Lanmikeman/nativegallery
1
0
Fork 0
mirror of https://github.com/claradex/nativegallery.git synced 2024-11-15 03:31:10 +03:00
Code Issues Projects Releases Packages Wiki Activity

fix xss

Browse source
This commit is contained in:
themohooks 2024-07-10 13:23:05 +03:00
parent 8b63f67985
commit e01de93290
8 changed files with 240 additions and 229 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/Models/Comment.php
View file

@ -17,13 +17,13 @@ class Comment {
<span class="message_date">'.Date::zmdate($this->c['posted_at']).'</span><br>
</div>
<a name="2681468"></a><a name="last"></a>
<div><img src="'.$user->i('photourl').'" width="32" style="border-radius: 3px; margin-right: 5px;"><b><a href="/author/'.$this->c['user_id'].'/" class="message_author">'.$user->i('username').'</a></b> &middot;
<div><img src="'.$user->i('photourl').'" width="32" style="border-radius: 3px; margin-right: 5px;"><b><a href="/author/'.$this->c['user_id'].'/" class="message_author">'.htmlspecialchars($user->i('username')).'</a></b> &middot;
<span class="flag">';
if (json_decode($user->i('content'), true)['aboutrid']['value'] != null) {
echo '<img src="https://kamenphoto.ru/img/r/'.json_decode($user->i('content'), true)['aboutrid']['value'].'.gif">';
}
if (json_decode($user->i('content'), true)['aboutlive']['value'] != null) {
echo ' '.json_decode($user->i('content'), true)['aboutlive']['value'];
echo ' '.htmlspecialchars(json_decode($user->i('content'), true)['aboutlive']['value']);
}
if ((int)Vote::countcommrates($this->c['id'], -1) >= 1) {
$commclass = 'pro';
@ -36,7 +36,7 @@ class Comment {
}
echo '</span></div>
<div class="rank">Фото: '.Photo::fetchAll($this->c['user_id']).'</div>
<div class="message-text">'.$this->c['body'].'</div>
<div class="message-text">'.htmlspecialchars($this->c['body']).'</div>
<div class="comment-votes-block">
<div class="wvote" wid="'.$this->c['id'].'">
<a href="#" vote="1" class="w-btn s2"><span>+</span></a>

2
views/pages/About.php
View file

@ -36,7 +36,7 @@ use \App\Models\User;
<?php
$admins = DB::query('SELECT * FROM users WHERE admin=1');
foreach ($admins as $a) {
echo '<li><b><a href="/author/'.$a['id'].'/"><img src="'.$a['photourl'].'" width="32" style="border-radius: 3px; margin-right: 5px;">'.$a['username'].'</a></b></li>';
echo '<li><b><a href="/author/'.$a['id'].'/"><img src="'.$a['photourl'].'" width="32" style="border-radius: 3px; margin-right: 5px;">'.htmlspecialchars($a['username']).'</a></b></li>';
}
?>
</ul>

6
views/pages/Main.php
View file

@ -105,7 +105,7 @@ foreach ($photos as $pd) {
foreach ($photos as $p) {
$bck = 'background-image:url("' . $p['photourl'] . '")';
echo ' <div class="prw-grid-item">
<div class="prw-wrapper"><span style="word-spacing:-1px"><b>' . $p['place'] . '</b></span>
<div class="prw-wrapper"><span style="word-spacing:-1px"><b>' . htmlspecialchars($p['place']) . '</b></span>
<div>' . Date::zmdate($p['posted_at']) . '</div>
</div>
'; ?>
@ -128,7 +128,7 @@ foreach ($photos as $pd) {
foreach ($photos as $p) {
$bck = 'background-image:url("' . $p['photourl'] . '")';
echo ' <div class="prw-grid-item">
<div class="prw-wrapper"><span style="word-spacing:-1px"><b>' . $p['place'] . '</b></span>
<div class="prw-wrapper"><span style="word-spacing:-1px"><b>' . htmlspecialchars($p['place']) . '</b></span>
<div>' . Date::zmdate($p['posted_at']) . '</div>
</div>
'; ?>
@ -148,7 +148,7 @@ foreach ($photos as $pd) {
<?php
$online = DB::query('SELECT * FROM users WHERE online>=:time-300 ORDER BY online DESC', array(':time'=>time()));
foreach ($online as $o) {
echo '<a href="/author/'.$o['id'].'/">'.$o['username'].'</a>, ';
echo '<a href="/author/'.$o['id'].'/">'.htmlspecialchars($o['username']).'</a>, ';
}
?>

27
views/pages/Photo.php
View file

@ -40,19 +40,23 @@ if ($photo->i('id') !== null) {
#map_canvas {
width: 600px !important;
}
#photobar {
box-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
-moz-box-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
-webkit-box-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
}
#photobar {
background-color: #000;
}
#photobar {
box-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
-moz-box-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
-webkit-box-shadow: 0 1px 2px rgba(0, 0, 0, 0.4);
}
#photobar {
margin: 0 -20px;
position: relative;
@ -160,8 +164,12 @@ if ($photo->i('id') !== null) {
<?php
if (Auth::userid() > 0) { ?>
<div class="vote" pid="<?= $id ?>">
<a href="#" vote="1" class="vote_btn <?php if (Vote::photo(Auth::userid(), $id) === 1) { echo 'voted'; } ?>"><span>Интересная фотография!</span></a>
<a href="#" vote="0" class="vote_btn <?php if (Vote::photo(Auth::userid(), $id) === 0) { echo 'voted'; } ?>"><span>Мне не&nbsp;нравится</span></a>
<a href="#" vote="1" class="vote_btn <?php if (Vote::photo(Auth::userid(), $id) === 1) {
echo 'voted';
} ?>"><span>Интересная фотография!</span></a>
<a href="#" vote="0" class="vote_btn <?php if (Vote::photo(Auth::userid(), $id) === 0) {
echo 'voted';
} ?>"><span>Мне не&nbsp;нравится</span></a>
</div>
<?php } ?>
<div id="votes" class="votes">
@ -171,7 +179,7 @@ if ($photo->i('id') !== null) {
foreach ($votespos as $ps) {
$uservote = new User($ps['user_id']);
echo ' <tr>
<td><a href="/author/' . $ps['user_id'] . '/">' . $uservote->i('username') . '</a></td>
<td><a href="/author/' . $ps['user_id'] . '/">' . htmlspecialchars($uservote->i('username')) . '</a></td>
<td class="vv">+1</td>
</tr>';
}
@ -184,7 +192,7 @@ if ($photo->i('id') !== null) {
foreach ($votespos as $ps) {
$uservote = new User($ps['user_id']);
echo ' <tr>
<td><a href="/author/' . $ps['user_id'] . '/">' . $uservote->i('username') . '</a></td>
<td><a href="/author/' . $ps['user_id'] . '/">' . htmlspecialchars($uservote->i('username')) . '</a></td>
<td class="vv">-1</td>
</tr>';
}
@ -249,7 +257,8 @@ if ($photo->i('id') !== null) {
<table class="linetable" id="exif">
<tr class="upl-map">
<div id="map_frame" class="s11 p20" style="display:inline-block; padding:3px">
<div id="map_canvas"></div></div>
<div id="map_canvas"></div>
</div>
<script>
// Координаты выбранной точки
const selectedPoint = {
@ -271,7 +280,6 @@ const marker = L.marker([selectedPoint.lat, selectedPoint.lng]).addTo(map);
// Установка всплывающего окна на маркере
marker.bindPopup("<b>Выбранная точка</b>").openPopup();
</script>
</tr>
@ -309,7 +317,9 @@ marker.bindPopup("<b>Выбранная точка</b>").openPopup();
</div>
</div>
</td>
</tr></tbody></table>
</tr>
</tbody>
</table>
<?php } else { ?>
<center>
<h1>Изображение не найдено</h1>
@ -319,7 +329,8 @@ marker.bindPopup("<b>Выбранная точка</b>").openPopup();
</div>
</center>
<?php } ?>
<table width="100%" style="margin-top: 30px;"><tbody>
<table width="100%" style="margin-top: 30px;">
<tbody>
<tr>
<?php include($_SERVER['DOCUMENT_ROOT'] . '/views/components/Footer.php'); ?>
</tr>

32
views/pages/Profile/Index.php
View file

@ -23,7 +23,7 @@ $userprofile = new User(explode('/', $_SERVER['REQUEST_URI'])[2]);
<td class="main">
<?php
if ($userprofile->i('id') === explode('/', $_SERVER['REQUEST_URI'])[2]) { ?>
<h1><?= $userprofile->i('username') ?><?php if ($userprofile->i('admin') === 1) { echo '<img width="32" src="/static/img/star.png">'; } ?></h1>
<h1><?= htmlspecialchars($userprofile->i('username')) ?><?php if ($userprofile->i('admin') === 1) { echo '<img width="32" src="/static/img/star.png">'; } ?></h1>
<?php
if ($userprofile->i('id') === Auth::userid()) { ?>
@ -44,21 +44,21 @@ $userprofile = new User(explode('/', $_SERVER['REQUEST_URI'])[2]);
if ($userprofile->content('location') !== null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Откуда:</td>
<td><?= $userprofile->content('location') ?></td>
<td><?= htmlspecialchars($userprofile->content('location')) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutlive']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Откуда:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutlive']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutlive']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutbirthday']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">День рождения:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutbirthday']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutbirthday']['value']) ?></td>
</tr>
<?php } ?>
</col></table>
@ -69,63 +69,63 @@ $userprofile = new User(explode('/', $_SERVER['REQUEST_URI'])[2]);
if (json_decode($userprofile->i('content'), true)['aboutlangs']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Владение языками:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutlangs']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutlangs']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['abouttelegram']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Telegram:</td>
<td><?= json_decode($userprofile->i('content'), true)['abouttelegram']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['abouttelegram']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutvk']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">ВКонтакте:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutvk']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutvk']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['abouttwitter']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Twitter/X:</td>
<td><?= json_decode($userprofile->i('content'), true)['abouttwitter']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['abouttwitter']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutyoutube']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Twitter/X:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutyoutube']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutyoutube']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutemail']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Почта:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutemail']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutemail']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutinstagram']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Instagram:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutinstagram']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutinstagram']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['abouttransphoto']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">TransPhoto:</td>
<td><?= json_decode($userprofile->i('content'), true)['abouttransphoto']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['abouttransphoto']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutwebsite']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Личный сайт:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutwebsite']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutwebsite']['value']) ?></td>
</tr>
<?php } ?>
</table>
@ -136,21 +136,21 @@ $userprofile = new User(explode('/', $_SERVER['REQUEST_URI'])[2]);
if (json_decode($userprofile->i('content'), true)['aboutfavs_trains']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Любимые модели поездов:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutfavs_trains']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutfavs_trains']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutfavs_countries']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Любимые страны:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutfavs_countries']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutfavs_countries']['value']) ?></td>
</tr>
<?php } ?>
<?php
if (json_decode($userprofile->i('content'), true)['aboutfavs_cities']['value'] != null) { ?>
<tr>
<td class="sm" style="padding:3px 10px 3px 0">Любимые города:</td>
<td><?= json_decode($userprofile->i('content'), true)['aboutfavs_cities']['value'] ?></td>
<td><?= htmlspecialchars(json_decode($userprofile->i('content'), true)['aboutfavs_cities']['value']) ?></td>
</tr>
<?php } ?>
</table>

4
views/pages/Profile/LK/History.php
View file

@ -56,8 +56,8 @@ use \App\Models\User;
</a>
</td>
<td class="d">
<p><span style="word-spacing:-1px"><b>'.$p['place'].'</b></span></p>
<p class="sm"><b>'.Date::zmdate($p['posted_at']).'</b><br>Автор: <a href="/author/'.$p['user_id'].'/">'.$author->i('username').'</a></p>
<p><span style="word-spacing:-1px"><b>'.htmlspecialchars($p['place']).'</b></span></p>
<p class="sm"><b>'.Date::zmdate($p['posted_at']).'</b><br>Автор: <a href="/author/'.$p['user_id'].'/">'.htmlspecialchars($author->i('username')).'</a></p>
</td>
<td class="c" style="padding:10px">

2
views/pages/Profile/LK/Index.php
View file

@ -20,7 +20,7 @@ $user = new User(Auth::userid());
<tr>
<td class="main">
<h1>Общая информация</h1>
<h4>Здравствуйте, <a href="/author/<?=Auth::userid()?>/"><?=$user->i('username')?></a>!</h4>
<h4>Здравствуйте, <a href="/author/<?=Auth::userid()?>/"><?=htmlspecialchars($user->i('username'))?></a>!</h4>
<p>
Количество ваших фотографий на сайте: <b><?=DB::query('SELECT COUNT(*) FROM photos WHERE user_id=:uid', array(':uid'=>Auth::userid()))[0]['COUNT(*)']?></b></p>
<p>

6
views/pages/Search.php
View file

@ -32,9 +32,9 @@ use App\Services\{Router, Auth, DB, Date};
</a></td>
<td class="pb_descr">
<p><b class="pw-place">'.$p['place'].'</b></p>
<span class="pw-descr">'.$p['postbody'].'</span>
<p class="sm"><b>'.Date::zmdate($p['timeupload']).'</b><br>Автор: <a href="/author/'.$p['user_id'].'/">'.$p['username'].'</a></p>
<p><b class="pw-place">'.htmlspecialchars($p['place']).'</b></p>
<span class="pw-descr">'.htmlspecialchars($p['postbody']).'</span>
<p class="sm"><b>'.Date::zmdate($p['timeupload']).'</b><br>Автор: <a href="/author/'.$p['user_id'].'/">'.htmlspecialchars($p['username']).'</a></p>
</td>
</tr>
</tbody>