diff --git a/inc/controllers/AdminController.class.php b/inc/controllers/AdminController.class.php
index 49c7cb1..f762e4d 100644
--- a/inc/controllers/AdminController.class.php
+++ b/inc/controllers/AdminController.class.php
@@ -26,7 +26,7 @@ class AdminController extends Controller
$this->getView('MainView')->putExistingModel('ConfigModel', $this->getModel('ConfigModel'));
if ($_SERVER['REQUEST_SCHEME'] == 'http')
- $this->forward('https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
+ $this->forward(buildURL($_SERVER['REQUEST_URI']));
if (!$this->getModel('SessionModel')->isLogged())
{
@@ -73,11 +73,11 @@ class AdminController extends Controller
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd'] = trim(strip_tags($_POST['passwd']));
- $_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
+ $_POST['passwd'] = trim($_POST['passwd']);
+ $_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
- $_POST['location'] = trim(strip_tags($this->db->real_escape_string($_POST['location'])));
- $_POST['signature'] = trim(strip_tags($this->db->real_escape_string($_POST['signature'])));
+ $_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
+ $_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
$_POST['user_rank'] = trim(strip_tags($this->db->real_escape_string($_POST['user_rank'])));
if ($_POST['passwd'] != '')
@@ -154,10 +154,10 @@ class AdminController extends Controller
}
}
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : $user_info['nick'];
- $_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : $user_info['email'];
- $_POST['location'] = (isset($_POST['location'])) ? $_POST['location'] : $user_info['location'];
- $_POST['signature'] = (isset($_POST['signature'])) ? $_POST['signature'] : $user_info['signature'];
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
+ $_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
+ $_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
+ $_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
$_POST['user_rank'] = (isset($_POST['user_rank'])) ? $_POST['user_rank'] : $user_info['rank'];
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
@@ -259,7 +259,7 @@ class AdminController extends Controller
if (isset($_POST['forum_name'], $_POST['forum_desc']))
{
$_POST['forum_name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_name'])));
- $_POST['forum_desc'] = trim(htmlspecialchars($_POST['forum_desc']));
+ $_POST['forum_desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_desc'])));
if (strlen($_POST['forum_name']) < 3)
{
@@ -278,7 +278,6 @@ class AdminController extends Controller
if ($msg == '')
{
- $what = '';
if ($_POST['forum_name'] != $this->getModel('ConfigModel')->getConf('forum_name'))
$this->getModel('ConfigModel')->updateConf('forum_name', $_POST['forum_name']);
@@ -290,8 +289,8 @@ class AdminController extends Controller
}
}
- $_POST['forum_name'] = (isset($_POST['forum_name'])) ? $_POST['forum_name'] : $this->getModel('ConfigModel')->getConf('forum_name');
- $_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? $_POST['forum_desc'] : $this->getModel('ConfigModel')->getConf('forum_desc');
+ $_POST['forum_name'] = (isset($_POST['forum_name'])) ? stripslashes($_POST['forum_name']) : $this->getModel('ConfigModel')->getConf('forum_name');
+ $_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? stripslashes($_POST['forum_desc']) : $this->getModel('ConfigModel')->getConf('forum_desc');
if (!isset($lockv))
{
$this->getView('MainView')->admin_config($msg);
@@ -448,9 +447,9 @@ class AdminController extends Controller
if (!isset($lockv))
{
if ($m == 'add')
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : '';
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
else
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : $cat_info['name'];
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $cat_info['name'];
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
$this->getView('MainView')->admin_cat_form($msg, $m);
@@ -513,15 +512,15 @@ class AdminController extends Controller
{
if ($m == 'add')
{
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : '';
- $_POST['desc'] = (isset($_POST['desc'])) ? $_POST['desc'] : '';
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
+ $_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : '';
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : '';
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : '';
}
else
{
- $_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : $forum_info['name'];
- $_POST['desc'] = (isset($_POST['desc'])) ? $_POST['desc'] : $forum_info['desc'];
+ $_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $forum_info['name'];
+ $_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : $forum_info['desc'];
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : $forum_info['category_id'];
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : $forum_info['locked'];
}
@@ -581,7 +580,7 @@ class AdminController extends Controller
if (isset($_POST['user_id'], $_POST['reason']))
{
$_POST['user_id'] = trim(strip_tags($this->db->real_escape_string($_POST['user_id'])));
- $_POST['reason'] = trim(strip_tags($this->db->real_escape_string($_POST['reason'])));
+ $_POST['reason'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['reason'])));
if ($_POST['user_id'] == $this->getModel('SessionModel')->getID())
$msg .= 'You cannot ban your profile!
';
@@ -603,12 +602,11 @@ class AdminController extends Controller
if (!isset($lockv))
{
$_POST['user_id'] = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
- $_POST['reason'] = (isset($_POST['reason'])) ? $_POST['reason'] : '';
+ $_POST['reason'] = (isset($_POST['reason'])) ? stripslashes($_POST['reason']) : '';
$this->getView('MainView')->admin_ban_form($msg);
}
}
}
}
-
?>
\ No newline at end of file
diff --git a/inc/controllers/MainController.class.php b/inc/controllers/MainController.class.php
index c3fb9a5..4d9705e 100644
--- a/inc/controllers/MainController.class.php
+++ b/inc/controllers/MainController.class.php
@@ -19,8 +19,8 @@ class MainController extends Controller
private function loadDependencies() // zależności (sesje itp)
{
- $this->loadModel('SessionModel'); //aktywacja sesji
- $this->loadModel('ConfigModel'); //konfiguracja ogólna skryptu
+ $this->loadModel('SessionModel'); //initalizing session
+ $this->loadModel('ConfigModel'); //overall forum configuration
$this->loadView('MainView');
$this->getView('MainView')->putExistingModel('SessionModel', $this->getModel('SessionModel'));
$this->getView('MainView')->putExistingModel('ConfigModel', $this->getModel('ConfigModel'));
@@ -94,7 +94,6 @@ class MainController extends Controller
$_POST['sort_desc'] = (isset($_POST['sort_desc'])) ? 'DESC' : 'ASC';
$this->getView('MainView')->userlist();
-
}
public function viewtopic()
@@ -423,14 +422,14 @@ class MainController extends Controller
break;
}
- //przesłanie formularza --------------------------------------------------------------------------------
+ //posting a HTML form --------------------------------------------------------------------------------
if (isset($_POST['post']) && !isset($_POST['preview']) && !isset($lockv))
{
$_POST['post'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['post'])));
if ($type == POSTING_NEWTOPIC || $type == POSTING_EDITTOPIC) //walidacja tytułu tematu (add, edit)
{
- $_POST['topic'] = trim(strip_tags($this->db->real_escape_string($_POST['topic'])));
+ $_POST['topic'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['topic'])));
if (strlen($_POST['topic']) < 3)
$msg .= 'Topic title is too short (min 3 characters)
';
@@ -482,24 +481,23 @@ class MainController extends Controller
{
case POSTING_NEWTOPIC:
case POSTING_REPLY:
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : '';
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : '';
break;
case POSTING_EDITTOPIC:
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : $p['content'];
- $_POST['topic'] = (isset($_POST['topic'])) ? $_POST['topic'] : $t['topic_title'];
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : $p['content'];
+ $_POST['topic'] = (isset($_POST['topic'])) ? stripslashes($_POST['topic']) : $t['topic_title'];
break;
case POSTING_EDIT:
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : $p['content'];
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : $p['content'];
break;
case POSTING_QUOTE:
$quote = ($qp['nick'] != null) ? '='.$qp['nick'] : '';
- $_POST['post'] = (isset($_POST['post'])) ? $_POST['post'] : '[quote'.$quote.']'.$qp['content'].'[/quote]';
- break;
-
+ $_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : '[quote'.$quote.']'.$qp['content'].'[/quote]';
+ break;
}
if ($type == POSTING_NEWTOPIC)
- $_POST['topic'] = (isset($_POST['topic'])) ? $_POST['topic'] : ''; //tylko edycja/tworzenie tematu
+ $_POST['topic'] = (isset($_POST['topic'])) ? stripslashes($_POST['topic']) : '';
$this->getView('MainView')->putExistingModel('PostsModel', $this->getModel('PostsModel'));
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
@@ -550,13 +548,13 @@ class MainController extends Controller
if (isset($_POST['nick'], $_POST['passwd'], $_POST['passwd_confirm'], $_POST['email']))
{
//secure pools
- $_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd_old'] = trim(strip_tags($_POST['passwd_old']));
- $_POST['passwd'] = trim(strip_tags($_POST['passwd']));
- $_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
+ $_POST['nick'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['nick'])));
+ $_POST['passwd_old'] = trim($_POST['passwd_old']);
+ $_POST['passwd'] = trim($_POST['passwd']);
+ $_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
- $_POST['location'] = trim(strip_tags($this->db->real_escape_string($_POST['location'])));
- $_POST['signature'] = trim(strip_tags($this->db->real_escape_string($_POST['signature'])));
+ $_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
+ $_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
if ($_POST['email'] != $user_info['email'] || $_POST['passwd'] != '')
{
@@ -621,10 +619,10 @@ class MainController extends Controller
}
}
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : $user_info['nick'];
- $_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : $user_info['email'];
- $_POST['location'] = (isset($_POST['location'])) ? $_POST['location'] : $user_info['location'];
- $_POST['signature'] = (isset($_POST['signature'])) ? $_POST['signature'] : $user_info['signature'];
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
+ $_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
+ $_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
+ $_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
@@ -659,7 +657,7 @@ class MainController extends Controller
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim(strip_tags($this->db->real_escape_string($_POST['passwd']))));
+ $_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim($this->db->real_escape_string($_POST['passwd'])));
$userinfo = $this->getModel('SessionModel')->tryGetUser($_POST['nick'], $_POST['passwd']);
@@ -684,7 +682,7 @@ class MainController extends Controller
}
}
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : '';
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : '';
if (!isset($lockv))
$this->getView('MainView')->login_form($msg);
}
@@ -702,8 +700,8 @@ class MainController extends Controller
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
- $_POST['passwd'] = trim(strip_tags($_POST['passwd']));
- $_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
+ $_POST['passwd'] = trim($_POST['passwd']);
+ $_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
if (strlen($_POST['nick']) < 3)
@@ -729,8 +727,8 @@ class MainController extends Controller
}
}
- $_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : '';
- $_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : '';
+ $_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : '';
+ $_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : '';
if (!isset($lockv))
$this->getView('MainView')->register_form($msg);
@@ -750,5 +748,4 @@ class MainController extends Controller
echo 'false';
}
}
-
?>
\ No newline at end of file
diff --git a/inc/views/MainView.class.php b/inc/views/MainView.class.php
index f8b354f..d902bec 100644
--- a/inc/views/MainView.class.php
+++ b/inc/views/MainView.class.php
@@ -265,7 +265,7 @@ class MainView extends View
$this->assign('post', $_POST['post']);
if (isset($_POST['preview']))
- $this->assign('preview', addslashes(htmlspecialchars($_POST['post'])));
+ $this->assign('preview', true);
if ($type == POSTING_NEWTOPIC || $type == POSTING_EDITTOPIC)
$this->assign('topic', $_POST['topic']);
diff --git a/templates/posting.tpl.php b/templates/posting.tpl.php
index bb6130a..bbf00d2 100755
--- a/templates/posting.tpl.php
+++ b/templates/posting.tpl.php
@@ -16,7 +16,7 @@