OSDN > Find Software > Communications > Nucleus日本語版 > SCM > git > nucleus-plugins > Commit

Nucleus日本語版
Fork
nucleus-next
nucleus-jp-ancient
nucleus-plugins

R/O
HTTP
SSH
HTTPS

nucleus-plugins: Commit

Nucleus CMS日本語版用プラグインのうち、日本語版開発者がサポートしているもの

Commit MetaInfo

Revision	9467719a2b6b2359f139912ec8d3eac75971ab3f (tree)
Time	2006-10-02 16:30:33
Author	shizuki <shizuki@1ca2...>
Commiter	shizuki

Log Message

Security fix

git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/plugin@395 1ca29b6e-896d-4ea0-84a5-967f57386b96

Change Summary

modified: trunk/NP_Dtree/NP_Dtree.php (diff)
modified: trunk/NP_Dtree/dtree/dtree.php (diff)
modified: trunk/NP_Dtree/dtree/dtreedata.php (diff)

Incremental Difference

--- a/trunk/NP_Dtree/NP_Dtree.php

+++ b/trunk/NP_Dtree/NP_Dtree.php

		@@ -1,29 +1,41 @@
1	1	<?
2		-// plugin needs to work on Nucleus versions <=2.0 as well
3		-if (!function_exists('sql_table')){
4		- function sql_table($name) {
5		- return 'nucleus_' . $name;
6		- }
7		-}
	2	+/**
	3	+ *
	4	+ * 0.93 sec fix
	5	+ * subcategory link bug fix
	6	+ *
	7	+ */
8	8
	9	+class NP_Dtree extends NucleusPlugin
	10	+{
9	11
10		-class NP_Dtree extends NucleusPlugin {
11		- function getName() {
	12	+ function getName()
	13	+ {
12	14	return 'Navigation Tree';
13	15	}
14		- function getAuthor() {
15		- return 'nakahara21';
	16	+
	17	+ function getAuthor()
	18	+ {
	19	+ return 'nakahara21 + shizuki';
16	20	}
17		- function getURL() {
	21	+
	22	+ function getURL()
	23	+ {
18	24	return 'http://nakahara21.com/';
19	25	}
20		- function getVersion() {
21		- return '0.92';
	26	+
	27	+ function getVersion()
	28	+ {
	29	+ return '0.93';
22	30	}
23		- function getDescription() {
	31	+
	32	+ function getDescription()
	33	+ {
24	34	return 'Show Navigation Tree. Usage: <%Dtree()%>';
25	35	}
26		- function supportsFeature($what) {
	36	+
	37	+ function supportsFeature($what)
	38	+ {
27	39	switch($what){
28	40	case 'SqlTablePrefix':
29	41	return 1;

		@@ -32,33 +44,52 @@ class NP_Dtree extends NucleusPlugin {
32	44	}
33	45	}
34	46
35		- function doSkinVar($skinType, $itemid=0) {
	47	+ function doSkinVar($skinType, $itemid=0)
	48	+ {
36	49	global $blogid, $catid, $subcatid;
	50	+ if (is_numeric($blogid)) {
	51	+ $blogid = intval($blogid);
	52	+ } else {
	53	+ $id = getBlogIDFromName($blogid);
	54	+ $blogid = intval($id);
	55	+ }
	56	+ $itemid = intval($itemid);
	57	+ $catid = intval($catid);
	58	+ $subcatid = intval($subcatid);
37	59
38		- $randomID = 'tree'.uniqid(rand());
	60	+ $randomID = 'tree' . uniqid(rand());
39	61
40		- echo '<script type="text/javascript" src="'.$this->getAdminURL().'dtree.php"></script>';
	62	+ echo '<script type="text/javascript" src="' .
	63	+ htmlspecialchars($this->getAdminURL()) . 'dtree.php"></script>';
41	64
42		- if($skinType == 'template'){
43		- echo '<script type="text/javascript" src="' . $this->getAdminURL() . 'dtreedata.php?o='.$randomID.'a&bid=' . $blogid . '&id='.$itemid.'"></script>';
44		- echo '<a href="javascript: '.$randomID.'a.openAll();">open all</a> \| <a href="javascript: '.$randomID.'a.closeAll();">close all</a>';
	65	+ if ($skinType == 'template') {
	66	+ echo '<script type="text/javascript" src="' .
	67	+ htmlspecialchars($this->getAdminURL()) . 'dtreedata.php?o=' .
	68	+ $randomID.'a&bid=' . $blogid . '&id=' . $itemid . '"></script>';
	69	+ echo '<a href="javascript: ' . $randomID . 'a.openAll();">open all</a>' .
	70	+ ' \| <a href="javascript: ' . $randomID . 'a.closeAll();">close all</a>';
45	71	return;
46	72	}
47	73
48	74	$eq = '';
49		- if($catid)
50		- $eq .= '&cid='.$catid;
51		- if($subcatid)
52		- $eq .= '&sid='.$subcatid;
	75	+ if (!empty($catid)) {
	76	+ } $eq .= '&cid=' . $catid;
	77	+ if (!empty($subcatid)) {
	78	+ $eq .= '&sid=' . $subcatid;
	79	+ }
53	80
54		- echo '<script type="text/javascript" src="' . $this->getAdminURL() . 'dtreedata.php?o='.$randomID.'d&bid=' . $blogid . $eq . '"></script>';
55		- echo '<a href="javascript: '.$randomID.'d.openAll();">open all</a> \| <a href="javascript: '.$randomID.'d.closeAll();">close all</a>';
	81	+ echo '<script type="text/javascript" src="' .
	82	+ htmlspecialchars($this->getAdminURL()) . 'dtreedata.php?o=' . $randomID . 'd&bid=' .
	83	+ $blogid . $eq . '"></script>';
	84	+ echo '<a href="javascript: '.$randomID.'d.openAll();">open all</a>' .
	85	+ ' \| <a href="javascript: ' . $randomID . 'd.closeAll();">close all</a>';
56	86
57	87	}
58	88
59		- function doTemplateVar(&$item) {
60		- $this->doSkinVar('template', $item->itemid);
61		- }
	89	+ function doTemplateVar(&$item)
	90	+ {
	91	+ $this->doSkinVar('template', $item->itemid);
	92	+ }
62	93
63	94	}
64	95	?>
		\ No newline at end of file

--- a/trunk/NP_Dtree/dtree/dtree.php

+++ b/trunk/NP_Dtree/dtree/dtree.php

		@@ -25,7 +25,7 @@ function Node(id, pid, name, url, title, target, icon, iconOpen, open) {
25	25
26	26	// Tree object
27	27	function dTree(objName) {
28		- this.config = { target : null, folderLinks : true, useSelection : false, useCookies : false, useLines : true, useIcons : true, useStatusText : false, closeSameLevel : false, inOrder : false }
	28	+ this.config = { target : null, folderLinks : true, useSelection : false, useCookies : false, useLines : true, useIcons : true, useStatusText : false, closeSameLevel : false, inOrder : false }
29	29	this.icon = {
30	30	root : imgpath + 'img/base.gif', folder : imgpath + 'img/folder.gif', folderOpen : imgpath + 'img/folderopen.gif', // node : imgpath + 'img/page.gif', node : imgpath + 'img/folder.gif', empty : imgpath + 'img/empty.gif', line : imgpath + 'img/line.gif', join : imgpath + 'img/join.gif', joinBottom : imgpath + 'img/joinbottom.gif', plus : imgpath + 'img/plus.gif', plusBottom : imgpath + 'img/plusbottom.gif', minus : imgpath + 'img/minus.gif', minusBottom : imgpath + 'img/minusbottom.gif', nlPlus : imgpath + 'img/nolines_plus.gif', nlMinus : imgpath + 'img/nolines_minus.gif'
31	31	};

--- a/trunk/NP_Dtree/dtree/dtreedata.php

+++ b/trunk/NP_Dtree/dtree/dtreedata.php

		@@ -1,16 +1,34 @@
1	1	<?php
2		- $strRel = '../../../';
3		- include($strRel . 'config.php');
	2	+// $strRel = '../../../';
	3	+// include($strRel . 'config.php');
4	4
5	5	$usePathInfo = ($CONF['URLMode'] == 'pathinfo');
6	6
7		- if ($usePathInfo)
8		- include($strRel . 'fancyurls.config.php');
	7	+ if ($usePathInfo) {
	8	+ if (empty($CONF['ItemKey'])) {
	9	+ $CONF['ItemKey'] = 'item';
	10	+ }
	11	+ if (empty($CONF['ArchiveKey'])) {
	12	+ $CONF['ArchiveKey'] = 'archive';
	13	+ }
	14	+ if (empty($CONF['ArchivesKey'])) {
	15	+ $CONF['ArchivesKey'] = 'archives';
	16	+ }
	17	+ if (empty($CONF['MemberKey'])) {
	18	+ $CONF['MemberKey'] = 'member';
	19	+ }
	20	+ if (empty($CONF['BlogKey'])) {
	21	+ $CONF['BlogKey'] = 'blog';
	22	+ }
	23	+ if (empty($CONF['CategoryKey'])) {
	24	+ $CONF['CategoryKey'] = 'category';
	25	+ }
	26	+ }
9	27
10		- $CategoryKey = ($usePathInfo)? $CONF['CategoryKey']: 'catid';
	28	+ $CategoryKey = ($usePathInfo) ? $CONF['CategoryKey'] : 'catid';
11	29
12	30	$objectId = requestVar('o');
13		- $blogid = requestVar('bid');
	31	+ $blogid = intval(requestVar('bid'));
14	32	$blogname = getBlogNameFromID($blogid);
15	33
16	34	$b =& $manager->getBlog($blogid);

		@@ -31,8 +49,10 @@
31	49	}
32	50	}
33	51	}
34		- if ($usePathInfo){
35		- if(substr($blogurl, -1) == '/') $blogurl = substr($blogurl,0,-1);
	52	+ if ($usePathInfo) {
	53	+ if (substr($blogurl, -1) == '/') {
	54	+ $blogurl = substr($blogurl, 0, -1);
	55	+ }
36	56	}
37	57
38	58	$CONF['BlogURL'] = $blogurl;

		@@ -42,105 +62,110 @@
42	62	$CONF['ArchiveListURL'] = $blogurl;
43	63	$CONF['SearchURL'] = $blogurl;
44	64
45		- echo $objectId." = new dTree('".$objectId."');\n";
	65	+ echo $objectId . " = new dTree('" . htmlspecialchars($objectId) . "');\n";
46	66
47		- echo $objectId.".add(0,-1,'".$blogname."');\n";
	67	+ echo $objectId . ".add(0,-1,'" . htmlspecialchars($blogname) . "');\n";
48	68
49		- $res = sql_query("SELECT * FROM ".sql_table('category')." WHERE cblog= ".$blogid);
	69	+ $res = sql_query("SELECT * FROM " . sql_table('category') . " WHERE cblog = " . $blogid);
50	70	$n = 1;
51		- while($o = mysql_fetch_object($res)){
52		- $catid = $o->catid;
	71	+ while ($o = mysql_fetch_object($res)) {
	72	+ $catid = intval($o->catid);
53	73	$nodeArray[cat][$catid] = $n;
54	74	// $url = createBlogidLink($blogid, array('catid'=>$catid));
55	75	$url = createCategoryLink($catid);
56	76	// $url = createBlogidLink($blogid, array("$CategoryKey"=>$catid));
57		- echo $objectId.".add(".$n.",0,'".$o->cname."','".$url."');\n";
	77	+ echo $objectId . ".add(" . $n . ",0,'" . htmlspecialchars($o->cname) . "','" . htmlspecialchars($url) . "');\n";
58	78	$catFilter[] = $catid;
59	79	$n++;
60	80	}
61	81
62	82	global $manager;
63		- if (!$manager->pluginInstalled('NP_MultipleCategories')){
64		- echo 'document.write('.$objectId.');';
65		- if($itemid = requestVar('id')){
66		- $catid = quickQuery('SELECT icat as result FROM '.sql_table('item').' WHERE inumber='.intval($itemid));
67		- $nodeId = 's'.$objectId.$nodeArray[cat][$catid];
68		- echo "document.getElementById('".$nodeId."').className = 'selectedNode';";
	83	+ if (!$manager->pluginInstalled('NP_MultipleCategories')) {
	84	+ $mPlugin =& $manager->getPlugin('NP_MultipleCategories');
	85	+ $subrequest = $mPlugin->getRequestName();
	86	+ echo 'document.write(' . $objectId . ');';
	87	+ if ($itemid = intval(requestVar('id'))) {
	88	+ $catid = quickQuery('SELECT icat as result FROM ' . sql_table('item') . ' WHERE inumber = ' . $itemid);
	89	+ $nodeId = 's' . $objectId . $nodeArray[cat][$catid];
	90	+ echo "document.getElementById('" . htmlspecialchars($nodeId) . "').className = 'selectedNode';";
69	91	}
70	92	return;
71	93	}
72	94
73		- if($catFilter[1]){
74		- $catFilter = @join(',',$catFilter);
75		- $catFilter = ' IN ('.$catFilter.')';
76		- }else{
77		- $catFilter = '='.$catFilter;
	95	+ if ($catFilter[1]) {
	96	+ $catFilter = @join(',', $catFilter);
	97	+ $catFilter = ' IN (' . $catFilter . ')';
	98	+ } else {
	99	+ $catFilter = '=' . $catFilter;
78	100	}
79	101
80		- $query = "SELECT * FROM ".sql_table('plug_multiple_categories_sub')." WHERE catid".$catFilter;
	102	+ $query = "SELECT * FROM " . sql_table('plug_multiple_categories_sub') . " WHERE catid" . $catFilter;
81	103	$res = sql_query($query);
82		- while($o = mysql_fetch_object($res)){
83		- $scatid = $o->scatid;
	104	+ while ($o = mysql_fetch_object($res)) {
	105	+ $scatid = intval($o->scatid);
84	106	$nodeArray[subcat][$scatid] = $n;
85	107	$n++;
86	108	}
87		- $query = "SELECT * FROM ".sql_table('plug_multiple_categories_sub')." WHERE catid".$catFilter;
	109	+ $query = "SELECT * FROM " . sql_table('plug_multiple_categories_sub') . " WHERE catid" . $catFilter;
88	110	$res = sql_query($query);
89		- while($u = mysql_fetch_object($res)){
90		- $scatid = $u->scatid;
	111	+ while ($u = mysql_fetch_object($res)) {
	112	+ $scatid = intval($u->scatid);
91	113	// $url = createBlogidLink($blogid, array('catid'=>$u->catid, 'subcatid'=>$scatid));
92		- $url = createCategoryLink($u->catid, array('subcatid'=>$scatid));
	114	+ $url = createCategoryLink($u->catid, array($subrequest => $scatid));
93	115	// $url = createBlogidLink($blogid, array("$CategoryKey"=>$u->catid, 'subcatid'=>$scatid));
94		- $pnode = ($u->parentid)? $nodeArray[subcat][$u->parentid]: $nodeArray[cat][$u->catid];
95		- echo $objectId.".add(".$nodeArray[subcat][$u->scatid].",".$pnode.",'".$u->sname."','".$url."');\n";
	116	+ $pnode = ($u->parentid) ? $nodeArray[subcat][$u->parentid] : $nodeArray[cat][$u->catid];
	117	+ echo $objectId . ".add(" . $nodeArray[subcat][$u->scatid] . "," . $pnode . ",'" . htmlspecialchars($u->sname) . "','" . $url . "');\n";
96	118	}
97	119
98	120	echo "document.write(".$objectId.");\n";
99	121
100	122
101		- if(requestVar('sid')){
102		- $cid = requestVar('sid');
103		- $nodeId = 's'.$objectId.$nodeArray[subcat][$sid];
104		- echo "document.getElementById('".$nodeId."').className = 'urlselected';\n";
105		- echo $objectId.".openTo(".$nodeArray[subcat][$sid].", true);\n";
106		- }elseif(requestVar('cid')){
107		- $cid = requestVar('cid');
108		- $nodeId = 's'.$objectId.$nodeArray[cat][$cid];
109		- echo "document.getElementById('".$nodeId."').className = 'urlselected';\n";
110		- echo $objectId.".openTo(".$nodeArray[cat][$cid].", true);\n";
	123	+ if (requestVar('sid')) {
	124	+ $sid = intval(requestVar('sid'));
	125	+ $nodeId = 's' . $objectId . $nodeArray[subcat][$sid];
	126	+ echo "document.getElementById('" . $nodeId . "').className = 'urlselected';\n";
	127	+ echo $objectId . ".openTo(" . $nodeArray[subcat][$sid] . ", true);\n";
	128	+ } elseif(requestVar('cid')) {
	129	+ $cid = intval(requestVar('cid'));
	130	+ $nodeId = 's' . $objectId . $nodeArray[cat][$cid];
	131	+ echo "document.getElementById('" . $nodeId . "').className = 'urlselected';\n";
	132	+ echo $objectId . ".openTo(" . $nodeArray[cat][$cid] . ", true);\n";
111	133	}
112	134
113	135
114	136
115		- if($itemid = requestVar('id')){
116		- $catid = quickQuery('SELECT icat as result FROM '.sql_table('item').' WHERE inumber='.intval($itemid));
117		- $nodeId = 's'.$objectId.$nodeArray[cat][$catid];
118		- echo "document.getElementById('".$nodeId."').className = 'selectedNode';\n";
	137	+ if ($itemid = requestVar('id')) {
	138	+ $catid = quickQuery('SELECT icat as result FROM ' . sql_table('item') . ' WHERE inumber = ' . intval($itemid));
	139	+ $nodeId = 's' . $objectId.$nodeArray[cat][$catid];
	140	+ echo "document.getElementById('" . $nodeId . "').className = 'selectedNode';\n";
119	141
120	142	//multi catid
121		- if($catids = quickQuery('SELECT categories as result FROM '.sql_table('plug_multiple_categories').' WHERE item_id='.intval($itemid))){
122		- $catids = explode(',',$catids);
123		- for($i=0;$i<count($catids);$i++){
124		- $catidTemp = $catids[$i];
125		- if($catidTemp != $catid){
126		- $nodeId = 's'.$objectId.$nodeArray[cat][$catidTemp];
127		- echo "document.getElementById('".$nodeId."').className = 'selectedCatNode';\n";
	143	+ $que = 'SELECT categories as result FROM %s WHERE item_id = %d';
	144	+ $catids = quickQuery(sprintf($que, sql_table('plug_multiple_categories'), intval($itemid)));
	145	+ if ($catids) {
	146	+ $catids = explode(',', $catids);
	147	+ for ($i=0;$i<count($catids);$i++) {
	148	+ $catidTemp = intval($catids[$i]);
	149	+ if ($catidTemp != $catid) {
	150	+ $nodeId = 's' . $objectId . $nodeArray[cat][$catidTemp];
	151	+ echo "document.getElementById('" . $nodeId . "').className = 'selectedCatNode';\n";
128	152	}
129	153	}
130	154	}
131	155
132	156	//(multi) subcatid
133		- if($scatids = quickQuery('SELECT subcategories as result FROM '.sql_table('plug_multiple_categories').' WHERE item_id='.intval($itemid))){
134		- $scatids = explode(',',$scatids);
135		- for($i=0;$i<count($scatids);$i++){
136		- $scatid = $scatids[$i];
137		- $nodeId = 's'.$objectId.$nodeArray[subcat][$scatid];
138		- echo "document.getElementById('".$nodeId."').className = 'selectedScatNode';\n";
139		- echo $objectId.".openTo(".$nodeArray[subcat][$scatid].", true);\n";
	157	+ $que = 'SELECT subcategories as result FROM %s WHERE item_id = %d';
	158	+ $scatids = quickQuery(sprintf($que, sql_table('plug_multiple_categories'), intval($itemid)));
	159	+ if ($scatids) {
	160	+ $scatids = explode(',', $scatids);
	161	+ for ($i=0;$i<count($scatids);$i++) {
	162	+ $scatid = intval($scatids[$i]);
	163	+ $nodeId = 's' . $objectId . $nodeArray[subcat][$scatid];
	164	+ echo "document.getElementById('" . $nodeId . "').className = 'selectedScatNode';\n";
	165	+ echo $objectId . ".openTo(" . $nodeArray[subcat][$scatid] . ", true);\n";
140	166	}
141	167	}
142	168	}
143	169
144	170
145		-?>
146		-
	171	+?>
		\ No newline at end of file

Show on old repository browser