diff --git a/inc/controllers/AdminController.class.php b/inc/controllers/AdminController.class.php
index 49c7cb1..f762e4d 100644
--- a/inc/controllers/AdminController.class.php
+++ b/inc/controllers/AdminController.class.php
@@ -26,7 +26,7 @@ class AdminController extends Controller
 $this->getView('MainView')->putExistingModel('ConfigModel', $this->getModel('ConfigModel'));
 if ($_SERVER['REQUEST_SCHEME'] == 'http')
- $this->forward('https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
+ $this->forward(buildURL($_SERVER['REQUEST_URI']));
 if (!$this->getModel('SessionModel')->isLogged())
 {
@@ -73,11 +73,11 @@ class AdminController extends Controller
 {
 //secure pools
 $_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd'] = trim(strip_tags($_POST['passwd']));
- $_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
+ $_POST['passwd'] = trim($_POST['passwd']);
+ $_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
 $_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
- $_POST['location'] = trim(strip_tags($this->db->real_escape_string($_POST['location'])));
- $_POST['signature'] = trim(strip_tags($this->db->real_escape_string($_POST['signature'])));
+ $_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
+ $_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
 $_POST['user_rank'] = trim(strip_tags($this->db->real_escape_string($_POST['user_rank'])));
 if ($_POST['passwd'] != '')
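Review bot: The new `$this->forward(buildURL($_SERVER['REQUEST_URI']))` delegates the scheme and host of the redirect to `buildURL()`, which is not part of this diff; the removed line built the host from `$_SERVER['SERVER_NAME']`, and if the helper instead reads `$_SERVER['HTTP_HOST']` the redirect target becomes whatever the client put in the Host header. Worth confirming that `buildURL()` uses a configured base URL, and saying so on the call: `// redirect to the configured HTTPS base URL; buildURL() must not take the host from request headers`. The `$_SERVER['REQUEST_SCHEME'] == 'http'` test on the context line is only populated by some SAPIs, so where the key is missing the redirect silently never fires; that is pre-existing but now the only thing standing between an HTTP request and the admin panel.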
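Review bot: The new `htmlspecialchars($this->db->real_escape_string(...))` lines for `location` and `signature` call `htmlspecialchars()` with its default flags; on PHP before 8.1 that is `ENT_COMPAT`, which leaves `'` unencoded, so the stored value is not safe inside a single-quoted attribute. Pass the flags explicitly, e.g. `htmlspecialchars($this->db->real_escape_string($_POST['location']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Encoding for HTML before the value reaches the database also means entities rather than the user's text are persisted, which every non-HTML consumer and the `strlen()`-style checks then see; escaping at output would avoid that. The same applies to the `forum_desc` (@@ -259), `reason` (@@ -581), `topic` (@@ -423) and `nick`/`location`/`signature` (@@ -550) lines.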
@@ -154,10 +154,10 @@ class AdminController extends Controller
 }
 }
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : $user_info['nick'];
- $_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : $user_info['email'];
- $_POST['location'] = (isset($_POST['location'])) ? $_POST['location'] : $user_info['location'];
- $_POST['signature'] = (isset($_POST['signature'])) ? $_POST['signature'] : $user_info['signature'];
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
+ $_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
+ $_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
+ $_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
 $_POST['user_rank'] = (isset($_POST['user_rank'])) ? $_POST['user_rank'] : $user_info['rank'];
 $this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
@@ -259,7 +259,7 @@ class AdminController extends Controller
 if (isset($_POST['forum_name'], $_POST['forum_desc']))
 {
 $_POST['forum_name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_name'])));
- $_POST['forum_desc'] = trim(htmlspecialchars($_POST['forum_desc']));
+ $_POST['forum_desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_desc'])));
 if (strlen($_POST['forum_name']) < 3)
 {
@@ -278,7 +278,6 @@ class AdminController extends Controller
 if ($msg == '')
 {
- $what = '';
 if ($_POST['forum_name'] != $this->getModel('ConfigModel')->getConf('forum_name'))
 $this->getModel('ConfigModel')->updateConf('forum_name', $_POST['forum_name']);
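Review bot: `stripslashes()` is not the inverse of `mysqli::real_escape_string()`: the latter encodes newline, carriage return, NUL and Ctrl-Z as a backslash plus a letter (`\n`, `\r`, `\0`, `\Z`), and `stripslashes()` turns those into the bare letter, so a multi-line `signature` re-displayed after a failed validation comes back with its line breaks replaced by `n`. Keeping the trimmed raw input in a separate variable for re-display and escaping only the copy that goes into SQL avoids the round trip; if the round trip stays, note its limit on the first of these lines, e.g. `// undo real_escape_string() for re-display; escaped control characters are not restored`. The same pattern is introduced in the @@ -290, @@ -448, @@ -513, @@ -603, @@ -482, @@ -621, @@ -684 and @@ -729 hunks.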
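Review bot: The `strlen($_POST['forum_name']) < 3` check on the context line measures the value after `real_escape_string()` and `htmlspecialchars()`, and the new `forum_desc` line now applies the same order, so a name consisting of a single `&` is measured as `&amp;` (5 bytes) and passes the minimum-length rule, while a short multibyte name can be rejected. Capture the trimmed raw value first, validate it with `mb_strlen()`, and escape afterwards. The `topic` length check in the @@ -423 hunk has the same ordering.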
@@ -290,8 +289,8 @@ class AdminController extends Controller
 }
 }
- $_POST['forum_name'] = (isset($_POST['forum_name'])) ? $_POST['forum_name'] : $this->getModel('ConfigModel')->getConf('forum_name');
- $_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? $_POST['forum_desc'] : $this->getModel('ConfigModel')->getConf('forum_desc');
+ $_POST['forum_name'] = (isset($_POST['forum_name'])) ? stripslashes($_POST['forum_name']) : $this->getModel('ConfigModel')->getConf('forum_name');
+ $_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? stripslashes($_POST['forum_desc']) : $this->getModel('ConfigModel')->getConf('forum_desc');
 if (!isset($lockv))
 {
 $this->getView('MainView')->admin_config($msg);
@@ -448,9 +447,9 @@ class AdminController extends Controller
 if (!isset($lockv))
 {
 if ($m == 'add')
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : '';
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
 else
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : $cat_info['name'];
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $cat_info['name'];
 $this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
 $this->getView('MainView')->admin_cat_form($msg, $m);
@@ -513,15 +512,15 @@ class AdminController extends Controller
 {
 if ($m == 'add')
 {
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : '';
- $_POST['desc'] = (isset($_POST['desc'])) ? $_POST['desc'] : '';
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
+ $_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : '';
 $_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : '';
 $_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : '';
 }
 else
 {
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : $forum_info['name'];
- $_POST['desc'] = (isset($_POST['desc'])) ? $_POST['desc'] : $forum_info['desc'];
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $forum_info['name'];
+ $_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : $forum_info['desc'];
 $_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : $forum_info['category_id'];
 $_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : $forum_info['locked'];
 }
@@ -581,7 +580,7 @@ class AdminController extends Controller
 if (isset($_POST['user_id'], $_POST['reason']))
 {
 $_POST['user_id'] = trim(strip_tags($this->db->real_escape_string($_POST['user_id'])));
- $_POST['reason'] = trim(strip_tags($this->db->real_escape_string($_POST['reason'])));
+ $_POST['reason'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['reason'])));
 if ($_POST['user_id'] == $this->getModel('SessionModel')->getID())
 $msg .= 'You cannot ban your profile!
';
@@ -603,12 +602,11 @@ class AdminController extends Controller
 if (!isset($lockv))
 {
 $_POST['user_id'] = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
- $_POST['reason'] = (isset($_POST['reason'])) ? $_POST['reason'] : '';
+ $_POST['reason'] = (isset($_POST['reason'])) ? stripslashes($_POST['reason']) : '';
 $this->getView('MainView')->admin_ban_form($msg);
 }
 }
 }
 }
- ?>
\ No newline at end of file
diff --git a/inc/controllers/MainController.class.php b/inc/controllers/MainController.class.php
index c3fb9a5..4d9705e 100644
--- a/inc/controllers/MainController.class.php
+++ b/inc/controllers/MainController.class.php
@@ -19,8 +19,8 @@ class MainController extends Controller
 private function loadDependencies() // zależności (sesje itp)
 {
- $this->loadModel('SessionModel'); //aktywacja sesji
- $this->loadModel('ConfigModel'); //konfiguracja ogólna skryptu
+ $this->loadModel('SessionModel'); //initalizing session
+ $this->loadModel('ConfigModel'); //overall forum configuration
 $this->loadView('MainView');
 $this->getView('MainView')->putExistingModel('SessionModel', $this->getModel('SessionModel'));
 $this->getView('MainView')->putExistingModel('ConfigModel', $this->getModel('ConfigModel'));
@@ -94,7 +94,6 @@ class MainController extends Controller
 $_POST['sort_desc'] = (isset($_POST['sort_desc'])) ? 'DESC' : 'ASC';
 $this->getView('MainView')->userlist();
- } public function viewtopic()
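Review bot: The new comment on the `loadModel('SessionModel')` line misspells its first word: `//initalizing session` should read `//initializing session`. The method-level comment `// zależności (sesje itp)` on the context line above is also still in Polish while the two comments below it were translated in this hunk; `// dependencies (session etc.)` keeps the method consistent with them.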
@@ -423,14 +422,14 @@ class MainController extends Controller
 break;
 }
- //przesłanie formularza --------------------------------------------------------------------------------
+ //posting a HTML form --------------------------------------------------------------------------------
 if (isset($_POST['post']) && !isset($_POST['preview']) && !isset($lockv))
 {
 $_POST['post'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['post'])));
 if ($type == POSTING_NEWTOPIC || $type == POSTING_EDITTOPIC) //walidacja tytułu tematu (add, edit)
 {
- $_POST['topic'] = trim(strip_tags($this->db->real_escape_string($_POST['topic'])));
+ $_POST['topic'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['topic'])));
 if (strlen($_POST['topic']) < 3)
 $msg .= 'Topic title is too short (min 3 characters)
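Review bot: The context comment `//walidacja tytułu tematu (add, edit)` is left in Polish while the form-submission comment a few lines above it is translated in this hunk; `//validate the topic title (add, edit)` keeps the file in one language. The translated line itself reads `//posting a HTML form`; `//posting an HTML form` is the usual article. Note that the `htmlspecialchars()` on `$_POST['post']` sits inside the `!isset($_POST['preview'])` branch, so on the preview path the post is not encoded here; that matters for the MainView and posting.tpl.php hunks further down.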
';
@@ -482,24 +481,23 @@ class MainController extends Controller
 {
 case POSTING_NEWTOPIC:
 case POSTING_REPLY:
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : '';
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : '';
 break;
 case POSTING_EDITTOPIC:
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : $p['content'];
- $_POST['topic'] = (isset($_POST['topic'])) ? $_POST['topic'] : $t['topic_title'];
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : $p['content'];
+ $_POST['topic'] = (isset($_POST['topic'])) ? stripslashes($_POST['topic']) : $t['topic_title'];
 break;
 case POSTING_EDIT:
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : $p['content'];
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : $p['content'];
 break;
 case POSTING_QUOTE:
 $quote = ($qp['nick'] != null) ? '='.$qp['nick'] : '';
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : '[quote'.$quote.']'.$qp['content'].'[/quote]';
- break;
-
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : '[quote'.$quote.']'.$qp['content'].'[/quote]';
+ break;
 }
 if ($type == POSTING_NEWTOPIC)
- $_POST['topic'] = (isset($_POST['topic'])) ? $_POST['topic'] : ''; //tylko edycja/tworzenie tematu
+ $_POST['topic'] = (isset($_POST['topic'])) ? stripslashes($_POST['topic']) : '';
 $this->getView('MainView')->putExistingModel('PostsModel', $this->getModel('PostsModel'));
 $this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
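Review bot: The rewritten `$_POST['topic']` line under `if ($type == POSTING_NEWTOPIC)` drops the trailing comment `//tylko edycja/tworzenie tematu` instead of translating it, so the reason this default is set only for new topics is no longer stated; `// the topic title field only exists when creating a topic` restores it in English. In the `POSTING_QUOTE` case the new `stripslashes()` is applied only when `$_POST['post']` is set, while the fallback still splices `$qp['nick']` and `$qp['content']` straight from the database into the textarea value; whether that is escaped before output depends on the template, which this diff does not show, and a short comment on that line saying where the escaping happens would help.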
@@ -550,13 +548,13 @@ class MainController extends Controller
 if (isset($_POST['nick'], $_POST['passwd'], $_POST['passwd_confirm'], $_POST['email']))
 {
 //secure pools
- $_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd_old'] = trim(strip_tags($_POST['passwd_old']));
- $_POST['passwd'] = trim(strip_tags($_POST['passwd']));
- $_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
+ $_POST['nick'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['nick'])));
+ $_POST['passwd_old'] = trim($_POST['passwd_old']);
+ $_POST['passwd'] = trim($_POST['passwd']);
+ $_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
 $_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
- $_POST['location'] = trim(strip_tags($this->db->real_escape_string($_POST['location'])));
- $_POST['signature'] = trim(strip_tags($this->db->real_escape_string($_POST['signature'])));
+ $_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
+ $_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
 if ($_POST['email'] != $user_info['email'] || $_POST['passwd'] != '')
 {
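Review bot: `nick` is now passed through `htmlspecialchars()` on the profile form, but the registration (@@ -702), login (@@ -659) and admin user editor (@@ -73) paths still use `strip_tags()` for the same field. A nick containing `&` or `"` saved through this form is stored entity-encoded (assuming the escaped `$_POST['nick']` is what reaches the UPDATE), while the login form submits the literal characters, so the lookup in `tryGetUser()` would no longer match that user. The sanitisation of `nick` should be one shared routine used by all four call sites, or better, the nick validated against an allow-list of characters on input and escaped only at output.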
@@ -621,10 +619,10 @@ class MainController extends Controller
 }
 }
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : $user_info['nick'];
- $_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : $user_info['email'];
- $_POST['location'] = (isset($_POST['location'])) ? $_POST['location'] : $user_info['location'];
- $_POST['signature'] = (isset($_POST['signature'])) ? $_POST['signature'] : $user_info['signature'];
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
+ $_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
+ $_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
+ $_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
 $this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
@@ -659,7 +657,7 @@ class MainController extends Controller
 {
 //secure pools
 $_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim(strip_tags($this->db->real_escape_string($_POST['passwd']))));
+ $_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim($this->db->real_escape_string($_POST['passwd'])));
 $userinfo = $this->getModel('SessionModel')->tryGetUser($_POST['nick'], $_POST['passwd']);
@@ -684,7 +682,7 @@ class MainController extends Controller
 }
 }
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : '';
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : '';
 if (!isset($lockv))
 $this->getView('MainView')->login_form($msg);
 }
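Review bot: The login path now hashes `trim($this->db->real_escape_string($_POST['passwd']))`, i.e. the SQL-escaped password, whereas the registration (@@ -702) and profile (@@ -550) paths reduce the password to `trim()` only; if `generatePasswordHash()` later receives that unescaped value from those forms, any password containing `'`, `"`, `\` or a newline hashes differently at login than at registration and those users cannot log in. Hash the same bytes on both sides, `$_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim($_POST['passwd']));` — the hash output, not the password, is what reaches the query, so assuming it is a hex digest it needs no SQL escaping. `trim()` itself silently alters passwords with leading or trailing whitespace; that is pre-existing but deserves a comment on the registration line.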
@@ -702,8 +700,8 @@ class MainController extends Controller
 {
 //secure pools
 $_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd'] = trim(strip_tags($_POST['passwd']));
- $_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
+ $_POST['passwd'] = trim($_POST['passwd']);
+ $_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
 $_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
 if (strlen($_POST['nick']) < 3)
@@ -729,8 +727,8 @@ class MainController extends Controller
 }
 }
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : '';
- $_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : '';
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : '';
+ $_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : '';
 if (!isset($lockv))
 $this->getView('MainView')->register_form($msg);
@@ -750,5 +748,4 @@ class MainController extends Controller
 echo 'false';
 }
 }
- ?>
\ No newline at end of file
diff --git a/inc/views/MainView.class.php b/inc/views/MainView.class.php
index f8b354f..d902bec 100644
--- a/inc/views/MainView.class.php
+++ b/inc/views/MainView.class.php
@@ -265,7 +265,7 @@ class MainView extends View
 $this->assign('post', $_POST['post']);
 if (isset($_POST['preview']))
- $this->assign('preview', addslashes(htmlspecialchars($_POST['post'])));
+ $this->assign('preview', true);
 if ($type == POSTING_NEWTOPIC || $type == POSTING_EDITTOPIC)
 $this->assign('topic', $_POST['topic']);
diff --git a/templates/posting.tpl.php b/templates/posting.tpl.php
index bb6130a..bbf00d2 100755
--- a/templates/posting.tpl.php
+++ b/templates/posting.tpl.php
@@ -16,7 +16,7 @@
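Review bot: Replacing the `addslashes(htmlspecialchars($_POST['post']))` assignment with `assign('preview', true)` removes the only HTML encoding the preview path had: in MainController the `htmlspecialchars()` call (@@ -423) is guarded by `!isset($_POST['preview'])`, and the @@ -482 hunk then only applies `stripslashes()`, so `$_POST['post']` reaches the view unencoded when previewing. The posting.tpl.php hunk now prints `TPL['post']` through a call whose name is cut off in this diff; unless that wrapper escapes its argument, the preview echoes the raw submitted text back into the page. If it does escape, say so on the new line, e.g. `// preview: TPL['post'] is HTML-escaped by the template helper`; if not, the `htmlspecialchars()` belongs back in the view or the helper.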
- TPL['preview']); ?>
+ TPL['post']); ?>