
Commit ff7ef8a

committed
OSClass 2.3.5
2 parents 5933d48 + 33a4b1a commit ff7ef8a

87 files changed

+2691
-2103
lines changed

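--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,23 @@
+OSClass 2.3.5 2012-01-16
+------------------------
+- Escape quotes in attr values of input tags using a new helper: osc_esc_html
+- PHP Warning if the user doesn't have a description in his profile
+- PHP Warning in Search model
+- Modified behavior in add/edit form of custom fields
+- Style of radio buttons in custom fields
+- JS error in add/edit page in oc-admin
+- XSS vulnerabilities in search page
+- SQL injections in search page and AJAX request in oc-admin (need to be logged as an admin)
+
+OSClass 2.3.4 2012-01-03
+------------------------
+- Deleting all admins bug fixed
+- Multiple installs bug fixed
+- Feeds url using permalinks
+- SQL error using picture only items bug fixed
+- Some hooks were added on admin
+- SQL optimized a little more
+
 OSClass 2.3.3 2011-12-17
 ------------------------
 - Removed upgrade and upgrade-plugins files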

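--- a/oc-admin/ajax/ajax.php
+++ b/oc-admin/ajax/ajax.php
@@ -100,13 +100,15 @@ function doModel()
 
 foreach ($aIds as $id => $parent) {
 if ($parent == 'root') {
-if (!$catManager->updateOrder($id, $orderParent)) {
+$res = $catManager->updateOrder($id, $orderParent);
+if (is_bool($res) && !$res) {
 $error = 1;
 }
 // set parent category
 $conditions = array('pk_i_id' => $id);
 $array['fk_i_parent_id'] = NULL;
-if (!$catManager->update($array, $conditions) > 0) {
+$res = $catManager->update($array, $conditions);
+if (is_bool($res) && !$res) {
 $error = 1;
 }
 $orderParent++;
@@ -115,31 +117,31 @@ function doModel()
 $catParent = $parent;
 $orderSub = 0;
 }
-if (!$catManager->updateOrder($id, $orderSub)) {
+
+$res = $catManager->updateOrder($id, $orderSub);
+if (is_bool($res) && !$res ) {
 $error = 1;
 }
 
 // set parent category
 $conditions = array('pk_i_id' => $id);
 $array['fk_i_parent_id'] = $catParent;
-if (!$catManager->update($array, $conditions) > 0) {
+
+$res = $catManager->update($array, $conditions);
+if (is_bool($res) && !$res) {
 $error = 1;
 }
 $orderSub++;
 }
 }
 
-$result = "{";
-$error = 0;
-
-if ($error) {
-$result .= '"error" : "' . __("Some error ocurred") . '"';
+if($error) {
+$result = array( 'error' => __("Some error ocurred") ) ;
 } else {
-$result .= '"ok" : "' . __("Order saved") . '"';
+$result = array( 'ok' => __("Order saved") ) ;
 }
-$result .= "}";
-
-echo $result;
+echo json_encode($result) ;
+
 break;
 case 'category_edit_iframe':
 $this->_exportVariableToView( 'category', Category::newInstance()->findByPrimaryKey( Params::getParam("id") ) ) ;
@@ -158,66 +160,73 @@ function doModel()
 break;
 case 'field_categories_post':
 $error = 0;
-if (!$error) {
-try {
-$field = Field::newInstance()->findByName(Params::getParam("s_name"));
-if (!isset($field['pk_i_id']) || (isset($field['pk_i_id']) && $field['pk_i_id'] == Params::getParam("id"))) {
-Field::newInstance()->cleanCategoriesFromField(Params::getParam("id"));
-$slug = Params::getParam("field_slug") != '' ? Params::getParam("field_slug") : Params::getParam("id");
-$slug = preg_replace('|([-]+)|', '-', preg_replace('|[^a-z0-9_-]|', '-', strtolower($slug)));
-Field::newInstance()->update(array('s_name' => Params::getParam("s_name"), 'e_type' => Params::getParam("field_type"), 's_slug' => $slug, 'b_required' => Params::getParam("field_required") == "1" ? 1 : 0, 's_options' => Params::getParam('s_options')), array('pk_i_id' => Params::getParam("id")));
-Field::newInstance()->insertCategories(Params::getParam("id"), Params::getParam("categories"));
-} else {
+$field = Field::newInstance()->findByName(Params::getParam("s_name"));
+
+if (!isset($field['pk_i_id']) || (isset($field['pk_i_id']) && $field['pk_i_id'] == Params::getParam("id"))) {
+// remove categories from a field
+Field::newInstance()->cleanCategoriesFromField(Params::getParam("id"));
+// no error... continue updating fields
+if($error == 0) {
+$slug = Params::getParam("field_slug") != '' ? Params::getParam("field_slug") : Params::getParam("id");
+$slug = preg_replace('|([-]+)|', '-', preg_replace('|[^a-z0-9_-]|', '-', strtolower($slug)));
+$res = Field::newInstance()->update(array('s_name' => Params::getParam("s_name"), 'e_type' => Params::getParam("field_type"), 's_slug' => $slug, 'b_required' => Params::getParam("field_required") == "1" ? 1 : 0, 's_options' => Params::getParam('s_options')), array('pk_i_id' => Params::getParam("id")));
+if(is_bool($res) && !$res) {
 $error = 1;
-$message = __("Sorry, you already have one field with that name");
 }
-} catch (Exception $e) {
-$error = 1;
+}
+// no error... continue inserting categories-field
+if($error == 0) {
+$aCategories = Params::getParam("categories");
+if( is_array($aCategories) && count($aCategories) > 0) {
+$res = Field::newInstance()->insertCategories(Params::getParam("id"), $aCategories);
+if(!$res) {
+$error = 1;
+}
+}
+}
+// error while updating?
+if($error == 1) {
 $message = __("Error while updating.");
 }
+} else {
+$error = 1;
+$message = __("Sorry, you already have one field with that name");
 }
 
-$result = "{";
-if ($error) {
-$result .= '"error" : "';
-$result .= $message;
-$result .= '"';
+if($error) {
+$result = array( 'error' => $message) ;
 } else {
-$result .= '"ok" : "' . __("Saved") . '", "text" : "' . Params::getParam("s_name") . '"';
+$result = array( 'ok' => __("Saved") , 'text' => Params::getParam("s_name")) ;
 }
-$result .= "}";
-
-echo $result;
+
+echo json_encode($result) ;
+
 break;
 case 'delete_field':
 $id = Params::getParam("id");
 $error = 0;
 
-try {
-$fieldManager = Field::newInstance();
-$fieldManager->deleteByPrimaryKey($id);
-
+$fieldManager = Field::newInstance();
+$res = $fieldManager->deleteByPrimaryKey($id);
+
+if($res > 0) {
 $message = __('The custom field have been deleted');
-} catch (Exception $e) {
+} else {
 $error = 1;
 $message = __('Error while deleting');
 }
 
-$result = "{";
-if ($error) {
-$result .= '"error" : "';
-$result .= $message;
-$result .= '"';
+if($error) {
+$result = array( 'error' => $message) ;
 } else {
-$result .= '"ok" : "Saved." ';
+$result = array( 'ok' => __("Saved") ) ;
 }
-$result .= "}";
+echo json_encode($result) ;
 
-echo $result;
 break;
 case 'enable_category':
-$id = Params::getParam("id") ;
-$enabled = (Params::getParam("enabled") != '') ? Params::getParam("enabled") : 0 ;
+$id = strip_tags( Params::getParam('id') ) ;
+$enabled = (Params::getParam('enabled') != '') ? Params::getParam('enabled') : 0 ;
 $error = 0 ;
 $result = array() ;
 $aUpdated = array() ;
@@ -277,36 +286,32 @@ function doModel()
 }
 $result['affectedIds'] = array( array('id' => $id) ) ;
 echo json_encode($result) ;
+
 break ;
 case 'delete_category':
 $id = Params::getParam("id");
 $error = 0;
-
-try {
-$categoryManager = Category::newInstance();
-$categoryManager->deleteByPrimaryKey($id);
-
+
+$categoryManager = Category::newInstance();
+$res = $categoryManager->deleteByPrimaryKey($id);
+
+if($res > 0) {
 $message = __('The categories have been deleted');
-} catch (Exception $e) {
+} else {
 $error = 1;
 $message = __('Error while deleting');
 }
 
-$result = "{";
-if ($error) {
-$result .= '"error" : "';
-$result .= $message;
-$result .= '"';
+if($error) {
+$result = array( 'error' => $message) ;
 } else {
-$result .= '"ok" : "Saved." ';
+$result = array( 'ok' => __("Saved") ) ;
 }
-$result .= "}";
-
-echo $result;
+echo json_encode($result) ;
+
 break;
 case 'edit_category_post':
 $id = Params::getParam("id");
-
 $fields['i_expiration_days'] = (Params::getParam("i_expiration_days") != '') ? Params::getParam("i_expiration_days") : 0;
 
 $error = 0;
@@ -331,10 +336,10 @@ function doModel()
 
 $l = osc_language();
 if ($error==0 || ($error==1 && $has_one_title==1)) {
-try {
-$categoryManager = Category::newInstance();
-$categoryManager->updateByPrimaryKey(array('fields' => $fields, 'aFieldsDescription' => $aFieldsDescription), $id);
-} catch (Exception $e) {
+$categoryManager = Category::newInstance();
+$res = $categoryManager->updateByPrimaryKey(array('fields' => $fields, 'aFieldsDescription' => $aFieldsDescription), $id);
+
+if( is_bool($res) ) {
 $error = 2;
 }
 }
@@ -352,6 +357,7 @@ function doModel()
 $msg = __('Error while updating');
 }
 echo json_encode(array('error' => $error, 'msg' => $msg, 'text' => $aFieldsDescription[$l]['s_name']));
+
 break;
 case 'custom': // Execute via AJAX custom file
 $ajaxfile = Params::getParam("ajaxfile");
@@ -403,6 +409,7 @@ function doModel()
 $new_order = $actual_order+1;
 }
 }
+
 if($new_order != $actual_order) {
 $auxpage = $mPages->findByOrder($new_order);
 
@@ -414,10 +421,8 @@ function doModel()
 $conditions = array('pk_i_id' => $id);
 $mPages->update($array, $conditions);
 
-} else {
-
 }
-
+// TO BE IMPROVED
 // json for datatables
 $prefLocale = osc_current_admin_locale();
 $aPages = $mPages->listAll(0);
@@ -434,7 +439,7 @@ function doModel()
 $p_body = str_replace("'", "\'", trim(strip_tags($body['s_title']), "\x22\x27"));
 
 $json .= "[\"<input type='checkbox' name='id[]' value='". $page['pk_i_id'] ."' />\",";
-$json .= "\"".$page['s_internal_name']."<div id='datatables_quick_edit'>";
+$json .= "\"".osc_esc_html($page['s_internal_name'])."<div id='datatables_quick_edit'>";
 $json .= "<a href='". osc_static_page_url() ."'>". __('View page') ."</a> | ";
 $json .= "<a href='". osc_admin_base_url(true) ."?page=pages&action=edit&id=". $page['pk_i_id'] ."'>";
 $json .= __('Edit') ."</a>";
@@ -454,6 +459,7 @@ function doModel()
 $json .= "]";
 echo $json;
 }
+
 break;
 
 /******************************
@@ -475,11 +481,14 @@ function doModel()
 /***********************
 **** DOWNLOAD FILE ****
 ***********************/
-if (Params::getParam('file') != '') {
+$data = osc_file_get_contents("http://osclass.org/latest_version.php");
+$data = json_decode(substr($data, 1, strlen($data)-3), true);
+$source_file = $data['url'];
+if ($source_file != '') {
 
-$tmp = explode("/", Params::getParam('file'));
+$tmp = explode("/", $source_file);
 $filename = end($tmp);
-$result = osc_downloadFile(Params::getParam('file'), $filename);
+$result = osc_downloadFile($source_file, $filename);
 
 if ($result) { // Everything is OK, continue
 /**********************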
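Review bot: The download hunk (new lines 484-487) uses the fetched response without checking it: if `osc_file_get_contents` fails or returns a non-JSON body, `substr` runs on `false`, `json_decode` yields `null`, and `$data['url']` raises a notice, so `$source_file` is null and the `!= ''` test silently skips the update with no error reported. Guard the decoded value before use, e.g. `if (!is_array($data) || empty($data['url'])) { $source_file = ''; } else { $source_file = $data['url']; }`, and since the version file and the archive it names are fetched over plain `http://`, the surrounding code should record in a comment that the downloaded package is trusted only after the integrity check it applies (none is visible in this hunk). Separately, the `enable_category` hunk wraps `id` in `strip_tags` while the sibling `delete_field`/`delete_category` cases pass it raw; for a primary key an `(int)` cast would be the consistent guard in all three. The `is_bool($res) && !$res` tests presumably distinguish a `false` failure from an affected-row count, but that return contract is not visible here and deserves a one-line comment at the first use. `doModel` starts and ends outside every hunk.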

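--- a/oc-admin/ajax/items_processing.php
+++ b/oc-admin/ajax/items_processing.php
@@ -250,7 +250,7 @@ private function toDatatablesFormat() {
 if($title != $aRow['s_title']) {
 $title .= "...";
 }
-$this->sOutput .= '"'.addslashes(preg_replace('|\s+|',' ',$title)).' <br/>';
+$this->sOutput .= '"'.addslashes(osc_esc_html(preg_replace('|\s+|',' ',$title))).' <br/>';
 $this->sOutput .= '<div id=\'datatable_wrapper\'><div id=\'datatables_quick_edit\' ';
 if($count % 2) {
 $this->sOutput .= ' class=\'even\' ';
@@ -293,12 +293,12 @@ private function toDatatablesFormat() {
 $this->sOutput .= '</div></div>",';
 }
 
-$this->sOutput .= '"'.addslashes($aRow['s_user_name']).'",';
-$this->sOutput .= '"'.addslashes($aRow['s_category_name']).'",';
-$this->sOutput .= '"'.$aRow['s_country'].'",';
-$this->sOutput .= '"'.$aRow['s_region'].'",';
-$this->sOutput .= '"'.$aRow['s_city'].'",';
-$this->sOutput .= '"'.addslashes($aRow['dt_pub_date']).'"';
+$this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_user_name'])).'",';
+$this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_category_name'])).'",';
+$this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_country'])).'",';
+$this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_region'])).'",';
+$this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_city'])).'",';
+$this->sOutput .= '"'.addslashes(osc_esc_html($aRow['dt_pub_date'])).'"';
 if($this->extraCols > 0) $this->sOutput .= ',';
 
 if(isset($aRow['i_num_spam'])) {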
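Review bot: Wrapping the cells in `osc_esc_html` closes the markup injection, but the row is still assembled as a JSON string by hand with `addslashes`, which escapes quotes and backslashes only; a newline, tab or other control character in `s_user_name`, `s_category_name` or the location columns still yields a JSON document the datatable cannot parse (the `preg_replace('|\s+|',' ', ...)` on line 253 normalises whitespace for the title alone). Building each row as an array of cell strings and emitting it with `json_encode` would handle quoting and control characters in one place and remove the need for `addslashes` entirely. `toDatatablesFormat` starts and ends outside both hunks.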

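--- a/oc-admin/appearance.php
+++ b/oc-admin/appearance.php
@@ -96,7 +96,7 @@ function doModel() {
 $res = Widget::newInstance()->update(
 array(
 's_description' => Params::getParam('description')
-,'s_content' => Params::getParam('content')
+,'s_content' => Params::getParam('content', false, false)
 ),
 array('pk_i_id' => Params::getParam('id') )
 );
@@ -114,7 +114,7 @@ function doModel() {
 's_location' => Params::getParam('location')
 ,'e_kind' => 'html'
 ,'s_description' => Params::getParam('description')
-,'s_content' => Params::getParam('content')
+,'s_content' => Params::getParam('content', false, false)
 )
 );
 osc_add_flash_ok_message( _m('Widget added correctly'), 'admin');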
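Review bot: The two extra `false` arguments to `Params::getParam('content', false, false)` at new lines 99 and 117 are undocumented at the call site; from the neighbouring `'e_kind' => 'html'` it looks like they switch off the default request filtering so the widget body is stored verbatim, but that is inferred, not shown in these hunks. Because the stored value is presumably rendered as markup later, a reader who sees filtering disabled on request input will be tempted to "fix" it, so each site should say why: `// raw: widget body is admin-authored HTML, getParam filtering intentionally off`. The same comment belongs on both hunks. `doModel` starts and ends outside the hunks.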
