Commit 28bf9e89 authored by Dries's avatar Dries

- fixed a bug in check_input: html stripping was not 100% correct.
- fixed a bug in account.php: the confirmation url is now correct.
- improved error checking + security in diary.php.
- fixed a bug in the html code of theme zaphod.
- improved the date handling: always call format_date().
- expanded account information in administration pages.
- added a new variable $siteurl to ./includes/config.inc.
- added comment moderation to theme zaphod.
- "alter table users add timezone varchar(8);"

- !!! added new timezone feature !!! :o)
parent 4ede9967
......@@ -106,17 +106,24 @@ function account_page_edit() {
global $theme, $themes, $user;
if ($user->id) {
### Generate output/content:
$output .= "<FORM ACTION=\"account.php\" METHOD=\"post\">\n";
$output .= "<B>Theme:</B><BR>\n";
### Loop (dynamically) through all available themes:
foreach ($themes as $key=>$value) {
$options .= "<OPTION VALUE=\"$key\"". (($user->theme == $key) ? " SELECTED" : "") .">$key - $value[1]</OPTION>";
$options1 .= " <OPTION VALUE=\"$key\"". (($user->theme == $key) ? " SELECTED" : "") .">$key - $value[1]</OPTION>\n";
}
$output .= "<SELECT NAME=\"edit[theme]\">$options</SELECT><BR>\n";
$output .= "<SELECT NAME=\"edit[theme]\">\n$options1</SELECT><BR>\n";
$output .= "<I>Selecting a different theme will change the look and feel of the site.</I><P>\n";
$output .= "<B>Timezone:</B><BR>\n";
$date = time() - date("Z");
for ($zone = -43200; $zone <= 43200; $zone += 3600) {
$options2 .= " <OPTION VALUE=\"$zone\"". (($user->timezone == $zone) ? " SELECTED" : "") .">". date("l, F dS, Y - h:i A", $date + $zone) ." (GMT ". $zone / 3600 .")</OPTION>\n";
}
$output .= "<SELECT NAME=\"edit[timezone]\">\n$options2</SELECT><BR>\n";
$output .= "<I>Select what time you currently have and your timezone settings will be set appropriate.</I><P>\n";
$output .= "<B>Maximum number of stories:</B><BR>\n";
$output .= "<INPUT NAME=\"edit[stories]\" MAXLENGTH=\"3\" SIZE=\"3\" VALUE=\"$user->stories\"><P>\n";
$output .= "<I>The maximum number of stories that will be displayed on the main page.</I><P>\n";
......@@ -143,7 +150,6 @@ function account_page_edit() {
$output .= "<INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Save page settings\"><BR>\n";
$output .= "</FORM>\n";
### Display output/content:
$theme->header();
$theme->box("Customize your page", $output);
$theme->footer();
......@@ -159,6 +165,7 @@ function account_page_save($edit) {
global $user;
if ($user->id) {
$data[theme] = $edit[theme];
$data[timezone] = $edit[timezone];
$data[stories] = $edit[stories];
$data[mode] = $edit[mode];
$data[sort] = $edit[sort];
......@@ -276,8 +283,6 @@ function account_register_enter($user = "", $error = "") {
function account_register_submit($new) {
global $theme, $mail, $sitename, $siteurl;
$siteurl = "www.drop.org"; // temporary solution
if ($rval = account_validate($new)) {
account_register_enter($new, "$rval");
}
......@@ -288,7 +293,7 @@ function account_register_submit($new) {
user_save($new);
$link = "http://$siteurl/account.php?op=confirm&name=$new[userid]&hash=$new[hash]";
$link = $siteurl ."account.php?op=confirm&name=$new[userid]&hash=$new[hash]";
$message = "$new[userid],\n\n\nsomeone signed up for a user account on $sitename and supplied this email address as their contact. If it wasn't you, don't get your panties in a knot and simply ignore this mail.\n\nIf this was you, you have to activate your account first before you can login. You can do so simply by visiting the URL below:\n\n $link\n\nVisiting this URL will automatically activate your account. Once activated you can login using the following information:\n\n username: $new[userid]\n password: $new[passwd]\n\n\n-- $sitename crew\n";
mail($new[real_email], "Account details for $sitename", $message, "From: noreply@$sitename");
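Review bot: account_page_save (hunk at `@@ -159,6 +165,7 @@`) stores `$edit[timezone]` without checking that it is one of the offsets the form generated, although format_date later does arithmetic on it and the new column is only `varchar(8)`; whatever the client submits is written through. Clamp it to the offered range before saving, e.g. `$tz = (int) $edit[timezone];` followed by `$data[timezone] = ($tz >= -43200 && $tz <= 43200 && $tz % 3600 == 0) ? $tz : 0;`. In the form loop, `$options2` is appended to before it is initialised, and `$user->timezone == $zone` is a loose comparison, so a user whose timezone column is still empty matches the GMT 0 entry — probably intended, but worth a comment. Both functions continue outside their hunks.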
......
......@@ -10,6 +10,7 @@
function account_display($order = "username") {
$sort = array("ID" => "id", "fake e-mail address" => "fake_email", "homepage" => "url", "hostname" => "last_host", "last access date" => "last_access", "real e-mail address" => "real_email", "real name" => "name", "status" => "status", "theme" => "theme", "username" => "userid");
$show = array("ID" => "id", "username" => "userid", "$order" => "$sort[$order]", "status" => "status");
$stat = array(0 => "blocked", 1 => "not confirmed", 2 => "open");
### Perform query:
$result = db_query("SELECT u.id, u.userid, u.$sort[$order], u.status FROM users u ORDER BY $sort[$order]");
......@@ -46,7 +47,7 @@ function account_display($order = "username") {
$output .= " <TD>". format_date($account[$value]) ."</TD>\n";
break;
case "status":
$output .= " <TD ALIGN=\"center\"><I>todo</I></TD>\n";
$output .= " <TD ALIGN=\"center\">". $stat[$account[$value]] ."</TD>\n";
break;
case "url":
$output .= " <TD>". format_url($account[$value]) ."</TD>\n";
......@@ -83,12 +84,14 @@ function account_comments($id) {
}
function account_view($name) {
### Perform query:
$status = array(0 => "blocked", 1 => "not confirmed", 2 => "open");
$result = db_query("SELECT * FROM users WHERE userid = '$name'");
if ($account = db_fetch_object($result)) {
$output .= "<TABLE BORDER=\"1\" CELLPADDING=\"3\" CELLSPACING=\"0\">\n";
$output .= " <TR><TD ALIGN=\"right\"><B>ID:</B></TD><TD>$account->id</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Status:</B></TD><TD>". $status[$account->status] ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Username:</B></TD><TD>$account->userid</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Real name:</B></TD><TD>". format_data($account->name) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Real e-mail address:</B></TD><TD>". format_email($account->real_email) ."</TD></TR>\n";
......@@ -137,7 +140,7 @@ function log_display($order = "date") {
$output .= " </TR>\n";
while ($log = db_fetch_object($result)) {
$output .= " <TR BGCOLOR=\"". $colors[$log->level] ."\"><TD>". date("D d/m, H:m:s", $log->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($log->userid, 1) ."</A></TD><TD>". substr($log->message, 0, 44) ."</TD><TD ALIGN=\"center\"><A HREF=\"admin.php?section=logs&op=view&id=$log->id\">more</A></TD></TR>\n";
$output .= " <TR BGCOLOR=\"". $colors[$log->level] ."\"><TD>". format_date($log->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($log->userid, 1) ."</A></TD><TD>". substr($log->message, 0, 44) ."</TD><TD ALIGN=\"center\"><A HREF=\"admin.php?section=logs&op=view&id=$log->id\">more</A></TD></TR>\n";
}
$output .= "</TABLE>\n";
......
......@@ -17,7 +17,7 @@ function diary_overview($num = 20) {
$output .= "<DL>\n";
$output .= " <DD><P><B>$diary->userid wrote:</B></P></DD>\n";
$output .= " <DL>\n";
$output .= " <DD><P>". check_output($diary->text) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$diary->userid\">more</A> ]</P></DD>\n";
$output .= " <DD><P>". check_output($diary->text, 1) ."</P><P>[ <A HREF=\"diary.php?op=view&name=$diary->userid\">more</A> ]</P></DD>\n";
$output .= " </DL>\n";
$output .= "</DL>\n";
}
......@@ -38,7 +38,7 @@ function diary_entry($timestamp, $text, $id = 0) {
else {
$output .= "<DL>\n";
$output .= " <DT><B>". date("l, F jS", $timestamp) .":</B></DT>\n";
$output .= " <DD><P>". check_output($text) ."</P></DD>\n";
$output .= " <DD><P>". check_output($text, 1) ."</P></DD>\n";
$output .= "</DL>\n";
}
return $output;
......@@ -97,7 +97,7 @@ function diary_edit($id) {
$output .= "<P>\n";
$output .= " <B>Edit diary entry:</B><BR>\n";
$output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". check_input(stripslashes($diary->text)) ."</TEXTAREA><BR>\n";
$output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". check_input($diary->text) ."</TEXTAREA><BR>\n";
$output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
$output .= "</P>\n";
......@@ -123,13 +123,14 @@ function diary_preview($text, $timestamp, $id = 0) {
$output .= "<P>\n";
$output .= " <B>Preview diary entry:</B><BR>\n";
$output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". stripslashes($text) ."</TEXTAREA><BR>\n";
$output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". check_output($text) ."</TEXTAREA><BR>\n";
$output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
$output .= "</P>\n";
$output .= "<P>\n";
$output .= " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$id\">\n";
$output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview diary entry\"> <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Submit diary entry\">\n";
$output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Preview diary entry\">\n";
$output .= " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"Submit diary entry\">\n";
$output .= "</P>\n";
$output .= "</FORM>\n";
......@@ -143,11 +144,11 @@ function diary_submit($text, $id = 0) {
global $user, $theme;
if ($id) {
db_query("UPDATE diaries SET text = '". addslashes($text) ."' WHERE id = $id");
db_query("UPDATE diaries SET text = '". check_input($text) ."' WHERE id = $id");
watchdog(1, "old diary entry updated");
}
else {
db_query("INSERT INTO diaries (author, text, timestamp) VALUES ('$user->id', '". addslashes($text) ."', '". time() ."')");
db_query("INSERT INTO diaries (author, text, timestamp) VALUES ('$user->id', '". check_input($text) ."', '". time() ."')");
watchdog(1, "new diary entry added");
}
header("Location: diary.php?op=view&name=$user->userid");
......
......@@ -4,20 +4,19 @@
# MySQL settings:
#
### www.drop.org:
### http://www.drop.org/:
#$dbhost = "zind.net";
#$dbuname = "droporg";
#$dbpass = "DropIes";
#$dbname = "droporg";
### beta.drop.org:
### http://beta.drop.org/:
$dbhost = "zind.net";
$dbuname = "dries";
$dbpass = "Abc123";
$dbname = "dries";
### localhost Dries:
### http://dione/:
#$dbhost = "";
#$dbuname = "dries";
#$dbpass = "oakley";
......@@ -27,12 +26,13 @@
# Name of the site
#
$sitename = "drop.org";
$siteurl = "http://www.drop.org/";
#
# Contact information:
# The contact information will be used to send out automated mails
# to users, account holders or visitors.
$contact_email = "droppies@zind.net";
$contact_email = "droppies@drop.org";
#
# Notify:
......@@ -49,12 +49,19 @@
$notify_email = $contact_email;
$notify_subject = "submission: ";
$notify_message = "New submission: '$subject'\n\n$story";
$notify_from = "droppies@zind.net";
$notify_from = "droppies@drop.org";
#
# Comment meta reasons:
#
$comment_votes = array("none" => "none", "-1" => "- 1", "0" => "+ 0", "+1" => "+ 1", "+2" => "+ 2", "+3" => "+ 3", "+4" => "+ 4", "+5" => "+ 5");
$comment_votes = array("none" => "none",
"-1" => "- 1",
"0" => "+ 0",
"+1" => "+ 1",
"+2" => "+ 2",
"+3" => "+ 3",
"+4" => "+ 4",
"+5" => "+ 5");
#
# Categories:
......@@ -82,7 +89,6 @@
#
$anonymous = "Anonymous Chicken";
#
# Themes:
# the first theme listed in the associative array `$themes' will
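Review bot: The live database passwords for all three hosts remain in this committed file (`$dbpass = ...` in the www, beta and dione blocks) and the commit only relabels the comments around them; credentials under version control are readable by anyone with access to the history, so they belong in an untracked local include (with a placeholder template committed) and should be rotated. The new `$siteurl` is concatenated directly with `account.php` in account_register_submit, so its trailing slash is load-bearing; say so next to the assignment: `# Base URL of the site; must end with a slash, other files append filenames to it.`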
......
......@@ -24,12 +24,14 @@ function check_field($message) {
}
function check_input($message) {
return strip_tags($message);
global $allowed_html;
return strip_tags(addslashes($message), $allowed_html);
}
function check_output($message) {
function check_output($message, $nl2br = 0) {
global $allowed_html;
return strip_tags(stripslashes($message), $allowed_html);
if ($nl2br == 1) return nl2br(strip_tags(stripslashes($message), $allowed_html));
else return strip_tags(stripslashes($message), $allowed_html);
}
function discussion_num_replies($id, $count = 0) {
......@@ -49,6 +51,10 @@ function format_plural($count, $one, $more) {
}
function format_date($timestamp, $type = "medium") {
global $user;
$timestamp += ($user->timezone) ? $user->timezone - date("Z") : 0;
switch ($type) {
case "small":
$date = date("D, m/d/y - H:i", $timestamp);
......
......@@ -12,8 +12,8 @@ function submission_displayMain() {
$content .= "<TABLE BORDER=\"0\" CELLSPACING=\"4\" CELLPADDING=\"4\">\n";
$content .= " <TR BGCOLOR=\"$bgcolor1\"><TH>Subject</TH><TH>Category</TH><TH>Date</TH><TH>Author</TH><TH>Score</TH></TR>\n";
while ($submission = db_fetch_object($result)) {
if (user_getHistory($user->history, "s$submission->id")) $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">". check_output($submission->subject) ."</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\">". submission_score($submission->id) ."</TD></TR>\n";
else $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">". check_output($submission->subject) ."</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">vote</A></TD></TR>\n";
if (user_getHistory($user->history, "s$submission->id")) $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">". stripslashes($submission->subject) ."</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\">". submission_score($submission->id) ."</TD></TR>\n";
else $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">". stripslashes($submission->subject) ."</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">vote</A></TD></TR>\n";
}
$content .= "</TABLE>\n";
......
......@@ -118,7 +118,7 @@ function submit_preview($subject, $abstract, $article, $category) {
$output .= "</FORM>\n";
$theme->header();
$theme->preview($user->userid, check_output($subject), check_output($abstract), "", check_output($article), date("l, F d, Y - H:i A", time()), check_output($category), "we-hate-typoes");
$theme->preview($user->userid, check_output($subject), check_output($abstract), "", check_output($article), format_date(time(), "extra large"), check_output($category), "we-hate-typoes");
$theme->box("Submit a story", $output);
$theme->footer();
}
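Review bot: The preview now passes the magic string `"extra large"` to format_date(), the same literal the marvin theme uses twice; the format_date hunk in this commit only shows the `"small"` case, so whether `"extra large"` is matched or silently falls through to a default cannot be confirmed from this page. Document the accepted `$type` values in a comment above format_date (listing each case and what an unknown value falls back to), or name them once as constants so a typo fails loudly. submit_preview's body begins before the hunk.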
......
......@@ -39,13 +39,17 @@ function header($title) {
<TABLE BORDER="0" CELLPADDING="8" CELLSPACING="0">
<TR>
<TD ROWSPAN="3" WIDTH="30">&nbsp;</TD>
<TD COLSPAN="2"><A HREF="" ><IMG SRC="themes/marvin/images/logo.gif" ALT="drop.org" BORDER="0"></A></TD>
<TD WIDTH="470"><A HREF=""><IMG SRC="themes/marvin/images/logo.gif" ALT="drop.org" BORDER="0"></A></TD>
<TD WIDTH="180">
<LI>Create an <A HREF="account.php?op=register">account</A> and <A HREF="submit.php">submit</A> new stories.</LI>
<LI>Send your questions, feedback and bug reports to <A HREF="mailto:info@drop.org">info@drop.org</A>.</LI>
</TD>
</TR>
<TR>
<TD ALIGN="right" COLSPAN="2"><SMALL><A HREF="">home</A> | <A HREF="faq.php">faq</A> | <A HREF="diary.php">diary</A> | <A HREF="search.php">search</A> | <A HREF="submit.php">submit news</A> | <A HREF="account.php">user account</A></SMALL></TD>
</TR>
<TR>
<TD VALIGN="top" WIDTH="470">
<TD VALIGN="top">
<?
}
......@@ -54,15 +58,13 @@ function header($title) {
# Description..: a function to draw an abstract story box, that is the
# boxes displayed on the main page.
function abstract($story) {
$story->timestamp = date("l, F d, Y - h:i:s A", $story->timestamp);
print "\n<!-- story: \"$story->subject\" -->\n";
print "<TABLE BORDER=\"0\" CELLPADDING=\"0\" CELLSPACING=\"2\" WIDTH=\"100%\">\n";
print " <TR><TD COLSPAN=\"2\"><IMG SRC=\"themes/marvin/images/drop.gif\" ALT=\"\"> &nbsp; <B>$story->subject</B></TD></TR>\n";
print " <TR VALIGN=\"bottom\"><TD COLSPAN=\"2\" BGCOLOR=\"#000000\" WIDTH=\"100%\"><IMG SRC=\"themes/marvin/images/pixel.gif\" WIDTH=\"1\" HEIGHT=\"0\" ALT=\"\"></TD></TR>\n";
print " <TR>\n";
print " <TD>\n";
print " <FONT COLOR=\"#7C7C7C\"><SMALL>Posted by ". format_username($story->userid) ." on $story->timestamp"; ?><? if ($story->department) print "<BR>from the $story->department dept."; ?><? print "</SMALL></FONT></TD><TD ALIGN=\"right\" VALIGN=\"top\" NOWRAP><SMALL><A HREF=\"search.php?category=". urlencode($story->category) ."\"><FONT COLOR=\"#83997A\">$story->category</FONT></A></SMALL>\n";
print " <FONT COLOR=\"#7C7C7C\"><SMALL>Posted by ". format_username($story->userid) ." on ". format_date($story->timestamp, "extra large"). ""; ?><? if ($story->department) print "<BR>from the $story->department dept."; ?><? print "</SMALL></FONT></TD><TD ALIGN=\"right\" VALIGN=\"top\" NOWRAP><SMALL><A HREF=\"search.php?category=". urlencode($story->category) ."\"><FONT COLOR=\"#83997A\">$story->category</FONT></A></SMALL>\n";
print " </TD>\n";
print " </TR>\n";
print " <TR><TD COLSPAN=\"2\">&nbsp;</TD></TR>\n";
......@@ -84,15 +86,13 @@ function abstract($story) {
# comments). It's what you get when you followed for
# instance one of read-more links on the main page.
function article($story, $reply) {
$story->timestamp = date("l, F d, Y - h:i:s A", $story->timestamp);
print "\n<!-- story: \"$story->subject\" -->\n";
print "<TABLE BORDER=\"0\" CELLPADDING=\"0\" CELLSPACING=\"2\" WIDTH=\"100%\">\n";
print " <TR><TD COLSPAN=\"2\"><IMG SRC=\"themes/marvin/images/drop.gif\" ALT=\"\"> &nbsp; <B>$story->subject</B></TD></TR>\n";
print " <TR VALIGN=\"bottom\"><TD COLSPAN=\"2\" BGCOLOR=\"#000000\" WIDTH=\"100%\"><IMG SRC=\"themes/marvin/images/pixel.gif\" WIDTH=\"1\" HEIGHT=\"0\" ALT=\"\"></TD></TR>\n";
print " <TR>\n";
print " <TD>\n";
print " <FONT COLOR=\"#7C7C7C\"><SMALL>Posted by ". format_username($story->userid) ." on $story->timestamp"; ?><? if ($story->department) print "<BR>from the $story->department dept."; ?><? print "</SMALL></FONT></TD><TD ALIGN=\"right\" VALIGN=\"top\" NOWRAP><SMALL><A HREF=\"search.php?category=". urlencode($story->category) ."\"><FONT COLOR=\"#83997A\">$story->category</FONT></A></SMALL>\n";
print " <FONT COLOR=\"#7C7C7C\"><SMALL>Posted by ". format_username($story->userid) ." on ". format_date($story->timestamp, "extra large") .""; ?><? if ($story->department) print "<BR>from the $story->department dept."; ?><? print "</SMALL></FONT></TD><TD ALIGN=\"right\" VALIGN=\"top\" NOWRAP><SMALL><A HREF=\"search.php?category=". urlencode($story->category) ."\"><FONT COLOR=\"#83997A\">$story->category</FONT></A></SMALL>\n";
print " </TD>\n";
print " </TR>\n";
print " <TR><TD COLSPAN=\"2\">&nbsp;</TD></TR>\n";
......@@ -283,7 +283,7 @@ function box($subject, $content) {
function footer() {
?>
</TD>
<TD VALIGN="top" WIDTH="180">
<TD VALIGN="top">
<?
global $PHP_SELF;
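Review bot: Both rewritten "Posted by" lines in abstract() and article() end the date expression with a no-op `. ""` (`format_date($story->timestamp, "extra large"). ""`), a leftover from the removed `$story->timestamp` reassignment; drop it. Removing that reassignment also changes what `$story->timestamp` holds for the rest of each function — a Unix timestamp rather than the formatted string — so any later use of the field beyond the hunk should be checked. The `?><? ... ?><?` toggling inside what reads as one print is hard to follow; `$dept = $story->department ? "<BR>from the $story->department dept." : "";` followed by a single print expresses the same. Both functions continue outside their hunks.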
......