Nucleus CMS日本語版用プラグインのうち、日本語版開発者がサポートしているもの
Revision | 0fc5988748083128a86cbf36afafba564075f9ad (tree) |
---|---|
Time | 2006-11-26 02:27:12 |
Author | satona <satona@1ca2...> |
Commiter | satona |
再チェック
git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/plugin@491 1ca29b6e-896d-4ea0-84a5-967f57386b96
@@ -95,7 +95,7 @@ ADD `ordid` INT( 11 ) DEFAULT '100' NOT NULL AFTER `parentid` ; | ||
95 | 95 | } |
96 | 96 | if (!in_array("subcategories",$names)) { |
97 | 97 | sql_query ('ALTER TABLE '.sql_table('plug_multiple_categories').' ADD subcategories varchar(255) not null'); |
98 | - sql_query('ALTER TABLE ' . sql_table('plug_multiple_categories'). ' MODIFY categories varchar(255) not null'); | |
98 | + sql_query('ALTER TABLE ' .sql_table('plug_multiple_categories').' MODIFY categories varchar(255) not null'); | |
99 | 99 | } |
100 | 100 | $query = 'CREATE TABLE IF NOT EXISTS '. sql_table('plug_multiple_categories_sub'). '(' |
101 | 101 | . 'scatid int(11) not null auto_increment,' |
@@ -172,13 +172,13 @@ ADD `ordid` INT( 11 ) DEFAULT '100' NOT NULL AFTER `parentid` ; | ||
172 | 172 | $subcatid = intRequestVar($this->getRequestName()); |
173 | 173 | } |
174 | 174 | if ($subcatid && !$catid) { |
175 | - $catid = intval($this->_getParentCatID($subcatid)); | |
175 | + $catid = intval($this->_getParentCatID($subcatid));//Intval is not needed. ($subcatid) <sato(na)0.5j /> | |
176 | 176 | if (!$catid) { |
177 | 177 | $subcatid = null; |
178 | 178 | $catid = null; |
179 | 179 | } |
180 | 180 | } elseif ($subcatid) { |
181 | - $pcatid = intval($this->_getParentCatID($subcatid)); | |
181 | + $pcatid = intval($this->_getParentCatID($subcatid));//Intval is not needed. ($subcatid) <sato(na)0.5j /> | |
182 | 182 | if ($pcatid != $catid) $subcatid = null; |
183 | 183 | } |
184 | 184 |
@@ -223,7 +223,7 @@ ADD `ordid` INT( 11 ) DEFAULT '100' NOT NULL AFTER `parentid` ; | ||
223 | 223 | $query = 'SELECT scatid FROM '.sql_table('plug_multiple_categories_sub').' WHERE catid=' . intval($id); |
224 | 224 | $res = sql_query($query); |
225 | 225 | while ($row = mysql_fetch_row($res)){ |
226 | - $aResult[] = $row[0]; | |
226 | + $aResult[] = intval($row[0]); //<sato(na)0.5j />ultrarich | |
227 | 227 | } |
228 | 228 | return $aResult; |
229 | 229 | } |
@@ -286,11 +286,11 @@ ADD `ordid` INT( 11 ) DEFAULT '100' NOT NULL AFTER `parentid` ; | ||
286 | 286 | return explode(",", $subOrderString); |
287 | 287 | } |
288 | 288 | function _getSubOrder($pid){ |
289 | - $sql_str = 'SELECT scatid FROM '.sql_table('plug_multiple_categories_sub').' WHERE parentid='.$pid.' ORDER BY ordid'; | |
289 | + $sql_str = 'SELECT scatid FROM '.sql_table('plug_multiple_categories_sub').' WHERE parentid='.intval($pid).' ORDER BY ordid'; //<sato(na)0.5j /> | |
290 | 290 | $qid_scat = mysql_query($sql_str); |
291 | 291 | if ($qid_scat === FALSE) return ''; //<sato(na)0.403j /> |
292 | 292 | $scat_str = ''; |
293 | - while ($row_scat = mysql_fetch_object($qid_scat)) $scat_str .= ',' . $row_scat->scatid . $this->_getSubOrder($row_scat->scatid); | |
293 | + while ($row_scat = mysql_fetch_object($qid_scat)) $scat_str .= ',' . intval($row_scat->scatid) . $this->_getSubOrder($row_scat->scatid); //<sato(na)0.5j /> | |
294 | 294 | return $scat_str; |
295 | 295 | } |
296 | 296 | function permuteSubcategories($subcategories){ |
@@ -313,11 +313,11 @@ function orderKey(key, sequence) { | ||
313 | 313 | while($row = mysql_fetch_array($res)) { |
314 | 314 | //<sato(na)0.5j> |
315 | 315 | echo 'scatDat['.($i++).'] = new setScatDat('. |
316 | - $row['scatid']. | |
316 | + intval($row['scatid']). | |
317 | 317 | ' , "'. |
318 | - addslashes($row['sname']). | |
318 | + htmlspecialchars($row['sname'], ENT_QUOTES). | |
319 | 319 | '", "'. |
320 | - addslashes($row['sdesc']). | |
320 | + htmlspecialchars($row['sdesc'], ENT_QUOTES). | |
321 | 321 | '");'."\n"; |
322 | 322 | //</sato(na)0.5j> |
323 | 323 | } |
@@ -335,7 +335,7 @@ function orderKey(key, sequence) { | ||
335 | 335 | } |
336 | 336 | } |
337 | 337 | |
338 | - function event_AddItemFormExtras($data) { | |
338 | + function event_AddItemFormExtras($data) { | |
339 | 339 | $aCategories = $this->_getCategories($data['blog']->blogid); |
340 | 340 | if(count($aCategories) > 1) { |
341 | 341 | $this->showForm($aCategories,$data['itemid']); |
@@ -358,20 +358,20 @@ function orderKey(key, sequence) { | ||
358 | 358 | if (!count($aDefinedScats)) return; |
359 | 359 | |
360 | 360 | $itemScats = array(); |
361 | - if($subcatlist = $this->_getSubCategories($itemid)) | |
361 | + if($subcatlist = $this->_getSubCategories($itemid))//Intval is not needed. ($itemid) <sato(na)0.5j /> | |
362 | 362 | $itemScats = explode(",",$subcatlist); |
363 | 363 | |
364 | 364 | //<sato(na)>$snum = 0;</sato(na)> |
365 | 365 | echo '<h3>Multiple Categories</h3>'; |
366 | 366 | echo "<fieldset><legend>Sub Categories</legend>"; |
367 | 367 | //<sato(na)> |
368 | - $sql_str = 'SELECT * FROM '.sql_table('plug_multiple_categories_sub').' WHERE catid='.$aCategories[0]['catid'].' AND parentid=0'; | |
368 | + $sql_str = 'SELECT * FROM '.sql_table('plug_multiple_categories_sub').' WHERE catid='.intval($aCategories[0]['catid']).' AND parentid=0'; //<sato(na)0.5j /> | |
369 | 369 | $qid = sql_query($sql_str); |
370 | 370 | while ($aSub = mysql_fetch_assoc($qid)) { |
371 | 371 | $schecked = (in_array($aSub['scatid'], $itemScats)) ? " checked=checked" : ""; |
372 | 372 | echo '<input type="checkbox" id="npmc_scat'.$aSub['scatid'].'" name="npmc_scat['.$aSub['scatid'].']"'.$schecked.' value="'.$aSub['scatid'].'" />'; |
373 | - echo '<label for="npmc_scat'.$aSub['scatid'].'">'.htmlspecialchars($aSub['sname']).'</label><br />'; | |
374 | - echo $this->showFormHierarchical($aSub['scatid'], $itemScats); | |
373 | + echo '<label for="npmc_scat'.$aSub['scatid'].'">'.htmlspecialchars($aSub['sname'], ENT_QUOTES).'</label><br />'; //<sato(na)0.5j /> | |
374 | + $this->showFormHierarchical($aSub['scatid'], $itemScats); //<sato(na)0.5j /> | |
375 | 375 | } |
376 | 376 | //</sato(na)> |
377 | 377 | echo "</fieldset>"; |
@@ -380,9 +380,9 @@ function orderKey(key, sequence) { | ||
380 | 380 | function showForm($aCategories,$itemid) { |
381 | 381 | $itemcats = array(); |
382 | 382 | $itemScats = array(); |
383 | - if($multicatlist = $this->_getMultiCategories($itemid)) | |
383 | + if($multicatlist = $this->_getMultiCategories($itemid))//Intval is not needed. ($itemid) <sato(na)0.5j /> | |
384 | 384 | $itemcats = explode(",",$multicatlist); |
385 | - if($subcatlist = $this->_getSubCategories($itemid)) | |
385 | + if($subcatlist = $this->_getSubCategories($itemid))//Intval is not needed. ($itemid) <sato(na)0.5j /> | |
386 | 386 | $itemScats = explode(",",$subcatlist); |
387 | 387 | |
388 | 388 | echo '<h3 style="margin-bottom:0px;">Multiple Categories</h3>'; |
@@ -396,20 +396,20 @@ function orderKey(key, sequence) { | ||
396 | 396 | if(in_array($aCategory['catid'],$itemcats)) $checked = " checked=checked"; |
397 | 397 | echo '<tr><td>'; |
398 | 398 | echo '<input type="checkbox" id="npmc_cat'.$num.'" name="npmc_cat['.$num.']"'.$checked.' value="'.$aCategory['catid'].'" />'; |
399 | - echo '<label for="npmc_cat'.$num.'">'.htmlspecialchars($aCategory['name']); | |
400 | - if ($aCategory['cdesc']) echo "(".$aCategory['cdesc'].")"; | |
399 | + echo '<label for="npmc_cat'.$num.'">'.htmlspecialchars($aCategory['name'], ENT_QUOTES); //<sato(na)0.5j /> | |
400 | + if ($aCategory['cdesc']) echo "(".htmlspecialchars($aCategory['cdesc'], ENT_QUOTES).")"; //<sato(na)0.5j /> | |
401 | 401 | echo '</label>'; |
402 | 402 | $num ++; |
403 | 403 | //<sato(na)> |
404 | - $sql_str = 'SELECT * FROM '.sql_table('plug_multiple_categories_sub').' WHERE catid='.$aCategory['catid'].' AND parentid=0'; | |
404 | + $sql_str = 'SELECT * FROM '.sql_table('plug_multiple_categories_sub').' WHERE catid='.intval($aCategory['catid']).' AND parentid=0'; //<sato(na)0.5j /> | |
405 | 405 | $qid = sql_query($sql_str); |
406 | 406 | if (mysql_num_rows($qid)) { |
407 | 407 | echo "<fieldset style=\"margin-left:1.5em;border:none\">"; |
408 | 408 | while ($aSub = mysql_fetch_assoc($qid)) { |
409 | 409 | $schecked = (in_array($aSub['scatid'], $itemScats)) ? " checked=checked" : ""; |
410 | 410 | echo '<input type="checkbox" id="npmc_scat'.$aSub['scatid'].'" name="npmc_scat['.$aSub['scatid'].']"'.$schecked.' value="'.$aSub['scatid'].'" />'; |
411 | - echo '<label for="npmc_scat'.$aSub['scatid'].'">'.htmlspecialchars($aSub['sname']).'</label><br />'; | |
412 | - echo $this->showFormHierarchical($aSub['scatid'], $itemScats); | |
411 | + echo '<label for="npmc_scat'.$aSub['scatid'].'">'.htmlspecialchars($aSub['sname'], ENT_QUOTES).'</label><br />'; //<sato(na)0.5j /> | |
412 | + $this->showFormHierarchical($aSub['scatid'], $itemScats); //<sato(na)0.5j /> | |
413 | 413 | } |
414 | 414 | echo "</fieldset>"; |
415 | 415 | } |
@@ -426,8 +426,8 @@ function orderKey(key, sequence) { | ||
426 | 426 | while ($aSub = mysql_fetch_assoc($qid)) { |
427 | 427 | $schecked = (in_array($aSub['scatid'], $itemScats)) ? " checked=checked" : ""; |
428 | 428 | echo '<input type="checkbox" id="npmc_scat'.$aSub['scatid'].'" name="npmc_scat['.$aSub['scatid'].']"'.$schecked.' value="'.$aSub['scatid'].'" />'; |
429 | - echo '<label for="npmc_scat'.$aSub['scatid'].'">'.htmlspecialchars($aSub['sname']).'</label><br />'; | |
430 | - echo $this->showFormHierarchical($aSub['scatid'], $itemScats); | |
429 | + echo '<label for="npmc_scat'.$aSub['scatid'].'">'.htmlspecialchars($aSub['sname'], ENT_QUOTES).'</label><br />'; //<sato(na)0.5j /> | |
430 | + $this->showFormHierarchical($aSub['scatid'], $itemScats); //<sato(na)0.5j /> | |
431 | 431 | } |
432 | 432 | echo "</div>"; |
433 | 433 | } |
@@ -494,7 +494,7 @@ function orderKey(key, sequence) { | ||
494 | 494 | $value .= ', ""'; |
495 | 495 | } |
496 | 496 | |
497 | - $query = 'REPLACE INTO '.sql_table('plug_multiple_categories').' (item_id,categories,subcategories) VALUES('.intval($itemid).$value.');'; | |
497 | + $query = 'REPLACE INTO '.sql_table('plug_multiple_categories').' (item_id,categories,subcategories) VALUES('.intval($itemid).$value.');'; //$value : addslashes | |
498 | 498 | sql_query($query); |
499 | 499 | } |
500 | 500 |
@@ -522,11 +522,12 @@ function orderKey(key, sequence) { | ||
522 | 522 | $o->categories = preg_replace("/^(?:(.*),)?$catid(?:,(.*))?$/","$1,$2",$o->categories); |
523 | 523 | $o->subcategories = preg_replace("/^(?:(.*),)?$catid(?:,(.*))?$/","$1,$2",$o->subcategories); |
524 | 524 | if ((!$o->categories || $o->categories == ',') && (!$o->subcategories || $o->subcategories == ',')) { |
525 | - $del[] = $o->item_id; | |
525 | + $del[] = intval($o->item_id); //<sato(na)0.5j />ultrarich | |
526 | 526 | } else { |
527 | 527 | $o->categories = preg_replace("/(^,+|(?<=,),+|,+$)/","",$o->categories); |
528 | 528 | $o->subcategories = preg_replace("/(^,+|(?<=,),+|,+$)/","",$o->subcategories); |
529 | - $up[] = "UPDATE ". sql_table("plug_multiple_categories") ." SET categories='".addslashes($o->categories)."', subcategories='".addslashes($o->subcategories)."' WHERE item_id=".$o->item_id; | |
529 | + $up[] = "UPDATE ". sql_table("plug_multiple_categories") ." SET categories='".addslashes($o->categories). | |
530 | + "', subcategories='".addslashes($o->subcategories)."' WHERE item_id=".intval($o->item_id); //<sato(na)0.5j />ultrarich | |
530 | 531 | } |
531 | 532 | } |
532 | 533 |
@@ -546,7 +547,7 @@ function orderKey(key, sequence) { | ||
546 | 547 | $params = func_get_args(); |
547 | 548 | // item skin |
548 | 549 | if ($params[0] == 'item' && $params[1] != "1") { |
549 | - if ($itemid) $this->_parseItem($params[1], $itemid); | |
550 | + if ($itemid) $this->_parseItem($params[1], intval($itemid));//<sato(na)0.5j /> | |
550 | 551 | return; |
551 | 552 | } |
552 | 553 |
@@ -554,17 +555,17 @@ function orderKey(key, sequence) { | ||
554 | 555 | switch ($params[2]) { |
555 | 556 | case 'id': |
556 | 557 | if (!$subcatid || !$catid) return; |
557 | - echo $subcatid; | |
558 | + echo intval($subcatid);//<sato(na)0.5j /> | |
558 | 559 | return; |
559 | 560 | break; |
560 | 561 | case 'desc': |
561 | 562 | if (!$subcatid || !$catid) return; |
562 | - echo htmlspecialchars($this->_getScatDescFromID($subcatid)); | |
563 | + echo htmlspecialchars($this->_getScatDescFromID($subcatid), ENT_QUOTES);//Intval is not needed. ($subcatid) <sato(na)0.5j /> | |
563 | 564 | return; |
564 | 565 | break; |
565 | 566 | case 'name': |
566 | 567 | if (!$subcatid || !$catid) return; |
567 | - echo htmlspecialchars($this->_getScatNameFromID($subcatid)); | |
568 | + echo htmlspecialchars($this->_getScatNameFromID($subcatid), ENT_QUOTES);//Intval is not needed. ($subcatid) <sato(na)0.5j /> | |
568 | 569 | return; |
569 | 570 | break; |
570 | 571 | case 'url': |
@@ -575,18 +576,19 @@ function orderKey(key, sequence) { | ||
575 | 576 | $b =& $manager->getBlog($CONF['DefaultBlog']); |
576 | 577 | } |
577 | 578 | $this->_setCommonData($b->getID()); |
578 | - $sparams = array_merge($this->param,array($this->getRequestName() => $subcatid)); | |
579 | - $url = createCategoryLink($catid, $sparams); | |
579 | + $sparams = array_merge($this->param, array($this->getRequestName() => intval($subcatid)));//<sato(na)0.5j /> | |
580 | + $url = createCategoryLink(intval($catid), $sparams);//<sato(na)0.5j /> | |
580 | 581 | if ($CONF['URLMode'] != 'pathinfo') { |
581 | 582 | list(,$temp_param) = explode("?",$url); |
582 | 583 | $url = $this->url. "?" . $temp_param; |
583 | 584 | } |
584 | - echo $url; | |
585 | + $url = preg_replace(array("/</", "/>/"), array("<", ">"), $url); //<sato(na)0.5j /> | |
586 | + echo $url; //$sparams escape OK <sato(na)0.5j /> | |
585 | 587 | return; |
586 | 588 | break; |
587 | 589 | case 'link': |
588 | 590 | if ($params[0] != 'item') return; |
589 | - $item = $this->_getItemObject($itemid); | |
591 | + $item = $this->_getItemObject(intval($itemid));//<sato(na)0.5j /> | |
590 | 592 | if ($item) { |
591 | 593 | $this->doTemplateVar(&$item); |
592 | 594 | } |
@@ -601,17 +603,18 @@ function orderKey(key, sequence) { | ||
601 | 603 | $bid = $b->getID(); |
602 | 604 | $this->_setCommonData($bid); |
603 | 605 | $cur_params = array(); |
604 | - if ($catid) $cur_params['catid'] = $catid; | |
606 | + if ($catid) $cur_params['catid'] = intval($catid);//<sato(na)0.5j /> | |
605 | 607 | if ($subcatid) { |
606 | 608 | $rname = $this->getRequestName(); |
607 | - $cur_params[$rname] = $subcatid; | |
609 | + $cur_params[$rname] = intval($subcatid);//<sato(na)0.5j /> | |
608 | 610 | } |
609 | 611 | $url = createArchiveListLink($bid, $cur_params); |
610 | 612 | if ($CONF['URLMode'] != 'pathinfo') { |
611 | 613 | list(,$temp_param) = explode("?",$url); |
612 | 614 | $url = $this->url. "?" . $temp_param; |
613 | 615 | } |
614 | - echo $url; | |
616 | + $url = preg_replace(array("/</", "/>/"), array("<", ">"), $url); //<sato(na)0.5j /> | |
617 | + echo $url; //$cur_params escape OK <sato(na)0.5j /> | |
615 | 618 | return; |
616 | 619 | break; |
617 | 620 | case 'categorylist': |
@@ -639,13 +642,12 @@ function orderKey(key, sequence) { | ||
639 | 642 | $b =& $manager->getBlog($CONF['DefaultBlog']); |
640 | 643 | } |
641 | 644 | |
642 | - $mycatid = 0; | |
643 | - if ($catid) $mycatid = $catid; | |
644 | - $mysubcatid = 0; | |
645 | - if ($subcatid) $mysubcatid = $subcatid; | |
645 | + $mycatid = ($catid) ? intval($catid) : 0;//<sato(na)0.5j /> | |
646 | + $mysubcatid = ($subcatid) ? intval($subcatid) : 0;//<sato(na)0.5j /> | |
646 | 647 | $templateName = $params[1]; |
647 | 648 | $amountEntries = 0; |
648 | 649 | $offset = 0; |
650 | + $startpos = intval($startpos);//<sato(na)0.5j /> | |
649 | 651 | if (isset($params[2])) { |
650 | 652 | list($amountEntries, $offset) = sscanf($params[2], '%d(%d)'); |
651 | 653 | if ($offset) { |
@@ -675,7 +677,7 @@ function orderKey(key, sequence) { | ||
675 | 677 | } |
676 | 678 | |
677 | 679 | $query .= ' WHERE i.iauthor=m.mnumber' |
678 | - . ' and i.iblog='.$b->getID() | |
680 | + . ' and i.iblog='.intval($b->getID()) //<sato(na)0.5j /> | |
679 | 681 | . ' and i.icat=c.catid' |
680 | 682 | . ' and i.idraft=0'; |
681 | 683 | if ($params[0] == 'archive' && $archive) { |
@@ -726,9 +728,9 @@ function orderKey(key, sequence) { | ||
726 | 728 | if ($what == 'itemlink') { |
727 | 729 | $sparams = array(); |
728 | 730 | if ($catid) { |
729 | - $sparams['catid'] = $catid; | |
731 | + $sparams['catid'] = intval($catid);//<sato(na)0.5j /> | |
730 | 732 | if ($subcatid) { |
731 | - $sparams[$this->getRequestName()] = $subcatid; | |
733 | + $sparams[$this->getRequestName()] = intval($subcatid);//<sato(na)0.5j /> | |
732 | 734 | } |
733 | 735 | } |
734 | 736 | $url = createItemLink($item->itemid, $sparams); |
@@ -736,7 +738,8 @@ function orderKey(key, sequence) { | ||
736 | 738 | list(,$temp_param) = explode("?",$url); |
737 | 739 | $url = $this->url. "?" . $temp_param; |
738 | 740 | } |
739 | - echo $url; | |
741 | + $url = preg_replace(array("/</", "/>/"), array("<", ">"), $url); //<sato(na)0.5j /> | |
742 | + echo $url; //$cur_params escape OK <sato(na)0.5j /> | |
740 | 743 | return; |
741 | 744 | } |
742 | 745 |
@@ -745,7 +748,7 @@ function orderKey(key, sequence) { | ||
745 | 748 | list(,$temp_param) = explode("?",$url); |
746 | 749 | $url = $this->url. "?" . $temp_param; |
747 | 750 | } |
748 | - $mcat_string = '<a href="'.$url.'">'.htmlspecialchars($this->_getCatNameFromID($item->catid)).'</a>'; | |
751 | + $mcat_string = '<a href="'.$this->cnvHtmlUrlAttribute($url).'">'.htmlspecialchars($this->_getCatNameFromID($item->catid), ENT_QUOTES).'</a>'; //<sato(na)0.5j /> | |
749 | 752 | |
750 | 753 | $itemScats = array(); |
751 | 754 | if ($itemscatstr = $this->_getSubCategories($item->itemid)) { |
@@ -761,7 +764,7 @@ function orderKey(key, sequence) { | ||
761 | 764 | } else { |
762 | 765 | $surl = addLinkParams($url,array($this->getRequestName() => $id)); |
763 | 766 | } |
764 | - $extra_scat_string[] = '<a href="'.$surl.'">'.htmlspecialchars($name).'</a>'; | |
767 | + $extra_scat_string[] = '<a href="'.$this->cnvHtmlUrlAttribute($surl).'">'.htmlspecialchars($name, ENT_QUOTES).'</a>'; //<sato(na)0.5j /> | |
765 | 768 | } |
766 | 769 | $scat_string = implode($this->ssep,$extra_scat_string); |
767 | 770 | $cat_string = str_replace(array("<%category%>","<%subcategory%>"), array($mcat_string,$scat_string), $this->sform); |
@@ -779,7 +782,7 @@ function orderKey(key, sequence) { | ||
779 | 782 | list(,$temp_param) = explode("?",$url); |
780 | 783 | $url = $this->url. "?" . $temp_param; |
781 | 784 | } |
782 | - $mcat_string = '<a href="'.$url.'">'.htmlspecialchars($this->_getCatNameFromID($icat)).'</a>'; | |
785 | + $mcat_string = '<a href="'.$this->cnvHtmlUrlAttribute($url).'">'.htmlspecialchars($this->_getCatNameFromID($icat), ENT_QUOTES).'</a>'; //<sato(na)0.5j /> | |
783 | 786 | |
784 | 787 | if (count($itemScats) > 0 && array_key_exists($icat,$scatMaps)) { |
785 | 788 | $extra_scat_string = array(); |
@@ -790,7 +793,7 @@ function orderKey(key, sequence) { | ||
790 | 793 | } else { |
791 | 794 | $surl = addLinkParams($url,array($this->getRequestName() => $id)); |
792 | 795 | } |
793 | - $extra_scat_string[] = '<a href="'.$surl.'">'.htmlspecialchars($name).'</a>'; | |
796 | + $extra_scat_string[] = '<a href="'.$this->cnvHtmlUrlAttribute($surl).'">'.htmlspecialchars($name, ENT_QUOTES).'</a>'; //<sato(na)0.5j /> | |
794 | 797 | } |
795 | 798 | $scat_string = implode($this->ssep,$extra_scat_string); |
796 | 799 | $extra_cat_string[] = str_replace(array("<%category%>","<%subcategory%>"), array($mcat_string,$scat_string), $this->sform); |
@@ -800,11 +803,23 @@ function orderKey(key, sequence) { | ||
800 | 803 | } |
801 | 804 | } |
802 | 805 | if (count($extra_cat_string) > 0) { |
803 | - $cat_string .= $this->msep . join($this->ssep,$extra_cat_string); | |
806 | + $cat_string .= $this->msep . implode($this->ssep,$extra_cat_string); | |
804 | 807 | } |
805 | 808 | } |
806 | - echo $cat_string; | |
809 | + echo $cat_string;//$mcat_string, $scat_string escape OK <sato(na)0.5j /> | |
807 | 810 | } |
811 | + //<sato(na)0.5j> | |
812 | + function cnvHtmlUrlAttribute($forHtmlAtt__str) | |
813 | + { | |
814 | + //onEvent | |
815 | + $forHtmlAtt__str = preg_replace('/[\'"]/', '', $forHtmlAtt__str); | |
816 | + | |
817 | + //href="javascript:" | |
818 | + $forHtmlAtt__str = preg_replace('/javascript/i', '', preg_replace('/[\x00-\x20\x22\x27]/', '', $forHtmlAtt__str)); | |
819 | + | |
820 | + return $forHtmlAtt__str; | |
821 | + } | |
822 | + //</sato(na)0.5j> | |
808 | 823 | |
809 | 824 | function _setCommonData($bid) { |
810 | 825 | global $CONF; |
@@ -814,7 +829,7 @@ function orderKey(key, sequence) { | ||
814 | 829 | $this->addindex = ($this->getOption('addindex') == 'yes'); |
815 | 830 | $this->addbiddef = ($this->getOption('addblogid_def') == 'yes'); |
816 | 831 | $this->addbid = ($this->getOption('addblogid') == 'yes'); |
817 | - $this->defurl = quickQuery("SELECT burl as result from ".sql_table('blog')." WHERE bnumber=".$CONF['DefaultBlog']); | |
832 | + $this->defurl = quickQuery("SELECT burl as result from ".sql_table('blog')." WHERE bnumber=".addslashes($CONF['DefaultBlog'])); //<sato(na)0.5j /> | |
818 | 833 | if (!$this->defurl) $this->defurl = $CONF['Self']; |
819 | 834 | $this->_setBlogData($bid); |
820 | 835 | } |
@@ -833,16 +848,16 @@ function orderKey(key, sequence) { | ||
833 | 848 | $this->url .= "index.php"; |
834 | 849 | } |
835 | 850 | if ($this->bid == $CONF['DefaultBlog'] && $this->addbiddef) { |
836 | - $this->param['blogid'] = $this->bid; | |
851 | + $this->param['blogid'] = $this->bid; //$this->bid intval OK | |
837 | 852 | } elseif ($this->bid != $CONF['DefaultBlog'] && ($this->url == $this->defurl || $this->addbid)){ |
838 | - $this->param['blogid'] = $this->bid; | |
853 | + $this->param['blogid'] = $this->bid; //$this->bid intval OK | |
839 | 854 | } |
840 | 855 | } |
841 | 856 | |
842 | 857 | function _parseItem($template, $itemid) { |
843 | 858 | global $manager; |
844 | 859 | |
845 | - $b =& $manager->getBlog(getBlogIDFromItemID($itemid)); | |
860 | + $b =& $manager->getBlog(getBlogIDFromItemID($itemid));//Intval is not needed. ($itemid) <sato(na)0.5j /> | |
846 | 861 | |
847 | 862 | $query = 'SELECT i.inumber as itemid, i.ititle as title, i.ibody as body, m.mname as author, m.mrealname as authorname, i.itime, i.imore as more, m.mnumber as authorid, m.memail as authormail, m.murl as authorurl, c.cname as category, i.icat as catid, i.iclosed as closed'; |
848 | 863 |
@@ -850,7 +865,7 @@ function orderKey(key, sequence) { | ||
850 | 865 | //$query .= ' FROM '.sql_table('item').' as i, '.sql_table('member').' as m, '.sql_table('category').' as c' |
851 | 866 | $query .= ' FROM '.sql_table('category').' as c, '.sql_table('member').' as m, '.sql_table('item').' as i' |
852 | 867 | //</sato(na)0.5j> |
853 | - . ' WHERE i.iblog='.$b->getID() | |
868 | + . ' WHERE i.iblog='.intval($b->getID()) //<sato(na)0.5j /> | |
854 | 869 | . ' and i.iauthor=m.mnumber' |
855 | 870 | . ' and i.icat=c.catid' |
856 | 871 | . ' and i.idraft=0' // exclude drafts |
@@ -867,12 +882,26 @@ function orderKey(key, sequence) { | ||
867 | 882 | global $CONF, $manager, $blog, $catid, $subcatid; |
868 | 883 | global $archive, $archivelist; |
869 | 884 | |
885 | + //<sato(na)0.5j> | |
886 | + if ($archive) { | |
887 | + sscanf ($archive,'%d-%d-%d', $y, $m, $d); | |
888 | + if ($d) { | |
889 | + $archive = sprintf ('%04d-%02d-%02d', $y, $m, $d); | |
890 | + } else { | |
891 | + $archive = sprintf ('%4d-%2d', $y, $m); | |
892 | + } | |
893 | + } | |
894 | + // check archivelist | |
895 | + if (! is_numeric($archivelist)) $archivelist = getBlogIDFromName($archivelist); | |
896 | + //</sato(na)0.5j> | |
897 | + | |
870 | 898 | if ($blog) { |
871 | 899 | $b =& $blog; |
872 | 900 | } else { |
873 | 901 | $b =& $manager->getBlog($CONF['DefaultBlog']); |
874 | 902 | } |
875 | 903 | $blogid = $b->getID(); |
904 | + $blogid = (is_numeric($blogid)) ? intval($blogid) : getBlogIDFromName($blogid); //<sato(na)0.5j /> | |
876 | 905 | |
877 | 906 | if (!isset($this->defurl)) $this->_setCommonData($blogid); |
878 | 907 |
@@ -905,7 +934,8 @@ function orderKey(key, sequence) { | ||
905 | 934 | 'self' => $CONF['Self'] |
906 | 935 | )); |
907 | 936 | |
908 | - $query = 'SELECT c.catid, c.cdesc as catdesc, c.cname as catname FROM '.sql_table('category').' as c WHERE c.cblog=' . $blogid . ' GROUP BY c.cname ORDER BY c.cname ASC'; | |
937 | + $query = 'SELECT c.catid, c.cdesc as catdesc, c.cname as catname FROM '.sql_table('category'). | |
938 | + ' as c WHERE c.cblog=' . intval($blogid) . ' GROUP BY c.cname ORDER BY c.cname ASC'; //<sato(na)0.5j /> | |
909 | 939 | $res = sql_query($query); |
910 | 940 | |
911 | 941 | $tp = array(); |
@@ -919,6 +949,7 @@ function orderKey(key, sequence) { | ||
919 | 949 | } |
920 | 950 | |
921 | 951 | while ($data = mysql_fetch_assoc($res)) { |
952 | + $data['catid'] = intval($data['catid']); //<sato(na)0.5j />ultrarich | |
922 | 953 | $data['blogid'] = $blogid; |
923 | 954 | $data['blogurl'] = $blogurl; |
924 | 955 | $data['catlink'] = createCategoryLink($data['catid'], $linkparams); |
@@ -927,7 +958,7 @@ function orderKey(key, sequence) { | ||
927 | 958 | $data['catlink'] = $this->url. "?" . $temp_param; |
928 | 959 | } |
929 | 960 | $data['self'] = $CONF['Self']; |
930 | - if ($data['catid'] == $catid) { | |
961 | + if ($data['catid'] == intval($catid)) { //<sato(na)0.5j /> | |
931 | 962 | $data['catflag'] = $this->getOption('catflag'); |
932 | 963 | } |
933 | 964 | $cq = 'SELECT count(*) as result FROM '.sql_table('item').' as i'; |
@@ -946,6 +977,7 @@ function orderKey(key, sequence) { | ||
946 | 977 | $subliststr = ""; |
947 | 978 | |
948 | 979 | while ($sdata = mysql_fetch_assoc($sres)) { |
980 | + $sdata['subcatid'] = intval($sdata['subcatid']); //<sato(na)0.5j />ultrarich | |
949 | 981 | $ares = sql_query( |
950 | 982 | 'SELECT count(i.inumber) FROM ' |
951 | 983 | . sql_table('item').' as i, ' |
@@ -1004,8 +1036,8 @@ function orderKey(key, sequence) { | ||
1004 | 1036 | $b =& $manager->getBlog($CONF['DefaultBlog']); |
1005 | 1037 | } |
1006 | 1038 | |
1007 | - if ($catid) $linkparams = array('catid' => $catid); | |
1008 | - if ($subcatid) $linkparams['subcatid'] = $subcatid; | |
1039 | + if ($catid) $linkparams = array('catid' => intval($catid)); //<sato(na)0.5j /> | |
1040 | + if ($subcatid) $linkparams['subcatid'] = intval($subcatid); //<sato(na)0.5j /> | |
1009 | 1041 | if ($lc = $this->getOption('locale')) { |
1010 | 1042 | setlocale(LC_TIME,$lc); |
1011 | 1043 | } |
@@ -1020,7 +1052,7 @@ function orderKey(key, sequence) { | ||
1020 | 1052 | if ($catid) { |
1021 | 1053 | $query .= ' LEFT JOIN '.sql_table('plug_multiple_categories').' as p ON i.inumber=p.item_id'; |
1022 | 1054 | } |
1023 | - $query .= ' WHERE i.iblog=' . $b->getID() | |
1055 | + $query .= ' WHERE i.iblog=' . intval($b->getID()) //<sato(na)0.5j /> | |
1024 | 1056 | . ' and i.itime <=' . mysqldate($b->getCorrectTime()) // don't show future items! |
1025 | 1057 | . ' and i.idraft=0'; // don't show draft items |
1026 | 1058 |
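Review bot: `cnvHtmlUrlAttribute` (new lines 812–821 in the `@@ -800,11 +803,23 @@` hunk) is a deny-list rather than an encoder, so it does not make its argument safe for an `href` attribute: `&` and `<`/`>` pass through unencoded, spaces and quotes are silently deleted from the URL instead of being escaped, and the single-pass `preg_replace('/javascript/i', '', …)` lets a nested `javajavascriptscript:` collapse back into `javascript:`. The values it receives in this commit come from `createCategoryLink`/`addLinkParams` with intval'd ids and the blog URL, so they look mostly internally generated and exploitability here is limited, but a helper named as a generic attribute sanitizer will be reused with other inputs. Prefer encoding for the attribute context plus a scheme allowlist, as below; if the link builders already emit `&amp;`, the callers must account for that to avoid double encoding (the `double_encode` argument to `htmlspecialchars` only exists from PHP 5.2.3).
```php
function cnvHtmlUrlAttribute($forHtmlAtt__str)
{
    // Browsers drop tab/CR/LF anywhere and leading C0/space before parsing a URL,
    // so normalise the same way before looking at the scheme.
    $url = ltrim(str_replace(array("\t", "\r", "\n"), '', $forHtmlAtt__str), "\x00..\x20");
    // Allowlist: scheme-less (relative) URLs or http(s) only; anything else is dropped.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $url) && !preg_match('/^https?:/i', $url)) {
        return '';
    }
    // Encode for the attribute context instead of deleting characters.
    return htmlspecialchars($url, ENT_QUOTES);
}
```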