Fixed XSS security holes in JS/PHP.

Fixed some loading/query bugs with sending back and forth from trainer to trainer and skipping sentences.
Fixed some bugs for Splitter Review.
Deleted some no longer used JS files.
Fixed Statistics Page queries.

Source/NeoXplora.com/controller/browse/linker.php

@@ -92,7 +92,7 @@ public function loadPage() {
 
         $data[] = (object) array(
           "Id" => $sentence_data['SentenceId'], 
-          "Sentence" => $sentence_data['Sentence'],
+          "Sentence" => htmlspecialchars($sentence_data['Sentence'], ENT_QUOTES),
           "Rep" => $sentence_data['Rep'],
           "Highlights" => $highlights,
           "Children" => $children

Source/NeoXplora.com/controller/panel/pages.php

@@ -158,15 +158,12 @@ public function edit() {
 
       $this->template->page = "edit_pages_panel";
 
-      if(isset($_POST['submit'])) {
-        if($_POST['pageTitle'] == $pageTitle && $_POST['pageBody'] == $pageBody) {
-          $this->core->entity("page")->update($pageId, array("categoryid" => intval($_POST['categoryId'])));
-          $this->template->redirect = "panel.php?type=pages&page=" . $page;
-        } else if($_POST['pageTitle'] != "" && $_POST['pageBody'] != "" && intval($_POST['categoryId']) > -1) {
-          //edit request to delphi
-          $this->Delphi()->PageEdit($pageId, $_POST['pageTitle'], $_POST['pageBody'], $_POST['categoryId']);
-          $this->template->redirect = "panel.php?type=pages&page=" . $page;
-        }
+      if(isset($_POST['submit_editcat'])) {
+        $this->core->entity("page")->update($pageId, array("categoryid" => intval($_POST['categoryId'])));
+        $this->template->redirect = "panel.php?type=pages&page=" . $page;
+      } else if(isset($_POST['submit_regenerate']) && $_POST['pageTitle'] != "" && $_POST['pageBody'] != "" && intval($_POST['categoryId']) > -1) {
+        $this->Delphi()->PageEdit($pageId, $_POST['pageTitle'], $_POST['pageBody'], $_POST['categoryId']);
+        $this->template->redirect = "panel.php?type=pages&page=" . $page;
       }
     }
 

Source/NeoXplora.com/controller/review/splitter.php

@@ -162,6 +162,7 @@ private function loadSentences($protoId, $intendation) {
           "order" => $sentence_data['order'],
           "indentation" => $intendation,
           "rowclass" => "row1",
+          "status" => $sentence_data['status'],
           "name" => $sentence_data['name']
         );
       }
@@ -317,7 +318,8 @@ public function revert() {
       array(
         "protoid" => $newProtoId,
         "order" => $newOrder,
-        "name" => $newName
+        "name" => $newName,
+        "status" => "ssTrainedSplit"
       )
     );
 
@@ -431,7 +433,8 @@ public function approveMultiple() {
         "mainprotoid" => $protoIDs
       ),
       array(
-        "status" => 'ssReviewedSplit'
+        "status" => 'ssReviewedSplit',
+        "isfixed" => 1
       )
     );
 
@@ -467,7 +470,7 @@ public function dismissMultiple() {
     $wherein = '';
     $wherein .= " s.`pr2ID` IN (";
     for($i = 0; $i < count($protoIDs); $i++) {
-      $wherein .= "'" . $protoIDs . "'";
+      $wherein .= "'" . $protoIDs[$i] . "'";
       if($i != count($protoIDs) - 1) $wherein .= ', ';
     }
     $wherein .= ") ";

Source/NeoXplora.com/controller/train/interpreter.php

@@ -42,6 +42,11 @@ public function index() {
   public function load() {
     $ignoreIDs = array();
     if(isset($_SESSION['ignoredInterpreterPageIDs']) && is_array($_SESSION['ignoredInterpreterPageIDs'])) {
+      $count_data = $this->core->model("train")->countSentenceNotRandom("ssReviewedSplit", $_SESSION['ignoredInterpreterPageIDs'], $_SESSION['interpreterCategoryId'])->fetch_array();
+      if($count_data['total'] == count($_SESSION['ignoredInterpreterPageIDs'])) {
+        $_SESSION['ignoredInterpreterPageIDs'] = array();
+      }
+
       $ignoreIDs = array_values($_SESSION['ignoredInterpreterPageIDs']);
     }
 
@@ -108,7 +113,7 @@ public function load() {
 
     $response = array(
       'data' => $data,
-      'pageTitle' => $pageTitle,
+      'pageTitle' => htmlspecialchars($pageTitle, ENT_QUOTES),
       'exception' => $exception
     );
 
@@ -140,7 +145,7 @@ public function skip() {
       $_SESSION['ignoredInterpreterPageIDs'] = array_values(array_slice($_SESSION['ignoredInterpreterPageIDs'], 1));
     }
 
-    $count_data = $this->core->model("train")->countSentenceNotRandom("ssReviewedSplit", $_SESSION['interpreterCategoryId'])->fetch_array();
+    $count_data = $this->core->model("train")->countSentenceNotRandom("ssReviewedSplit", $_SESSION['ignoredInterpreterPageIDs'], $_SESSION['interpreterCategoryId'])->fetch_array();
 
     if($count_data['total'] == count($_SESSION['ignoredInterpreterPageIDs'])) {
       $_SESSION['ignoredInterpreterPageIDs'] = array();

Source/NeoXplora.com/controller/train/linker.php

@@ -140,7 +140,7 @@ public function loadPage() {
 
           $data[] = (object) array(
             "Id" => $sentence_data['SentenceId'], 
-            "Sentence" => $sentence_data['Sentence'],
+            "Sentence" => htmlspecialchars($sentence_data['Sentence'], ENT_QUOTES),
             "Rep" => $sentence_data['Rep'],
             "Highlights" => $highlights,
             "Children" => $children
@@ -154,7 +154,7 @@ public function loadPage() {
         while($sentence_data = $query->fetch_array()) {
           $data[] = (object) array(
             "Id" => $sentence_data[Entity\TSentence::$tok_id], 
-            "Sentence" => $sentence_data[Entity\TSentence::$tok_name],
+            "Sentence" => htmlspecialchars($sentence_data[Entity\TSentence::$tok_name], ENT_QUOTES),
             "Rep" => $sentence_data[Entity\TSentence::$tok_rep],
             "Highlights" => array(),
             "Children" => array()
@@ -167,7 +167,7 @@ public function loadPage() {
 
     $response = array(
       'data' => $data,
-      'pageTitle' => $pageTitle
+      'pageTitle' => htmlspecialchars($pageTitle, ENT_QUOTES)
     );
 
     echo json_encode($response);

Source/NeoXplora.com/controller/train/splitter.php

@@ -65,6 +65,11 @@ public function load() {
     $ignoreIDs = array();
 
     if(isset($_SESSION['ignoredSplitPageIDs']) && is_array($_SESSION['ignoredSplitPageIDs'])) {
+      $count_data = $this->core->model("splitter", "train")->countMainProtos($_SESSION['splitCategoryId'])->fetch_array();
+
+      if($count_data['total'] == count($_SESSION['ignoredSplitPageIDs'])) {
+        $_SESSION['ignoredSplitPageIDs'] = array();
+      }
       $ignoreIDs = array_values($_SESSION['ignoredSplitPageIDs']);
     }
 
@@ -128,7 +133,7 @@ public function load() {
 
     $response = array(
       'data' => $data,
-      'pageTitle' => $pageTitle
+      'pageTitle' => htmlspecialchars($pageTitle, ENT_QUOTES)
     );
 
     echo json_encode($response);

Source/NeoXplora.com/js/module/interpreter/browse/index.js

@@ -89,10 +89,12 @@ var MInterpreterBrowseIndex_Implementation = {
     },
 
     edit: function() {
+    	var id = parseInt($(this).parent().data("id"), 10);
     	if($(this).find("input").length == 0) {
-        var rep = $(this).html().trim();
-        var newRep = $(this).html("<input type='text' class='newRep' value='" + rep + "' style='width: 830px;' /> <input type='button' value='Save' style='padding: 4px;' class='saveRep' />");
-        $('.newRep').focus();
+        var rep = $(this).text().trim();
+        var newRep = $(this).html("<input type='text' id='newRep" + id + "' class='newRep' value='' style='width: 830px;' /> <input type='button' value='Save' style='padding: 4px;' class='saveRep' />");
+        $('#newRep' + id).val(rep);
+        $('#newRep' + id).focus();
     	}
     },
 

Source/NeoXplora.com/js/module/interpreter/browse/requests.js

@@ -79,16 +79,16 @@ var MInterpreterBrowseRequests_Implementation = {
           container.find('.rep-error').remove();
           container.append("<br/><div class='rep-error' style='color: red'><br/>" + json['ErrorString'] + " at \"" + near + "\"</div>");
         } else {
-          container.html(newValue);
+          container.text(newValue);
         }
       };
     },
 
     resplitCallback: function(container) {
       return function(json) {
-      	container.nextUntil(".aproto").remove();
-      	container.remove();
-      }
+        container.nextUntil(".aproto").remove();
+        container.remove();
+      };
     }
 
 

Source/NeoXplora.com/js/module/interpreter/train/requests.js

@@ -16,6 +16,7 @@ var MInterpreterTrainRequests_Implementation = {
      */
 
     load: function() {
+    	$(".trainer").addClass("loading");
       $.ajax({
         type: "POST",
         url: NeoX.Modules.InterpreterTrainIndex.getConfig().moduleScript,
@@ -29,6 +30,7 @@ var MInterpreterTrainRequests_Implementation = {
     },
 
     save: function(sentenceID, newValue, approved) {
+    	$(".trainer").addClass("loading");
     	$.ajax({
         type: "POST",
         url: NeoX.Modules.InterpreterTrainIndex.getConfig().moduleScript,
@@ -59,6 +61,7 @@ var MInterpreterTrainRequests_Implementation = {
     },
 
     skip: function(sentenceID) {
+    	$(".trainer").addClass("loading");
       $.ajax({
         type: "POST",
         url: NeoX.Modules.InterpreterTrainIndex.getConfig().moduleScript,
@@ -73,6 +76,7 @@ var MInterpreterTrainRequests_Implementation = {
     },
 
     use: function(sentenceID, newValue, approved) {
+    	$(".trainer").addClass("loading");
     	$.ajax({
         type: "POST",
         url: NeoX.Modules.InterpreterTrainIndex.getConfig().moduleScript,
@@ -103,6 +107,7 @@ var MInterpreterTrainRequests_Implementation = {
     },
 
     resplit: function(sentenceID) {
+    	$(".trainer").addClass("loading");
       $.ajax({
         type: "POST",
         url: NeoX.Modules.InterpreterTrainIndex.getConfig().moduleScript,
@@ -121,6 +126,7 @@ var MInterpreterTrainRequests_Implementation = {
      */
 
     loadCallback: function(json) {
+    	$(".trainer").removeClass("loading");
     	if(json['exception']) {
         $(".boxContent").prepend('<h3 style="color:red; text-align: center; padding: 5px;">Error: ' + json['exception'] + '</h3>');
       } else {

Source/NeoXplora.com/js/module/splitter/review/index.js

@@ -44,6 +44,7 @@ var MSplitterReviewIndex_Implementation = {
       	NeoX.Modules.SplitterReviewIndex.hookEvent('click', NeoX.Modules.SplitterReviewIndex.getConfig().Buttons.approve, NeoX.Modules.SplitterReviewIndex.approve);
       	NeoX.Modules.SplitterReviewIndex.hookEvent('click', NeoX.Modules.SplitterReviewIndex.getConfig().Buttons.dismiss, NeoX.Modules.SplitterReviewIndex.dismiss);
       	NeoX.Modules.SplitterReviewIndex.hookEvent('click', NeoX.Modules.SplitterReviewIndex.getConfig().Buttons.approveAll, NeoX.Modules.SplitterReviewIndex.approveAll);
+      	NeoX.Modules.SplitterReviewIndex.hookEvent('click', NeoX.Modules.SplitterReviewIndex.getConfig().Buttons.dismissAll, NeoX.Modules.SplitterReviewIndex.dismissAll);
       	NeoX.Modules.SplitterReviewIndex.hookEvent('keypress', ".editProto", NeoX.Modules.SplitterReviewIndex.editProtoReq);
         NeoX.Modules.SplitterReviewIndex.hookEvent('click', ".aproto .content-indent.childProto b", NeoX.Modules.SplitterReviewIndex.editProto);
       	NeoX.Modules.SplitterReviewIndex.hookEvent('click', ".createProtoButton", NeoX.Modules.SplitterReviewIndex.createProto);
@@ -63,9 +64,11 @@ var MSplitterReviewIndex_Implementation = {
 
     editProto: function() {
     	if(!$(this).hasClass('inEdit')) {
-      	var theval = $(this).html();
+      	var theval = $(this).text();
+      	var protoId = parseInt($(this).parent().parent().parent().data("id"), 10);
       	$(this).addClass('inEdit');
-      	$(this).html("<input class='editProto' style='width: 95%; padding: 5px;' value='" + theval + "' />");
+      	$(this).html("<input class='editProto' id ='editProto" + protoId + "' style='width: 95%; padding: 5px;' value='abc' />");
+      	$('#editProto' + protoId).val(theval);
     	}
     },