])."' andref = ".$parameter[4],null,'tag ASC')) {81 if ($tags = get_records_select('tags'.'('.$where.") AND tagtype = " . $db->qstr($parameter[2]) . " AND ref = ".$parameter[4],null,'tag ASC')) { 81 82 foreach($tags as $key => $tag) { 82 83 if ($key > 0) { devel/units/files/function_rss_publish.php
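Review bot: The `get_records_select()` call on line 81 joins the table name to the WHERE clause with `.` instead of `,`, so its first argument is the single string `tags(` … `) AND tagtype = …` and the condition parameter is `null`; the sibling call in displaylib.php in this same changeset has the intended shape. It should read `get_records_select('tags', "($where) AND tagtype = " . $db->qstr($parameter[2]) . " AND ref = " . (int) $parameter[4], null, 'tag ASC')` — the `(int)` cast also covers `$parameter[4]`, which is still concatenated unquoted. The defect is pre-existing, but this line was rewritten here, so it is the moment to fix it.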
r453 r454 37 37 $info = get_record('users','ident',$userid); 38 38 $name = stripslashes($info->name); 39 $username = stripslashes($info->username);39 $username = $info->username; 40 40 $mainurl = $CFG->wwwroot . $username . "/files/"; 41 41 $rssurl = $mainurl . "rss/"; devel/units/files/function_search.php
r447 r454 1 1 <?php 2 2 global $CFG,$USER; 3 global $db; 3 4 global $search_exclusions; 4 5 5 6 if (isset($parameter) && $parameter[0] == "file") { 7 8 $dbtag = $db->qstr($parameter[1]); 6 9 7 10 $search_exclusions[] = "folder"; … … 9 12 $accessline = "(" . run("users:access_level_sql_where",$USER->ident) . ")"; 10 13 $accessline = str_replace("owner","t.owner",$accessline); 11 $searchline_files = "$accessline and tagtype = 'file' and owner = $owner and tag = '".addslashes($parameter[1])."'";12 $searchline_folders = "$accessline and tagtype = 'folder' and owner = $owner and tag = '".addslashes($parameter[1])."'";14 $searchline_files = "$accessline AND tagtype = 'file' AND owner = $owner AND tag = " . $dbtag . ""; 15 $searchline_folders = "$accessline AND tagtype = 'folder' AND owner = $owner AND tag = " . $dbtag . ""; 13 16 $searchline = ""; 14 17 $searchlist = array(); … … 39 42 $run_result .= templates_draw(array( 40 43 'context' => 'folder', 41 'username' => stripslashes($folder->username),42 'url' => url .stripslashes($folder->username)."/files/".$folder->ident,44 'username' => $folder->username, 45 'url' => url . $folder->username . "/files/" . $folder->ident, 43 46 'ident' => $folder->ident, 44 47 'name' => stripslashes($folder->name), … … 70 73 // $name = stripslashes($f->userfullname); 71 74 $name = run("profile:display:name",$f->userid); 72 $username = stripslashes($f->username);75 $username = $f->username; 73 76 } 74 77 … … 94 97 } 95 98 } 96 $searchline = " tagtype IN ('file','folder') and tag = '".addslashes($parameter[1])."'";99 $searchline = " tagtype IN ('file','folder') AND tag = " . $dbtag . ""; 97 100 $searchline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ") and " . $searchline; 98 101 $searchline = str_replace("owner","t.owner",$searchline); devel/units/files/function_search_ecl.php
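Review bot: `$dbtag` now quotes the tag on lines 14-15 and 99, but `$owner` is still concatenated into `owner = $owner` on the same lines and its origin is outside this hunk; the RSS variant of this search obtains it via `optional_param('owner', 0, PARAM_INT)`, and if this file does the same it is fine, otherwise cast at the point of use: `" AND owner = " . (int) $owner . " AND tag = " . $dbtag`. Computing `$dbtag` once at the top is a good move since the same value feeds three queries.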
r447 r454 10 10 $sitename = sitename; 11 11 12 // Not sure if we still need addslashes after the magic_quotes workaround in lib/setup.php 13 // so wrapping it in stripslashes first just to make sure. 14 $parameter[1] = addslashes(stripslashes($parameter[1])); 12 $parameter[1] = trim($parameter[1]); 13 15 14 if ($file_refs = get_records_sql('SELECT DISTINCT t.owner,1 FROM '.$CFG->prefix.'tags t 16 15 LEFT JOIN '.$CFG->prefix."files f ON f.ident = t.refs … … 27 26 if ($info = get_record('users','ident',$page_owner)) { 28 27 $name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 29 $username = htmlspecialchars( stripslashes($info->username), ENT_COMPAT, 'utf-8');30 $mainurl = htmlspecialchars(url . $username . "/files/", ENT_COMPAT, 'utf-8');28 $username = htmlspecialchars($info->username, ENT_COMPAT, 'utf-8'); 29 $mainurl = url . $username . "/files/"; 31 30 $run_result .= <<< END 32 31 <channel xml:base='$mainurl'> devel/units/files/function_search_rss.php
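Review bot: Line 12 replaces `addslashes(stripslashes($parameter[1]))` with `trim()`, but the `get_records_sql()` that consumes `$parameter[1]` continues past the hunk, and if its WHERE clause still interpolates the value the way the old escaping implied (`tag = '$parameter[1]'`), this change turns a double-escaping wart into a SQL injection; the query should take `$db->qstr($parameter[1])`, as function_search.php does in this same changeset. Please confirm the remainder of that statement. Removing the second `htmlspecialchars()` around `$mainurl` on line 29 is correct, since `$username` was already escaped once and the value goes into `xml:base`.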
r420 r454 1 1 <?php 2 2 global $CFG; 3 global $db; 3 4 global $search_exclusions; 4 5 … … 7 8 $search_exclusions[] = "folder"; 8 9 $search_exclusions[] = "file"; 10 $dbtag = $db->qstr($parameter[1]); 9 11 10 12 $owner = optional_param('owner',0,PARAM_INT); 11 13 $accessline = "(" . run("users:access_level_sql_where",$_SESSION['userid']) . ")"; 12 $searchline_files = "$accessline and tagtype = 'file' and tag = '".addslashes($parameter[1])."'";13 $searchline_folders = "$accessline and tagtype = 'folder' and tag = '".addslashes($parameter[1])."'";14 $searchline_files = "$accessline and tagtype = 'file' and tag = " . $dbtag . ""; 15 $searchline_folders = "$accessline and tagtype = 'folder' and tag = " . $dbtag . ""; 14 16 $searchline_files = str_replace("access", "f.access", $searchline_files); 15 17 $searchline_files = str_replace("owner", "f.owner", $searchline_files); … … 31 33 $run_result .= "\t<item>\n"; 32 34 $run_result .= "\t\t<title><![CDATA[". gettext("File folder") ." :: " . (stripslashes($folder->fullname)) . " :: " . (stripslashes($folder->name)) . "]]></title>\n"; 33 $run_result .= "\t\t<link>" . url . htmlspecialchars(stripslashes($folder->username), ENT_COMPAT, 'utf-8'). "/files/" . $folder->ident . "</link>\n";35 $run_result .= "\t\t<link>" . url . $folder->username . "/files/" . $folder->ident . "</link>\n"; 34 36 $run_result .= "\t</item>\n"; 35 37 } … … 41 43 $run_result .= "\t<item>\n"; 42 44 $run_result .= "\t\t<title><![CDATA[". gettext("File") ." :: " . (stripslashes($file->fullname)) . " :: " . (stripslashes($file->title)) . "]]></title>\n"; 43 $run_result .= "\t\t<link>" . url . (stripslashes($file->username)). "/files/" . $file->folder . "/" . $file->ident . "/" . urlencode(stripslashes($file->originalname)) . "</link>\n";44 $run_result .= "\t\t<enclosure url=\"" . url . htmlspecialchars(stripslashes($file->username), ENT_COMPAT, 'utf-8') . "/files/" . $file->folder . "/" . $file->ident . 
"/" .urlencode(htmlspecialchars(stripslashes($file->originalname), ENT_COMPAT, 'utf-8')) . "\" length=\"". $file->size ."\" mimetype=\"$mimetype\" />\n";45 $run_result .= "\t\t<link>" . url . $file->username . "/files/" . $file->folder . "/" . $file->ident . "/" . urlencode(stripslashes($file->originalname)) . "</link>\n"; 46 $run_result .= "\t\t<enclosure url=\"" . url . $file->username, ENT_COMPAT, 'utf-8') . "/files/" . $file->folder . "/" . $file->ident . "/" .urlencode(htmlspecialchars(stripslashes($file->originalname), ENT_COMPAT, 'utf-8')) . "\" length=\"". $file->size ."\" mimetype=\"$mimetype\" />\n"; 45 47 $run_result .= "\t</item>\n"; 46 48 } devel/units/friends/friends_edit.php
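Review bot: Line 46 is a parse error — the `htmlspecialchars(` around the enclosure URL's username was removed but its trailing `, ENT_COMPAT, 'utf-8')` was left behind, so `url . $file->username, ENT_COMPAT, 'utf-8') . "/files/"` does not compile and the whole unit fails to load. It should read `$run_result .= "\t\t<enclosure url=\"" . url . $file->username . "/files/" . $file->folder . "/" . $file->ident . "/" . urlencode(htmlspecialchars(stripslashes($file->originalname), ENT_COMPAT, 'utf-8')) . "\" length=\"". $file->size ."\" mimetype=\"$mimetype\" />\n";`. The `<link>` elements on lines 35 and 45 now embed the raw username in XML, which is fine only if usernames are restricted to safe characters at creation.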
r453 r454 23 23 $w = 50; 24 24 } 25 $friends_username = stripslashes($info->username);26 25 // $friends_name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 27 26 $friends_name = htmlspecialchars(run("profile:display:name", $info->ident), ENT_COMPAT, 'utf-8'); … … 31 30 <td> 32 31 <p> 33 <a href="{$CFG->wwwroot}{$ friends_username}/">34 <img src="{$CFG->wwwroot}{$ friends_username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br />32 <a href="{$CFG->wwwroot}{$info->username}/"> 33 <img src="{$CFG->wwwroot}{$info->username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br /> 35 34 <span class="userdetails"> 36 35 {$friends_name} devel/units/friends/friends_of_edit.php
r447 r454 21 21 foreach($result as $key => $info) { 22 22 $w = 100; 23 if (sizeof($ parameter[1]) > 4) {23 if (sizeof($result) > 4) { 24 24 $w = 50; 25 25 } 26 $friends_username = stripslashes($info->username);27 26 // $friends_name = htmlspecialchars(stripslashes($info->name), ENT_COMPAT, 'utf-8'); 28 27 $friends_name = htmlspecialchars(run("profile:display:name", $info->ident), ENT_COMPAT, 'utf-8'); … … 32 31 <td> 33 32 <p> 34 <a href="{$CFG->wwwroot}{$ friends_username}/">35 <img src="{$CFG->wwwroot}{$ friends_username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br />33 <a href="{$CFG->wwwroot}{$info->username}/"> 34 <img src="{$CFG->wwwroot}{$info->username}/icons/{$info->icon}/w/{$w}" alt="{$friends_name}" border="0" /></a><br /> <
