fix suggest xss + nfo view style default

2026-04-21 18:37:31 +08:00 · 2022-09-27 22:06:05 +08:00
parent 3ea23d337b
commit 10588537b1
11 changed files with 40 additions and 12 deletions
@@ -19,8 +19,6 @@ class Torrent extends NexusModel
        'times_completed', 'approval_status', 'banned', 'visible', 'pos_state_until',
    ];

-    private static $globalPromotionState;
-
    const VISIBLE_YES = 'yes';
    const VISIBLE_NO = 'no';

@@ -156,6 +154,14 @@ class Torrent extends NexusModel
        ],
    ];

+    const NFO_VIEW_STYLE_DOS = 'magic';
+    const NFO_VIEW_STYLE_WINDOWS = 'latin-1';
+
+    public static array $nfoViewStyles = [
+        self::NFO_VIEW_STYLE_DOS => ['text' => 'DOS-vy'],
+        self::NFO_VIEW_STYLE_WINDOWS => ['text' => 'Windows-vy'],
+    ];
+
    public function getPickInfoAttribute()
    {
        $info = self::$pickTypes[$this->picktype] ?? null;
@@ -1,6 +1,6 @@
 <?php
 defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.7.28');
-defined('RELEASE_DATE') || define('RELEASE_DATE', '2022-09-26');
+defined('RELEASE_DATE') || define('RELEASE_DATE', '2022-09-27');
 defined('IN_TRACKER') || define('IN_TRACKER', false);
 defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
 defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");
@@ -3908,7 +3908,11 @@ function validusername($username)
 // Some Swedish Latin-1 letters collide with popular DOS glyphs. If these
 // characters are between ASCII-characters (a-zA-Z and more) they are
 // treated like the Swedish letters, otherwise like the DOS glyphs.
-function code($ibm_437, $swedishmagic = false) {
+function code($ibm_437, $view) {
+    $swedishmagic = false;
+    if ($view == "magic") {
+        $swedishmagic = true;
+    }
 $table437 = array("\200", "\201", "\202", "\203", "\204", "\205", "\206", "\207",
 "\210", "\211", "\212", "\213", "\214", "\215", "\216", "\217", "\220",
 "\221", "\222", "\223", "\224", "\225", "\226", "\227", "\230", "\231",
@@ -790,6 +790,7 @@ $lang_settings = array
    'text_zero_bonus_tag_note' => '。带此标签的种子为零魔种子',
    'row_upload_deny_approval_deny_count' => '拒绝发布审核不通过数',
    'text_upload_deny_approval_deny_count_note' => "当审核不通过的种子数大于等于此数值时，不允许发布。设置为 '0' 不使用此规则",
+    'row_nfo_view_style_default' => 'NFO 默认查看样式',
 );

 ?>
@@ -790,6 +790,7 @@ $lang_settings = array
    'text_zero_bonus_tag_note' => '。帶此標簽的種子為零魔種子',
    'row_upload_deny_approval_deny_count' => '拒絕發布審核不通過數',
    'text_upload_deny_approval_deny_count_note' => "當審核不通過的種子數大於等於此數值時，不允許發布。設置為 '0' 不使用此規則",
+    'row_nfo_view_style_default' => 'NFO 默認查看樣式',
 );

 ?>
@@ -790,6 +790,7 @@ $lang_settings = array
    'text_zero_bonus_tag_note' => '. Torrents with this tag are zero bonus torrents',
    'row_upload_deny_approval_deny_count' => 'Refuse to upload approval deny count',
    'text_upload_deny_approval_deny_count_note' => "When the number of torrents approval deny is greater than or equal to this value, publishing is not allowed. Set to '0' to not use this rule",
+    'row_nfo_view_style_default' => 'NFO view style default',
 );

 ?>
@@ -347,6 +347,7 @@ return array (
      'claim_reach_standard_uploaded' => \App\Models\Claim::STANDARD_UPLOADED_TIMES,
      'approval_status_icon_enabled' => 'no',
      'approval_status_none_visible' => 'yes',
+      'nfo_view_style_default' => \App\Models\Torrent::NFO_VIEW_STYLE_DOS,
  ),
  'attachment' =>
  array (
@@ -300,10 +300,10 @@ JS;

 		if (user_can('viewnfo') && $CURUSER['shownfo'] != 'no' && $row["nfosz"] > 0){
 			if (!$nfo = $Cache->get_value('nfo_block_torrent_id_'.$id)){
-				$nfo = code($row["nfo"], $view == "magic");
+				$nfo = code($row["nfo"], get_setting('torrent.nfo_view_style_default'));
 				$Cache->cache_value('nfo_block_torrent_id_'.$id, $nfo, 604800);
 			}
-			tr("<a href=\"javascript: klappe_news('nfo')\"><img class=\"plus\" src=\"pic/trans.gif\" alt=\"Show/Hide\" id=\"picnfo\" title=\"".$lang_details['title_show_or_hide']."\" /> ".$lang_details['text_nfo']."</a><br /><a href=\"viewnfo.php?id=".$row['id']."\" class=\"sublink\">". $lang_details['text_view_nfo']. "</a>", "<div id='knfo' style=\"display: none;\"><pre style=\"font-size:10pt; font-family: 'Courier New', monospace;\">".$nfo."</pre></div>\n", 1);
+			tr("<a href=\"javascript: klappe_news('nfo')\"><img class=\"plus\" src=\"pic/trans.gif\" alt=\"Show/Hide\" id=\"picnfo\" title=\"".$lang_details['title_show_or_hide']."\" /> ".$lang_details['text_nfo']."</a><br /><a href=\"viewnfo.php?id=".$row['id']."\" class=\"sublink\">". $lang_details['text_view_nfo']. "</a>", "<div id='knfo' style=\"display: none;\"><pre style=\"font-size:10pt; font-family: 'Courier New', monospace;white-space: break-spaces\">".$nfo."</pre></div>\n", 1);
 		}

 	if ($imdb_id && $showextinfo['imdb'] == 'yes' && $CURUSER['showimdb'] != 'no')
@@ -156,7 +156,8 @@ elseif($action == 'savesettings_torrent') 	// save account
        'twoupbecome','twoupfreebecome', 'twouphalfleechbecome','normalbecome','uploaderdouble','deldeadtorrent', 'randomthirtypercentdown',
        'thirtypercentleechbecome', 'expirethirtypercentleech', 'sticky_first_level_background_color', 'sticky_second_level_background_color',
        'download_support_passkey', 'claim_enabled', 'claim_torrent_ttl', 'claim_torrent_user_counts_up_limit', 'claim_user_torrent_counts_up_limit', 'claim_remove_deduct_user_bonus',
-        'claim_give_up_deduct_user_bonus', 'claim_bonus_multiplier', 'claim_reach_standard_seed_time', 'claim_reach_standard_uploaded', 'approval_status_icon_enabled', 'approval_status_none_visible'
+        'claim_give_up_deduct_user_bonus', 'claim_bonus_multiplier', 'claim_reach_standard_seed_time', 'claim_reach_standard_uploaded', 'approval_status_icon_enabled', 'approval_status_none_visible',
+        'nfo_view_style_default',
    );
 	$validConfig = apply_filter('setting_valid_config', $validConfig);
 	GetVar($validConfig);
@@ -710,6 +711,17 @@ elseif ($action == 'torrentsettings')
    yesorno($lang_settings['row_download_support_passkey'], 'download_support_passkey', $TORRENT["download_support_passkey"], $lang_settings['text_download_support_passkey_note']);
    yesorno($lang_settings['row_approval_status_icon_enabled'], 'approval_status_icon_enabled', $TORRENT["approval_status_icon_enabled"], $lang_settings['text_approval_status_icon_enabled_note']);
    yesorno($lang_settings['row_approval_status_none_visible'], 'approval_status_none_visible', $TORRENT["approval_status_none_visible"], $lang_settings['text_approval_status_none_visible_note']);
+
+    $nfoViewStyleRadio = '';
+    $name = 'nfo_view_style_default';
+    foreach (\App\Models\Torrent::$nfoViewStyles as $style => $info) {
+        $nfoViewStyleRadio .= sprintf(
+            '<label><input type="radio" name="%s" value="%s"%s>%s</label>',
+            $name, $style, $TORRENT[$name] == $style ? ' checked' : '', $info['text']
+        );
+    }
+    tr($lang_settings['row_' . $name], $nfoViewStyleRadio, 1);
+
    yesorno($lang_settings['row_promotion_rules'], 'prorules', $TORRENT["prorules"], $lang_settings['text_promotion_rules_note']);
 	tr($lang_settings['row_random_promotion'], $lang_settings['text_random_promotion_note_one']."<ul><li><input type='text' style=\"width: 50px\" name=randomhalfleech value='".(isset($TORRENT["randomhalfleech"]) ? $TORRENT["randomhalfleech"] : 5 )."'>".$lang_settings['text_halfleech_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomfree value='".(isset($TORRENT["randomfree"]) ? $TORRENT["randomfree"] : 2 )."'>".$lang_settings['text_free_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomtwoup value='".(isset($TORRENT["randomtwoup"]) ? $TORRENT["randomtwoup"] : 2 )."'>".$lang_settings['text_twoup_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomtwoupfree value='".(isset($TORRENT["randomtwoupfree"]) ? $TORRENT["randomtwoupfree"] : 1 )."'>".$lang_settings['text_freetwoup_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomtwouphalfdown value='".(isset($TORRENT["randomtwouphalfdown"]) ? $TORRENT["randomtwouphalfdown"] : 0 )."'>".$lang_settings['text_twouphalfleech_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomthirtypercentdown value='".(isset($TORRENT["randomthirtypercentdown"]) ? $TORRENT["randomthirtypercentdown"] : 0 )."'>".$lang_settings['text_thirtypercentleech_chance_becoming']."</li></ul>".$lang_settings['text_random_promotion_note_two'], 1);
 	tr($lang_settings['row_large_torrent_promotion'], $lang_settings['text_torrent_larger_than']."<input type='text' style=\"width: 50px\" name=largesize value='".(isset($TORRENT["largesize"]) ? $TORRENT["largesize"] : 20 )."'>".$lang_settings['text_gb_promoted_to']."<select name=largepro>".promotion_selection((isset($TORRENT['largepro']) ? $TORRENT['largepro'] : 2), 1)."</select>".$lang_settings['text_by_system_upon_uploading']."<br />".$lang_settings['text_large_torrent_promotion_note'], 1);
@@ -1129,7 +1129,7 @@ if (!$Cache->get_page()){
 	$hotsearch = "";
 	while ($searchrow = mysql_fetch_assoc($searchres))
 	{
-		$hotsearch .= "<a href=\"".htmlspecialchars("?search=" . rawurlencode($searchrow["keywords"]) . "&notnewword=1")."\"><u>" . $searchrow["keywords"] . "</u></a>&nbsp;&nbsp;";
+		$hotsearch .= "<a href=\"".htmlspecialchars("?search=" . rawurlencode($searchrow["keywords"]) . "&notnewword=1")."\"><u>" . htmlspecialchars($searchrow["keywords"]) . "</u></a>&nbsp;&nbsp;";
 		$hotcount += mb_strlen($searchrow["keywords"],"UTF-8");
 		if ($hotcount > 60)
 			break;
@@ -27,12 +27,14 @@ if ($view == "latin-1" || $view == "fonthack") {
 // Do not convert from ibm-437, read bytes as is.
 // NOTICE: TBSource specifies Latin-1 encoding in include/bittorrent.php:
 // stdhead()
-$nfo = htmlspecialchars(($a["nfo"]));
+//$nfo = htmlspecialchars(($a["nfo"]));
+$nfo = code($a["nfo"], $view);
 }
 else {
 // Convert from ibm-437 to html unicode entities.
 // take special care of Swedish letters if in magic view.
-$nfo = code($a["nfo"], $view == "magic");
+//$nfo = code($a["nfo"], $view == "magic");
+$nfo = code($a["nfo"], $view);
 }

 stdhead($lang_viewnfo['head_view_nfo']);
@@ -65,14 +67,14 @@ if ($view == "fonthack") {
 // Please notice: MS LineDraw's glyphs are included in the Courier New font
 // as of Courier New version 2.0, but uses the correct mappings instead.
 // http://support.microsoft.com/kb/q179422/
-print("<pre style=\"font-size:10pt; font-family: 'MS LineDraw', 'Terminal', monospace;\">");
+print("<pre style=\"font-size:10pt; font-family: 'MS LineDraw', 'Terminal', monospace;white-space: break-spaces\">");
 }
 else {
 // IE6.0 need to know which font to use, Mozilla can figure it out in its own
 // (windows firefox at least)
 // Anything else than 'Courier New' looks pretty broken.
 // 'Lucida Console', 'FixedSys'
-print("<pre style=\"font-size:10pt; font-family: 'Courier New', monospace;\">");
+print("<pre style=\"font-size:10pt; font-family: 'Courier New', monospace;white-space: break-spaces\">");
 }
 // Writes the (eventually modified) nfo data to output, first formating urls.
 print(format_urls($nfo));