This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
1 | <?php |
||||
2 | /** |
||||
3 | * Module: Lexikon - glossary module |
||||
4 | * Author: hsalazar |
||||
5 | * Licence: GNU |
||||
6 | */ |
||||
7 | |||||
8 | use Xmf\Request; |
||||
9 | use XoopsModules\Lexikon\{ |
||||
10 | Helper, |
||||
11 | Utility |
||||
12 | }; |
||||
13 | /** @var Helper $helper */ |
||||
14 | |||||
15 | $GLOBALS['xoopsOption']['template_main'] = 'lx_submit.tpl'; |
||||
16 | require __DIR__ . '/header.php'; |
||||
17 | require XOOPS_ROOT_PATH . '/header.php'; |
||||
18 | |||||
19 | require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php'; |
||||
20 | |||||
21 | |||||
22 | $helper = Helper::getInstance(); |
||||
23 | |||||
24 | global $xoTheme, $xoopsUser, $xoopsConfig, $xoopsModule; |
||||
25 | |||||
26 | $result = $xoopsDB->query('SELECT * FROM ' . $xoopsDB->prefix('lxcategories') . ' '); |
||||
27 | if ('0' == $xoopsDB->getRowsNum($result) && '1' == $helper->getConfig('multicats')) { |
||||
28 | redirect_header('index.php', 1, _AM_LEXIKON_NOCOLEXISTS); |
||||
29 | } |
||||
30 | |||||
31 | $op = 'form'; |
||||
32 | |||||
33 | //if (\Xmf\Request::hasVar('post', 'POST')) { |
||||
34 | // $op = trim('post'); |
||||
35 | //} elseif (\Xmf\Request::hasVar('edit', 'POST')) { |
||||
36 | // $op = trim('edit'); |
||||
37 | //} |
||||
38 | |||||
39 | $op = Request::hasVar('post', 'POST') ? 'post' : (Request::hasVar('edit', 'POST') ? 'edit' : $op); |
||||
40 | |||||
41 | //$suggest = isset($_GET['suggest']) ? $_GET['suggest'] : (isset($_POST['suggest']) ? $_POST['suggest'] : ''); |
||||
42 | |||||
43 | if (!function_exists('mb_ucfirst') && function_exists('mb_substr')) { |
||||
44 | /** |
||||
45 | * @param $string |
||||
46 | * @return string |
||||
47 | */ |
||||
48 | function mb_ucfirst($string) |
||||
49 | { |
||||
50 | $string = mb_ereg_replace('^[\ ]+', '', $string); |
||||
51 | $string = mb_strtoupper(mb_substr($string, 0, 1, 'UTF-8'), 'UTF-8') . mb_substr($string, 1, mb_strlen($string), 'UTF-8'); |
||||
52 | |||||
53 | return $string; |
||||
54 | } |
||||
55 | } |
||||
56 | |||||
57 | $suggest = Request::getInt('suggest', 0, 'GET'); //isset($_GET['suggest']) ? (int)$_GET['suggest'] : 0; |
||||
58 | |||||
59 | if ($suggest > 0) { |
||||
60 | $terminosql = $xoopsDB->query('SELECT term FROM ' . $xoopsDB->prefix('lxentries') . ' WHERE datesub < ' . time() . " AND datesub > 0 AND request = '1' AND entryID = '" . $suggest . "'"); |
||||
61 | [$termino] = $xoopsDB->fetchRow($terminosql); |
||||
62 | } else { |
||||
63 | $termino = ''; |
||||
64 | } |
||||
65 | //--- Permissions --- |
||||
66 | /** @var \XoopsGroupPermHandler $grouppermHandler */ |
||||
67 | $grouppermHandler = xoops_getHandler('groupperm'); |
||||
68 | $groups = is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS; |
||||
69 | $module_id = $xoopsModule->getVar('mid'); |
||||
70 | $perm_itemid = Request::getInt('categoryID', 0, 'POST'); |
||||
71 | if (!$grouppermHandler->checkRight('lexikon_submit', $perm_itemid, $groups, $module_id)) { |
||||
72 | redirect_header('index.php', 3, _MD_LEXIKON_MUSTREGFIRST); |
||||
73 | } |
||||
74 | $totalcats = $grouppermHandler->getItemIds('lexikon_submit', $groups, $module_id); |
||||
75 | $permitsubmit = count($totalcats); |
||||
76 | if (0 == $permitsubmit && '1' == $helper->getConfig('multicats')) { |
||||
77 | redirect_header('<script>javascript:history.go(-1)</script>', 3, _NOPERM); |
||||
78 | } |
||||
79 | switch ($op) { |
||||
80 | case 'post': |
||||
81 | //--- Captcha |
||||
82 | if (0 !== $helper->getConfig('captcha')) { |
||||
83 | xoops_load('XoopsCaptcha'); |
||||
84 | if (@require_once XOOPS_ROOT_PATH . '/class/captcha/xoopscaptcha.php') { |
||||
85 | $xoopsCaptcha = XoopsCaptcha::getInstance(); |
||||
86 | if (!$xoopsCaptcha->verify()) { |
||||
87 | echo $xoopsCaptcha->getMessage(); |
||||
88 | redirect_header('<script>javascript:history.go(-1)</script>', 2, _CAPTCHA_INVALID_CODE); |
||||
89 | } |
||||
90 | } |
||||
91 | } |
||||
92 | //------- |
||||
93 | |||||
94 | global $xoTheme, $xoopsUser, $xoopsModule; |
||||
95 | require_once XOOPS_ROOT_PATH . '/modules/' . $xoopsModule->getVar('dirname') . '/class/Utility.php'; |
||||
96 | $myts = MyTextSanitizer:: getInstance(); |
||||
97 | //permissions |
||||
98 | /** @var \XoopsGroupPermHandler $grouppermHandler */ |
||||
99 | $grouppermHandler = xoops_getHandler('groupperm'); |
||||
100 | $groups = is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS; |
||||
101 | $module_id = $xoopsModule->getVar('mid'); |
||||
102 | $perm_itemid = Request::getInt('categoryID', 0, 'POST'); |
||||
103 | |||||
104 | $html = 1; |
||||
105 | if ($xoopsUser) { |
||||
106 | $uid = $xoopsUser->getVar('uid'); |
||||
107 | if ($xoopsUser->isAdmin($xoopsModule->mid())) { |
||||
108 | $html = empty($html) ? 0 : 1; |
||||
109 | } |
||||
110 | } else { |
||||
111 | if (!is_object($xoopsUser) |
||||
112 | && $grouppermHandler->checkRight('lexikon_submit', $perm_itemid, $groups, $module_id)) { |
||||
113 | $uid = 0; |
||||
114 | } else { |
||||
115 | redirect_header('index.php', 3, _NOPERM); |
||||
116 | } |
||||
117 | } |
||||
118 | |||||
119 | $block = isset($block) ? (int)$block : 1; |
||||
120 | $smiley = $smiley ?? 1; |
||||
121 | $xcodes = $xcodes ?? 1; |
||||
122 | $breaks = $breaks ?? 1; |
||||
123 | $notifypub = !empty($_POST['notifypub']) ? 1 : 0; |
||||
124 | |||||
125 | if (1 == $helper->getConfig('multicats')) { |
||||
126 | $categoryID = \Xmf\Request::getInt('categoryID', 1, 'POST'); |
||||
127 | } |
||||
128 | $term = $myts->addSlashes($myts->censorString($_POST['term'])); |
||||
0 ignored issues
–
show
Deprecated Code
introduced
by
Loading history...
|
|||||
129 | $definition = $myts->addSlashes($myts->censorString($_POST['definition'])); |
||||
0 ignored issues
–
show
The function
MyTextSanitizer::censorString() has been deprecated.
(
Ignorable by Annotation
)
If this is a false-positive, you can also ignore this issue in your code via the
Loading history...
|
|||||
130 | $ref = $myts->addSlashes($myts->censorString($_POST['ref'])); |
||||
0 ignored issues
–
show
The function
MyTextSanitizer::censorString() has been deprecated.
(
Ignorable by Annotation
)
If this is a false-positive, you can also ignore this issue in your code via the
Loading history...
|
|||||
131 | $url = $myts->addSlashes($_POST['url']); |
||||
132 | if (empty($url)) { |
||||
133 | $url = ''; |
||||
134 | } |
||||
135 | // this is for terms with umlaut or accented initials |
||||
136 | $term4sql = $utility::sanitizeFieldName(htmlspecialchars($_POST['term'], ENT_QUOTES | ENT_HTML5)); |
||||
137 | $init = mb_substr($term4sql, 0, 1); |
||||
138 | $init = preg_match('/[a-zA-Zа-яА-Я0-9]/u', $init) ? mb_strtoupper($init) : '#'; |
||||
139 | |||||
140 | $datesub = time(); |
||||
141 | |||||
142 | $submit = 1; |
||||
143 | $offline = 1; |
||||
144 | $request = 0; |
||||
145 | $block = 1; |
||||
146 | $autoapprove = 0; |
||||
147 | |||||
148 | if ($grouppermHandler->checkRight('lexikon_approve', $perm_itemid, $groups, $module_id)) { |
||||
149 | $submit = 0; |
||||
150 | $offline = 0; |
||||
151 | $autoapprove = 1; |
||||
152 | } |
||||
153 | // verify that the term not exists |
||||
154 | if ($utility::isTermPresent($term, $xoopsDB->prefix('lxentries'))) { |
||||
155 | redirect_header('<script>javascript:history.go(-1)</script>', 2, _MD_LEXIKON_ITEMEXISTS . '<br>' . $term); |
||||
156 | } |
||||
157 | $result = $xoopsDB->query( |
||||
158 | 'INSERT INTO ' |
||||
159 | . $xoopsDB->prefix('lxentries') |
||||
160 | . " (categoryID, term, init, definition, ref, url, uid, submit, datesub, html, smiley, xcodes, breaks, block, offline, notifypub ) VALUES ('$categoryID', '$term', '$init', '$definition', '$ref', '$url', '$uid', '$submit', '$datesub', '$html', '$smiley', '$xcodes', '$breaks','$block', '$offline', '$notifypub')" |
||||
161 | ); |
||||
162 | $newid = $xoopsDB->getInsertId(); |
||||
163 | // Increment author's posts count |
||||
164 | if (is_object($xoopsUser) && empty($entryID) && $autoapprove) { |
||||
165 | /** @var \XoopsMemberHandler $memberHandler */ |
||||
166 | $memberHandler = xoops_getHandler('member'); |
||||
167 | $submitter = $memberHandler->getUser($uid); |
||||
168 | if (is_object($submitter)) { |
||||
169 | $submitter->setVar('posts', $submitter->getVar('posts') + 1); |
||||
170 | $res = $memberHandler->insertUser($submitter, true); |
||||
171 | unset($submitter); |
||||
172 | } |
||||
173 | } |
||||
174 | // trigger Notification |
||||
175 | if (!empty($helper->getConfig('notification_enabled'))) { |
||||
176 | global $xoopsModule; |
||||
177 | if (0 == $newid) { |
||||
178 | $newid = $xoopsDB->getInsertId(); |
||||
179 | } |
||||
180 | /** @var XoopsNotificationHandler $notificationHandler */ |
||||
181 | $notificationHandler = xoops_getHandler('notification'); |
||||
182 | $tags = []; |
||||
183 | $shortdefinition = htmlspecialchars(xoops_substr(strip_tags($definition), 0, 45), ENT_QUOTES | ENT_HTML5); |
||||
184 | $tags['ITEM_NAME'] = $term; |
||||
185 | $tags['ITEM_BODY'] = $shortdefinition; |
||||
186 | $tags['DATESUB'] = formatTimestamp($datesub, 'd M Y'); |
||||
187 | $tags['ITEM_URL'] = XOOPS_URL . '/modules/' . $xoopsModule->getVar('dirname') . '/admin/entry.php?op=mod&entryID=' . $newid; |
||||
188 | $sql = 'SELECT name FROM ' . $xoopsDB->prefix('lxcategories') . ' WHERE categoryID=' . $categoryID; |
||||
189 | $result = $xoopsDB->query($sql); |
||||
190 | $row = $xoopsDB->fetchArray($result); |
||||
191 | $tags['CATEGORY_NAME'] = $row['name']; |
||||
192 | $tags['CATEGORY_URL'] = XOOPS_URL . '/modules/' . $xoopsModule->getVar('dirname') . '/category.php?categoryID=' . $categoryID; |
||||
193 | if (1 == $helper->getConfig('autoapprove')) { |
||||
194 | $notificationHandler->triggerEvent('category', $categoryID, 'new_post', $tags); |
||||
195 | $notificationHandler->triggerEvent('global', 0, 'new_post', $tags); |
||||
196 | //sample: $notificationHandler->triggerEvent($category, $item_id, $events, $tags, $user_list=array(), $module_id=null, $omit_user_id=null) |
||||
197 | } else { |
||||
198 | $notificationHandler->triggerEvent('global', 0, 'term_submit', $tags); |
||||
199 | $notificationHandler->triggerEvent('category', 0, 'term_submit', $tags); |
||||
200 | if ($notifypub) { |
||||
201 | require_once XOOPS_ROOT_PATH . '/include/notification_constants.php'; |
||||
202 | $notificationHandler->subscribe('term', $newid, 'approve', XOOPS_NOTIFICATION_MODE_SENDONCETHENDELETE); |
||||
203 | } |
||||
204 | } |
||||
205 | } |
||||
206 | if ($result) { |
||||
207 | if (!is_object($xoopsUser)) { |
||||
208 | $username = _MD_LEXIKON_GUEST; |
||||
209 | $usermail = ''; |
||||
210 | } else { |
||||
211 | $username = $xoopsUser->getVar('uname', 'E'); |
||||
212 | $result = $xoopsDB->query('select email from ' . $xoopsDB->prefix('users') . " WHERE uname='$username'"); |
||||
213 | [$usermail] = $xoopsDB->fetchRow($result); |
||||
214 | } |
||||
215 | |||||
216 | if (1 == $helper->getConfig('mailtoadmin')) { |
||||
217 | $adminMessage = sprintf(_MD_LEXIKON_WHOSUBMITTED, $username); |
||||
218 | $adminMessage .= '<b>' . $term . "</b>\n"; |
||||
219 | $adminMessage .= '' . _MD_LEXIKON_EMAILLEFT . " $usermail\n"; |
||||
220 | $adminMessage .= "\n"; |
||||
221 | if ('1' == $notifypub) { |
||||
222 | $adminMessage .= _MD_LEXIKON_NOTIFYONPUB; |
||||
223 | } |
||||
224 | $adminMessage .= "\n" . $_SERVER['HTTP_USER_AGENT'] . "\n"; |
||||
225 | $subject = $xoopsConfig['sitename'] . ' - ' . _MD_LEXIKON_DEFINITIONSUB; |
||||
226 | $xoopsMailer = xoops_getMailer(); |
||||
227 | $xoopsMailer->useMail(); |
||||
228 | $xoopsMailer->multimailer->isHTML(true); |
||||
229 | $xoopsMailer->setToEmails($xoopsConfig['adminmail']); |
||||
230 | $xoopsMailer->setFromEmail($usermail); |
||||
231 | $xoopsMailer->setFromName($xoopsConfig['sitename']); |
||||
232 | $xoopsMailer->setSubject($subject); |
||||
233 | $xoopsMailer->setBody($adminMessage); |
||||
234 | $xoopsMailer->send(); |
||||
235 | $messagesent = sprintf(_MD_LEXIKON_MESSAGESENT, $xoopsConfig['sitename']) . '<br>' . _MD_LEXIKON_THANKS1 . ''; |
||||
236 | } |
||||
237 | |||||
238 | //if ($helper->getConfig('autoapprove') == 1) { |
||||
239 | if (1 == $autoapprove) { |
||||
240 | redirect_header('index.php', 2, _MD_LEXIKON_RECEIVEDANDAPPROVED); |
||||
241 | } else { |
||||
242 | //send received mail |
||||
243 | if (1 == $helper->getConfig('mailtosender') && $usermail) { |
||||
244 | $conf_subject = _MD_LEXIKON_THANKS3; |
||||
245 | $userMessage = sprintf(_MD_LEXIKON_GOODDAY2, $username); |
||||
246 | $userMessage .= "\n\n"; |
||||
247 | $userMessage .= sprintf(_MD_LEXIKON_THANKYOU3, $xoopsConfig['sitename']); |
||||
248 | $userMessage .= "\n"; |
||||
249 | $userMessage .= sprintf(_MD_LEXIKON_SUBMISSIONSENT, $xoopsConfig['sitename']); |
||||
250 | $userMessage .= "\n"; |
||||
251 | $userMessage .= "--------------\n"; |
||||
252 | $userMessage .= '' . $xoopsConfig['sitename'] . ' ' . _MD_LEXIKON_WEBMASTER . "\n"; |
||||
253 | $userMessage .= '' . $xoopsConfig['adminmail'] . ''; |
||||
254 | |||||
255 | $xoopsMailer = xoops_getMailer(); |
||||
256 | $xoopsMailer->useMail(); |
||||
257 | $xoopsMailer->multimailer->isHTML(true); |
||||
258 | $xoopsMailer->setToEmails($usermail); |
||||
259 | $xoopsMailer->setFromEmail($xoopsConfig['adminmail']); |
||||
260 | $xoopsMailer->setFromName($xoopsConfig['sitename']); |
||||
261 | $xoopsMailer->setSubject($conf_subject); |
||||
262 | $xoopsMailer->setBody($userMessage); |
||||
263 | $xoopsMailer->send(); |
||||
264 | $messagesent = _MD_LEXIKON_RECEIVED . '<br>' . _MD_LEXIKON_THANKS1 . ''; |
||||
265 | $messagesent .= sprintf(_MD_LEXIKON_SENTCONFIRMMAIL, $usermail); |
||||
266 | } else { |
||||
267 | $messagesent = sprintf(_MD_LEXIKON_RECEIVED) . '<br>' . _MD_LEXIKON_THANKS1 . ''; |
||||
268 | } |
||||
269 | redirect_header('index.php', 2, $messagesent); |
||||
270 | } |
||||
271 | } else { |
||||
272 | redirect_header('submit.php', 2, _MD_LEXIKON_ERRORSAVINGDB); |
||||
273 | } |
||||
274 | exit(); |
||||
275 | break; |
||||
276 | case 'form': |
||||
277 | default: |
||||
278 | global $xoopsUser, $_SERVER; |
||||
279 | require_once XOOPS_ROOT_PATH . '/modules/' . $xoopsModule->dirname() . '/class/Utility.php'; // to create pagetitle |
||||
280 | $myts = MyTextSanitizer:: getInstance(); |
||||
281 | if (!is_object($xoopsUser)) { |
||||
282 | $name = _MD_LEXIKON_GUEST; |
||||
283 | } else { |
||||
284 | $name = mb_ucfirst($xoopsUser->getVar('uname')); |
||||
285 | } |
||||
286 | |||||
287 | $xoopsTpl->assign('send_def_to', sprintf(_MD_LEXIKON_SUB_SNEWNAME, mb_ucfirst($xoopsModule->name()))); |
||||
288 | $xoopsTpl->assign('send_def_g', sprintf(_MD_LEXIKON_SUB_SNEWNAME, mb_ucfirst($xoopsModule->name()))); |
||||
289 | $xoopsTpl->assign('lx_user_name', $name); |
||||
290 | |||||
291 | $block = 1; |
||||
292 | $html = 1; |
||||
293 | $smiley = 1; |
||||
294 | $xcodes = 1; |
||||
295 | $breaks = 1; |
||||
296 | $categoryID = 0; |
||||
297 | $notifypub = 1; |
||||
298 | $term = $termino; |
||||
299 | $definition = ''; |
||||
300 | $ref = ''; |
||||
301 | $url = ''; |
||||
302 | |||||
303 | require_once __DIR__ . '/include/storyform.inc.php'; |
||||
304 | |||||
305 | $xoopsTpl->assign('modulename', $xoopsModule->dirname()); |
||||
306 | |||||
307 | $sform->assign($xoopsTpl); |
||||
308 | |||||
309 | $xoopsTpl->assign('lang_modulename', $xoopsModule->name()); |
||||
310 | $xoopsTpl->assign('lang_moduledirname', $xoopsModule->getVar('dirname')); |
||||
311 | $xoopsTpl->assign('xoops_pagetitle', htmlspecialchars($xoopsModule->name(), ENT_QUOTES | ENT_HTML5) . ' - ' . _MD_LEXIKON_SUBMITART); |
||||
312 | $xoopsTpl->assign('xoops_module_header', '<link rel="stylesheet" type="text/css" href="assets/css/style.css">'); |
||||
313 | // Meta data |
||||
314 | $meta_description = _MD_LEXIKON_SUBMITART . ' - ' . htmlspecialchars($xoopsModule->name(), ENT_QUOTES | ENT_HTML5); |
||||
315 | if (isset($xoTheme) && is_object($xoTheme)) { |
||||
316 | $xoTheme->addMeta('meta', 'description', $meta_description); |
||||
317 | } else { |
||||
318 | $xoopsTpl->assign('xoops_meta_description', $meta_description); |
||||
319 | } |
||||
320 | |||||
321 | require XOOPS_ROOT_PATH . '/footer.php'; |
||||
322 | break; |
||||
323 | } |
||||
324 |