author | Seb Sauvage <sebsauvage@sebsauvage.net> | 2012-01-11 22:17:28 +0100 |
---|---|---|
committer | Emilien Klein <emilien@klein.st> | 2012-01-11 22:17:28 +0100 |
commit | 45e88576b3e9658c9f4987d20e2241538b2b5185 (patch) | |
tree | fb841a5128446b846d8300264ccac2579e820293 | |
parent | 3433e5e8a84e3952502b79296f945e6dde2a7d75 (diff) | |
parent | 24e267ca714f591921eb659457332c3f7fea1930 (diff) | |
download | Shaarli-45e88576b3e9658c9f4987d20e2241538b2b5185.tar.gz Shaarli-45e88576b3e9658c9f4987d20e2241538b2b5185.tar.zst Shaarli-45e88576b3e9658c9f4987d20e2241538b2b5185.zip |
Version 0.0.33 beta:
- Corrected: XSS vulnerability patched (thanks to Stanislas D. !)
- Corrected: ATOM feed validates again.
-rw-r--r-- | index.php | 20 |
1 files changed, 13 insertions, 7 deletions
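--- a/index.php
+++ b/index.php
@@ -1,5 +1,5 @@
 <?php
-// Shaarli 0.0.32 beta - Shaare your links...
+// Shaarli 0.0.33 beta - Shaare your links...
 // The personal, minimalist, super-fast, no-database delicious clone. By sebsauvage.net
 // http://sebsauvage.net/wiki/doku.php?id=php:shaarli
 // Licence: http://www.opensource.org/licenses/zlib-license.php
@@ -58,7 +58,7 @@ header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
 header("Cache-Control: no-store, no-cache, must-revalidate");
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");
-define('shaarli_version','0.0.32 beta');
+define('shaarli_version','0.0.33 beta');
 if (!is_dir($GLOBALS['config']['DATADIR'])) { mkdir($GLOBALS['config']['DATADIR'],0705); chmod($GLOBALS['config']['DATADIR'],0705); }
 if (!is_file($GLOBALS['config']['DATADIR'].'/.htaccess')) { file_put_contents($GLOBALS['config']['DATADIR'].'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files.
 if ($GLOBALS['config']['ENABLE_LOCALCACHE'])
@@ -117,6 +117,12 @@ function logm($message)
 file_put_contents($GLOBALS['config']['DATADIR'].'/log.txt',$t,FILE_APPEND);
 }
 
+// Same as nl2br(), but escapes < and >
+function nl2br_escaped($html)
+{
+return str_replace('>','>',str_replace('<','<',nl2br($html)));
+}
+
 /* Returns the small hash of a string
 eg. smallHash('20111006_131924') --> yZH23w
 Small hashes:
@@ -515,8 +521,8 @@ class pageBuilder
 $this->tpl->assign('linkcount',count($LINKSDB));
 $this->tpl->assign('feedurl',htmlspecialchars(indexUrl()));
 $searchcrits=''; // Search criteria
-if (!empty($_GET['searchtags'])) $searchcrits.='&searchtags='.$_GET['searchtags'];
-elseif (!empty($_GET['searchterm'])) $searchcrits.='&searchterm='.$_GET['searchterm'];
+if (!empty($_GET['searchtags'])) $searchcrits.='&searchtags='.urlencode($_GET['searchtags']);
+elseif (!empty($_GET['searchterm'])) $searchcrits.='&searchterm='.urlencode($_GET['searchterm']);
 $this->tpl->assign('searchcrits',$searchcrits);
 $this->tpl->assign('source',indexUrl());
 $this->tpl->assign('version',shaarli_version);
@@ -791,7 +797,7 @@ function showATOM()
 if (startsWith($absurl,'?')) $absurl=$pageaddr.$absurl; // make permalink URL absolute
 $entries.='<entry><title>'.htmlspecialchars($link['title']).'</title><link href="'.$absurl.'" /><id>'.$guid.'</id>';
 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) $entries.='<updated>'.htmlspecialchars($iso8601date).'</updated>';
-$entries.='<summary>'.nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description']))))."</summary>\n";
+$entries.='<content type="html">'.htmlspecialchars(nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))))."</content>\n";
 if ($link['tags']!='') // Adding tags to each ATOM entry (as mentioned in ATOM specification)
 {
 foreach(explode(' ',$link['tags']) as $tag)
@@ -803,14 +809,14 @@ function showATOM()
 $feed='<?xml version="1.0" encoding="UTF-8"?><feed xmlns="http://www.w3.org/2005/Atom">';
 $feed.='<title>'.htmlspecialchars($GLOBALS['title']).'</title>';
 if (!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()) $feed.='<updated>'.htmlspecialchars($latestDate).'</updated>';
-$feed.='<link rel="self" href="'.htmlspecialchars($pageaddr).'" />';
+$feed.='<link rel="self" href="'.htmlspecialchars(serverUrl().$_SERVER["REQUEST_URI"]).'" />';
 if (!empty($GLOBALS['config']['PUBSUBHUB_URL']))
 {
 $feed.='<!-- PubSubHubbub Discovery -->';
 $feed.='<link rel="hub" href="'.htmlspecialchars($GLOBALS['config']['PUBSUBHUB_URL']).'" />';
 $feed.='<!-- End Of PubSubHubbub Discovery -->';
 }
-$feed.='<author><uri>'.htmlspecialchars($pageaddr).'</uri></author>';
+$feed.='<author><name>'.htmlspecialchars($pageaddr).'</name><uri>'.htmlspecialchars($pageaddr).'</uri></author>';
 $feed.='<id>'.htmlspecialchars($pageaddr).'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do.
 $feed.=$entries;
 $feed.='</feed>';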
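Review bot: The comment on `nl2br_escaped` in the `@@ -117,6 +117,12 @@` hunk understates what the function does: because the `<`/`>` replacement runs after `nl2br()`, the inserted `<br />` tags are escaped as well, so the return value is HTML carried as escaped text (the same form `showATOM()` builds by hand with `htmlspecialchars(nl2br(...))` for `<content type="html">`), not markup a browser will render. A comment such as `// nl2br() then escape < and > (including the inserted <br />): yields HTML-as-text, e.g. for embedding in XML` would make that contract clear to the next caller. As rendered on this page both `str_replace` calls replace a character with itself, which would make the helper a no-op; that is presumably an entity-decoding artefact of the page and the source uses `&lt;`/`&gt;`, but it is worth confirming, since a no-op escaper would silently undo the XSS fix this commit describes. None of the hunks shown call the new helper, so its intended call site lies outside this diff.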