lib.contribute.document.php @ 2176

Revision 2176, 17.8 KB checked in by Moe, 14 years ago (diff)

Contribute 1.0-alpha25 :

added a filter against Javascript injections
check installed and active plugins
display more info on post
removed unused code
switched to GPL v2 (previous commit [2172]])

Line
1	<?php
2	# *** BEGIN LICENSE BLOCK ***
3	#
4	# This file is part of Contribute, a plugin for Dotclear 2
5	# Copyright (C) 2008,2009,2010 Moe (http://gniark.net/)
6	#
7	# Contribute is free software; you can redistribute it and/or
8	# modify it under the terms of the GNU General Public License v2.0
9	# as published by the Free Software Foundation.
10	#
11	# Contribute is distributed in the hope that it will be useful,
12	# but WITHOUT ANY WARRANTY; without even the implied warranty of
13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	# GNU General Public License for more details.
15	#
16	# You should have received a copy of the GNU General Public License
17	# along with this program; if not, see <http://www.gnu.org/licenses/>.
18	#
19	# Icon (icon.png) is from Silk Icons :
20	# <http://www.famfamfam.com/lab/icons/silk/>
21	#
22	# *** END LICENSE BLOCK ***
23
24	if (!defined('DC_RC_PATH')) {return;}
25
26	/**
27	@ingroup Contribute
28	@brief Document
29	*/
30	class contributeDocument extends dcUrlHandlers
31	{
32	/**
33	serve the document
34	@param args <b>string</b> Argument
35	*/
36	public static function page($args)
37	{
38	# from /dotclear/inc/public/lib.urlhandlers.php
39	# Spam trap
40	if (!empty($_POST['f_mail']))
41	{
42	http::head(412,'Precondition Failed');
43	header('Content-Type: text/plain');
44	echo "So Long, and Thanks For All the Fish";
45	exit;
46	}
47	# /from /dotclear/inc/public/lib.urlhandlers.php
48
49	global $core;
50
51	$settings =& $core->blog->settings;
52
53	if (!$settings->contribute_active)
54	{
55	self::p404();
56	return;
57	}
58
59	$disabled_plugins = $core->plugins->getDisabledModules();
60
61	$_ctx =& $GLOBALS['_ctx'];
62
63	$_ctx->contribute = new ArrayObject();
64	$_ctx->contribute->help = @base64_decode($settings->contribute_help);
65	$_ctx->contribute->message = '';
66	$_ctx->contribute->preview = false;
67	$_ctx->contribute->form = true;
68	$_ctx->contribute->choose_format = false;
69	# selected tags
70	$_ctx->contribute->selected_tags = array();
71
72	# Metadata
73	if ($core->plugins->moduleExists('metadata')
74	&& !array_key_exists('metadata',$disabled_plugins))
75	{
76	$meta = new dcMeta($core);
77	}
78	else
79	{
80	$meta = false;
81	}
82
83	# My Meta
84	if ($core->plugins->moduleExists('mymeta')
85	&& ($settings->contribute_allow_mymeta)
86	&& !array_key_exists('mymeta',$disabled_plugins))
87	{
88	$mymeta_values = array();
89
90	$_ctx->contribute->mymeta = new myMeta($core);
91
92	if ($_ctx->contribute->mymeta->hasMeta())
93	{
94	$mymeta_values = @unserialize(@base64_decode(
95	$settings->contribute_mymeta_values));
96
97	if (!is_array($mymeta_values)) {$mymeta_values = array();}
98
99	$mymeta = array();
100
101	foreach ($_ctx->contribute->mymeta->getAll() as $k => $v)
102	{
103	if (((bool) $v->enabled) && in_array($k,$mymeta_values))
104	{
105	$mymeta[] = $k;
106	}
107	}
108
109	unset($mymeta_values);
110	}
111	else
112	{
113	$_ctx->contribute->mymeta = false;
114	}
115	}
116	else
117	{
118	$_ctx->contribute->mymeta = false;
119	}
120	# /My Meta
121
122	# name, mail and site of the contributor
123
124	$name = '';
125	$mail = '';
126	$site = '';
127
128	# inspired by contactMe/_public.php
129	if ($args == 'sent')
130	{
131	$_ctx->contribute->message = 'sent';
132	$_ctx->contribute->preview = false;
133	$_ctx->contribute->form = false;
134	# avoid error with <tpl:ContributeIf format="xhtml">
135	$_ctx->posts = new ArrayObject();
136	$_ctx->posts->post_format = '';
137	}
138	else
139	{
140	try
141	{
142	# default post
143	$default_post = $settings->contribute_default_post;
144	if (is_int($default_post) && ($default_post > 0))
145	{
146	# get default post
147	$_ctx->posts = $core->auth->sudo(array($core->blog,'getPosts'),
148	array('post_id' => $default_post));
149
150	if ($_ctx->posts->isEmpty())
151	{
152	throw new Exception(__('No default post.'));
153	}
154
155	# modify $_ctx->posts for preview
156	$post =& $_ctx->posts;
157
158	# tags
159	# remove selected tags
160	$post_meta = unserialize($_ctx->posts->post_meta);
161
162	if (isset($post_meta['tag']) && !empty($post_meta['tag']))
163	{
164	foreach ($post_meta['tag'] as $k => $tag)
165	{
166	$_ctx->contribute->selected_tags[] = $tag;
167	}
168	}
169
170	# My Meta
171	$post->mymeta = array();
172
173	if ($_ctx->contribute->mymeta !== false)
174	{
175	foreach ($mymeta as $k => $v)
176	{
177	$post->mymeta[$v] = $meta->getMetaStr($post->post_meta,$v);
178	}
179	}
180	# /My Meta
181	}
182	# empty post
183	else
184	{
185	# create empty fields from default columns
186	$record = array();
187	$empty_post = $core->auth->sudo(array($core->blog,'getPosts'),
188	array('post_id' => -1));
189
190	$record[0] = array();
191
192	foreach ($empty_post->columns() as $k => $v)
193	{
194	$record[0][$v] = '';
195	}
196	$_ctx->posts = staticRecord::newFromArray($record);
197
198	unset($empty_post,$record);
199
200	$_ctx->posts->core = $core;
201	$_ctx->posts->extend('rsExtPost');
202
203	# --BEHAVIOR-- coreBlogGetPosts
204	$core->callBehavior('coreBlogGetPosts',$_ctx->posts);
205
206	# modify $_ctx->posts for preview
207	$post =& $_ctx->posts;
208
209	# My Meta
210	$post->mymeta = array();
211	# /My Meta
212
213	# formats
214	# default format setting
215	$post->post_format = $settings->contribute_format;
216
217	# contributor can choose the post format,
218	# it overrides the default format
219	if ($settings->contribute_format == '')
220
221	{
222	$_ctx->contribute->choose_format = true;
223
224	if ((isset($_POST['post_format']))
225	&& in_array($_POST['post_format'],$core->getFormaters()))
226	{
227	$post->post_format = $_POST['post_format'];
228	}
229	}
230	}
231
232	unset($default_post);
233
234	# formats
235	$formaters_combo = array();
236	# Formaters combo
237	foreach ($core->getFormaters() as $v)
238	{
239	$formaters_combo[] = array('format' => $v);
240	}
241	$_ctx->contribute->formaters =
242	staticRecord::newFromArray($formaters_combo);
243
244	unset($formaters_combo);
245
246	# current date
247	$post->post_dt = dt::str('%Y-%m-%d %T',null,
248	$settings->blog_timezone);
249	# remove URL
250	$post->post_url = '';
251
252	if (isset($_POST['post_title']))
253	{
254	$post->post_title = $_POST['post_title'];
255	}
256
257	# excerpt
258	if (($settings->contribute_allow_excerpt)
259	&& (isset($_POST['post_excerpt'])))
260	{
261	$post->post_excerpt = $_POST['post_excerpt'];
262	}
263	# content
264	if (isset($_POST['post_content']))
265	{
266	$post->post_content = $_POST['post_content'];
267	}
268
269	# avoid Notice: Indirect modification of overloaded property
270	# record::$post_excerpt has no effect in [this file]
271	# on line [...]
272
273	# filter to remove JavaScript
274	$post_excerpt = contribute::HTMLfilter($post->post_excerpt);
275	$post_excerpt_xhtml = contribute::HTMLfilter($post->post_excerpt_xhtml);
276	$post_content = contribute::HTMLfilter($post->post_content);
277	$post_content_xhtml = contribute::HTMLfilter($post->post_content_xhtml);
278
279	$core->blog->setPostContent(
280	'',$post->post_format,$settings->lang,
281	$post_excerpt,$post_excerpt_xhtml,
282	$post_content,$post_content_xhtml
283	);
284
285	$post->post_excerpt = $post_excerpt;
286	$post->post_excerpt_xhtml = $post_excerpt_xhtml;
287	$post->post_content = $post_content;
288	$post->post_content_xhtml = $post_content_xhtml;
289
290	unset($post_excerpt,$post_excerpt_xhtml,$post_content,
291	$post_content_xhtml);
292
293	if ($_ctx->contribute->choose_format
294	&& (isset($_POST['convert-xhtml']))
295	&& ($post->post_format != 'xhtml'))
296	{
297	$post->post_excerpt = $post->post_excerpt_xhtml;
298	$post->post_content = $post->post_content_xhtml;
299	$post->post_format = 'xhtml';
300	}
301
302	$_ctx->formaters = new ArrayObject;
303	$_ctx->formaters->format = $post->post_format;
304
305	# category
306	if (($settings->contribute_allow_category)
307	&& (isset($_POST['cat_id'])))
308	{
309	# check category
310	if (($_POST['cat_id'] != '')
311	&& (!preg_match('/^[0-9]+$/',$_POST['cat_id'])))
312	{
313	throw new Exception(__('Invalid cat_id'));
314	}
315
316	$cat = $core->blog->getCategories(array(
317	'start' => $_POST['cat_id'],
318	'level' => 1,
319	'cat_id' => $_POST['cat_id']
320	));
321
322	while ($cat->fetch())
323	{
324	# set category
325	$post->cat_id = $cat->cat_id;
326	$post->cat_title = $cat->cat_title;
327	$post->cat_url = $cat->cat_url;
328	break;
329	}
330
331	unset($cat);
332	}
333	# /category
334
335	if ($meta !== false)
336	{
337	# tags
338	if (($settings->contribute_allow_tags)
339	&& (isset($_POST['post_tags'])))
340	{
341	$post_meta = unserialize($_ctx->posts->post_meta);
342
343	# remove post tags
344	unset($post_meta['tag']);
345
346	# get all the existing tags
347	$available_tags = contribute::getTags();
348
349	# set post tags
350	# from /dotclear/plugins/metadata/_admin.php
351	foreach ($meta->splitMetaValues($_POST['post_tags'])
352	as $k => $tag)
353	{
354	# /from /dotclear/plugins/metadata/_admin.php
355	$tag = dcMeta::sanitizeMetaID($tag);
356
357	if ($settings->contribute_allow_new_tags)
358	{
359	$post_meta['tag'][] = $tag;
360	$_ctx->contribute->selected_tags[] = $tag;
361	}
362	else
363	{
364	# check that this tag already exists
365	if (in_array($tag,$available_tags))
366	{
367	$post_meta['tag'][] = $tag;
368	$_ctx->contribute->selected_tags[] = $tag;
369	}
370	}
371	}
372
373	unset($available_tags);
374
375	$_ctx->posts->post_meta = serialize($post_meta);
376	unset($post_meta);
377
378	}
379
380	# My Meta
381	if ($_ctx->contribute->mymeta !== false)
382	{
383	foreach ($mymeta as $k => $v)
384	{
385	$post->mymeta[$v] = (isset($_POST['mymeta_'.$v])
386	? $_POST['mymeta_'.$v] : '');
387	}
388	}
389	# /My Meta
390	}
391
392	# notes
393	if (($settings->contribute_allow_notes)
394	&& (isset($_POST['post_notes'])))
395	{
396	$post->post_notes = contribute::HTMLfilter($_POST['post_notes']);
397	}
398
399	# author
400	if (($meta !== false)
401	&& ($settings->contribute_allow_author))
402	{
403	$post_meta = unserialize($_ctx->posts->post_meta);
404
405	if (isset($_POST['c_name']) && (!empty($_POST['c_name'])))
406	{
407	$post_meta['contribute_author'][] = $name = $_POST['c_name'];
408	}
409	if (isset($_POST['c_mail']) && (!empty($_POST['c_mail'])))
410	{
411	$post_meta['contribute_mail'][] = $mail = $_POST['c_mail'];
412	}
413	# inspired by dcBlog > getCommentCursor()
414	if (isset($_POST['c_site']) && (!empty($_POST['c_site'])))
415	{
416	$site = $_POST['c_site'];
417
418	if (!preg_match('\|^http(s?)://\|',$site))
419	{
420	$site = 'http://'.$site;
421	}
422	# /inspired by dcBlog > getCommentCursor()
423
424	$post_meta['contribute_site'][] = $site;
425	}
426
427	$_ctx->posts->post_meta = serialize($post_meta);
428	unset($post_meta);
429	}
430
431	# check some inputs
432	if ((isset($_POST['preview'])) \|\| (isset($_POST['add'])))
433	{
434	# these fields can't be empty
435	if (isset($_POST['post_content']) && empty($post->post_content))
436	{
437	throw new Exception(__('No entry content'));
438	} elseif (isset($_POST['post_title']) && empty($post->post_title))
439	{
440	throw new Exception(__('No entry title'));
441	}
442
443	# if name and email address are required
444	if (($settings->contribute_allow_author)
445	&& ($settings->contribute_require_name_email))
446	{
447	if (empty($name))
448	{
449	$_ctx->contribute->preview = false;
450	$_ctx->contribute->message = '';
451	throw new Exception(__('You must provide an author name'));
452	} elseif (!text::isEmail($mail))
453	{
454	$_ctx->contribute->preview = false;
455	$_ctx->contribute->message = '';
456	throw new Exception(
457	__('You must provide a valid email address.'));
458	}
459	}
460	}
461
462	if (isset($_POST['preview']))
463	{
464	$_ctx->contribute->preview = true;
465	$_ctx->contribute->message = 'preview';
466	}
467
468	if (isset($_POST) && empty($_POST))
469	{
470	$_ctx->contribute->preview = false;
471	$_ctx->contribute->message = '';
472	}
473
474	if (isset($_POST['add']))
475	{
476	# log in as the user
477	# usage OR contentadmin permission is needed
478	$core->auth->checkUser($settings->contribute_user);
479
480	if (!$core->auth->check('usage,contentadmin',$core->blog->id))
481	{
482	throw new Exception(
483	__('The user is not allowed to create an entry'));
484	}
485
486	$post_status = 0;
487
488	# antispam
489	if ($settings->contribute_enable_antispam
490	&& $core->plugins->moduleExists('antispam')
491	&& !array_key_exists('antispam',$disabled_plugins))
492	{
493	$cur = $core->con->openCursor($core->prefix.'comment');
494
495	$cur->comment_trackback = 0;
496	$cur->comment_author = $name;
497	$cur->comment_email = $mail;
498	$cur->comment_site = $site;
499	$cur->comment_ip = http::realIP();
500	$cur->comment_content = $post->post_excerpt."\n".
501	$post->post_content;
502	$cur->post_id = $core->con->select(
503	'SELECT MAX(post_id) '.
504	'FROM '.$core->prefix.'post ')->f(0) + 1;
505	$cur->comment_status = 0;
506
507	$is_spam = contributeAntispam::isSpam($cur);
508
509	if ($is_spam === true)
510	{
511	$post_status = -2;
512
513	# if the auto deletion is enable, don't save the post and exit
514	# empty() doesn't work with $cur->comment_content
515	$comment_content = $cur->comment_content;
516	if (empty($comment_content))
517	{
518	http::redirect($core->blog->url.
519	$core->url->getBase('contribute').'/sent');
520	}
521	unset($comment_content,$cur);
522	}
523	}
524	# /antispam
525
526	$cur = $core->con->openCursor($core->prefix.'post');
527
528	$cur->user_id = $core->auth->userID();
529	$cur->cat_id = ((empty($post->cat_id)) ? NULL : $post->cat_id);
530	$cur->post_dt = $post->post_dt;
531	$cur->post_status = $post_status;
532	$cur->post_title = $post->post_title;
533	$cur->post_format = $post->post_format;
534	$cur->post_excerpt = $post->post_excerpt;
535	$cur->post_content = $post->post_content;
536	$cur->post_notes = $post->post_notes;
537	$cur->post_lang = $core->auth->getInfo('user_lang');
538	$cur->post_open_comment = (integer) $settings->allow_comments;
539	$cur->post_open_tb = (integer) $settings->allow_trackbacks;
540
541	unset($post_status);
542
543	# --BEHAVIOR-- publicBeforePostCreate
544	$core->callBehavior('publicBeforePostCreate',$cur);
545
546	$post_id = $core->blog->addPost($cur);
547
548	# l10n from $core->blog->addPost();
549	__('You are not allowed to create an entry');
550
551	# --BEHAVIOR-- publicAfterPostCreate
552	$core->callBehavior('publicAfterPostCreate',$cur,$post_id);
553
554	if ($meta !== false)
555	{
556	# inspired by planet/insert_feeds.php
557	if (!empty($name))
558	{
559	$meta->setPostMeta($post_id,'contribute_author',$name);
560	}
561	if (!empty($mail))
562	{
563	$meta->setPostMeta($post_id,'contribute_mail',$mail);
564	}
565	if (!empty($site))
566	{
567	$meta->setPostMeta($post_id,'contribute_site',$site);
568	}
569
570	# tags
571	$post_meta = unserialize($_ctx->posts->post_meta);
572	if (($settings->contribute_allow_tags)
573	&& (isset($post_meta['tag']))
574	&& (is_array($post_meta['tag'])))
575	{
576	foreach ($post_meta['tag'] as $k => $tag)
577	{
578	# from /dotclear/plugins/metadata/_admin.php
579	$meta->setPostMeta($post_id,'tag',$tag);
580	}
581
582	unset($post_meta);
583	}
584	# /tags
585
586	# My Meta
587	if ($_ctx->contribute->mymeta !== false)
588	{
589	foreach ($post->mymeta as $k => $v)
590	{
591	$meta->setPostMeta($post_id,$k,$v);
592	}
593	}
594	# /My Meta
595	}
596
597	# send email notification
598	if ($settings->contribute_email_notification)
599	{
600	$headers = array(
601	'From: '.'dotclear@'.$_SERVER['HTTP_HOST'],
602	'MIME-Version: 1.0',
603	'Content-Type: text/plain; charset=UTF-8;',
604	'X-Mailer: Dotclear'
605	);
606
607	$subject = sprintf(__('New post submitted on %s'),
608	$core->blog->name);
609
610	$content = sprintf(__('Title: %s'),$post->post_title);
611	$content .= "\n\n";
612
613	if (!empty($name))
614	{
615	$content .= sprintf(__('Author: %s'),$name);
616	$content .= "\n\n";
617	}
618
619	if (!empty($mail))
620	{
621	$headers[] = 'Reply-To: '.$mail;
622
623	$content .= sprintf(__('Email address: %s'),$mail);
624	$content .= "\n\n";
625	}
626
627	$params = array();
628	$params['post_id'] = $post_id;
629
630	$post = $core->blog->getPosts($params);
631
632	$content .= __('URL:').' '.$post->getURL();
633	unset($post);
634	$content .= "\n\n";
635
636	$content .= __('Edit this entry:').' '.DC_ADMIN_URL.
637	((substr(DC_ADMIN_URL,-1) == '/') ? '' : '/').
638	'post.php?id='.$post_id.'&switchblog='.$core->blog->id;
639	$content .= "\n\n".
640	__('You must log in on the backend before clicking on this link to go directly to the post.');
641
642	foreach(explode(',',
643	$settings->contribute_email_notification)
644	as $to)
645	{
646	$to = trim($to);
647	if (text::isEmail($to))
648	{
649	# don't display errors
650	try {
651	# from /dotclear/admin/auth.php : mail::B64Header($subject)
652	mail::sendMail($to,mail::B64Header($subject),
653	wordwrap($content,70),$headers);
654	} catch (Exception $e) {}
655	}
656	}
657	}
658	# /send email notification
659
660	http::redirect($core->blog->url.
661	$core->url->getBase('contribute').'/sent');
662	}
663
664	$_ctx->comment_preview = new ArrayObject();
665	$_ctx->comment_preview['name'] = $name;
666	$_ctx->comment_preview['mail'] = $mail;
667	$_ctx->comment_preview['site'] = $site;
668	}
669	catch (Exception $e)
670	{
671	$_ctx->form_error = $e->getMessage();
672	}
673	}
674
675	$core->tpl->setPath($core->tpl->getPath(),
676	dirname(__FILE__).'/../default-templates/');
677
678	self::serveDocument('contribute.html','text/html');
679	}
680	}
681
682	?>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: plugins/contribute/inc/lib.contribute.document.php @ 2176

Download in other formats:

Sites map