387 $template->footer(true); |
387 $template->footer(true); |
388 |
388 |
389 $db->close(); |
389 $db->close(); |
390 exit(0); |
390 exit(0); |
391 |
391 |
|
392 } |
|
393 |
|
394 /** |
|
395 * Generates a confirmation form if a CSRF check fails. Will terminate execution. |
|
396 */ |
|
397 |
|
398 function csrf_confirm_form() |
|
399 { |
|
400 global $db, $session, $paths, $template, $plugins; // Common objects |
|
401 global $lang; |
|
402 |
|
403 // If the token was overridden with the correct one, the user confirmed the action using this form. Continue exec. |
|
404 if ( isset($_POST['cstok']) || isset($_GET ['cstok']) ) |
|
405 { |
|
406 // using the if() check makes sure that the token isn't in a cookie, since $_REQUEST includes $_COOKIE. |
|
407 $token_check =& $_REQUEST['cstok']; |
|
408 if ( $token_check === $session->csrf_token ) |
|
409 { |
|
410 // overridden token matches, continue exec |
|
411 return true; |
|
412 } |
|
413 } |
|
414 |
|
415 $template->tpl_strings['PAGE_NAME'] = htmlspecialchars($lang->get('user_csrf_confirm_title')); |
|
416 $template->header(); |
|
417 |
|
418 // initial info |
|
419 echo '<p>' . $lang->get('user_csrf_confirm_body') . '</p>'; |
|
420 |
|
421 // start form |
|
422 $form_method = ( empty($_POST) ) ? 'get' : 'post'; |
|
423 echo '<form action="' . htmlspecialchars($_SERVER['REQUEST_URI']) . '" method="' . $form_method . '" enctype="multipart/form-data">'; |
|
424 |
|
425 echo '<fieldset enano:expand="closed">'; |
|
426 echo '<legend>' . $lang->get('user_csrf_confirm_btn_viewrequest') . '</legend><div>'; |
|
427 |
|
428 if ( empty($_POST) ) |
|
429 { |
|
430 // GET request |
|
431 echo csrf_confirm_get_recursive(); |
|
432 } |
|
433 else |
|
434 { |
|
435 // POST request |
|
436 echo csrf_confirm_post_recursive(); |
|
437 } |
|
438 echo '</div></fieldset>'; |
|
439 // insert the right CSRF token |
|
440 echo '<input type="hidden" name="cstok" value="' . $session->csrf_token . '" />'; |
|
441 echo '<p><input type="submit" value="' . $lang->get('user_csrf_confirm_btn_continue') . '" /></p>'; |
|
442 echo '</form>'; |
|
443 |
|
444 $template->footer(); |
|
445 |
|
446 exit; |
|
447 } |
|
448 |
|
449 function csrf_confirm_get_recursive($_inner = false, $pfx = false, $data = false) |
|
450 { |
|
451 // make posted arrays work right |
|
452 if ( !$data ) |
|
453 ( $_inner == 'post' ) ? $data =& $_POST : $data =& $_GET; |
|
454 foreach ( $data as $key => $value ) |
|
455 { |
|
456 $pfx_this = ( empty($pfx) ) ? $key : "{$pfx}[{$key}]"; |
|
457 if ( is_array($value) ) |
|
458 { |
|
459 csrf_confirm_get_recursive(true, $pfx_this, $value); |
|
460 } |
|
461 else if ( empty($value) ) |
|
462 { |
|
463 echo htmlspecialchars($pfx_this . " = <nil>") . "<br />\n"; |
|
464 echo '<input type="hidden" name="' . htmlspecialchars($pfx_this) . '" value="" />'; |
|
465 } |
|
466 else |
|
467 { |
|
468 echo htmlspecialchars($pfx_this . " = " . $value) . "<br />\n"; |
|
469 echo '<input type="hidden" name="' . htmlspecialchars($pfx_this) . '" value="' . htmlspecialchars($value) . '" />'; |
|
470 } |
|
471 } |
|
472 } |
|
473 |
|
474 function csrf_confirm_post_recursive() |
|
475 { |
|
476 csrf_confirm_get_recursive('post'); |
392 } |
477 } |
393 |
478 |
394 // Removed wikiFormat() from here, replaced with RenderMan::render |
479 // Removed wikiFormat() from here, replaced with RenderMan::render |
395 |
480 |
396 /** |
481 /** |
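Review bot: `$token_check =& $_REQUEST['cstok'];` (new line 407) does not guarantee what the comment above it claims: the isset() test only proves a cstok exists in $_GET or $_POST, while $_REQUEST is merged per variables_order/request_order, so a same-named cookie can still be the value that ends up compared against `$session->csrf_token` (and a mismatching cookie silently rejects a correct confirmation). Read the token from the superglobal that was actually checked, `$token_check = isset($_POST['cstok']) ? $_POST['cstok'] : $_GET['cstok'];`, and use a constant-time comparison where the PHP version in use provides one. Separately, `else if ( empty($value) )` in csrf_confirm_get_recursive (new line 461) treats the string "0" as nil, so a parameter whose value is "0" is re-submitted as an empty hidden field and the confirmed request no longer matches the original; `else if ( $value === '' || $value === null )` preserves it. Note also that `( $_inner == 'post' )` on line 453 is a loose comparison in which `true == 'post'` holds, so a recursive call that receives an empty array falls back to re-reading $_POST under the current prefix — probably unreachable from PHP's query parsing, but `$_inner === 'post'` removes the doubt.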
2892 $html = str_replace($matches[0][$i], "{DONT_STRIP_ME_NAKED:$seed:$i}", $html); |
2977 $html = str_replace($matches[0][$i], "{DONT_STRIP_ME_NAKED:$seed:$i}", $html); |
2893 } |
2978 } |
2894 |
2979 |
2895 // Optimize (but don't obfuscate) Javascript |
2980 // Optimize (but don't obfuscate) Javascript |
2896 preg_match_all('/<script([ ]+.*?)?>(.*?)(\]\]>)?<\/script>/is', $html, $jscript); |
2981 preg_match_all('/<script([ ]+.*?)?>(.*?)(\]\]>)?<\/script>/is', $html, $jscript); |
|
2982 require_once(ENANO_ROOT . '/includes/js-compressor.php'); |
|
2983 $jsc = new JavascriptCompressor(); |
2897 |
2984 |
2898 // list of Javascript reserved words - from about.com |
2985 // list of Javascript reserved words - from about.com |
2899 $reserved_words = array('abstract', 'as', 'boolean', 'break', 'byte', 'case', 'catch', 'char', 'class', 'continue', 'const', 'debugger', 'default', 'delete', 'do', |
2986 $reserved_words = array('abstract', 'as', 'boolean', 'break', 'byte', 'case', 'catch', 'char', 'class', 'continue', 'const', 'debugger', 'default', 'delete', 'do', |
2900 'double', 'else', 'enum', 'export', 'extends', 'false', 'final', 'finally', 'float', 'for', 'function', 'goto', 'if', 'implements', 'import', |
2987 'double', 'else', 'enum', 'export', 'extends', 'false', 'final', 'finally', 'float', 'for', 'function', 'goto', 'if', 'implements', 'import', |
2901 'in', 'instanceof', 'int', 'interface', 'is', 'long', 'namespace', 'native', 'new', 'null', 'package', 'private', 'protected', 'public', |
2988 'in', 'instanceof', 'int', 'interface', 'is', 'long', 'namespace', 'native', 'new', 'null', 'package', 'private', 'protected', 'public', |
2908 { |
2995 { |
2909 $js =& $jscript[2][$i]; |
2996 $js =& $jscript[2][$i]; |
2910 |
2997 |
2911 // echo('<pre>' . "-----------------------------------------------------------------------------\n" . htmlspecialchars($js) . '</pre>'); |
2998 // echo('<pre>' . "-----------------------------------------------------------------------------\n" . htmlspecialchars($js) . '</pre>'); |
2912 |
2999 |
2913 // for line optimization, explode it |
3000 $js = $jsc->getClean($js); |
2914 $particles = explode("\n", $js); |
|
2915 |
|
2916 foreach ( $particles as $j => $atom ) |
|
2917 { |
|
2918 // Remove comments |
|
2919 $atom = preg_replace('#\/\/(.+)#i', '', $atom); |
|
2920 |
|
2921 $atom = trim($atom); |
|
2922 if ( empty($atom) ) |
|
2923 unset($particles[$j]); |
|
2924 else |
|
2925 $particles[$j] = $atom; |
|
2926 } |
|
2927 |
|
2928 $js = implode("\n", $particles); |
|
2929 |
|
2930 $js = preg_replace('#/\*(.*?)\*/#s', '', $js); |
|
2931 |
|
2932 // find all semicolons and then linebreaks, and replace with a single semicolon |
|
2933 $js = str_replace(";\n", ';', $js); |
|
2934 |
|
2935 // starting braces |
|
2936 $js = preg_replace('/\{([\s]+)/m', '{', $js); |
|
2937 $js = str_replace(")\n{", '){', $js); |
|
2938 |
|
2939 // ending braces (tricky) |
|
2940 $js = preg_replace('/\}([^;])/m', '};\\1', $js); |
|
2941 |
|
2942 // other rules |
|
2943 $js = str_replace("};\n", "};", $js); |
|
2944 $js = str_replace(",\n", ',', $js); |
|
2945 $js = str_replace("[\n", '[', $js); |
|
2946 $js = str_replace("]\n", ']', $js); |
|
2947 $js = str_replace("\n}", '}', $js); |
|
2948 |
|
2949 // newlines immediately before reserved words |
|
2950 $js = preg_replace("/(\)|;)\n$reserved_words/is", '\\1\\2', $js); |
|
2951 |
|
2952 // fix for firefox issue |
|
2953 $js = preg_replace('/\};([\s]*)(else|\))/i', '}\\2', $js); |
|
2954 |
3001 |
2955 $replacement = "<script{$jscript[1][$i]}>/* <![CDATA[ */ $js /* ]]> */</script>"; |
3002 $replacement = "<script{$jscript[1][$i]}>/* <![CDATA[ */ $js /* ]]> */</script>"; |
2956 // apply changes |
3003 // apply changes |
2957 $html = str_replace($jscript[0][$i], $replacement, $html); |
3004 $html = str_replace($jscript[0][$i], $replacement, $html); |
|
3005 |
2958 } |
3006 } |
2959 |
3007 |
2960 // Re-insert untouchable tags |
3008 // Re-insert untouchable tags |
2961 for ($i = 0;$i < sizeof($matches[1]); $i++) |
3009 for ($i = 0;$i < sizeof($matches[1]); $i++) |
2962 { |
3010 { |
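Review bot: `$reserved_words` (new lines 2985–2988, continuing into the lines elided from this view) is now dead code: its only reader was the `preg_replace("/(\)|;)\n$reserved_words/is", ...)` step of the hand-rolled minifier this commit removes, and nothing on the new side references it, so the array and its "list of Javascript reserved words" comment should be dropped along with the rest. The result of `$jsc->getClean($js)` is still interpolated verbatim into `/* <![CDATA[ */ $js /* ]]> */</script>` (new line 3002); that was already the case before, but now that the transformation lives in an external class it is worth a comment at the call site stating the assumption that getClean() never emits `*/` or `</script>` in its output, which I cannot confirm from here. The enclosing function starts and ends outside this hunk.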