lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-24 20:17:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix suggest xss + nfo view style default

Browse Source
This commit is contained in:
xiaomlove
2022-09-27 22:06:05 +08:00
parent 3ea23d337b
commit 10588537b1
11 changed files with 40 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/details.php
+2 -2
View File
@@ -300,10 +300,10 @@ JS;
if (user_can('viewnfo') && $CURUSER['shownfo'] != 'no' && $row["nfosz"] > 0){
if (!$nfo = $Cache->get_value('nfo_block_torrent_id_'.$id)){
$nfo = code($row["nfo"], $view == "magic");
$nfo = code($row["nfo"], get_setting('torrent.nfo_view_style_default'));
$Cache->cache_value('nfo_block_torrent_id_'.$id, $nfo, 604800);
}
tr("<a href=\"javascript: klappe_news('nfo')\"><img class=\"plus\" src=\"pic/trans.gif\" alt=\"Show/Hide\" id=\"picnfo\" title=\"".$lang_details['title_show_or_hide']."\" /> ".$lang_details['text_nfo']."</a><br /><a href=\"viewnfo.php?id=".$row['id']."\" class=\"sublink\">". $lang_details['text_view_nfo']. "</a>", "<div id='knfo' style=\"display: none;\"><pre style=\"font-size:10pt; font-family: 'Courier New', monospace;\">".$nfo."</pre></div>\n", 1);
tr("<a href=\"javascript: klappe_news('nfo')\"><img class=\"plus\" src=\"pic/trans.gif\" alt=\"Show/Hide\" id=\"picnfo\" title=\"".$lang_details['title_show_or_hide']."\" /> ".$lang_details['text_nfo']."</a><br /><a href=\"viewnfo.php?id=".$row['id']."\" class=\"sublink\">". $lang_details['text_view_nfo']. "</a>", "<div id='knfo' style=\"display: none;\"><pre style=\"font-size:10pt; font-family: 'Courier New', monospace;white-space: break-spaces\">".$nfo."</pre></div>\n", 1);
}
if ($imdb_id && $showextinfo['imdb'] == 'yes' && $CURUSER['showimdb'] != 'no')
public/settings.php
+13 -1
View File
@@ -156,7 +156,8 @@ elseif($action == 'savesettings_torrent') // save account
'twoupbecome','twoupfreebecome', 'twouphalfleechbecome','normalbecome','uploaderdouble','deldeadtorrent', 'randomthirtypercentdown',
'thirtypercentleechbecome', 'expirethirtypercentleech', 'sticky_first_level_background_color', 'sticky_second_level_background_color',
'download_support_passkey', 'claim_enabled', 'claim_torrent_ttl', 'claim_torrent_user_counts_up_limit', 'claim_user_torrent_counts_up_limit', 'claim_remove_deduct_user_bonus',
'claim_give_up_deduct_user_bonus', 'claim_bonus_multiplier', 'claim_reach_standard_seed_time', 'claim_reach_standard_uploaded', 'approval_status_icon_enabled', 'approval_status_none_visible'
'claim_give_up_deduct_user_bonus', 'claim_bonus_multiplier', 'claim_reach_standard_seed_time', 'claim_reach_standard_uploaded', 'approval_status_icon_enabled', 'approval_status_none_visible',
'nfo_view_style_default',
);
$validConfig = apply_filter('setting_valid_config', $validConfig);
GetVar($validConfig);
@@ -710,6 +711,17 @@ elseif ($action == 'torrentsettings')
yesorno($lang_settings['row_download_support_passkey'], 'download_support_passkey', $TORRENT["download_support_passkey"], $lang_settings['text_download_support_passkey_note']);
yesorno($lang_settings['row_approval_status_icon_enabled'], 'approval_status_icon_enabled', $TORRENT["approval_status_icon_enabled"], $lang_settings['text_approval_status_icon_enabled_note']);
yesorno($lang_settings['row_approval_status_none_visible'], 'approval_status_none_visible', $TORRENT["approval_status_none_visible"], $lang_settings['text_approval_status_none_visible_note']);
$nfoViewStyleRadio = '';
$name = 'nfo_view_style_default';
foreach (\App\Models\Torrent::$nfoViewStyles as $style => $info) {
$nfoViewStyleRadio .= sprintf(
'<label><input type="radio" name="%s" value="%s"%s>%s</label>',
$name, $style, $TORRENT[$name] == $style ? ' checked' : '', $info['text']
);
}
tr($lang_settings['row_' . $name], $nfoViewStyleRadio, 1);
yesorno($lang_settings['row_promotion_rules'], 'prorules', $TORRENT["prorules"], $lang_settings['text_promotion_rules_note']);
tr($lang_settings['row_random_promotion'], $lang_settings['text_random_promotion_note_one']."<ul><li><input type='text' style=\"width: 50px\" name=randomhalfleech value='".(isset($TORRENT["randomhalfleech"]) ? $TORRENT["randomhalfleech"] : 5 )."'>".$lang_settings['text_halfleech_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomfree value='".(isset($TORRENT["randomfree"]) ? $TORRENT["randomfree"] : 2 )."'>".$lang_settings['text_free_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomtwoup value='".(isset($TORRENT["randomtwoup"]) ? $TORRENT["randomtwoup"] : 2 )."'>".$lang_settings['text_twoup_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomtwoupfree value='".(isset($TORRENT["randomtwoupfree"]) ? $TORRENT["randomtwoupfree"] : 1 )."'>".$lang_settings['text_freetwoup_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomtwouphalfdown value='".(isset($TORRENT["randomtwouphalfdown"]) ? $TORRENT["randomtwouphalfdown"] : 0 )."'>".$lang_settings['text_twouphalfleech_chance_becoming']."</li><li><input type='text' style=\"width: 50px\" name=randomthirtypercentdown value='".(isset($TORRENT["randomthirtypercentdown"]) ? $TORRENT["randomthirtypercentdown"] : 0 )."'>".$lang_settings['text_thirtypercentleech_chance_becoming']."</li></ul>".$lang_settings['text_random_promotion_note_two'], 1);
tr($lang_settings['row_large_torrent_promotion'], $lang_settings['text_torrent_larger_than']."<input type='text' style=\"width: 50px\" name=largesize value='".(isset($TORRENT["largesize"]) ? $TORRENT["largesize"] : 20 )."'>".$lang_settings['text_gb_promoted_to']."<select name=largepro>".promotion_selection((isset($TORRENT['largepro']) ? $TORRENT['largepro'] : 2), 1)."</select>".$lang_settings['text_by_system_upon_uploading']."<br />".$lang_settings['text_large_torrent_promotion_note'], 1);
public/torrents.php
+1 -1
View File
@@ -1129,7 +1129,7 @@ if (!$Cache->get_page()){
$hotsearch = "";
while ($searchrow = mysql_fetch_assoc($searchres))
{
$hotsearch .= "<a href=\"".htmlspecialchars("?search=" . rawurlencode($searchrow["keywords"]) . "&notnewword=1")."\"><u>" . $searchrow["keywords"] . "</u></a>&nbsp;&nbsp;";
$hotsearch .= "<a href=\"".htmlspecialchars("?search=" . rawurlencode($searchrow["keywords"]) . "&notnewword=1")."\"><u>" . htmlspecialchars($searchrow["keywords"]) . "</u></a>&nbsp;&nbsp;";
$hotcount += mb_strlen($searchrow["keywords"],"UTF-8");
if ($hotcount > 60)
break;
public/viewnfo.php
+6 -4
View File
@@ -27,12 +27,14 @@ if ($view == "latin-1" || $view == "fonthack") {
// Do not convert from ibm-437, read bytes as is.
// NOTICE: TBSource specifies Latin-1 encoding in include/bittorrent.php:
// stdhead()
$nfo = htmlspecialchars(($a["nfo"]));
//$nfo = htmlspecialchars(($a["nfo"]));
$nfo = code($a["nfo"], $view);
}
else {
// Convert from ibm-437 to html unicode entities.
// take special care of Swedish letters if in magic view.
$nfo = code($a["nfo"], $view == "magic");
//$nfo = code($a["nfo"], $view == "magic");
$nfo = code($a["nfo"], $view);
}
stdhead($lang_viewnfo['head_view_nfo']);
@@ -65,14 +67,14 @@ if ($view == "fonthack") {
// Please notice: MS LineDraw's glyphs are included in the Courier New font
// as of Courier New version 2.0, but uses the correct mappings instead.
// http://support.microsoft.com/kb/q179422/
print("<pre style=\"font-size:10pt; font-family: 'MS LineDraw', 'Terminal', monospace;\">");
print("<pre style=\"font-size:10pt; font-family: 'MS LineDraw', 'Terminal', monospace;white-space: break-spaces\">");
}
else {
// IE6.0 need to know which font to use, Mozilla can figure it out in its own
// (windows firefox at least)
// Anything else than 'Courier New' looks pretty broken.
// 'Lucida Console', 'FixedSys'
print("<pre style=\"font-size:10pt; font-family: 'Courier New', monospace;\">");
print("<pre style=\"font-size:10pt; font-family: 'Courier New', monospace;white-space: break-spaces\">");
}
// Writes the (eventually modified) nfo data to output, first formating urls.
print(format_urls($nfo));