lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-03 14:10:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

format_comment() add filter_src()

Browse Source
This commit is contained in:
xiaomlove
2025-10-17 22:00:39 +07:00
parent 08dbf79ec9
commit 39f85fd001
3 changed files with 55 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/constants.php
View File

@@ -1,6 +1,6 @@
<?php
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.9.10');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-16');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-17');
defined('IN_TRACKER') || define('IN_TRACKER', false);
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");

30
include/functions.php
View File

@@ -223,6 +223,10 @@ function formatAdUrl($adid, $url, $content, $newWindow=true)
return formatUrl("adredir.php?id=".$adid."&amp;url=".rawurlencode($url), $newWindow, $content);
}
function formatUrl($url, $newWindow = false, $text = '', $linkClass = '') {
$src = filter_src($url);
if (empty($src)) {
return "";
}
if (!$text) {
$text = $url;
}
@@ -234,16 +238,18 @@ function formatCode($text) {
}
function formatImg($src, $enableImageResizer, $image_max_width, $image_max_height, $imgId = "") {
if (is_danger_url($src)) {
$msg = "[DANGER_URL]: $src";
do_log($msg, "alert");
write_log($msg, "mod");
$src = filter_src($src);
if (empty($src)) {
return "";
}
return addTempCode("<img style=\"max-width: 100%\" id=\"$imgId\" alt=\"image\" src=\"$src\"" .($enableImageResizer ? " onload=\"Scale(this,$image_max_width,$image_max_height);\" onclick=\"Preview(this);\"" : "") . " />");
}
function formatFlash($src, $width, $height) {
$src = filter_src($src);
if (empty($src)) {
return "";
}
if (!$width) {
$width = 500;
}
@@ -253,6 +259,10 @@ function formatFlash($src, $width, $height) {
return addTempCode("<object width=\"$width\" height=\"$height\"><param name=\"movie\" value=\"$src\" /><embed src=\"$src\" width=\"$width\" height=\"$height\" type=\"application/x-shockwave-flash\"></embed></object>");
}
function formatFlv($src, $width, $height) {
$src = filter_src($src);
if (empty($src)) {
return "";
}
if (!$width) {
$width = 320;
}
@@ -263,6 +273,10 @@ function formatFlv($src, $width, $height) {
}
function formatYoutube($src, $width = '', $height = ''): string
{
$src = filter_src($src);
if (empty($src)) {
return "";
}
if (!$width) {
$width = 560;
}
@@ -283,6 +297,10 @@ function formatYoutube($src, $width = '', $height = ''): string
}
function formatVideo($src, $width, $height) {
$src = filter_src($src);
if (empty($src)) {
return "";
}
if (!$width) {
$width = 560;
}
@@ -293,6 +311,10 @@ function formatVideo($src, $width, $height) {
}
function formatAudio($src) {
$src = filter_src($src);
if (empty($src)) {
return "";
}
return addTempCode("<audio controls><source src=\"$src\" /><a href=\"$src\">$src</a></audio>");
}

29
include/globalfunctions.php
View File

@@ -1368,9 +1368,36 @@ function has_role_work_seeding($uid)
return $result;
}
function filter_src($src)
{
$path = parse_url($src, PHP_URL_PATH);
if (empty($path)) {
return $src;
}
$guessScriptFilename = sprintf("%s/%s", $_SERVER['DOCUMENT_ROOT'], trim($path, '/'));
if (!file_exists($guessScriptFilename)) {
return $src;
}
//log danger, deny directly
if (is_danger_url($src)) {
$msg = "[DANGER_URL]: $src";
do_log($msg, "alert");
write_log($msg, "mod");
return "";
}
//only allow these
$allowScriptPattern = "/(forums|details|offers)\.php/i";
$match = preg_match($allowScriptPattern, $src);
if ($match <= 0) {
do_log("[NOT_ALLOW_SRC]: $src");
return "";
}
return $src;
}
function is_danger_url($url): bool
{
$dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|take.*)\.php/i";
$dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|docleanup|freeleech|take.*)\.php/i";
$match = preg_match($dangerScriptsPattern, $url);
if ($match > 0) {
return true;