2 changes: 1 addition & 1 deletion www/actions/comment_edit.php
Expand Up @@ -54,7 +54,7 @@
header('Location: '.changeURL(base64url_decode($_POST['url']), $url_querystring)); // Redirect user back to where he came from
exit;
} else {
$commentText = escape_text($_POST['text']);
$commentText = htmlspecialchars_decode($_POST['text'], ENT_COMPAT | ENT_SUBSTITUTE);
$_POST['text'] = $commentText; // required for passing to Comment::update() later...
}
if (DEVELOPMENT) error_log(sprintf('[DEBUG] <%s:%d> $_POST[text]: OK', __FILE__, __LINE__));
Expand Down
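Review bot: The new line `$commentText = htmlspecialchars_decode($_POST['text'], ENT_COMPAT | ENT_SUBSTITUTE);` is not a sanitizer — it turns `&lt;script&gt;` back into `<script>` and removes whatever `escape_text()` previously did, and the result is then written back into `$_POST['text']` for `Comment::update()`. Unless every template that renders comment text escapes it at output (not visible in this diff), this stores attacker-controlled raw HTML and is a stored-XSS vector. If the goal is only to avoid double-encoding of already-encoded input, decode here but escape once at render time, and say so: `// NOTE: stored text is raw/undecoded HTML — templates MUST escape it on output`. The enclosing `if`/`else` starts above the hunk.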
2 changes: 1 addition & 1 deletion www/actions/comment_new.php
Expand Up @@ -25,7 +25,7 @@
user_error('keine leeren Posts erlaubt.', E_USER_WARNING);
die();
} else {
$commentText = escape_text($_POST['text']);
$commentText = htmlspecialchars_decode($_POST['text'], ENT_COMPAT | ENT_SUBSTITUTE);
}

if(!is_numeric($_POST['parent_id']) || $_POST['parent_id'] == '')
Expand Down
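Review bot: The same decode-instead-of-sanitize swap appears here as in comment_edit.php and forum.inc.php, so the three call sites now each carry their own copy of `htmlspecialchars_decode($x, ENT_COMPAT | ENT_SUBSTITUTE)` with no shared helper and no documented contract for what "safe comment text" means. A single helper such as `function normalize_comment_text(string $text): string` would keep them from drifting and give one place to document that the stored value is raw HTML that must be escaped at output. Note also that `ENT_COMPAT` leaves `&#039;` encoded while decoding `&quot;`, so quoting is handled asymmetrically — confirm that is intended.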
2 changes: 1 addition & 1 deletion www/actions/events.php
Expand Up @@ -27,7 +27,7 @@
if ( !empty($_POST['location'])) $eventLocation = sanitize_userinput($_POST['location']);
if ( !empty($_POST['link'])) $eventLink = escape_text((filter_var($_POST['link'], FILTER_VALIDATE_URL)===false?(filter_var(SITE_PROTOCOL.$_POST['link'], FILTER_VALIDATE_URL)!==false?SITE_PROTOCOL.$_POST['link']:$error='Ungültiger Event-Link'):$_POST['link']));
if ( !empty($_POST['review_url'])) $eventReviewlink = escape_text((filter_var($_POST['review_url'], FILTER_VALIDATE_URL)===false?(filter_var(SITE_PROTOCOL.$_POST['review_url'], FILTER_VALIDATE_URL)!==false?SITE_PROTOCOL.$_POST['review_url']:$error='Ungültige Review-URL'):$_POST['review_url']));
if ( !empty($_POST['description'])) $eventDescription = sanitize_userinput($_POST['description']);
if ( !empty($_POST['description'])) $eventDescription = htmlspecialchars_decode($_POST['description'], ENT_COMPAT | ENT_SUBSTITUTE);
if ( isset($_POST['gallery_id']) && is_numeric($_POST['gallery_id']) && $_POST['gallery_id'] >= 0) $eventGallery = $_POST['gallery_id'];
if ( isset($_GET['join']) && is_numeric($_GET['join']) && $_GET['join'] >= 0) $eventJoinId = $_GET['join'];
if ( isset($_GET['unjoin']) && is_numeric($_GET['unjoin']) && $_GET['unjoin'] >= 0) $eventUnjoinId = $_GET['unjoin'];
Expand Down
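Review bot: Within the same handler, `location` on line 27 is still passed through `sanitize_userinput()` while `description` is now only entity-decoded, so two free-text fields from the same form get opposite treatment, and the decoded description reaches storage as raw HTML. If the description is rendered without output escaping (not shown here) that is a stored-XSS path for any user allowed to create events. Either apply the same sanitizer to both, or document the asymmetry on the line: `// description is stored raw (decoded); rendering MUST escape it`.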
210 changes: 94 additions & 116 deletions www/includes/activities.inc.php


7 changes: 5 additions & 2 deletions www/includes/config.inc.php
Expand Up @@ -354,8 +354,11 @@
if (!defined('ERRORLOG_FILETYPE')) define('ERRORLOG_FILETYPE', (isset($_ENV['ERRORLOG_FILETYPE']) ? $_ENV['ERRORLOG_FILETYPE'] : '.log'));
if (!defined('ERRORLOG_DIR')) define('ERRORLOG_DIR', (isset($_ENV['ERRORLOG_DIR']) ? $_ENV['ERRORLOG_DIR'] : null));
if (!defined('ERRORLOG_FILE')) define('ERRORLOG_FILE', ERRORLOG_DIR.date('Y-m-d').ERRORLOG_FILETYPE);
if (!defined('ERRORLOG_LEVELS')) define('ERRORLOG_LEVELS', (isset($_ENV['ERROR_REPORTING_LEVELS']) ? $_ENV['ERROR_REPORTING_LEVELS'] : null));
if (!defined('ERRORLOG_DEBUG_SCOPE')) define('ERRORLOG_DEBUG_SCOPE', (isset($_ENV['DEBUG_SCOPE']) ? $_ENV['DEBUG_SCOPE'] : null));
if (!defined('ERRORLOG_LEVELS')) define('ERRORLOG_LEVELS', (isset($_ENV['ERROR_REPORTING_LEVELS']) ? $_ENV['ERROR_REPORTING_LEVELS'] : E_ERROR));
if (!defined('ERRORLOG_DEBUG_SCOPE')) {
define('ERRORLOG_DEBUG_SCOPE', isset($_ENV['DEBUG_SCOPE']) ? explode(',', $_ENV['DEBUG_SCOPE']) : []);
}
error_reporting(ERRORLOG_LEVELS);
require_once INCLUDES_DIR.'errlog.inc.php';
//set_error_handler('zorgErrorHandler');

Expand Down
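Review bot: `explode(',', $_ENV['DEBUG_SCOPE'])` keeps surrounding whitespace, so a value like `DEBUG_SCOPE="foo, bar"` yields `' bar'` and never matches a function or file name in the downstream `in_array` checks; `array_filter(array_map('trim', explode(',', $_ENV['DEBUG_SCOPE'])))` would fix that. The default also changes from `null` to `[]`, which means any consumer still testing `is_null(ERRORLOG_DEBUG_SCOPE)` to mean "log everything" will now log nothing unless DEBUG_SCOPE is set — worth confirming that is the intended default. Separately, `$_ENV['ERROR_REPORTING_LEVELS']` is a string; `error_reporting()` expects an int, so a `(int)` cast or explicit validation of the env value would avoid surprising levels in production.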
7 changes: 4 additions & 3 deletions www/includes/errlog.inc.php
Expand Up @@ -20,7 +20,6 @@
if (!defined('ERROR')) define('ERROR', E_USER_WARNING);
if (!defined('WARNING')) define('WARNING', E_USER_NOTICE);

error_reporting(ERRORLOG_LEVELS);
//error_reporting(FATAL | ERROR | WARNING);
//set_error_handler('zorgErrorHandler');

Expand Down Expand Up @@ -94,6 +93,8 @@ class zorgDebugger
public function __construct()
{
$this->isDevelopmentEnvironment = defined('DEVELOPMENT') && DEVELOPMENT;
$this->debug('%s', [$this->isDevelopmentEnvironment ? 'Development Environment' : 'Non-Dev Environment']);
$this->debug('SITE_HOSTNAME: %s', [SITE_HOSTNAME]);
}

/**
Expand Down Expand Up @@ -129,8 +130,8 @@ public function debug($message, $params = [], $customLoglevel='DEBUG')
$origin = $this->getOrigin();

if (is_null(ERRORLOG_DEBUG_SCOPE) ||
ERRORLOG_DEBUG_SCOPE === $origin['function'] ||
ERRORLOG_DEBUG_SCOPE === basename($origin['file']))
in_array($origin['function'], ERRORLOG_DEBUG_SCOPE) ||
in_array(basename($origin['file']), ERRORLOG_DEBUG_SCOPE))
{
$this->log($customLoglevel, $message, $params, $origin);
}
Expand Down
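Review bot: The `is_null(ERRORLOG_DEBUG_SCOPE)` branch on line 132 is now dead if config.inc.php defaults the constant to `[]` as this PR does, so with DEBUG_SCOPE unset nothing is logged even in development — if "unset means everything" was the previous intent, the check should become `empty(ERRORLOG_DEBUG_SCOPE)`. The two `in_array` calls are non-strict; pass `true` as the third argument so a scope entry like `'0'` cannot loosely match. The constructor now emits `SITE_HOSTNAME` on every instantiation; that is harmless but goes through the same scope filter, so it will rarely appear. `debug()` begins above the hunk.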
3 changes: 2 additions & 1 deletion www/includes/forum.inc.php
Expand Up @@ -699,7 +699,8 @@ static function post($parent_id, $board, $user_id, $text, $msg_users=NULL)
if (Thread::hasRights($board, $thread_id, $user_id))
{
/** Böse Sachen aus dem Text entfernen */
$text = sanitize_userinput($text);
//$text = sanitize_userinput($text);
$text = htmlspecialchars_decode($text, ENT_COMPAT | ENT_SUBSTITUTE);

/** Comment in die DB abspeichern */
$comment_error = (isset($comment_error) ? $comment_error : '');
Expand Down
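Review bot: The comment `/** Böse Sachen aus dem Text entfernen */` ("remove bad things from the text") is now false — the line beneath it decodes entities rather than removing anything, and the commented-out `sanitize_userinput` call is left behind as dead code. Replace both with an honest comment, e.g. `/** Decode HTML entities; the stored text is raw and MUST be escaped on output */`, and delete the commented-out line. This is a forum post path, so if any template renders `$text` unescaped (not visible here) it is a stored-XSS vector for every user with `Thread::hasRights`. `Thread::post()` starts above the hunk.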
8 changes: 4 additions & 4 deletions www/includes/geo2ip.inc.php
Expand Up @@ -79,8 +79,8 @@ public function __construct()
*/
$this->storeUserIPToSession($this->UserIPaddress);
$this->setMaxmindIPDetails();
} elseif (DEVELOPMENT === true) {
error_log(sprintf('[DEBUG] <%s:%d> getDataFromSession(%s): SESSION CACHE HIT!', __METHOD__, __LINE__, $this->UserIPaddress));
} else {
\zorgDebugger::me()->debug('getDataFromSession(%s): SESSION CACHE HIT!', [$this->UserIPaddress]);
}
}

Expand Down Expand Up @@ -120,7 +120,7 @@ private function getRealIPaddress()
foreach(explode(',', $_SERVER[$ServerVar]) as $ip_address)
{
/** Validate IP-Address from $_SERVER var */
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> %s => %s', __METHOD__, __LINE__, $ServerVar, $ip_address));
\zorgDebugger::me()->debug('%s => %s', [$ServerVar, $ip_address]);
$checked_IPaddress = $this->validateIPaddress((string)$ip_address);

if (!empty($checked_IPaddress) && false !== $checked_IPaddress)
Expand All @@ -129,7 +129,7 @@ private function getRealIPaddress()
return $checked_IPaddress;
}
}
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> %s => %s', __METHOD__, __LINE__, $ip_address, (empty($checked_IPaddress) ? 'empty' : ($checked_IPaddress === false ? 'false' : $checked_IPaddress))));
\zorgDebugger::me()->debug('%s => %s', [$ip_address, (empty($checked_IPaddress) ? 'empty' : ($checked_IPaddress === false ? 'false' : $checked_IPaddress))]);
}
}

Expand Down
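Review bot: Changing `elseif (DEVELOPMENT === true)` to a plain `else` on line 81 means the session-cache-hit message, which carries the client IP address, is now handed to the debugger in every environment rather than only in development. Whether it actually reaches a log file in production depends on `zorgDebugger::log()` honouring `isDevelopmentEnvironment` or the scope filter, which this diff does not show — please confirm, since logging client IPs is PII-sensitive. If production logging is possible, consider masking: `[substr($this->UserIPaddress, 0, strrpos($this->UserIPaddress, '.')).'.x']`.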
11 changes: 5 additions & 6 deletions www/includes/mysql.inc.php
Expand Up @@ -111,7 +111,7 @@ function query($sql, $file='', $line=0, $funktion='', $params=[]) {
if (empty($params)) {
$result = mysqli_query($this->conn, $sql);
/* Log SQL-Queries not upgraded to Prepared Statements */
if (DEVELOPMENT) error_log(sprintf('[DEPRECATED] <%s> Required SQL-Query update for mysqli_prepare(): %s:%d', $funktion, $file, $line));
zorgDebugger::me()->debug('<%s> is no SQL prepared statement, in %s:%d', [$funktion, $file, $line]);
} else {
$stmt = mysqli_prepare($this->conn, $sql);
if ($stmt === false) throw new mysqli_sql_exception(mysqli_error($this->conn));
Expand Down Expand Up @@ -187,7 +187,7 @@ function query($sql, $file='', $line=0, $funktion='', $params=[]) {
}
}
} catch (mysqli_sql_exception $e) {
if (DEVELOPMENT === true) var_dump([$file, $funktion, $line, $sql, $params]);
zorgDebugger::me()->debug('%s', [$e->getMessage()]);
die($e->getMessage());
}
}
Expand Down Expand Up @@ -310,7 +310,7 @@ function numfields($result) {
* @return array
*/
function tables() {
$query = "SHOW TABLES FROM " . $_ENV['MYSQL_DATABASE'];
$query = 'SHOW TABLES FROM '.$_ENV['MYSQL_DATABASE'];
$result = mysqli_query($this->conn, $query);
$tables = array();
while ($row = mysqli_fetch_row($result)) {
Expand Down Expand Up @@ -348,7 +348,7 @@ function insert($table, $values, $file='', $line=0, $funktion=null)
$insertKeys = '(`'.implode('`,`', array_keys($values)).'`)';
$insertValues = implode(',', array_fill(0, count($values), '?'));
$sql = sprintf('INSERT INTO `%s` %s VALUES (%s)', $table, $insertKeys, $insertValues);
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $db->insert() query: %s%s', __METHOD__, __LINE__, $sql, print_r($values,true)));
zorgDebugger::me()->debug('$db->insert() SQL: %s%s', [$sql, print_r($values,true)]);
foreach ($values as $key => $val) {
if (strtolower($val) === 'now()') {
$values[$key] = timestamp(true); // Fix "NOW()" => NOW() without quotes
Expand Down Expand Up @@ -429,15 +429,14 @@ function update($table, $id, $values, $file='', $line='', $funktion='')
$conditions[$id[$i]] = $id[$i+1]; // map $id[0] => $id[1], $id[2] => $id[3],... to $conditions-Array
$i++;
}
//if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $db->update() $conditions[ %s ]', __METHOD__, __LINE__, print_r($conditions,true)));
foreach ($conditions as $field => $value) {
$sql .= $field.'=?';//.(is_numeric($value) ? $value : '"'.$value.'"');
$params[] = $value;
end($conditions); // @link https://stackoverflow.com/a/8780881/5750030
if ($field !== key($conditions)) $sql .= ' OR '; // Add Separator if not last Array-Iteration
}
}
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $db->update() $sql: %s', __METHOD__, __LINE__, $sql));
zorgDebugger::me()->debug('$db->update() SQL: %s', [$sql]);
return $this->query($sql, $file, $line, $funktion, $params);
//return mysql_affected_rows();
}
Expand Down
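Review bot: The insert() debug line now logs `print_r($values, true)`, i.e. the full row contents — any password hashes, e-mail addresses or tokens that pass through `$db->insert()` end up in the debug log, and the only gate is the DEBUG_SCOPE filter rather than the old `DEVELOPMENT === true` guard. Logging the SQL plus column names is enough to diagnose prepared-statement problems: `zorgDebugger::me()->debug('$db->insert() SQL: %s (columns: %s)', [$sql, implode(',', array_keys($values))]);`. The `die($e->getMessage())` that remains below the new debug call still echoes raw mysqli errors to the client, which is pre-existing but worth fixing in the same pass. `query()` and `update()` both begin above their hunks.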
6 changes: 3 additions & 3 deletions www/includes/smarty.fnc.php
Expand Up @@ -1181,21 +1181,21 @@ function smarty_menuname_exec ($name)
}*/
foreach ($nameArray as $it)
{
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> smarty_menuname_exec: "%s" on tpl_id %d', __FUNCTION__, __LINE__, $it, $tpl_id));
zorgDebugger::me()->debug('«%s» on tpl_id %s', [$it, strval($tpl_id)]);
if (!empty($it)) {
/** Check if menu with same name already exists... */
$menuExists = $db->fetch($db->query('SELECT * FROM menus WHERE name=?',
__FILE__, __LINE__, __FUNCTION__, [$it]));
//if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $menuExists Query: %s', __FUNCTION__, __LINE__, print_r($menuExists,true)));
if ($menuExists !== false && $menuExists['tpl_id'] === $tpl_id)
{
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $menuExists: TRUE (tpl_id: %d)', __FUNCTION__, __LINE__, $tpl_id));
zorgDebugger::me()->debug('$menuExists: TRUE (tpl_id: %d)', [strval($tpl_id)]);
//return sprintf('Menuname "%s" existiert schon mit der id#%d und wurde deshalb nicht gespeichert!<br>Bitte anderen Namen verwenden.', $it, $tpl_id);
}

/** Menu mit $name gibt es noch nicht, deshlab erstellen wir es neu */
else {
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $menuExists: FALSE (adding new)', __FUNCTION__, __LINE__));
zorgDebugger::me()->debug('$menuExists: FALSE (adding new)');
$db->query('INSERT INTO menus (tpl_id, name) VALUES (?, ?)',
__FILE__, __LINE__, __FUNCTION__, [$tpl_id, $it]);
//$smarty->assign('error', ['type' => 'success', 'dismissable' => 'true', 'title' => sprintf('Neues Menu "%s" erfolgreich gespeichert', $it), 'message' => 'Du kannst es jetzt im Template-Editor einer Page auswählen.']);
Expand Down
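Review bot: Line 1192 converts `$tpl_id` with `strval()` but still formats it with `%d`, while line 1184 switched to `%s` for the same value — pick one; `zorgDebugger::me()->debug('$menuExists: TRUE (tpl_id: %s)', [strval($tpl_id)]);` matches the earlier line. The `$menuExists['tpl_id'] === $tpl_id` comparison on the following line is unchanged but compares a database string against whatever type `$tpl_id` arrives as, which may be why the formatting is being juggled; that is outside this hunk.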
6 changes: 3 additions & 3 deletions www/includes/smarty.inc.php
Expand Up @@ -337,7 +337,7 @@ function load_packages($tpl_id, &$smarty)
$packagesQuery = 'SELECT pkg.name as name FROM packages pkg INNER JOIN tpl_packages tplp ON pkg.id = tplp.package_id WHERE tplp.tpl_id=?';
$packagesFound = $db->query($packagesQuery, __FILE__, __LINE__, __FUNCTION__, [$tpl]);
$numPackagesFound = (int)$db->num($packagesFound);
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> Found %d packages for template #%d', __FUNCTION__, __LINE__, $numPackagesFound, $tpl));
zorgDebugger::me()->debug('Found %d packages for template «%s»', [$numPackagesFound, strval($tpl)]);

/** 1 or more Packages found */
if ($numPackagesFound > 0)
Expand All @@ -347,7 +347,7 @@ function load_packages($tpl_id, &$smarty)
/** Check if $package matches a PHP-File (Package) */
$package_file = basename($packages['name']); // Remove any directory traversal characters
$package_filepath = SMARTY_PACKAGES_DIR.$package_file.SMARTY_PACKAGES_EXTENSION;
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> Loading package "%s" from %s', __FUNCTION__, __LINE__, $package_file, $package_filepath));
zorgDebugger::me()->debug('Loading package «%s» from %s', [$package_file, $package_filepath]);
if (is_file($package_filepath) !== false)
{
require_once $package_filepath;
Expand All @@ -364,7 +364,7 @@ function load_packages($tpl_id, &$smarty)
/** 0 Packages found (but this is no error) */
elseif ($numPackagesFound === 0)
{
if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> Template #%d has no packages associated', __FUNCTION__, __LINE__, $tpl));
zorgDebugger::me()->debug('Template «%s» has no packages associated', [strval($tpl)]);
return true;
}
} else {
Expand Down
2 changes: 1 addition & 1 deletion www/includes/spaceweather.inc.php
Expand Up @@ -232,7 +232,7 @@ function spaceweather_ticker() {
}
if(isset($add[$rs['name']]) && !empty($add[$rs['name']][0]))
{
if (DEVELOPMENT) error_log(sprintf('[DEBUG] <%s:%d> $rs[name] exists: %s | value: %s', __FUNCTION__, __LINE__, $add[$rs['name']][0], (isset($add[$rs['name']][1]) ? $add[$rs['name']][1] : 'null')));
zorgDebugger::me()->debug('$rs[name]=%s exists, value: %s', [$add[$rs['name']][0], (isset($add[$rs['name']][1]) ? $add[$rs['name']][1] : 'null')]);
$sw[] = [ 'type' => $add[$rs['name']][0], 'value' => $rs['wert'].(isset($add[$rs['name']][1]) ? " ".$add[$rs['name']][1] : '') ];
}
}
Expand Down