aboutsummaryrefslogtreecommitdiff
path: root/engine/lib/input.php
diff options
context:
space:
mode:
Diffstat (limited to 'engine/lib/input.php')
-rw-r--r--engine/lib/input.php331
1 files changed, 259 insertions, 72 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 4ba6f500c..80b0b8766 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -8,46 +8,51 @@
*/
/**
- * Get some input from variables passed on the GET or POST line.
+ * Get some input from variables passed submitted through GET or POST.
+ *
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
*
* Note: this function does not handle nested arrays (ex: form input of param[m][n])
* because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still true?
*
- * @param string $variable The variable we want to return.
+ * @param string $variable The variable name we want.
* @param mixed $default A default value for the variable if it is not found.
- * @param bool $filter_result If true then the result is filtered for bad tags.
+ * @param bool $filter_result If true, then the result is filtered for bad tags.
*
- * @return string
+ * @return mixed
*/
function get_input($variable, $default = NULL, $filter_result = TRUE) {
global $CONFIG;
+ $result = $default;
+
+ elgg_push_context('input');
+
if (isset($CONFIG->input[$variable])) {
- $var = $CONFIG->input[$variable];
+ $result = $CONFIG->input[$variable];
if ($filter_result) {
- $var = filter_tags($var);
+ $result = filter_tags($result);
}
-
- return $var;
- }
-
- if (isset($_REQUEST[$variable])) {
+ } elseif (isset($_REQUEST[$variable])) {
if (is_array($_REQUEST[$variable])) {
- $var = $_REQUEST[$variable];
+ $result = $_REQUEST[$variable];
} else {
- $var = trim($_REQUEST[$variable]);
+ $result = trim($_REQUEST[$variable]);
}
if ($filter_result) {
- $var = filter_tags($var);
+ $result = filter_tags($result);
}
-
- return $var;
}
- return $default;
+ elgg_pop_context();
+
+ return $result;
}
/**
@@ -55,8 +60,8 @@ function get_input($variable, $default = NULL, $filter_result = TRUE) {
*
* Note: this function does not handle nested arrays (ex: form input of param[m][n])
*
- * @param string $variable The name of the variable
- * @param string $value The value of the variable
+ * @param string $variable The name of the variable
+ * @param string|string[] $value The value of the variable
*
* @return void
*/
@@ -83,7 +88,7 @@ function set_input($variable, $value) {
* @return mixed The filtered result - everything will be strings
*/
function filter_tags($var) {
- return trigger_plugin_hook('validate', 'input', null, $var);
+ return elgg_trigger_plugin_hook('validate', 'input', null, $var);
}
/**
@@ -98,20 +103,151 @@ function is_email_address($address) {
}
/**
+ * Load all the REQUEST variables into the sticky form cache
+ *
+ * Call this from an action when you want all your submitted variables
+ * available if the submission fails validation and is sent back to the form
+ *
+ * @param string $form_name Name of the sticky form
+ *
+ * @return void
+ * @link http://docs.elgg.org/Tutorials/UI/StickyForms
+ * @since 1.8.0
+ */
+function elgg_make_sticky_form($form_name) {
+
+ elgg_clear_sticky_form($form_name);
+
+ if (!isset($_SESSION['sticky_forms'])) {
+ $_SESSION['sticky_forms'] = array();
+ }
+ $_SESSION['sticky_forms'][$form_name] = array();
+
+ foreach ($_REQUEST as $key => $var) {
+ // will go through XSS filtering on the get function
+ $_SESSION['sticky_forms'][$form_name][$key] = $var;
+ }
+}
+
+/**
+ * Clear the sticky form cache
+ *
+ * Call this if validation is successful in the action handler or
+ * when they sticky values have been used to repopulate the form
+ * after a validation error.
+ *
+ * @param string $form_name Form namespace
+ *
+ * @return void
+ * @link http://docs.elgg.org/Tutorials/UI/StickyForms
+ * @since 1.8.0
+ */
+function elgg_clear_sticky_form($form_name) {
+ unset($_SESSION['sticky_forms'][$form_name]);
+}
+
+/**
+ * Has this form been made sticky?
+ *
+ * @param string $form_name Form namespace
+ *
+ * @return boolean
+ * @link http://docs.elgg.org/Tutorials/UI/StickyForms
+ * @since 1.8.0
+ */
+function elgg_is_sticky_form($form_name) {
+ return isset($_SESSION['sticky_forms'][$form_name]);
+}
+
+/**
+ * Get a specific sticky variable
+ *
+ * @param string $form_name The name of the form
+ * @param string $variable The name of the variable
+ * @param mixed $default Default value if the variable does not exist in sticky cache
+ * @param boolean $filter_result Filter for bad input if true
+ *
+ * @return mixed
+ *
+ * @todo should this filter the default value?
+ * @link http://docs.elgg.org/Tutorials/UI/StickyForms
+ * @since 1.8.0
+ */
+function elgg_get_sticky_value($form_name, $variable = '', $default = NULL, $filter_result = true) {
+ if (isset($_SESSION['sticky_forms'][$form_name][$variable])) {
+ $value = $_SESSION['sticky_forms'][$form_name][$variable];
+ if ($filter_result) {
+ // XSS filter result
+ $value = filter_tags($value);
+ }
+ return $value;
+ }
+ return $default;
+}
+
+/**
+ * Get all the values in a sticky form in an array
+ *
+ * @param string $form_name The name of the form
+ * @param bool $filter_result Filter for bad input if true
+ *
+ * @return array
+ * @since 1.8.0
+ */
+function elgg_get_sticky_values($form_name, $filter_result = true) {
+ if (!isset($_SESSION['sticky_forms'][$form_name])) {
+ return array();
+ }
+
+ $values = $_SESSION['sticky_forms'][$form_name];
+ if ($filter_result) {
+ foreach ($values as $key => $value) {
+ // XSS filter result
+ $values[$key] = filter_tags($value);
+ }
+ }
+ return $values;
+}
+
+/**
+ * Clear a specific sticky variable
+ *
+ * @param string $form_name The name of the form
+ * @param string $variable The name of the variable to clear
+ *
+ * @return void
+ * @link http://docs.elgg.org/Tutorials/UI/StickyForms
+ * @since 1.8.0
+ */
+function elgg_clear_sticky_value($form_name, $variable) {
+ unset($_SESSION['sticky_forms'][$form_name][$variable]);
+}
+
+/**
* Page handler for autocomplete endpoint.
*
- * @param array $page Pages array
+ * @todo split this into functions/objects, this is way too big
*
- * @return unknown_type
+ * /livesearch?q=<query>
+ *
+ * Other options include:
+ * match_on string all or array(groups|users|friends)
+ * match_owner int 0/1
+ * limit int default is 10
+ *
+ * @param array $page
+ * @return string JSON string is returned and then exit
+ * @access private
*/
function input_livesearch_page_handler($page) {
global $CONFIG;
+
// only return results to logged in users.
- if (!$user = get_loggedin_user()) {
+ if (!$user = elgg_get_logged_in_user_entity()) {
exit;
}
- if (!$q = get_input('q')) {
+ if (!$q = get_input('term', get_input('q'))) {
exit;
}
@@ -121,91 +257,123 @@ function input_livesearch_page_handler($page) {
$q = str_replace(array('_', '%'), array('\_', '\%'), $q);
$match_on = get_input('match_on', 'all');
- if ($match_on == 'all' || $match_on[0] == 'all') {
- $match_on = array('users', 'groups');
- }
if (!is_array($match_on)) {
$match_on = array($match_on);
}
+ // all = users and groups
+ if (in_array('all', $match_on)) {
+ $match_on = array('users', 'groups');
+ }
+
if (get_input('match_owner', false)) {
- $owner_guid = $user->getGUID();
$owner_where = 'AND e.owner_guid = ' . $user->getGUID();
} else {
- $owner_guid = null;
$owner_where = '';
}
- $limit = get_input('limit', 10);
+ $limit = sanitise_int(get_input('limit', 10));
// grab a list of entities and send them in json.
$results = array();
- foreach ($match_on as $type) {
- switch ($type) {
- case 'all':
- // only need to pull up title from objects.
-
- $options = array('owner_guid' => $owner_guid, 'limit' => $limit);
- if (!$entities = elgg_get_entities($options) AND is_array($entities)) {
- $results = array_merge($results, $entities);
- }
- break;
-
+ foreach ($match_on as $match_type) {
+ switch ($match_type) {
case 'users':
$query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as ue, {$CONFIG->dbprefix}entities as e
WHERE e.guid = ue.guid
AND e.enabled = 'yes'
AND ue.banned = 'no'
- AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
+ AND (ue.name LIKE '$q%' OR ue.name LIKE '% $q%' OR ue.username LIKE '$q%')
LIMIT $limit
";
if ($entities = get_data($query)) {
foreach ($entities as $entity) {
- $json = json_encode(array(
+ // @todo use elgg_get_entities (don't query in a loop!)
+ $entity = get_entity($entity->guid);
+ /* @var ElggUser $entity */
+ if (!$entity) {
+ continue;
+ }
+
+ if (in_array('groups', $match_on)) {
+ $value = $entity->guid;
+ } else {
+ $value = $entity->username;
+ }
+
+ $output = elgg_view_list_item($entity, array(
+ 'use_hover' => false,
+ 'class' => 'elgg-autocomplete-item',
+ ));
+
+ $icon = elgg_view_entity_icon($entity, 'tiny', array(
+ 'use_hover' => false,
+ ));
+
+ $result = array(
'type' => 'user',
'name' => $entity->name,
'desc' => $entity->username,
- 'icon' => '<img class="livesearch_icon" src="' .
- get_entity($entity->guid)->getIcon('tiny') . '" />',
- 'guid' => $entity->guid
- ));
- $results[$entity->name . rand(1, 100)] = $json;
+ 'guid' => $entity->guid,
+ 'label' => $output,
+ 'value' => $value,
+ 'icon' => $icon,
+ 'url' => $entity->getURL(),
+ );
+ $results[$entity->name . rand(1, 100)] = $result;
}
}
break;
case 'groups':
// don't return results if groups aren't enabled.
- if (!is_plugin_enabled('groups')) {
+ if (!elgg_is_active_plugin('groups')) {
continue;
}
$query = "SELECT * FROM {$CONFIG->dbprefix}groups_entity as ge, {$CONFIG->dbprefix}entities as e
WHERE e.guid = ge.guid
AND e.enabled = 'yes'
$owner_where
- AND (ge.name LIKE '$q%' OR ge.description LIKE '%$q%')
+ AND (ge.name LIKE '$q%' OR ge.name LIKE '% $q%' OR ge.description LIKE '% $q%')
LIMIT $limit
";
if ($entities = get_data($query)) {
foreach ($entities as $entity) {
- $json = json_encode(array(
+ // @todo use elgg_get_entities (don't query in a loop!)
+ $entity = get_entity($entity->guid);
+ /* @var ElggGroup $entity */
+ if (!$entity) {
+ continue;
+ }
+
+ $output = elgg_view_list_item($entity, array(
+ 'use_hover' => false,
+ 'class' => 'elgg-autocomplete-item',
+ ));
+
+ $icon = elgg_view_entity_icon($entity, 'tiny', array(
+ 'use_hover' => false,
+ ));
+
+ $result = array(
'type' => 'group',
'name' => $entity->name,
'desc' => strip_tags($entity->description),
- 'icon' => '<img class="livesearch_icon" src="'
- . get_entity($entity->guid)->getIcon('tiny') . '" />',
- 'guid' => $entity->guid
- ));
-
- $results[$entity->name . rand(1, 100)] = $json;
+ 'guid' => $entity->guid,
+ 'label' => $output,
+ 'value' => $entity->guid,
+ 'icon' => $icon,
+ 'url' => $entity->getURL(),
+ );
+
+ $results[$entity->name . rand(1, 100)] = $result;
}
}
break;
case 'friends':
- $access = get_access_sql_suffix();
$query = "SELECT * FROM
{$CONFIG->dbprefix}users_entity as ue,
{$CONFIG->dbprefix}entity_relationships as er,
@@ -216,36 +384,54 @@ function input_livesearch_page_handler($page) {
AND e.guid = ue.guid
AND e.enabled = 'yes'
AND ue.banned = 'no'
- AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
+ AND (ue.name LIKE '$q%' OR ue.name LIKE '% $q%' OR ue.username LIKE '$q%')
LIMIT $limit
";
if ($entities = get_data($query)) {
foreach ($entities as $entity) {
- $json = json_encode(array(
+ // @todo use elgg_get_entities (don't query in a loop!)
+ $entity = get_entity($entity->guid);
+ /* @var ElggUser $entity */
+ if (!$entity) {
+ continue;
+ }
+
+ $output = elgg_view_list_item($entity, array(
+ 'use_hover' => false,
+ 'class' => 'elgg-autocomplete-item',
+ ));
+
+ $icon = elgg_view_entity_icon($entity, 'tiny', array(
+ 'use_hover' => false,
+ ));
+
+ $result = array(
'type' => 'user',
'name' => $entity->name,
'desc' => $entity->username,
- 'icon' => '<img class="livesearch_icon" src="'
- . get_entity($entity->guid)->getIcon('tiny') . '" />',
- 'guid' => $entity->guid
- ));
- $results[$entity->name . rand(1, 100)] = $json;
+ 'guid' => $entity->guid,
+ 'label' => $output,
+ 'value' => $entity->username,
+ 'icon' => $icon,
+ 'url' => $entity->getURL(),
+ );
+ $results[$entity->name . rand(1, 100)] = $result;
}
}
break;
default:
- // arbitrary subtype.
- //@todo you cannot specify a subtype without a type.
- // did this ever work?
- elgg_get_entities(array('subtype' => $type, 'owner_guid' => $owner_guid));
+ header("HTTP/1.0 400 Bad Request", true);
+ echo "livesearch: unknown match_on of $match_type";
+ exit;
break;
}
}
ksort($results);
- echo implode($results, "\n");
+ header("Content-Type: application/json");
+ echo json_encode(array_values($results));
exit;
}
@@ -253,10 +439,11 @@ function input_livesearch_page_handler($page) {
* Register input functions and sanitize input
*
* @return void
+ * @access private
*/
function input_init() {
// register an endpoint for live search / autocomplete.
- register_page_handler('livesearch', 'input_livesearch_page_handler');
+ elgg_register_page_handler('livesearch', 'input_livesearch_page_handler');
if (ini_get_bool('magic_quotes_gpc')) {
@@ -330,4 +517,4 @@ function input_init() {
}
}
-register_elgg_event_handler('init', 'system', 'input_init');
+elgg_register_event_handler('init', 'system', 'input_init');
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-13 09:01:49 +0000