authorDries Buytaert2003-07-01 17:54:22 +0000
committerDries Buytaert2003-07-01 17:54:22 +0000
commitdc15ba06e05df99885d0024b2fc9173291e79038 (patch)
treead14e1874ef5bb0bd109e1e9376d1da2107b0722
parent3bb6ddee4b2b3fa1b48dc557b3be7af2ea521ecb (diff)
- Improvement: don't perform XSS checks for trusted users. Trusted users
are those that have the "bypass input data check" permission set. Should address bug #2147. - Improvement: simplified index.php and modules/admin.module. - Bugfix: fixed broken links in bloggerapi documentation. Patch by Chris Johnson. Fixes bug #2030. - Bugfix: fixed the date shown on a book module preview. Reported as part of bug #2097. - Bugfix: fixed broken URL in the book module documentation.
-rw-r--r--includes/common.inc16
-rw-r--r--index.php10
-rw-r--r--modules/admin.module2
-rw-r--r--modules/bloggerapi.module30
-rw-r--r--modules/book.module4
-rw-r--r--modules/book/book.module4
-rw-r--r--modules/node.module1
-rw-r--r--modules/node/node.module1
-rw-r--r--modules/system.module2
-rw-r--r--modules/system/system.module2
10 files changed, 38 insertions, 34 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 910174e..87ab764 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -484,7 +484,7 @@ function xss_check_input_data($data) {
*/
// check attributes:
- $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|style|on[a-z]+)\s*=[^>]+?>/i", $data);
+ $match = preg_match("/\W(style|dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i", $data);
$match += preg_match("/\W(src|href)\s*=[\s'\"]*javascript[^>]+?>/i", $data);
// check tags:
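Review bot: The attribute pattern on the + line is a denylist keyed on a fixed attribute-name list followed by `=` and a closing `>`, so its coverage depends on that list being complete and on the markup being well-formed; dropping the duplicate `style` is correct but leaves that property unchanged, and nothing in the hunk says so. A reader could take a zero return as "input is safe", which the pattern cannot promise. I would state the contract above the match: `// Best-effort denylist of script-bearing attributes; this is a request-level heuristic, not a substitute for escaping on output.` xss_check_input_data's body starts and ends outside the hunk.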
@@ -1021,6 +1021,16 @@ function drupal_page_header() {
exit();
}
}
+
+ /*
+ ** Putting the check here avoids SQL query overhead in case we are
+ ** serving cached pages. The downside, however, is that the init
+ ** hooks might use unchecked data.
+ */
+
+ if (!user_access("bypass input data check")) {
+ xss_check_input_data($_REQUEST);
+ }
}
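Review bot: The bypass on the added `if (!user_access("bypass input data check"))` is evaluated for the account that sent the request, so any request made by a user holding that permission — including one that merely carries a reflected payload in its URL — is no longer checked; the accounts the permission marks as trusted are exactly the sessions the check was protecting. The new comment already concedes that init hooks may see unchecked data, but it should also record this second consequence, e.g. `** The bypass is decided for the requesting account, so it also switches` / `** the check off for requests that only target such an account.`. Moving the call from the common.inc top level (removed in the next hunk) into drupal_page_header() presumably also means scripts that include common.inc without calling drupal_page_header() are no longer covered — worth confirming and noting here. Whether user_access() can already resolve the current account at this point in the bootstrap is not visible in the hunk; drupal_page_header() starts outside it.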
function drupal_page_footer() {
@@ -1054,9 +1064,6 @@ set_error_handler("error_handler");
// spit out the correct charset http header
header("Content-Type: text/html; charset=utf-8");
-// filter input data:
-xss_check_input_data($_REQUEST);
-
// initialize installed modules:
module_init();
@@ -1066,5 +1073,4 @@ $locale = locale_init();
// initialize theme:
$theme = theme_init();
-
?>
diff --git a/index.php b/index.php
index 692279b..3d149ea 100644
--- a/index.php
+++ b/index.php
@@ -12,17 +12,12 @@ else {
}
if (isset($mod) && module_hook($mod, "page")) {
- if ($mod != "admin") {
- drupal_page_header();
- }
+ drupal_page_header();
module_invoke($mod, "page");
- if ($mod != "admin") {
- drupal_page_footer();
- }
+ drupal_page_footer();
}
else {
drupal_page_header();
-
check_php_setting("magic_quotes_gpc", 0);
if (module_hook(variable_get("site_frontpage", "node"), "page")) {
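Review bot: After the simplification, `check_php_setting("magic_quotes_gpc", 0);` is still reached only on the else branch (front-page rendering), so a request that selects a module via `$mod` never runs it; if the setting matters for input handling it matters on both paths. Hoisting the single line above `if (isset($mod) && module_hook($mod, "page")) {` would make the two branches symmetric without changing what either renders. The enclosing block and the origin of `$mod` lie outside the hunk.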
@@ -32,7 +27,6 @@ else {
theme("header");
theme("footer");
}
-
drupal_page_footer();
}
diff --git a/modules/admin.module b/modules/admin.module
index 83d34f5..767aba0 100644
--- a/modules/admin.module
+++ b/modules/admin.module
@@ -35,7 +35,6 @@ function admin_page() {
global $base_url;
if (user_access("access administration pages")) {
- drupal_page_header();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
@@ -99,7 +98,6 @@ function admin_page() {
</body>
</html>
<?php
- drupal_page_footer();
}
else {
print message_access();
diff --git a/modules/bloggerapi.module b/modules/bloggerapi.module
index 3b27261..533dece 100644
--- a/modules/bloggerapi.module
+++ b/modules/bloggerapi.module
@@ -370,22 +370,26 @@ function bloggerapi_system($field){
}
function bloggerapi_help() {
- $output .= "<h3>Introduction</h3><p><a href=\"http://www.blogger.com\">Blogger</a>, the well-known public weblog service, provides an application programing interface (API) to allow remote procedure calls (RPC) to the Blogger service. Drupal supports this <a href=\"http://plant.blogger.com/api/index.html\">Blogger API</a>, which means that many remote clients (e.g. <a href=\"radio.userland.com\">Radio</a>, <a href=\"http://simon.kittle.info/textrouter\">TextRouter</a>, <a href=\"http://blogbuddy.sourceforge.net/\">Blogbuddy</a>, <a href=\"http://www.wbloggar.com/\">w.bloggar</a>, <a href=\"http://www.tswoam.co.uk/index.php?n_go=16\">PerlyBlog</a>), may post to Drupal. These clients provide a bevy of interesting capabilities like offline composing, spellcheck, and WYSIWYG editing; many folks prefer to blog with a client application over typical web forms. By supporting the Blogger API, Drupal grows grander than a web site engine, it's a <i>content accepting machine</i>&trade;.</p>";
- $output .= "<p>The <a href=\"http://plant.blogger.com/api/index.html\">Blogger RPC API</a> uses the <a href=\"http://www.xmlrpc.com\">XML-RPC</a> protocol for communicating with the outside world. XML-RPC, originally developed by Dave Winer of <a href=\"http://www.userland.com\">UserLand Software</a>, is a simple XML-based RPC specification ideally suited to the web. Drupal also uses XML-RPC for several other tasks (e.g. notifiying <a href=\"http://www.weblogs.com\">weblogs.com</a> of blog updates and making/accepting ". l("distributed authentication", "user/help") ." requests)</p>";
- $output .= "<h3>Blogger API implementation</h3><p>A word of warning on the Blogger API: it is <b>unofficial</b>. It exists because Blogger is one of the most popular services and also they were first to implement an XML-RPC interface to their service. It is certainly not the best implementation of a distributed weblog API. For a promising candidate, see <a href=\"http://www.wasabii.org\">Wasabii</a>.</p>";
- $output .= "<p>Drupal's support for the Blogger API is quite complete. Each method with an asterisk below has been implemented in Drupal.</p>";
-
- $output .= "<p><a href=\"http://plant.blogger.com/api/xmlrpc_newPost.html\">blogger.newPost()*</a><br /><a href=\"http://plant.blogger.com/api/xmlrpc_editPost.html\">blogger.editPost()*</a><br /><a href=\"http://plant.blogger.com/api/xmlrpc_getUsersBlogs.html\">blogger.getUsersBlogs()*</a><br /><a href=\"http://plant.blogger.com/api/xmlrpc_getUserInfo.html\">blogger.getUserInfo()*</a><br /><a href=\"http://plant.blogger.com/api/xmlrpc_getTemplate.html\">blogger.getTemplate()</a><br /><a href=\"http://plant.blogger.com/api/xmlrpc_setTemplate.html\">blogger.setTemplate()</a><br /></p>";
+ $output = "<h3>Introduction</h3>";
+ $output .= "<p><a href=\"http://www.blogger.com\">Blogger</a>, the well-known public weblog service, provides an application programing interface (API) to allow remote procedure calls (RPC) to the Blogger service. Drupal supports this <a href=\"http://www.blogger.com/developers/api/1_docs/\">Blogger API</a>, which means that many remote clients (e.g. <a href=\"http://radio.userland.com/\">Radio</a>, <a href=\"http://blogbuddy.sourceforge.net/\">Blogbuddy</a>, <a href=\"http://www.wbloggar.com/\">w.bloggar</a>, <a href=\"http://www.tswoam.co.uk/files/textrouter/\">TextRouter</a>, <a href=\"http://www.tswoam.co.uk/files/\">PerlyBlog</a>), may post to Drupal. These clients provide a bevy of interesting capabilities like offline composing, spellcheck, and WYSIWYG editing; many folks prefer to blog with a client application over typical web forms. By supporting the Blogger API, Drupal grows grander than a web site engine, it\'s a <i>content accepting machine</i>&trade;.</p>";
+ $output .= "<p>The <a href=\"http://www.blogger.com/developers/api/1_docs/\">Blogger API</a> uses the <a href=\"http://www.xmlrpc.com\">XML-RPC</a> protocol for communicating with the outside world. XML-RPC, originally developed by Dave Winer of <a href=\"http://www.userland.com\">UserLand Software</a>, is a simple XML-based RPC specification ideally suited to the web. Drupal also uses XML-RPC for several other tasks (e.g. notifiying <a href=\"http://www.weblogs.com\">weblogs.com</a> of blog updates and making/accepting '. l(\"distributed authentication\", \"user/help\") .' requests)</p>";
+ $output .= "<h3>Blogger API implementation</h3>";
+ $output .= "<p>A word of warning on the Blogger API: it is <b>unofficial</b>. It exists because Blogger is one of the most popular services and also they were first to implement an XML-RPC interface to their service. It may not be the best implementation of a distributed weblog API. For a promising candidate, see the <a href=\"http://www.intertwingly.net/wiki/pie/RoadMap\">Echo project</a>.</p>";
+ $output .= "<p>Drupal\'s support for the Blogger API is quite complete. Each method with an asterisk below has been implemented in Drupal.</p>";
+ $output .= "<p><a href=\"http://www.blogger.com/developers/api/1_docs/xmlrpc_newPost.html\">blogger.newPost()*</a><br /><a href=\"http://www.blogger.com/developers/api/1_docs/xmlrpc_editPost.html\">blogger.editPost()*</a><br /><a href=\"http://www.blogger.com/developers/api/1_docs/xmlrpc_getUsersBlogs.html\">blogger.getUsersBlogs()*</a><br /><a href=\"http://www.blogger.com/developers/api/1_docs/xmlrpc_getUserInfo.html\">blogger.getUserInfo()*</a><br /><a href=\"http://www.blogger.com/developers/api/1_docs/xmlrpc_getTemplate.html\">blogger.getTemplate()</a><br /><a href=\"http://www.blogger.com/developers/api/1_docs/xmlrpc_setTemplate.html\">blogger.setTemplate()</a></p>";
$output .= "<p>Drupal also supports the following methods. These methods were added after the those listed above and are not documented on the Blogger API web site. Each method is linked to its corresponding blogger-dev mailing list posts:</p>";
- $output .= "<p><a href=\"http://groups.yahoo.com/group/bloggerDev/message/296\">blogger.getPost()*</a><br /><a href=\"http://groups.yahoo.com/group/bloggerDev/message/225\">blogger.getRecentPosts()*</a><br /><a href=\"http://groups.yahoo.com/group/bloggerDev/message/147\">blogger.deletePost()*</a><br /></p>";
- $output .= "<h3>Installation and usage</h3><p>To install the Blogger API module, enable the module in the ". l("Administration &gt;&gt; site configuration &gt;&gt; modules", "admin/systems/modules") ." tab in the administration pages. Also make sure you have your permissions set correctly for accessing the Blogger API, the relevant settings can be found under the ". l("user management", "admin/user/permission") ." section in the administration menu. Check the checkbox behind the line \"access Blogger API\" for the roles that are allowed to use the Blogger API.</p>";
+ $output .= "<p><a href=\"http://groups.yahoo.com/group/bloggerDev/message/296\">blogger.getPost()*</a><br /><a href=\"http://groups.yahoo.com/group/bloggerDev/message/225\">blogger.getRecentPosts()*</a><br /><a href=\"http://groups.yahoo.com/group/bloggerDev/message/147\">blogger.deletePost()*</a></p>";
+ $output .= "<h3>Installation and usage</h3>";
+ $output .= "<p>To install the Blogger API module, enable the module on the ". l("modules configuration page", "admin/systems/modules") ." Also make sure you have your permissions set correctly for accessing the Blogger API, the relevant settings can be found under the ". l("user management", "admin/user/permission") ." section in the administration pages. Check the checkbox behind the line \"access Blogger API\" for the roles that are allowed to use the Blogger API.</p>";
$output .= "<p>Once the API is enabled you can download one of the above mentioned Blogger API clients and get blogging.</p>";
- $output .= "<h3>Setup of the client</h3><p>The Drupal page you need to call in order to connect using the Blogger API is <i>http://server/xmlrpc.php</i> where <i>server</i> is the URL of the site you want to post to. As an example when posting to drupal.org, the account settings for <a href=\"http://www.wbloggar.com/\">w.bloggar</a> would be: host: www.drupal.org (default = plant.blogger.com) and page: xmlrpc.php (default = /api/RPC2).</p>";
- $output .= "<p>You can't use remote authentication when posting using a Blogger API enabled client, even when you could use that to authenticate on the site itself. You will have to use the site's local username, enter a password for that account, and then use that combination to post using the Blogger API client.</p>";
- $output .= "<h3>Notes and limitations</h3><ul><li>The Blogger API contains an AppKey that is discarded in the Drupal Implementation.</li><li>The Blogger API does not allow for a title element. Our work around for this is either to use &lt;title&gt;&lt;/title&gt; tags in the body of your post or let the module create a title by inspecting the first few lines of the post body.</li><li>The publish parameter is always set to <i>1</i>.</li><li>When using the <i>getUserInfo</i> call, Drupal attempts to generate a first and last name from the Drupal username; no distinction is made internally</li><li><i>GetUsersBlogs</i> only returns one blog because unlike Blogger, Drupal only allows one blog per user.</li></ul>";
- $output .= "<h3>Credits</h3><p>The original Drupal Blogger API implementation was authored by <a href=\"http://www.voidstar.com/\">Julian Bond</a>, and updated by the Drupal team.</a>";
- return t($output);
+ $output .= "<h3>Setup of the client</h3>";
+ $output .= "<p>The Drupal page you need to call in order to connect using the Blogger API is <i>http://server/xmlrpc.php</i> where <i>server</i> is the URL of the site you want to post to. As an example when posting to drupal.org, the account settings for <a href=\"http://www.wbloggar.com/\">w.bloggar</a> would be: host: www.drupal.org (default = plant.blogger.com) and page: xmlrpc.php (default = /api/RPC2).</p>";
+ $output .= "<p>You can't use remote authentication when posting using a Blogger API enabled client, even when you could use that to authenticate on the site itself. You will have to use the site\'s local username, enter a password for that account, and then use that combination to post using the Blogger API client.</p>";
+ $output .= "<h3>Notes and limitations</h3>";
+ $output .= "<ul><li>The Blogger API contains an AppKey that is discarded in the Drupal Implementation.</li><li>The Blogger API does not allow for a title element. Our work around for this is either to use &lt;title&gt;&lt;/title&gt; tags in the body of your post or let the module create a title by inspecting the first few lines of the post body.</li><li>The publish parameter is always set to <i>1</i>.</li><li>When using the <i>getUserInfo</i> call, Drupal attempts to generate a first and last name from the Drupal username; no distinction is made internally</li><li><i>GetUsersBlogs</i> only returns one blog because unlike Blogger, Drupal only allows one blog per user.</li></ul>";
+ return t($output);
}
+
?>
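Review bot: The rewritten line containing `'. l(\"distributed authentication\", \"user/help\") .'` sits inside a double-quoted string, so the former function call is now emitted as literal text instead of producing a link; it should read `". l("distributed authentication", "user/help") ."` as the removed line did. The same hunk introduces `it\'s`, `Drupal\'s` and `site\'s` inside double-quoted strings, where `\'` is not an escape and the backslash is printed verbatim — a plain `'` is correct in all three places. The sentence ending `l("modules configuration page", "admin/systems/modules") ." Also make sure` also lost its full stop before "Also".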
diff --git a/modules/book.module b/modules/book.module
index 0521ca1..74737b2 100644
--- a/modules/book.module
+++ b/modules/book.module
@@ -771,12 +771,12 @@ function book_admin() {
}
function book_help() {
- $output .= "<p>The <i>collaborative book</i> organises content into a nested hierarchical structure. It is particularly good for manuals, <a href=\"#faq\">FAQ</a>s and the like, allowing you to have chapters, sections, etc.</p>";
+ $output .= "<p>The <i>collaborative book</i> organises content into a nested hierarchical structure. It is particularly good for manuals,FAQs and the like, allowing you to have chapters, sections, etc.</p>";
$output .= "<p>A book is simply a collection of nodes that have been linked together. These nodes are usually of type <i>book page</i>, but you can insert nodes of any type into a book outline. Every node in the book has a <i>parent</i> node which \"contains\" it. This is how book.module establishes its hierarchy. At any given level in the hierarchy, a book can contain many nodes. All these sibling nodes are sorted according to the <i>weight</i> that you give them.</p>";
$output .= "<p>A book page is a special node type that allows you to embed PHP within the body of the page. This capability is only offerred to administrators, since malicious users could abuse this power. In addiiton, book pages contain a <i>log message</i> field which helps your users understand the motivation behind an edit of a book page. Each edited version of a book page is stored as a new revision of a node. This capability makes it easy to revert to an old version of a page, should that be desirable.</p>";
$output .= "<p>Like other node types, book submissions and edits may be subject to moderation, depending on your configuration. Similarly, books use ". l("permissions", "admin/user/permission") ." to determine who may read and write to them. Only administrators are allowed to create new books, which are really just nodes whose parent is <i>&lt;root&gt;</i>. To include an existing node in your book, click on the \"administer\"-link in that node. At the bottom of this administration page, click on the <i>edit book outline</i> button. This enables you to place the node wherever you'd like within the book hierarchy. To add a new node into your book, use the <i>create book page</i> link.</p>";
$output .= "<p>Administrators may review the hierarchy of their books by clicking on the ". l("collaborative book", "admin/node/book")." link in the adminstration pages. There, nodes may be edited, reorganized, removed from book, and deleted. This behavior may change in the future. When a parent node is deleted, it may leave behind child nodes. These nodes are now <i>orphans</i>. Administrators should periodically ". l("review their books for orphans", "admin/node/book/orphan") ." and reaffiliate those pages as desired. Finally, administrators may also ". l("export their books", "book/print") ." to a single, flat HTML page which is suitable for printing.</p>";
- $output .= "<a id=\"faq\"></a><h3>Maintaining a FAQ using a collaborative book</h3>";
+ $output .= "<h3>Maintaining a FAQ using a collaborative book</h3>";
$output .= "<p>Collaborative books let you easily set up a Frequently Asked Questions section on your web site. The main benefit is that you don't have to write all the questions/answers by yourself - let the community do it for you!</p>";
$output .= "<p>In order to set up the FAQ, you have to create a new book which will hold all your content. To do so, click on <i>create book page</i> in your user box. Give it a thoughtful title, and body. A title like \"Estonia Travel - FAQ\" is nice. You may always edit these fields later. You will probably want to designate <i>&lt;root&gt;</i> as the parent of this page. Leave the <i>log message</i> and <i>type</i> fields blank for now. After you have submitted this book page, you are ready to begin filling up your book with questions that are frequently asked.</p>";
$output .= "<p>Whenever you come across a post which you want to include in your FAQ, click on the <i>administer</i> link. Then click on the <i>edit book outline</i> button at the bottom of the page. Then place the relevant post wherever is most appropriate in your book by selecting a <i>parent</i>. Books are quite flexible. They can have sections like <i>Flying to Estonia</i>, <i>Eating in Estonia</i> and so on. As you get more experienced with the <i>collaborative book</i>, you can reorganize posts in your book so that it stays organized.</p>";
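Review bot: The replacement first paragraph reads `manuals,FAQs` with no space after the comma, which the help page will show verbatim; the line should read `... particularly good for manuals, FAQs and the like, ...`. The identical change appears in the modules/book/book.module hunk below and needs the same fix. book_help()'s body continues past the hunk.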
diff --git a/modules/book/book.module b/modules/book/book.module
index 0521ca1..74737b2 100644
--- a/modules/book/book.module
+++ b/modules/book/book.module
@@ -771,12 +771,12 @@ function book_admin() {
}
function book_help() {
- $output .= "<p>The <i>collaborative book</i> organises content into a nested hierarchical structure. It is particularly good for manuals, <a href=\"#faq\">FAQ</a>s and the like, allowing you to have chapters, sections, etc.</p>";
+ $output .= "<p>The <i>collaborative book</i> organises content into a nested hierarchical structure. It is particularly good for manuals,FAQs and the like, allowing you to have chapters, sections, etc.</p>";
$output .= "<p>A book is simply a collection of nodes that have been linked together. These nodes are usually of type <i>book page</i>, but you can insert nodes of any type into a book outline. Every node in the book has a <i>parent</i> node which \"contains\" it. This is how book.module establishes its hierarchy. At any given level in the hierarchy, a book can contain many nodes. All these sibling nodes are sorted according to the <i>weight</i> that you give them.</p>";
$output .= "<p>A book page is a special node type that allows you to embed PHP within the body of the page. This capability is only offerred to administrators, since malicious users could abuse this power. In addiiton, book pages contain a <i>log message</i> field which helps your users understand the motivation behind an edit of a book page. Each edited version of a book page is stored as a new revision of a node. This capability makes it easy to revert to an old version of a page, should that be desirable.</p>";
$output .= "<p>Like other node types, book submissions and edits may be subject to moderation, depending on your configuration. Similarly, books use ". l("permissions", "admin/user/permission") ." to determine who may read and write to them. Only administrators are allowed to create new books, which are really just nodes whose parent is <i>&lt;root&gt;</i>. To include an existing node in your book, click on the \"administer\"-link in that node. At the bottom of this administration page, click on the <i>edit book outline</i> button. This enables you to place the node wherever you'd like within the book hierarchy. To add a new node into your book, use the <i>create book page</i> link.</p>";
$output .= "<p>Administrators may review the hierarchy of their books by clicking on the ". l("collaborative book", "admin/node/book")." link in the adminstration pages. There, nodes may be edited, reorganized, removed from book, and deleted. This behavior may change in the future. When a parent node is deleted, it may leave behind child nodes. These nodes are now <i>orphans</i>. Administrators should periodically ". l("review their books for orphans", "admin/node/book/orphan") ." and reaffiliate those pages as desired. Finally, administrators may also ". l("export their books", "book/print") ." to a single, flat HTML page which is suitable for printing.</p>";
- $output .= "<a id=\"faq\"></a><h3>Maintaining a FAQ using a collaborative book</h3>";
+ $output .= "<h3>Maintaining a FAQ using a collaborative book</h3>";
$output .= "<p>Collaborative books let you easily set up a Frequently Asked Questions section on your web site. The main benefit is that you don't have to write all the questions/answers by yourself - let the community do it for you!</p>";
$output .= "<p>In order to set up the FAQ, you have to create a new book which will hold all your content. To do so, click on <i>create book page</i> in your user box. Give it a thoughtful title, and body. A title like \"Estonia Travel - FAQ\" is nice. You may always edit these fields later. You will probably want to designate <i>&lt;root&gt;</i> as the parent of this page. Leave the <i>log message</i> and <i>type</i> fields blank for now. After you have submitted this book page, you are ready to begin filling up your book with questions that are frequently asked.</p>";
$output .= "<p>Whenever you come across a post which you want to include in your FAQ, click on the <i>administer</i> link. Then click on the <i>edit book outline</i> button at the bottom of the page. Then place the relevant post wherever is most appropriate in your book by selecting a <i>parent</i>. Books are quite flexible. They can have sections like <i>Flying to Estonia</i>, <i>Eating in Estonia</i> and so on. As you get more experienced with the <i>collaborative book</i>, you can reorganize posts in your book so that it stays organized.</p>";
diff --git a/modules/node.module b/modules/node.module
index 3d1bc04..de4dc46 100644
--- a/modules/node.module
+++ b/modules/node.module
@@ -1217,6 +1217,7 @@ function node_preview($node, $error = NULL) {
if (empty($node->created)) {
$node->created = time();
}
+ $node->changed = time();
/*
** Extract a teaser:
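Review bot: The added `$node->changed = time();` calls time() separately from the `$node->created = time();` two lines above, so a preview that crosses a second boundary can carry a changed stamp later than its created stamp. Taking the timestamp once keeps the two consistent: `$now = time();` before the if, then `$node->created = $now;` and `$node->changed = $now;`. The same pattern is introduced in the modules/node/node.module hunk below; node_preview()'s body extends outside both hunks.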
diff --git a/modules/node/node.module b/modules/node/node.module
index 3d1bc04..de4dc46 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -1217,6 +1217,7 @@ function node_preview($node, $error = NULL) {
if (empty($node->created)) {
$node->created = time();
}
+ $node->changed = time();
/*
** Extract a teaser:
diff --git a/modules/system.module b/modules/system.module
index be3e47c..a4c0dc9 100644
--- a/modules/system.module
+++ b/modules/system.module
@@ -31,7 +31,7 @@ function system_help_cron() {
}
function system_perm() {
- return array("administer site configuration", "access administration pages", "create php content");
+ return array("administer site configuration", "access administration pages", "bypass input data check", "create php content");
}
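Review bot: The new permission string `"bypass input data check"` is the only thing that tells an administrator this role setting disables a security control, and nothing in system_perm() or its help explains that. Since the same literal must match the user_access() call in includes/common.inc, a comment on the line would help both maintainers and the people granting it, e.g. `// "bypass input data check": skips xss_check_input_data() on requests from this role — grant sparingly.`. The modules/system/system.module hunk below adds the identical line and needs the same note.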
function system_link($type) {
diff --git a/modules/system/system.module b/modules/system/system.module
index be3e47c..a4c0dc9 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -31,7 +31,7 @@ function system_help_cron() {
}
function system_perm() {
- return array("administer site configuration", "access administration pages", "create php content");
+ return array("administer site configuration", "access administration pages", "bypass input data check", "create php content");
}
function system_link($type) {