X-Git-Url: https://git.harvie.cz/?a=blobdiff_plain;ds=sidebyside;f=index.php;h=479e75cf9ff0a43010091226ff8cc217e4510d97;hb=a8bbdc31576415bf9b1d1100785f8ad4f53a37e4;hp=b37ab51d93f729142d5a1274cd1d818aa6ef1587;hpb=6f7943a08cc115d137c5777408259009433ea8ca;p=mirrors%2FSokoMan.git diff --git a/index.php b/index.php index b37ab51..479e75c 100755 --- a/index.php +++ b/index.php @@ -159,7 +159,7 @@ class Sklad_HTML extends HTML { //TODO: Split into few more methods $home = URL_HOME; $script = $_SERVER['SCRIPT_NAME']; $search = htmlspecialchars(@trim($_GET['q'])); - $message = strip_tags(@trim($_GET['message']),''); + $message = strip_tags(@trim($_GET['message']),'
'); $instance = INSTANCE_ID != '' ? '/'.INSTANCE_ID : ''; $user_id = htmlspecialchars($user['id']); $user_gid = htmlspecialchars($user['gid']); @@ -296,7 +296,11 @@ EOF; $relations = array( //TODO: Autodetect??? 'model' => array( 'model_id' => array(array('item',$where_url)), - 'model_barcode' => array(array('store','assistant/%d?barcode=%v')) + 'model_barcode' => array(array('store','assistant/%d?barcode=%v')), + 'model_name' => array(array('google','http://google.com/search?q=%v',true)) + ), + 'item' => array( + 'item_serial' => array(array('dispose','assistant/%d?serial=%v'),array('sell','assistant/%d?serial=%v')) ), 'category' => array('category_id' => array(array('item',$where_url))), 'producer' => array('producer_id' => array(array('item',$where_url))), @@ -310,10 +314,10 @@ EOF; foreach($relations[$class][$column] as $destination) { $destination_url = str_replace( array('%d','%c','%v'), - array($destination[0],$column,$value), + array(urlencode($destination[0]),urlencode($column),urlencode($value)), $destination[1] ); - @$table[$id][$class.$suffix_relations] .= $this->link($destination[0], $destination_url).','; + @$table[$id][$class.$suffix_relations] .= $this->link($destination[0], $destination_url, !isset($destination[2])).','; } } } @@ -791,15 +795,16 @@ class Sklad_UI { new HTTP_Auth('SkladovejSystem', true, array($this->db->auth,'check_auth')); } - function post_redirect_get($location, $message='', $error=false) { - $url_args = $message != '' ? '?message='.urlencode(T($message)) : ''; + function post_redirect_get($location, $message='', $error=false, $translate=true) { + $messaget = $translate ? T($message) : $message; + $url_args = $messaget != '' ? '?message='.urlencode($messaget) : ''; $location = $this->html->internal_url($location).$url_args; header('Location: '.$location); if($error) trigger_error($message); $location=htmlspecialchars($location); die( "". - T($message)."
Location: $location" + $messaget."
Location: $location" ); } @@ -815,6 +820,15 @@ class Sklad_UI { return $out; } + function check_input_validity($field, $value='', $ruleset=0) { + $rules = array(0 => array( + 'model_barcode' => '/./', + 'item_serial' => '/./' + )); + if(isset($rules[$ruleset][$field]) && !preg_match($rules[$ruleset][$field], trim($value))) return false; + return true; + } + function process_http_request_post($action=false, $class=false, $id=false, $force_redirect=false) { if($_SERVER['REQUEST_METHOD'] != 'POST') return; //echo('
'); //DEBUG (maybe todo remove), HEADERS ALREADY SENT!!!!
@@ -829,7 +843,14 @@ class Sklad_UI {
 			$values=array();
 			foreach($_POST['values'] as $table => $columns) {
 				foreach($columns as $column => $ids) {
-					foreach($ids as $id => $val) $values[$table][$id][$column] = $val;
+					foreach($ids as $id => $val) {
+						$values[$table][$id][$column] = trim($val);
+						if(!$this->check_input_validity($column,$val)) {
+							$message = "Spatny vstup: $column [$id] = \"$val\"; ". //XSS
+								$this->html->link('GO BACK', 'javascript:history.back()', false, false);
+			        $this->post_redirect_get('', $message, false, false);
+						}
+					}
 				}
 			}
 			//die(print_r($values));