Showing with 2,691 additions and 2,103 deletions.
  1. +20 −0 CHANGELOG.txt
  2. +86 −77 oc-admin/ajax/ajax.php
  3. +7 −7 oc-admin/ajax/items_processing.php
  4. +2 −2 oc-admin/appearance.php
  5. +4 −4 oc-admin/themes/modern/admins/edit.php
  6. +2 −2 oc-admin/themes/modern/admins/index.php
  7. +22 −0 oc-admin/themes/modern/css/item_list_layout.css
  8. +1 −1 oc-admin/themes/modern/emails/frm.php
  9. +2 −2 oc-admin/themes/modern/emails/index.php
  10. +17 −20 oc-admin/themes/modern/fields/iframe.php
  11. +16 −18 oc-admin/themes/modern/fields/index.php
  12. +1 −1 oc-admin/themes/modern/languages/add.php
  13. +4 −4 oc-admin/themes/modern/languages/index.php
  14. +1 −1 oc-admin/themes/modern/pages/frm.php
  15. +1 −1 oc-admin/themes/modern/pages/index.php
  16. +21 −21 oc-admin/themes/modern/settings/add_currency.php
  17. +1 −1 oc-admin/themes/modern/settings/comments.php
  18. +5 −4 oc-admin/themes/modern/settings/currencies.php
  19. +27 −27 oc-admin/themes/modern/settings/edit_currency.php
  20. +11 −11 oc-admin/themes/modern/settings/index.php
  21. +14 −14 oc-admin/themes/modern/settings/locations.php
  22. +6 −6 oc-admin/themes/modern/settings/mailserver.php
  23. +8 −8 oc-admin/themes/modern/settings/media.php
  24. +1 −1 oc-admin/themes/modern/tools/upgrade.php
  25. +2 −2 oc-admin/themes/modern/users/index.php
  26. +5 −0 oc-content/themes/modern/style.css
  27. +4 −4 oc-includes/osclass/classes/database/DAO.php
  28. +27 −9 oc-includes/osclass/classes/database/DBConnectionClass.php
  29. +48 −16 oc-includes/osclass/core/Params.php
  30. +2 −2 oc-includes/osclass/frm/Category.form.class.php
  31. +4 −4 oc-includes/osclass/frm/Field.form.class.php
  32. +5 −5 oc-includes/osclass/frm/Form.form.class.php
  33. +12 −8 oc-includes/osclass/gui/item.php
  34. BIN oc-includes/osclass/gui/js/fancybox/blank.gif
  35. BIN oc-includes/osclass/gui/js/fancybox/fancy_close.png
  36. BIN oc-includes/osclass/gui/js/fancybox/fancy_loading.png
  37. BIN oc-includes/osclass/gui/js/fancybox/fancy_nav_left.png
  38. BIN oc-includes/osclass/gui/js/fancybox/fancy_nav_right.png
  39. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_e.png
  40. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_n.png
  41. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_ne.png
  42. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_nw.png
  43. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_s.png
  44. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_se.png
  45. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_sw.png
  46. BIN oc-includes/osclass/gui/js/fancybox/fancy_shadow_w.png
  47. BIN oc-includes/osclass/gui/js/fancybox/fancy_title_left.png
  48. BIN oc-includes/osclass/gui/js/fancybox/fancy_title_main.png
  49. BIN oc-includes/osclass/gui/js/fancybox/fancy_title_over.png
  50. BIN oc-includes/osclass/gui/js/fancybox/fancy_title_right.png
  51. BIN oc-includes/osclass/gui/js/fancybox/fancybox-x.png
  52. BIN oc-includes/osclass/gui/js/fancybox/fancybox-y.png
  53. BIN oc-includes/osclass/gui/js/fancybox/fancybox.png
  54. BIN oc-includes/osclass/gui/js/fancybox/fancybox_loading.gif
  55. BIN oc-includes/osclass/gui/js/fancybox/fancybox_sprite.png
  56. BIN oc-includes/osclass/gui/js/fancybox/helpers/fancybox_buttons.png
  57. +85 −0 oc-includes/osclass/gui/js/fancybox/helpers/jquery.fancybox-buttons.css
  58. +115 −0 oc-includes/osclass/gui/js/fancybox/helpers/jquery.fancybox-buttons.js
  59. +54 −0 oc-includes/osclass/gui/js/fancybox/helpers/jquery.fancybox-thumbs.css
  60. +151 −0 oc-includes/osclass/gui/js/fancybox/helpers/jquery.fancybox-thumbs.js
  61. +0 −72 oc-includes/osclass/gui/js/fancybox/jquery.easing-1.3.pack.js
  62. +0 −359 oc-includes/osclass/gui/js/fancybox/jquery.fancybox-1.3.4.css
  63. +0 −1,156 oc-includes/osclass/gui/js/fancybox/jquery.fancybox-1.3.4.js
  64. +0 −46 oc-includes/osclass/gui/js/fancybox/jquery.fancybox-1.3.4.pack.js
  65. +224 −0 oc-includes/osclass/gui/js/fancybox/jquery.fancybox.css
  66. +1,310 −0 oc-includes/osclass/gui/js/fancybox/jquery.fancybox.js
  67. +32 −0 oc-includes/osclass/gui/js/fancybox/jquery.fancybox.pack.js
  68. +0 −14 oc-includes/osclass/gui/js/fancybox/jquery.mousewheel-3.0.4.pack.js
  69. +16 −0 oc-includes/osclass/gui/style.css
  70. +4 −0 oc-includes/osclass/gui/user-profile.php
  71. +5 −10 oc-includes/osclass/gui/user-public-profile.php
  72. +2 −2 oc-includes/osclass/helpers/hPage.php
  73. +34 −0 oc-includes/osclass/helpers/hSanitize.php
  74. +21 −17 oc-includes/osclass/helpers/hSearch.php
  75. +2 −2 oc-includes/osclass/helpers/hUsers.php
  76. +1 −1 oc-includes/osclass/helpers/hUtils.php
  77. +1 −1 oc-includes/osclass/installer/basic_data.sql
  78. +193 −110 oc-includes/osclass/model/Category.php
  79. +3 −0 oc-includes/osclass/model/CategoryStats.php
  80. +6 −3 oc-includes/osclass/model/Country.php
  81. +3 −2 oc-includes/osclass/model/Dump.php
  82. +11 −8 oc-includes/osclass/model/Field.php
  83. +4 −0 oc-includes/osclass/model/ItemStats.php
  84. +20 −11 oc-includes/osclass/model/Search.php
  85. +3 −4 oc-includes/osclass/upgrade-funcs.php
  86. +1 −1 oc-load.php
  87. +1 −1 readme.php
@@ -1,3 +1,23 @@
+OSClass 2.3.5 2012-01-16
+------------------------
+- Escape quotes in attr values of input tags using a new helper: osc_esc_html
+- PHP Warning if the user doesn't have a description in his profile
+- PHP Warning in Search model
+- Modified behavior in add/edit form of custom fields
+- Style of radio buttons in custom fields
+- JS error in add/edit page in oc-admin
+- XSS vulnerabilities in search page
+- SQL injections in search page and AJAX request in oc-admin (need to be logged as an admin)
+
+OSClass 2.3.4 2012-01-03
+------------------------
+- Deleting all admins bug fixed
+- Multiple installs bug fixed
+- Feeds url using permalinks
+- SQL error using picture only items bug fixed
+- Some hooks were added on admin
+- SQL optimized a little more
+
OSClass 2.3.3 2011-12-17
------------------------
- Removed upgrade and upgrade-plugins files
@@ -100,13 +100,15 @@ function doModel()
foreach ($aIds as $id => $parent) {
if ($parent == 'root') {
- if (!$catManager->updateOrder($id, $orderParent)) {
+ $res = $catManager->updateOrder($id, $orderParent);
+ if (is_bool($res) && !$res) {
$error = 1;
}
// set parent category
$conditions = array('pk_i_id' => $id);
$array['fk_i_parent_id'] = NULL;
- if (!$catManager->update($array, $conditions) > 0) {
+ $res = $catManager->update($array, $conditions);
+ if (is_bool($res) && !$res) {
$error = 1;
}
$orderParent++;
@@ -115,31 +117,31 @@ function doModel()
$catParent = $parent;
$orderSub = 0;
}
- if (!$catManager->updateOrder($id, $orderSub)) {
+
+ $res = $catManager->updateOrder($id, $orderSub);
+ if (is_bool($res) && !$res ) {
$error = 1;
}
// set parent category
$conditions = array('pk_i_id' => $id);
$array['fk_i_parent_id'] = $catParent;
- if (!$catManager->update($array, $conditions) > 0) {
+
+ $res = $catManager->update($array, $conditions);
+ if (is_bool($res) && !$res) {
$error = 1;
}
$orderSub++;
}
}
- $result = "{";
- $error = 0;
-
- if ($error) {
- $result .= '"error" : "' . __("Some error ocurred") . '"';
+ if($error) {
+ $result = array( 'error' => __("Some error ocurred") ) ;
} else {
- $result .= '"ok" : "' . __("Order saved") . '"';
+ $result = array( 'ok' => __("Order saved") ) ;
}
- $result .= "}";
-
- echo $result;
+ echo json_encode($result) ;
+
break;
case 'category_edit_iframe':
$this->_exportVariableToView( 'category', Category::newInstance()->findByPrimaryKey( Params::getParam("id") ) ) ;
@@ -158,66 +160,73 @@ function doModel()
break;
case 'field_categories_post':
$error = 0;
- if (!$error) {
- try {
- $field = Field::newInstance()->findByName(Params::getParam("s_name"));
- if (!isset($field['pk_i_id']) || (isset($field['pk_i_id']) && $field['pk_i_id'] == Params::getParam("id"))) {
- Field::newInstance()->cleanCategoriesFromField(Params::getParam("id"));
- $slug = Params::getParam("field_slug") != '' ? Params::getParam("field_slug") : Params::getParam("id");
- $slug = preg_replace('|([-]+)|', '-', preg_replace('|[^a-z0-9_-]|', '-', strtolower($slug)));
- Field::newInstance()->update(array('s_name' => Params::getParam("s_name"), 'e_type' => Params::getParam("field_type"), 's_slug' => $slug, 'b_required' => Params::getParam("field_required") == "1" ? 1 : 0, 's_options' => Params::getParam('s_options')), array('pk_i_id' => Params::getParam("id")));
- Field::newInstance()->insertCategories(Params::getParam("id"), Params::getParam("categories"));
- } else {
+ $field = Field::newInstance()->findByName(Params::getParam("s_name"));
+
+ if (!isset($field['pk_i_id']) || (isset($field['pk_i_id']) && $field['pk_i_id'] == Params::getParam("id"))) {
+ // remove categories from a field
+ Field::newInstance()->cleanCategoriesFromField(Params::getParam("id"));
+ // no error... continue updating fields
+ if($error == 0) {
+ $slug = Params::getParam("field_slug") != '' ? Params::getParam("field_slug") : Params::getParam("id");
+ $slug = preg_replace('|([-]+)|', '-', preg_replace('|[^a-z0-9_-]|', '-', strtolower($slug)));
+ $res = Field::newInstance()->update(array('s_name' => Params::getParam("s_name"), 'e_type' => Params::getParam("field_type"), 's_slug' => $slug, 'b_required' => Params::getParam("field_required") == "1" ? 1 : 0, 's_options' => Params::getParam('s_options')), array('pk_i_id' => Params::getParam("id")));
+ if(is_bool($res) && !$res) {
$error = 1;
- $message = __("Sorry, you already have one field with that name");
}
- } catch (Exception $e) {
- $error = 1;
+ }
+ // no error... continue inserting categories-field
+ if($error == 0) {
+ $aCategories = Params::getParam("categories");
+ if( is_array($aCategories) && count($aCategories) > 0) {
+ $res = Field::newInstance()->insertCategories(Params::getParam("id"), $aCategories);
+ if(!$res) {
+ $error = 1;
+ }
+ }
+ }
+ // error while updating?
+ if($error == 1) {
$message = __("Error while updating.");
}
+ } else {
+ $error = 1;
+ $message = __("Sorry, you already have one field with that name");
}
- $result = "{";
- if ($error) {
- $result .= '"error" : "';
- $result .= $message;
- $result .= '"';
+ if($error) {
+ $result = array( 'error' => $message) ;
} else {
- $result .= '"ok" : "' . __("Saved") . '", "text" : "' . Params::getParam("s_name") . '"';
+ $result = array( 'ok' => __("Saved") , 'text' => Params::getParam("s_name")) ;
}
- $result .= "}";
-
- echo $result;
+
+ echo json_encode($result) ;
+
break;
case 'delete_field':
$id = Params::getParam("id");
$error = 0;
- try {
- $fieldManager = Field::newInstance();
- $fieldManager->deleteByPrimaryKey($id);
-
+ $fieldManager = Field::newInstance();
+ $res = $fieldManager->deleteByPrimaryKey($id);
+
+ if($res > 0) {
$message = __('The custom field have been deleted');
- } catch (Exception $e) {
+ } else {
$error = 1;
$message = __('Error while deleting');
}
- $result = "{";
- if ($error) {
- $result .= '"error" : "';
- $result .= $message;
- $result .= '"';
+ if($error) {
+ $result = array( 'error' => $message) ;
} else {
- $result .= '"ok" : "Saved." ';
+ $result = array( 'ok' => __("Saved") ) ;
}
- $result .= "}";
+ echo json_encode($result) ;
- echo $result;
break;
case 'enable_category':
- $id = Params::getParam("id") ;
- $enabled = (Params::getParam("enabled") != '') ? Params::getParam("enabled") : 0 ;
+ $id = strip_tags( Params::getParam('id') ) ;
+ $enabled = (Params::getParam('enabled') != '') ? Params::getParam('enabled') : 0 ;
$error = 0 ;
$result = array() ;
$aUpdated = array() ;
@@ -277,36 +286,32 @@ function doModel()
}
$result['affectedIds'] = array( array('id' => $id) ) ;
echo json_encode($result) ;
+
break ;
case 'delete_category':
$id = Params::getParam("id");
$error = 0;
-
- try {
- $categoryManager = Category::newInstance();
- $categoryManager->deleteByPrimaryKey($id);
-
+
+ $categoryManager = Category::newInstance();
+ $res = $categoryManager->deleteByPrimaryKey($id);
+
+ if($res > 0) {
$message = __('The categories have been deleted');
- } catch (Exception $e) {
+ } else {
$error = 1;
$message = __('Error while deleting');
}
- $result = "{";
- if ($error) {
- $result .= '"error" : "';
- $result .= $message;
- $result .= '"';
+ if($error) {
+ $result = array( 'error' => $message) ;
} else {
- $result .= '"ok" : "Saved." ';
+ $result = array( 'ok' => __("Saved") ) ;
}
- $result .= "}";
-
- echo $result;
+ echo json_encode($result) ;
+
break;
case 'edit_category_post':
$id = Params::getParam("id");
-
$fields['i_expiration_days'] = (Params::getParam("i_expiration_days") != '') ? Params::getParam("i_expiration_days") : 0;
$error = 0;
@@ -331,10 +336,10 @@ function doModel()
$l = osc_language();
if ($error==0 || ($error==1 && $has_one_title==1)) {
- try {
- $categoryManager = Category::newInstance();
- $categoryManager->updateByPrimaryKey(array('fields' => $fields, 'aFieldsDescription' => $aFieldsDescription), $id);
- } catch (Exception $e) {
+ $categoryManager = Category::newInstance();
+ $res = $categoryManager->updateByPrimaryKey(array('fields' => $fields, 'aFieldsDescription' => $aFieldsDescription), $id);
+
+ if( is_bool($res) ) {
$error = 2;
}
}
@@ -352,6 +357,7 @@ function doModel()
$msg = __('Error while updating');
}
echo json_encode(array('error' => $error, 'msg' => $msg, 'text' => $aFieldsDescription[$l]['s_name']));
+
break;
case 'custom': // Execute via AJAX custom file
$ajaxfile = Params::getParam("ajaxfile");
@@ -403,6 +409,7 @@ function doModel()
$new_order = $actual_order+1;
}
}
+
if($new_order != $actual_order) {
$auxpage = $mPages->findByOrder($new_order);
@@ -414,10 +421,8 @@ function doModel()
$conditions = array('pk_i_id' => $id);
$mPages->update($array, $conditions);
- } else {
-
}
-
+ // TO BE IMPROVED
// json for datatables
$prefLocale = osc_current_admin_locale();
$aPages = $mPages->listAll(0);
@@ -434,7 +439,7 @@ function doModel()
$p_body = str_replace("'", "\'", trim(strip_tags($body['s_title']), "\x22\x27"));
$json .= "[\"<input type='checkbox' name='id[]' value='". $page['pk_i_id'] ."' />\",";
- $json .= "\"".$page['s_internal_name']."<div id='datatables_quick_edit'>";
+ $json .= "\"".osc_esc_html($page['s_internal_name'])."<div id='datatables_quick_edit'>";
$json .= "<a href='". osc_static_page_url() ."'>". __('View page') ."</a> | ";
$json .= "<a href='". osc_admin_base_url(true) ."?page=pages&action=edit&id=". $page['pk_i_id'] ."'>";
$json .= __('Edit') ."</a>";
@@ -454,6 +459,7 @@ function doModel()
$json .= "]";
echo $json;
}
+
break;
/******************************
@@ -475,11 +481,14 @@ function doModel()
/***********************
**** DOWNLOAD FILE ****
***********************/
- if (Params::getParam('file') != '') {
+ $data = osc_file_get_contents("http://osclass.org/latest_version.php");
+ $data = json_decode(substr($data, 1, strlen($data)-3), true);
+ $source_file = $data['url'];
+ if ($source_file != '') {
- $tmp = explode("/", Params::getParam('file'));
+ $tmp = explode("/", $source_file);
$filename = end($tmp);
- $result = osc_downloadFile(Params::getParam('file'), $filename);
+ $result = osc_downloadFile($source_file, $filename);
if ($result) { // Everything is OK, continue
/**********************
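Review bot: In the upgrade hunk (`@@ -475,11 +481,14 @@`) the download location now comes from an unauthenticated plain-http fetch of `http://osclass.org/latest_version.php`, and `$data['url']` is handed straight to `osc_downloadFile()` with no check that the fetch or the `json_decode` succeeded, no restriction on which host the URL may point to, and no integrity check on what is downloaded — so whoever can answer that request chooses the code the installer fetches. Guarding the decode, rejecting a URL whose host is not the expected one, and verifying the archive against a published checksum or signature before it is used (unless `osc_downloadFile()` already does so elsewhere) would close the gap; the `substr($data, 1, strlen($data)-3)` framing also deserves a comment saying which wrapper it strips. Separately, in the `enable_category` hunk, `$id = strip_tags( Params::getParam('id') )` is the wrong sanitizer for a value that is a numeric primary key: strip_tags leaves quotes and SQL syntax untouched, so `$id = (int) Params::getParam('id');` (or a `ctype_digit` check) is what protects the query the changelog refers to. doModel() starts and ends outside these hunks.
```php
$data = osc_file_get_contents("http://osclass.org/latest_version.php");
$data = ($data === false || $data === '') ? null : json_decode(substr($data, 1, strlen($data)-3), true);
$source_file = (is_array($data) && isset($data['url'])) ? $data['url'] : '';
// Only follow a download location on the expected host; anything else is discarded.
if ($source_file != '' && parse_url($source_file, PHP_URL_HOST) !== 'osclass.org') {
    $source_file = '';
}
if ($source_file != '') {
    // … unchanged: filename extraction and osc_downloadFile() call …
    // TODO: verify the downloaded archive against a published checksum/signature before it is unpacked
```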
@@ -250,7 +250,7 @@ private function toDatatablesFormat() {
if($title != $aRow['s_title']) {
$title .= "...";
}
- $this->sOutput .= '"'.addslashes(preg_replace('|\s+|',' ',$title)).' <br/>';
+ $this->sOutput .= '"'.addslashes(osc_esc_html(preg_replace('|\s+|',' ',$title))).' <br/>';
$this->sOutput .= '<div id=\'datatable_wrapper\'><div id=\'datatables_quick_edit\' ';
if($count % 2) {
$this->sOutput .= ' class=\'even\' ';
@@ -293,12 +293,12 @@ private function toDatatablesFormat() {
$this->sOutput .= '</div></div>",';
}
- $this->sOutput .= '"'.addslashes($aRow['s_user_name']).'",';
- $this->sOutput .= '"'.addslashes($aRow['s_category_name']).'",';
- $this->sOutput .= '"'.$aRow['s_country'].'",';
- $this->sOutput .= '"'.$aRow['s_region'].'",';
- $this->sOutput .= '"'.$aRow['s_city'].'",';
- $this->sOutput .= '"'.addslashes($aRow['dt_pub_date']).'"';
+ $this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_user_name'])).'",';
+ $this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_category_name'])).'",';
+ $this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_country'])).'",';
+ $this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_region'])).'",';
+ $this->sOutput .= '"'.addslashes(osc_esc_html($aRow['s_city'])).'",';
+ $this->sOutput .= '"'.addslashes(osc_esc_html($aRow['dt_pub_date'])).'"';
if($this->extraCols > 0) $this->sOutput .= ',';
if(isset($aRow['i_num_spam'])) {
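Review bot: The rewritten `$this->sOutput` lines still rely on `addslashes()` as the only JSON string escaping, and addslashes does not escape newlines, tabs or other control characters, so a stored value such as `s_user_name` or `s_category_name` containing a line break would still produce an invalid JSON string; `\'` produced by addslashes is also not a valid JSON escape, unless `osc_esc_html()` (added in hSanitize.php in this commit, not shown here) already converts single quotes to entities. Using the JSON encoder per value removes the hand-rolled quoting: `$this->sOutput .= json_encode(osc_esc_html($aRow['s_user_name'])).',';` and likewise for the other five columns and the title line in the earlier hunk. toDatatablesFormat() starts and ends outside these hunks.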
@@ -96,7 +96,7 @@ function doModel() {
$res = Widget::newInstance()->update(
array(
's_description' => Params::getParam('description')
- ,'s_content' => Params::getParam('content')
+ ,'s_content' => Params::getParam('content', false, false)
),
array('pk_i_id' => Params::getParam('id') )
);
@@ -114,7 +114,7 @@ function doModel() {
's_location' => Params::getParam('location')
,'e_kind' => 'html'
,'s_description' => Params::getParam('description')
- ,'s_content' => Params::getParam('content')
+ ,'s_content' => Params::getParam('content', false, false)
)
);
osc_add_flash_ok_message( _m('Widget added correctly'), 'admin');
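Review bot: The new `Params::getParam('content', false, false)` calls in both hunks of this file pass two positional boolean flags whose meaning is not visible here (Params.php changes in this commit but is not shown), and nothing on the line records why widget content is read differently from `description`. If, as it appears, the flags skip the sanitising that `getParam` otherwise applies, a comment at each call should say so and name the assumption that makes it acceptable, e.g. `// raw HTML kept on purpose: widget content is admin-authored and rendered verbatim by the theme`, so a later reader does not "fix" it or reuse the flags for non-admin input. doModel() starts and ends outside these hunks.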