Added https to list of authorized protocols.

[github/shaarli/Shaarli.git] / index.php
diff --git a/index.php b/index.php

index f84ec17f58688244fabe5ac31790f110383fe0af..222f329587355f84d1bb1ad8af6f7ee345c581d1 100644 (file)
--- a/index.php
+++ b/index.php
@@ -96,6 +96,8 @@ require $GLOBALS['config']['CONFIG_FILE'];  // Read login/password hash into $GL
  if (empty($GLOBALS['title'])) $GLOBALS['title']='Shared links on '.htmlspecialchars(indexUrl());
  if (empty($GLOBALS['timezone'])) $GLOBALS['timezone']=date_default_timezone_get();
  if (empty($GLOBALS['disablesessionprotection'])) $GLOBALS['disablesessionprotection']=false;
+if (empty($GLOBALS['disablejquery'])) $GLOBALS['disablejquery']=false;
+// I really need to rewrite Shaarli with a proper configuation manager.
  
  autoLocale(); // Sniff browser language and set date format accordingly.
  header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling.
@@ -408,7 +410,9 @@ if (isset($_POST['login']))
      else
      {
          ban_loginFailed();
-        echo '<script language="JavaScript">alert("Wrong login/password.");document.location=\'?do=login\';</script>'; // Redirect to login screen.
+        $redir = '';
+        if (isset($_GET['post'])) { $redir = '&post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):'');  }
+        echo '<script language="JavaScript">alert("Wrong login/password.");document.location=\'?do=login'.$redir.'\';</script>'; // Redirect to login screen.
          exit;
      }
  }
@@ -1261,7 +1265,11 @@ function renderPage()
      if (isset($_GET['linksperpage']))
      {
          if (is_numeric($_GET['linksperpage'])) { $_SESSION['LINKS_PER_PAGE']=abs(intval($_GET['linksperpage'])); }
-        header('Location: '.(empty($_SERVER['HTTP_REFERER'])?'?':$_SERVER['HTTP_REFERER']));
+        // Make sure the referer is from Shaarli itself.
+        $referer = '?';
+        if (!empty($_SERVER['HTTP_REFERER']) && strcmp(parse_url($_SERVER['HTTP_REFERER'],PHP_URL_HOST),$_SERVER['SERVER_NAME'])==0)
+            $referer = $_SERVER['HTTP_REFERER'];
+        header('Location: '.$referer);
          exit;
      }
      
@@ -1276,7 +1284,11 @@ function renderPage()
          {
              unset($_SESSION['privateonly']); // See all links
          }
-        header('Location: '.(empty($_SERVER['HTTP_REFERER'])?'?':$_SERVER['HTTP_REFERER']));
+        // Make sure the referer is from Shaarli itself.
+        $referer = '?';
+        if (!empty($_SERVER['HTTP_REFERER']) && strcmp(parse_url($_SERVER['HTTP_REFERER'],PHP_URL_HOST),$_SERVER['SERVER_NAME'])==0)
+            $referer = $_SERVER['HTTP_REFERER'];
+        header('Location: '.$referer);
          exit;
      }
  
@@ -1350,6 +1362,7 @@ function renderPage()
              $GLOBALS['title']=$_POST['title'];
              $GLOBALS['redirector']=$_POST['redirector'];
              $GLOBALS['disablesessionprotection']=!empty($_POST['disablesessionprotection']);
+            $GLOBALS['disablejquery']=!empty($_POST['disablejquery']);
              writeConfig();
              echo '<script language="JavaScript">alert("Configuration was saved.");document.location=\'?do=tools\';</script>';
              exit;
@@ -1432,7 +1445,10 @@ function renderPage()
          if (!tokenOk($_POST['token'])) die('Wrong token.'); // Go away !
          $tags = trim(preg_replace('/\s\s+/',' ', $_POST['lf_tags'])); // Remove multiple spaces.
          $linkdate=$_POST['lf_linkdate'];
-        $link = array('title'=>trim($_POST['lf_title']),'url'=>trim($_POST['lf_url']),'description'=>trim($_POST['lf_description']),'private'=>(isset($_POST['lf_private']) ? 1 : 0),
+        $url = trim($_POST['lf_url']);
+        if (!startsWith($url,'http:') && !startsWith($url,'https:') && !startsWith($url,'ftp:') && !startsWith($url,'magnet:') && !startsWith($url,'?'))
+            $url = 'http://'.$url;
+        $link = array('title'=>trim($_POST['lf_title']),'url'=>$url,'description'=>trim($_POST['lf_description']),'private'=>(isset($_POST['lf_private']) ? 1 : 0),
                        'linkdate'=>$linkdate,'tags'=>str_replace(',',' ',$tags));
          if ($link['title']=='') $link['title']=$link['url']; // If title is empty, use the URL as title.
          $LINKSDB[$linkdate] = $link;
@@ -1951,6 +1967,11 @@ function lazyThumbnail($url,$href=false)
      $html='<a href="'.htmlspecialchars($t['href']).'">';
      
      // Lazy image (only loaded by javascript when in the viewport).
+    if (!empty($GLOBALS['disablejquery'])) // (except if jQuery is disabled)
+        $html.='<img class="lazyimage" src="'.htmlspecialchars($t['src']).'"';
+    else
+        $html.='<img class="lazyimage" src="#" data-original="'.htmlspecialchars($t['src']).'"';
+
      $html.='<img class="lazyimage" src="#" data-original="'.htmlspecialchars($t['src']).'"';
      if (!empty($t['width']))  $html.=' width="'.htmlspecialchars($t['width']).'"';
      if (!empty($t['height'])) $html.=' height="'.htmlspecialchars($t['height']).'"';
@@ -1958,7 +1979,7 @@ function lazyThumbnail($url,$href=false)
      if (!empty($t['alt']))    $html.=' alt="'.htmlspecialchars($t['alt']).'"';
      $html.='>';
      
-    // No-javascript fallback:
+    // No-javascript fallback.
      $html.='<noscript><img src="'.htmlspecialchars($t['src']).'"';
      if (!empty($t['width']))  $html.=' width="'.htmlspecialchars($t['width']).'"';
      if (!empty($t['height'])) $html.=' height="'.htmlspecialchars($t['height']).'"';
@@ -2065,8 +2086,8 @@ function templateTZform($ptz=false)
          foreach($continents as $continent)
              $continents_html.='<option  value="'.$continent.'"'.($pcontinent==$continent?'selected':'').'>'.$continent.'</option>';
          $cities_html = $cities[$pcontinent];
-        $timezone_form = "Continent: <select name=\"continent\" id=\"continent\" onChange=\"onChangecontinent();\">${continents_html}</select><br /><br />";
-        $timezone_form .= "City: <select name=\"city\" id=\"city\">${cities[$pcontinent]}</select><br /><br />";
+        $timezone_form = "Continent: <select name=\"continent\" id=\"continent\" onChange=\"onChangecontinent();\">${continents_html}</select>";
+        $timezone_form .= "&nbsp;&nbsp;&nbsp;&nbsp;City: <select name=\"city\" id=\"city\">${cities[$pcontinent]}</select><br />";
          $timezone_js = "<script language=\"JavaScript\">";
          $timezone_js .= "function onChangecontinent(){document.getElementById(\"city\").innerHTML = citiescontinent[document.getElementById(\"continent\").value];}";
          $timezone_js .= "var citiescontinent = ".json_encode($cities).";" ;
@@ -2137,12 +2158,11 @@ function processWS()
  function writeConfig()
  {
      if (is_file($GLOBALS['config']['CONFIG_FILE']) && !isLoggedIn()) die('You are not authorized to alter config.'); // Only logged in user can alter config.
-    if (empty($GLOBALS['redirector'])) $GLOBALS['redirector']='';
-    if (empty($GLOBALS['disablesessionprotection'])) $GLOBALS['disablesessionprotection']=false;
      $config='<?php $GLOBALS[\'login\']='.var_export($GLOBALS['login'],true).'; $GLOBALS[\'hash\']='.var_export($GLOBALS['hash'],true).'; $GLOBALS[\'salt\']='.var_export($GLOBALS['salt'],true).'; ';
      $config .='$GLOBALS[\'timezone\']='.var_export($GLOBALS['timezone'],true).'; date_default_timezone_set('.var_export($GLOBALS['timezone'],true).'); $GLOBALS[\'title\']='.var_export($GLOBALS['title'],true).';';
      $config .= '$GLOBALS[\'redirector\']='.var_export($GLOBALS['redirector'],true).'; ';
      $config .= '$GLOBALS[\'disablesessionprotection\']='.var_export($GLOBALS['disablesessionprotection'],true).'; ';
+    $config .= '$GLOBALS[\'disablejquery\']='.var_export($GLOBALS['disablejquery'],true).'; ';
      $config .= ' ?>';
      if (!file_put_contents($GLOBALS['config']['CONFIG_FILE'],$config) || strcmp(file_get_contents($GLOBALS['config']['CONFIG_FILE']),$config)!=0)
      {