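<?php if (!defined('PmWiki')) exit();
# (pmwiki 0.5x Zet - http://www.cube3d.de)
# changed for pmwiki 2.x p@ddy.ch
#   remove slash in SDV(... $ScriptUrl..) SDV(.. $PageUrl )
# (:$Guestbook:)
#
# SECURITY FEATURES added on Nov 5, 2010 by Subhrajit (www.subhrajit.net): Captcha, wikitext/HTML injection prevention
# SECURITY FEATURES added on Sept 5, 2011 by Subhrajit (www.subhrajit.net): Form validation, cross-page content injection
#
# Review revision:
#   - $_GET['guestbook_from'], $pagename and SCRIPT_NAME are HTML-escaped
#     before being placed into form attributes (they were reflected raw).
#   - the captcha answer is removed from the session once it has been
#     checked, and a missing session value now fails the check instead of
#     matching an empty answer.
#   - absent POST keys no longer raise notices; the dead $homepage /
#     $HTTP_GET_VARS['homepage'] concatenation (both undefined inside the
#     handler) was dropped.

// Settings
SDV($GuestbookCaptcha, FALSE);     // require a simple arithmetic captcha on submit
SDV($GuestbookValidation, FALSE);  // client-side (JavaScript) check that the text contains no URL

// ----------------------------------------
// Encoded content: (:rawdecode:)...(:rawdecodeend:) holds percent-encoded
// text that is decoded and passed through Keep(), i.e. emitted unchanged
// (newlines become <br/>).  Anyone with edit rights on a page can use this
// to emit raw HTML, so HandleGuestbook() only ever stores
// htmlspecialchars()-escaped text inside it.
// NOTE: both rules use the 'e' (eval) regex modifier, which PHP 7 removed;
// on such installations they must be ported to PmWiki's Markup_e().
Markup('rawdecode', 'fulltext',
  '/\\(:rawdecode:\\)(.*?)\\(:rawdecodeend:\\)/esi',
  "'<:block>'.Keep(str_replace(\"\\n\",\"<br/>\",rawurldecode(PSS('$1'))))");

// [%== ... ==%] comment visible only to users holding edit permission.
// $pagename is interpolated when this rule is registered, i.e. the check is
// made against the page being served now.
Markup('blockcommentvisitor', '<blockcomment', '/\\[%==(.*?)==%\\]/esi',
  "(!RetrieveAuthPage($pagename, 'edit', false, READPAGE_CURRENT)) ? Keep('') : PSS('$1')");

/*[[$Guestbook]] */
if ($GuestbookLoaded) return;
$GuestbookLoaded = 1;

if ($GuestbookCaptcha && (!array_key_exists('action', $_GET) || $_GET['action'] != "guestbook")) {
  // Generate a new captcha on every ordinary page view; the answer lives in
  // the session and is checked (then discarded) by HandleGuestbook().
  // NOTE(review): assumes a session has already been started — confirm.
  $captcha_1 = rand(0, 10);
  $captcha_2 = rand(0, 10);
  $_SESSION['guestbook_captcha'] = $captcha_1 + $captcha_2;
  SDV($GuestbookCaptchaHTMLFmt,
    " <tr><td align=right>Captcha:</td> <td align=left> "
    . "<i>This is for preventing automated spam submissions.</i><br/> "
    . "<div style='margin-left:25px;'><b>Math Question <font color='#ff0000'>*</font></b>: "
    . "\$captcha_1 + \$captcha_2 = <input type='text' name='captcha' size=2 maxlength=2 /> <br/> "
    . "<font size='1'>Please solve this simple math problem and enter the result. E.g. \n"
    . "for 1+3, enter 4.</font></div> </td></tr>");
  // The two placeholders are distinct and the replacements are digits, so a
  // single str_replace() is equivalent to two sequential ones.
  $GuestbookCaptchaHTML = str_replace(
    array('$captcha_1', '$captcha_2'),
    array((string)$captcha_1, (string)$captcha_2),
    $GuestbookCaptchaHTMLFmt);
} else {
  $GuestbookCaptchaHTML = "";
}

SDV($HandleActions['guestbook'], 'HandleGuestbook');

// Resolve $pagename the same way pmwiki.php does when it is not set yet.
if (!$pagename && isset($_REQUEST['pagename'])) $pagename = $_REQUEST['pagename'];
if (!$pagename && preg_match('!^'.preg_quote($_SERVER['SCRIPT_NAME'],'!').'/?([^?]*)!', $_SERVER['REQUEST_URI'], $match))
  $pagename = urldecode($match[1]);
if (preg_match('/[\\x80-\\xbf]/', $pagename)) $pagename = utf8_decode($pagename);
$pagename = preg_replace('![^[:alnum:]\\x80-\\xff]+$!', '', $pagename);
$name = FmtPageName('$FullName', $pagename);

// Optional ?guestbook_from=... pre-fills the "About" field.  The value is
// reflected into a single-quoted HTML attribute, hence ENT_QUOTES.
if (empty($_GET['guestbook_from'])) {
  $defaultGuestbookAbout = "";
} else {
  $defaultGuestbookAbout = "Page \"" . htmlspecialchars($_GET['guestbook_from'], ENT_QUOTES) . "\"";
}

SDV($GuestbookTextBoxMaxlength, 255);
SDV($GuestbookTextAreaMaxlength, 1000);

// Client-side only: this check runs in the visitor's browser and is
// trivially bypassed; the server enforces just the length limits.
if ($GuestbookValidation) {
  SDV($GuestbookValidateFormJavascript,
    " <script language='javascript' type='text/javascript'> function validateGuestbookForm() { "
    . "var theform = document.forms['guestbookform']; "
    . "var totalcontent = theform['message'].value + ' ' + theform['name'].value + ' ' + theform['about'].value + ' '; "
    . "var m = totalcontent.match(/(ht|f)?tps?:\\/\\/[\\w-]+\\.[\\w-]+/gi); "
    . "if (m) { alert('The message contains URL: \\n' + m.join(' ; ') + '\\n\\nPlease include URL in the hidden \\'Contact\\' field only.'); return false; } "
    . "var m = totalcontent.match(/[\\w-]+\\.[\\w-]+\\.[\\w-]+/gi); "
    . "if (m) { alert('The message contains URL: \\n' + m.join(' ; ') + '\\n\\nPlease include URL in the hidden \\'Contact\\' field only.'); return false; } "
    . "return true; } </script> ");
} else {
  SDV($GuestbookValidateFormJavascript,
    "<script language='javascript' type='text/javascript'> function validateGuestbookForm() { return true; } </script>");
}

// HTML-attribute-safe copies of the values interpolated into the form below.
$GuestbookPageAttr   = htmlspecialchars((string)$pagename, ENT_QUOTES);
$GuestbookScriptAttr = htmlspecialchars((string)$_SERVER['SCRIPT_NAME'], ENT_QUOTES);

// The form is emitted through Keep(), so nothing in it is wiki-escaped:
// every interpolated value must already be attribute-safe.
SDV($GuestbookTagFmt,
  " <form name='guestbookform' \naction='" . $GuestbookScriptAttr . "?n=" . $GuestbookPageAttr . "&action=guestbook' method='post' onsubmit='return validateGuestbookForm();'> "
  . "<input type='hidden' name='pagename' value='" . $GuestbookPageAttr . "'> <table> "
  . "<tr><td align=right>Name:</td> <td align=left> <input type='text' name='name' value='' size='40' maxlength='" . $GuestbookTextBoxMaxlength . "' /> "
  . "<span style='font-size: 8pt; color:#888888'>(Please include your affiliation.)</span> </td></tr> "
  . "<tr><td align=right>Contact:</td> <td align=left> <input type='text' name='contact' value='' size='40' maxlength='" . $GuestbookTextBoxMaxlength . "' /> "
  . "<span style='font-size: 8pt; color:#888888'>(Hidden from public.)</span> "
  . "<div style='margin:0 0 10px 20px; font-size: 8pt; color:#888888'>(optional. The contact information you provide won't be displayed in this guestbook. Only if you want to leave a way for me to get back to you, type in your email-id or web-site address.)</div> </td></tr> "
  . "<tr><td align=right>About:</td> <td align=left> <input type='text' name='about' value='" . $defaultGuestbookAbout . "' size='40' maxlength='" . $GuestbookTextBoxMaxlength . "' /> </td></tr> "
  . "<tr><td align=right>Message:</td> <td align=left> "
  . "<script language='javascript' type='text/javascript'> function limitText(limitField, limitCount, limitNum) { if (limitField.value.length > limitNum) { limitField.value = limitField.value.substring(0, limitNum); } else { limitCount.innerHTML = '' + (limitNum - limitField.value.length); } } </script> "
  . "<textarea id='limitedtextarea' name='message' cols=40 rows=5 onKeyDown=\"limitText(this, document.getElementById('countdown'), " . $GuestbookTextAreaMaxlength . ");\" onKeyUp=\"limitText(this, document.getElementById('countdown'), " . $GuestbookTextAreaMaxlength . ");\"></textarea> "
  . "<div style='margin:0 0 10px 20px; font-size: 8pt; color:#888888'>(Number of characters remaining: <span id='countdown' name='countdown'>" . $GuestbookTextAreaMaxlength . "</span>. Please do not include any URL in the message body.)</div> </td></tr>"
  . $GuestbookCaptchaHTML
  . "<tr><td> </td> <td> <br/><input class='button' type='submit' value='OK' /> <input class='button' type='reset'> <i>(Please press the OK button only ONCE.)</i></form></td></tr> </table><CENTER> </CENTER><BR /><HR>");

// =================================================================

/**
 * Return the posted form field $key as a string ('' when absent or not a
 * plain string), so missing keys and array-valued fields cannot raise
 * notices or reach strlen().
 */
function GuestbookPostField($key) {
  return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
}

/**
 * Wrap one validated field for storage: HTML-escaped, tags stripped, then
 * percent-encoded inside (:rawdecode:)...(:rawdecodeend:), so the wiki
 * parser never interprets user-controlled markup or HTML.
 */
function GuestbookEncodeField($value) {
  return "(:rawdecode:)" . rawurlencode(strip_tags(htmlspecialchars(StripCSlashes($value)))) . "(:rawdecodeend:)";
}

/**
 * ?action=guestbook handler: appends the posted entry directly after the
 * (:$Guestbook:) marker of $pagename and redirects back to the page.
 *
 * Rejected with a plain redirect (nothing written): a wrong or missing
 * captcha answer when $GuestbookCaptcha is on, or any field exceeding its
 * configured length.  Nothing is written either when the page carries no
 * (:$Guestbook:) marker, so a forged pagename cannot push content into an
 * arbitrary page.  The contact field is wrapped in [%== ==%] and is
 * therefore only rendered for users with edit permission.
 *
 * The captcha answer is consumed (unset) as soon as it is read, so one
 * correct answer cannot be replayed for further submissions.
 */
function HandleGuestbook($pagename) {
  global $GuestbookCaptcha, $TimeFmt, $Now, $GuestbookTextBoxMaxlength, $GuestbookTextAreaMaxlength;

  $postedName    = GuestbookPostField('name');
  $postedContact = GuestbookPostField('contact');
  $postedAbout   = GuestbookPostField('about');
  $postedMessage = GuestbookPostField('message');

  $captchaOk = TRUE;
  if ($GuestbookCaptcha) {
    $expected = isset($_SESSION['guestbook_captcha']) ? (string)$_SESSION['guestbook_captcha'] : '';
    unset($_SESSION['guestbook_captcha']);  // single use: no replay with the same session
    $answer = trim(GuestbookPostField('captcha'));
    // A missing session value must fail rather than match an empty answer.
    $captchaOk = ($expected !== '' && preg_match('/^\d+$/', $answer) && (int)$answer === (int)$expected);
  }

  if (!$captchaOk
      || strlen($postedName) > $GuestbookTextBoxMaxlength
      || strlen($postedContact) > $GuestbookTextBoxMaxlength
      || strlen($postedAbout) > $GuestbookTextBoxMaxlength
      || strlen($postedMessage) > $GuestbookTextAreaMaxlength) {
    Redirect($pagename);
    return;
  }

  $rcpage = ReadPage($pagename, "");
  if (!isset($rcpage['text'])) return;
  $marker = "(:\$Guestbook:)";
  $pos = strpos($rcpage['text'], $marker);
  if ($pos === FALSE) return;  // only pages that opted in via the marker are written
  $cut = $pos + strlen($marker);
  $before = substr($rcpage['text'], 0, $cut);
  $after = substr($rcpage['text'], $cut);

  $entry = "\n\n%color=#777777%Posted on ''" . strftime($TimeFmt, $Now)
    . "'' by " . GuestbookEncodeField($postedName) . "%%[[<<]]";
  // Truthiness checks are deliberate: an empty or "0" field is omitted.
  if ($postedContact) $entry .= "[%== %color=#666688%" . GuestbookEncodeField($postedContact) . "%%[[<<]] ==%]";
  if ($postedAbout) $entry .= "%color=#887766%About: " . GuestbookEncodeField($postedAbout) . "%%[[<<]]";
  // Spaces are restored in the message body only; the wrapper contains no %20.
  $entry .= str_replace('%20', ' ', GuestbookEncodeField($postedMessage)) . "\n\n----";

  $rcpage['text'] = $before . $entry . $after;
  WritePage($pagename, $rcpage);
  Redirect($pagename);
}

Markup('{$Guestbook}', '>{$var}', '/\\(:\\$Guestbook:\\)/',
  Keep($GuestbookValidateFormJavascript . $GuestbookTagFmt));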