Merge branch 'release/1.11.1'

xpressengine · Oct 17, 2018 · 44a98c2 · 44a98c2
2 parents 50dc3a8 + ef53939
commit 44a98c2
Show file tree

Hide file tree

Showing 10 changed files with 29 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,4 @@ composer.lock
 *.sublime-project
 .codeintel
 
+install.config.php
diff --git a/common/js/plugins/jquery.fileupload/js/jquery.fileupload.js b/common/js/plugins/jquery.fileupload/js/jquery.fileupload.js
@@ -1144,10 +1144,10 @@
                 $.map(entries, function (entry) {
                     return that._handleFileTreeEntry(entry, path);
                 })
-            ).then(function (entries) {
+            ).then(function () {
                 return Array.prototype.concat.apply(
                     [],
-                    entries
+                    arguments
                 );
             });
         },

diff --git a/common/tpl/common_layout.html b/common/tpl/common_layout.html
@@ -67,7 +67,7 @@
 <!--@if(stripos(Context::get('act'),'admin') || Context::get('module') == 'admin')-->
 {@$isAdminKind = true}
 <!--@end-->
-<body{Context::getBodyClass()}>
+<body{Context::getBodyClass()|noescape}>
 {Context::getBodyHeader()|noescape}
 {$content|noescape}
 {Context::getHtmlFooter()|noescape}

diff --git a/config/config.inc.php b/config/config.inc.php
@@ -29,7 +29,7 @@
 /**
  * Display XE's full version.
  */
-define('__XE_VERSION__', '1.11.0');
+define('__XE_VERSION__', '1.11.1');
 define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false));
 define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false));
 define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));

diff --git a/config/func.inc.php b/config/func.inc.php
@@ -1780,6 +1780,12 @@ function reload($isOpener = FALSE)
 </script>';
 }
 
+
+function isDefinedLangCode($str)
+{
+	return preg_match('!\$user_lang->([a-z0-9\_]+)$!is', trim($str));
+}
+
 /**
  * This function is a shortcut to htmlspecialchars().
  *
@@ -1790,8 +1796,10 @@ function reload($isOpener = FALSE)
  * @param bool $double_escape Set this to false to skip symbols that are already escaped (default: true)
  * @return string
  */
-function escape($str, $double_escape = true)
+function escape($str, $double_escape = true, $escape_defined_lang_code = false)
 {
+	if(!$escape_defined_lang_code && isDefinedLangCode($str)) return $str;
+
 	$flags = ENT_QUOTES | ENT_SUBSTITUTE;
 	return htmlspecialchars($str, $flags, 'UTF-8', $double_escape);
 }

diff --git a/modules/document/document.admin.controller.php b/modules/document/document.admin.controller.php
@@ -108,6 +108,12 @@ function moveDocumentModule($document_srl_list, $module_srl, $category_srl)
 						$file_info['tmp_name'] = $val->uploaded_filename;
 						$file_info['name'] = $val->source_filename;
 						$inserted_file = $oFileController->insertFile($file_info, $module_srl, $obj->document_srl, $val->download_count, true);
+
+						if(!$inserted_file->toBool()) {
+							$oDB->rollback();
+							return $inserted_file;
+						}
+
 						if($inserted_file && $inserted_file->toBool())
 						{
 							// for image/video files
@@ -301,6 +307,12 @@ function copyDocumentModule($document_srl_list, $module_srl, $category_srl)
 					$file_info['name'] = $val->source_filename;
 					$oFileController = getController('file');
 					$inserted_file = $oFileController->insertFile($file_info, $module_srl, $obj->document_srl, 0, true);
+
+					if(!$inserted_file->toBool()) {
+						$oDB->rollback();
+						return $inserted_file;
+					}
+
 					// if image/video files
 					if($val->direct_download == 'Y')
 					{

diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
@@ -746,7 +746,7 @@ function insertFile($file_info, $module_srl, $upload_target_srl, $download_count
 		if(!FileHandler::makeDir($path)) return new BaseObject(-1,'msg_not_permitted_create');
 
 		// Check uploaded file
-		if(!checkUploadedFile($file_info['tmp_name']))  return new BaseObject(-1,'msg_file_upload_error');
+		if(!$manual_insert && !checkUploadedFile($file_info['tmp_name']))  return new BaseObject(-1,'msg_file_upload_error');
 
 		// Get random number generator
 		$random = new Password();

diff --git a/modules/module/module.model.php b/modules/module/module.model.php
@@ -403,7 +403,6 @@ function getModuleInfoByModuleSrl($module_srl, $columnList = array())
 		else $module_info = $mid_info;
 
 		$oModuleController = getController('module');
-		if(isset($module_info->browser_title)) $oModuleController->replaceDefinedLangCode($module_info->browser_title);
 
 		$this->applyDefaultSkin($module_info);
 		return $this->addModuleExtraVars($module_info);

diff --git a/modules/module/tpl/module_selector.html b/modules/module/tpl/module_selector.html
@@ -43,7 +43,7 @@ <h2 cond="$key" style="margin-top:40px;">{$key}</h2>
 			{@ $_idx =0; }
 			<!--@foreach($val as $k => $v)-->
 				<!--@if($_idx >0)--><tr><!--@end-->
-				{@ $browser_title = str_replace("'", "\\'", htmlspecialchars($v->browser_title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)); }
+				{@ $browser_title = str_replace("'", "\\'", escape($v->browser_title, false)); }
 				<td>{$k}</td>
 				<td>{$v->browser_title}</td>
 				<td><a href="#" onclick="insertModule('{$id}', {$v->module_srl}, '{$k}', '{$browser_title}',{$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>

diff --git a/modules/seo/seo.class.php b/modules/seo/seo.class.php
@@ -123,7 +123,7 @@ protected function applySEO()
 			$na_script = <<< NASCRIPT
 <!-- NAVER Analytics -->
 <script src="//wcs.naver.net/wcslog.js"></script>
-<script>if(!wcs_add){var wcs_add={wa:'{$config->na_id}'};}if(typeof wcs_do!="undefined"){wcs_do();}</script>
+<script>if(!wcs_add){var wcs_add={};};wcs_add['wa']='{$config->na_id}';if(typeof wcs_do!="undefined"){wcs_do();}</script>
 NASCRIPT;
 			Context::addHtmlFooter($na_script . PHP_EOL);
 		}