------------------------------------------------------------
revno: 907
committer: Roger Martin <[email protected]>
branch nick: aikiframework
timestamp: Sun 2011-10-09 22:35:24 +0200
message:
  security corrected
modified:
  src/libs/security.php


=== modified file 'src/libs/security.php'
--- src/libs/security.php	2011-06-15 03:27:33 +0000
+++ src/libs/security.php	2011-10-09 20:35:24 +0000
@@ -33,6 +33,8 @@
     /**
      * Comb through and remove some scary markup from the fields.
      * 
+     * Tag (including child) form, edit, script and iframe will be removed.
+     * 
      * @param   string  $text   text for processing
      * @return  string
      */
@@ -53,36 +55,33 @@
      * Handle inline permission.
 	 *
 	 * @param	string		$text		text for processing
-	 * @global	membership	$membership	global membership instance
-	 * @global	array		$db			global db instance
+	 * @return  string 		text parsed.
+	 * @global	aiki	    $aiki   	
+	 * @global	array		$db			
      */
 	public function inlinePermissions($text)
     {
-		global $membership, $db;
+		global $aiki, $db;
 			
-		$inline = preg_match_all('/\(\#\(permissions\:(.*)\)\#\)/Us', 
-								 $text, $matchs);
-		if ($inline > 0)
-		{
-			foreach ($matchs[1] as $inline_per)
+		if ( preg_match_all('/\(\#\(permissions\:(.*)\)\#\)/Us', $text, $matchs)){
+			foreach ($matchs[1] as $i=>$inline_per)
 			{
-				$get_sides = explode("||", $inline_per);
-                
-                $side1=  isset($get_sides[1]) ? "||" .$get_sides[1] : "";
-				$get_group_level = $db->get_var ("SELECT group_level from " .
-				"aiki_users_groups where group_permissions='$get_sides[0]'");
+				// tip to capture always two elements.
+				$get_sides = explode("||", $inline_per."||",2);
+                                
+                $sql = "SELECT group_level" .
+                       " FROM  aiki_users_groups".
+                       " WHERE group_permissions='". addslashes($get_sides[0]) ."'";
+                                
+				$get_group_level = $db->get_var ($sql);
 
-				if ($get_sides[0] == $membership->permissions or 
-					$membership->group_level < $get_group_level)
-				{
-					$text = 
-						str_replace("(#(permissions:{$get_sides[0]}$side1)#)", 
-									$get_sides[1], $text);
-				}else{            
-					$text = 
-						str_replace("(#(permissions:{$get_sides[0]}$side1)#)", 
-									'', $text);
+				if ($get_sides[0] == $aiki->membership->permissions ||
+					$aiki->membership->group_level < $get_group_level){
+					$replace = $get_sides[1];
+				} else {            
+					$replace = "";						
 				}
+				$text = str_replace($matchs[0][$i],$replace, $text);
 			}
 		}
 		return $text;
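Review bot: The `addslashes()` call in the `WHERE group_permissions='…'` clause is not a reliable SQL escape, so the injection the commit sets out to close is only partly closed: `addslashes()` is not connection-charset-aware and does not go through the database driver, and `$get_sides[0]` is lifted verbatim from the `(#(permissions:…)#)` markup found in `$text`, which is whatever content this filter is applied to. The value should be bound as a query parameter, or escaped with the database layer's own escaping routine, rather than passed through `addslashes()`; at minimum add `// NOTE: addslashes() is not charset-aware — bind this as a parameter or use the db layer's escape` above the `$sql` assembly. The permission check `$get_sides[0] == $aiki->membership->permissions` uses loose comparison, which treats numeric-looking strings as numbers; `===` is the safer form for comparing permission names. I would also document in the docblock that a permission name matching no row in `aiki_users_groups` causes the block to be removed, since `get_var` then yields null and the `<` comparison never grants access — that is the fail-closed default, and it is worth stating. The closing brace of `inlinePermissions` lies outside the hunk.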
