From 9cff69d330760c133d2b22c96da7a89e319b2362 Mon Sep 17 00:00:00 2001
From: deva <deva>
Date: Sun, 28 Feb 2010 13:06:39 +0000
Subject: Better control of xml enconding... still a lot of testing to do
 though.

---
 utils/admin.php                |   2 +-
 utils/convert.php              |   7 +-
 utils/forms.php                |  37 +++++-----
 utils/modules/events.php       |   9 ++-
 utils/modules/news.php         |  13 ++--
 utils/modules/newsletter.php   |  28 ++++----
 utils/modules/pressrelease.php | 155 +++++++++++++++++++++++++++++++++++++----
 7 files changed, 194 insertions(+), 57 deletions(-)

diff --git a/utils/admin.php b/utils/admin.php
index f967c76..c8c96cf 100644
--- a/utils/admin.php
+++ b/utils/admin.php
@@ -1,6 +1,6 @@
 <?php /* -*- Mode: php; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ ?>
 <div class="admin" id="admin">
-  <span class="windowtitle header">Admin</span>
+  <span class="header windowtitle">Admin</span>
   <div class="button close"><a href="?page=">X</a></div>
 <?php
 global $loggedin;
diff --git a/utils/convert.php b/utils/convert.php
index 4471e8f..70fab51 100644
--- a/utils/convert.php
+++ b/utils/convert.php
@@ -1,5 +1,10 @@
 <?php
 
+function xmlenc($message)
+{
+	return htmlspecialchars($message, ENT_QUOTES, "UTF-8");
+}
+
 function convert($message)
 {
 	$message = stripslashes($message);
@@ -14,7 +19,7 @@ function convert_array($vs)
 
 	if(sizeof($vs)) {
 		foreach($vs as $k => $v) {
-			$vars[$k] = convert($v);
+			$vars[$k] = stripslashes($v);
 		}
 	}
 
diff --git a/utils/forms.php b/utils/forms.php
index 126d29f..0268315 100644
--- a/utils/forms.php
+++ b/utils/forms.php
@@ -1,4 +1,7 @@
 <?php
+
+include_once($UTIL_DIR."/convert.php");
+
 class LineEdit {
 	public $label, $name, $value;
 		
@@ -12,8 +15,8 @@ class LineEdit {
 	function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">". $this->label ."</div>\n";
-		$str .= $indent . "  <div class=\"widget\"><input name=\"vars[".$this->name."]\" value=\"".$this->value."\"/></div>\n";
+		$str .= $indent . "  <div class=\"label\">". xmlenc($this->label) ."</div>\n";
+		$str .= $indent . "  <div class=\"widget\"><input name=\"vars[".$this->name."]\" value=\"".xmlenc($this->value)."\"/></div>\n";
 		$str .= $indent . "</div>\n";
 		return $str;
 	}
@@ -32,8 +35,8 @@ class LineEditPwd {
 	function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">". $this->label ."</div>\n";
-		$str .= $indent . "  <div class=\"widget\"><input name=\"vars[".$this->name."]\" value=\"".$this->value."\" type=\"password\"/></div>\n";
+		$str .= $indent . "  <div class=\"label\">". xmlenc($this->label) ."</div>\n";
+		$str .= $indent . "  <div class=\"widget\"><input name=\"vars[".$this->name."]\" value=\"".xmlenc($this->value)."\" type=\"password\"/></div>\n";
 		$str .= $indent . "</div>\n";
 		return $str;
 	}
@@ -52,7 +55,7 @@ class FileUpload {
 	public function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">". $this->label . "</div>\n";
+		$str .= $indent . "  <div class=\"label\">". xmlenc($this->label) . "</div>\n";
 		$str .= $indent . "  <div class=\"widget\"><input type=\"file\" name=\"" 
 			. $this->name. "\" accept=\"". $this->accept ."\"/></div>\n";
 		$str .= $indent . "</div>\n";
@@ -92,8 +95,8 @@ class CheckBox {
 	public function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">". $this->label ."</div>\n";
-		$str .= $indent . "  <div class=\"widget\"><input type=\"checkbox\" name=\"vars[".$this->name."]\" value=\"".$this->value."\"/></div>\n";
+		$str .= $indent . "  <div class=\"label\">". xmlenc($this->label) ."</div>\n";
+		$str .= $indent . "  <div class=\"widget\"><input type=\"checkbox\" name=\"vars[".$this->name."]\" value=\"".xmlenc($this->value)."\"/></div>\n";
 		$str .= $indent . "</div>\n";
 		return $str;
 	}
@@ -113,12 +116,12 @@ class ComboBox {
 	public function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">".$this->label."</div>\n";
+		$str .= $indent . "  <div class=\"label\">".xmlenc($this->label)."</div>\n";
 		$str .= $indent . "  <div class=\"widget\">\n";
 		$str .= $indent . "    <select name=\"vars[".$this->name."]\">\n";
 		foreach($this->values as $k => $v) {
-			if($v != $this->value) $str .= $indent . "      <option value=\"".$v."\">".$k."</option>\n";
-			else $str .= $indent .  "      <option value=\"".$v."\" selected>".$k."</option>\n";
+			if($v != $this->value) $str .= $indent . "      <option value=\"".xmlenc($v)."\">".xmlenc($k)."</option>\n";
+			else $str .= $indent .  "      <option value=\"".xmlenc($v)."\" selected>".xmlenc($k)."</option>\n";
 		}
 		$str .= $indent . "    </select>\n";
 		$str .= $indent . "  </div>\n";
@@ -139,7 +142,7 @@ class Hidden {
 	{
 		$str = "";
 		foreach($this->values as $key => $value) {
-			$str .= $indent . "<input type=\"hidden\" name=\"vars[".$key."]\" value=\"".$value."\"/>\n";
+			$str .= $indent . "<input type=\"hidden\" name=\"vars[".$key."]\" value=\"".xmlenc($value)."\"/>\n";
 		}
 		return $str;
 	}
@@ -159,8 +162,8 @@ class TextEdit {
 	function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">". $this->label ."</div>\n";
-    $str .= $indent . "  <div class=\"widget\"><textarea rows=\"".$this->lines."\" class=\"textedit\" name=\"vars[".$this->name."]\">".$this->value."</textarea></div>\n";
+		$str .= $indent . "  <div class=\"label\">". xmlenc($this->label) ."</div>\n";
+    $str .= $indent . "  <div class=\"widget\"><textarea rows=\"".$this->lines."\" class=\"textedit\" name=\"vars[".$this->name."]\">".xmlenc($this->value)."</textarea></div>\n";
 		$str .= $indent . "</div>\n";
 		return $str;
 	}
@@ -189,7 +192,7 @@ class DateTimeEdit {
 		$year = date('Y',$t); 
 
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "	<div class=\"label\">".$this->label."</div>\n";
+		$str .= $indent . "	<div class=\"label\">".xmlenc($this->label)."</div>\n";
 		$str .= $indent . "  <div class=\"widget\">\n";
 		$str .= $indent . "     <input style=\"width: 50px;\" name=\"vars[".$this->name."_year]\" value=\"".$year."\"/>";
 		$str .= "/<input style=\"width: 30px;\" name=\"vars[".$this->name."_month]\" value=\"".$month."\"/>";
@@ -237,7 +240,7 @@ class ImageComboBox {
 		else $numicons = sizeof($this->values);
 
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">".$this->label."</div>\n";
+		$str .= $indent . "  <div class=\"label\">".xmlenc($this->label)."</div>\n";
 		$str .= $indent . "  <div class=\"widget\">\n";
 		$str .= $indent . "    <script type=\"text/javascript\">\n";
 		$str .= $indent . "    function setSelection(value)\n";
@@ -391,14 +394,14 @@ class MultiList {
 	function render($indent = "")
 	{
 		$str  = $indent . "<div class=\"input\">\n";
-		$str .= $indent . "  <div class=\"label\">". $this->label ."</div>\n";
+		$str .= $indent . "  <div class=\"label\">". xmlenc($this->label) ."</div>\n";
 		$str .= $indent . "  <div class=\"widget\">\n";
 		$str .= $indent . "    <select multiple size=\"8\" id=\"items\" name=\"".$this->name."[]\">\n";
 		if(sizeof($this->values)) {
 			foreach($this->values as $value => $active) {
 				if($active == true) $sel = " selected=\"true\"";
 				else $sel = "";
-				$str .= $indent . "      <option value=\"".$value."\"".$sel.">".$value."</option>\n";
+				$str .= $indent . "      <option value=\"".xmlenc($value)."\"".$sel.">".xmlenc($value)."</option>\n";
 			}
 		}
 		$str .= $indent . "    </select>\n";
diff --git a/utils/modules/events.php b/utils/modules/events.php
index cf04734..6e1218f 100644
--- a/utils/modules/events.php
+++ b/utils/modules/events.php
@@ -15,11 +15,10 @@ class Event {
 
 	public function write($fp)
 	{
-		fwrite($fp, "  <event title=\"" .
-					 htmlspecialchars($this->title, ENT_QUOTES, "UTF-8") . "\"\n");
-		fwrite($fp, "         time=\"" . $this->time . "\"\n");
-		fwrite($fp, "         flyer=\"" . $this->flyer . "\">");
-		fwrite($fp, htmlspecialchars($this->description, ENT_QUOTES, "UTF-8"));
+		fwrite($fp, "  <event title=\"" .xmlenc($this->title) . "\"\n");
+		fwrite($fp, "         time=\"" . xmlenc($this->time) . "\"\n");
+		fwrite($fp, "         flyer=\"" . xmlenc($this->flyer) . "\">");
+		fwrite($fp, xmlenc($this->description));
 		fwrite($fp, "  </event>\n");
 	}
 
diff --git a/utils/modules/news.php b/utils/modules/news.php
index 29187ea..00f1d4c 100644
--- a/utils/modules/news.php
+++ b/utils/modules/news.php
@@ -50,13 +50,12 @@ class NewsEntry {
 
 	public function write($fp)
 	{
-		fwrite($fp, "  <newsentry title=\"" .
-					 htmlspecialchars($this->title, ENT_QUOTES, "UTF-8") . "\"\n");
-		fwrite($fp, "             time=\"" . $this->time . "\"\n");
-		fwrite($fp, "             category=\"" . $this->category . "\"\n");
-		fwrite($fp, "             userid=\"" . $this->userid . "\"\n");
-		fwrite($fp, "             icon=\"" . $this->icon . "\">");
-		fwrite($fp, htmlspecialchars($this->description, ENT_QUOTES, "UTF-8"));
+		fwrite($fp, "  <newsentry title=\"".xmlenc($this->title)."\"\n");
+		fwrite($fp, "             time=\"" . xmlenc($this->time) . "\"\n");
+		fwrite($fp, "             category=\"" . xmlenc($this->category) . "\"\n");
+		fwrite($fp, "             userid=\"" . xmlenc($this->userid) . "\"\n");
+    fwrite($fp, "             icon=\"" . xmlenc($this->icon) . "\">");
+		fwrite($fp, xmlenc($this->description));
 		fwrite($fp, "  </newsentry>\n");
 	}
 
diff --git a/utils/modules/newsletter.php b/utils/modules/newsletter.php
index 4bba9c6..3ca3f41 100644
--- a/utils/modules/newsletter.php
+++ b/utils/modules/newsletter.php
@@ -3,6 +3,7 @@
 global $UTIL_DIR;
 
 include_once($UTIL_DIR . "/mail.php");
+include_once($UTIL_DIR . "/convert.php");
 
 class Mailinglist extends _Mailinglist {
 	private $file;
@@ -13,15 +14,14 @@ class Mailinglist extends _Mailinglist {
 		$fp = fopen($this->file, "w");
 		fwrite($fp, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
 
-		fwrite($fp, "<mailinglist subj_prefix=\"" . $this->subj_prefix . "\"\n");
-    fwrite($fp, "             sender=\"" . $this->sender . "\"\n");
-    fwrite($fp, "             replyto=\"" . $this->replyto . "\"\n");
-    fwrite($fp, "             unsubscribe_url=\"" . $this->unsubscribe_url . "\">\n");
-    fwrite($fp, "  <footer>" . $this->footer . "</footer>\n");
+		fwrite($fp, "<mailinglist subj_prefix=\"" . xmlenc($this->subj_prefix) . "\"\n");
+    fwrite($fp, "             sender=\"" . xmlenc($this->sender) . "\"\n");
+    fwrite($fp, "             replyto=\"" . xmlenc($this->replyto) . "\"\n");
+    fwrite($fp, "             unsubscribe_url=\"" . xmlenc($this->unsubscribe_url) . "\">\n");
+    fwrite($fp, "  <footer>" .  xmlenc($this->footer) . "</footer>\n");
 		foreach($this->mailinglist as $email) {
-			fwrite($fp, "  <email email=\"" .
-						 htmlspecialchars($email->email, ENT_QUOTES, "UTF-8") . "\"\n");
- 			fwrite($fp, "         timestamp=\"" . $email->timestamp . "\">\n");
+			fwrite($fp, "  <email email=\"" . xmlenc($email->email) . "\"\n");
+ 			fwrite($fp, "         timestamp=\"" . xmlenc($email->timestamp) . "\">\n");
 			fwrite($fp, "  </email>\n");
 		}
 		fwrite($fp, "</mailinglist>\n");
@@ -64,9 +64,11 @@ class Mailinglist extends _Mailinglist {
 		$email = new EMail($emailaddr, time());
 		if($this->add($email)) {
 			$this->write();
-			$str .= "<div class=\"newsletter_message\">The email: " . $emailaddr . " has now been subscribed.</div>";
+			$str .= "<div class=\"newsletter_message\">The email: " .
+        $emailaddr . " has now been subscribed.</div>";
 		} else {
-			$str .= "<div class=\"newsletter_message\">The email: " . $emailaddr . " is already subscribed.</div>";
+			$str .= "<div class=\"newsletter_message\">The email: " .
+        $emailaddr . " is already subscribed.</div>";
 		}
 		return $str;
 	}
@@ -76,9 +78,11 @@ class Mailinglist extends _Mailinglist {
 		$str = "";
 		if($this->remove($emailaddr)) {
 			$this->write();
-			$str .= "<div class=\"newsletter_message\">The email: " . $emailaddr . " has now been unsubscribed.</div>";
+			$str .= "<div class=\"newsletter_message\">The email: " .
+        $emailaddr . " has now been unsubscribed.</div>";
 		} else {
-			$str .= "<div class=\"newsletter_message\">The email: " . $emailaddr . " is not subscribed.</div>";
+			$str .= "<div class=\"newsletter_message\">The email: " .
+        $emailaddr . " is not subscribed.</div>";
 		}
 		return $str;
 	}
diff --git a/utils/modules/pressrelease.php b/utils/modules/pressrelease.php
index 4779ffa..542edd0 100644
--- a/utils/modules/pressrelease.php
+++ b/utils/modules/pressrelease.php
@@ -3,10 +3,11 @@
 global $UTIL_DIR;
 
 include_once($UTIL_DIR . "/mail.php");
+include_once($UTIL_DIR . "/convert.php");
 
 class PEmail extends Email {
   public $url;
-  public $title;
+  public $name;
 };
 
 class PMailinglist extends _Mailinglist {
@@ -17,15 +18,14 @@ class PMailinglist extends _Mailinglist {
 		$fp = fopen($this->file, "w");
 		fwrite($fp, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
 
-		fwrite($fp, "<pressrelease subj_prefix=\"" . $this->subj_prefix . "\"\n");
-    fwrite($fp, "              sender=\"" . $this->sender . "\"\n");
-    fwrite($fp, "              replyto=\"" . $this->replyto . "\">\n");
-    fwrite($fp, "  <footer>" . $this->footer . "</footer>\n");
+		fwrite($fp, "<pressrelease subj_prefix=\"" . xmlenc($this->subj_prefix) . "\"\n");
+    fwrite($fp, "              sender=\"" . xmlenc($this->sender) . "\"\n");
+    fwrite($fp, "              replyto=\"" . xmlenc($this->replyto) . "\">\n");
+    fwrite($fp, "  <footer>" . xmlenc($this->footer) . "</footer>\n");
 		foreach($this->mailinglist as $email) {
-			fwrite($fp, "  <email email=\"" .
-						 htmlspecialchars($email->email, ENT_QUOTES, "UTF-8") . "\"\n");
- 			fwrite($fp, "         url=\"" . $email->url . "\">\n");
- 			fwrite($fp, "         name=\"" . $email->name . "\">\n");
+			fwrite($fp, "  <email email=\"" . xmlenc($email->email) . "\"\n");
+ 			fwrite($fp, "         url=\"" . xmlenc($email->url) . "\"\n");
+ 			fwrite($fp, "         name=\"" . xmlenc($email->name) . "\">\n");
 			fwrite($fp, "  </email>\n");
 		}
 		fwrite($fp, "</pressrelease>\n");
@@ -77,7 +77,11 @@ class PressRelease {
   // Admin config
   public $admin_title = "Press release";
   public $admin_submodules = array("Send" => "send",
-                                   "Config" => "config");
+                                   "Config" => "config",
+                                   "Add receiver" => "add",
+                                   "Edit receiver" => "edit",
+                                   "Delete receiver" => "delete",
+                                   "View receivers" => "view");
 
   public function admin_send($action, $vars)
 	{
@@ -133,16 +137,123 @@ class PressRelease {
 			
     default:
       $form = new Form("update");
-      $form->addWidget(new LineEdit("Subject prefix:", "subj_prefix", $this->mailinglist->subj_prefix));
-      $form->addWidget(new LineEdit("Sender:", "sender", $this->mailinglist->sender));
-      $form->addWidget(new LineEdit("Reply to:", "replyto", $this->mailinglist->replyto));
-      $form->addWidget(new TextEdit("Footer:", "footer", $this->mailinglist->footer));
+      $form->addWidget(new LineEdit("Subject prefix:", "subj_prefix",
+                                    $this->mailinglist->subj_prefix));
+      $form->addWidget(new LineEdit("Sender:", "sender",
+                                    $this->mailinglist->sender));
+      $form->addWidget(new LineEdit("Reply to:", "replyto",
+                                    $this->mailinglist->replyto));
+      $form->addWidget(new TextEdit("Footer:", "footer",
+                                    $this->mailinglist->footer));
       $form->addWidget(new Button("Update"));
       $form->render();
       break;
     }
   }
 
+  public function admin_add($action, $vars)
+  {
+    global $UID, $GLOBALS;
+
+    switch($action) {
+		case "add":
+      $pemail = new PEmail($vars["email"], time());
+      $pemail->url = $vars["url"];
+      $pemail->name = $vars["name"];
+      $this->mailinglist->add($pemail);
+      $this->mailinglist->write();
+      break;
+
+    default:
+			$form = new Form("add");
+			$form->addWidget(new LineEdit("Email:", "email", ""));
+			$form->addWidget(new LineEdit("URL:", "url", ""));
+			$form->addWidget(new LineEdit("Name:", "name", ""));
+      $form->addWidget(new Button("Add"));
+			$form->render();
+      break;
+    }
+  }
+
+  public function admin_edit($action, $vars)
+  {
+    switch($action) {
+		case "write":
+      $email = $this->mailinglist->mailinglist[$vars["editid"]];
+      $email->email = $vars["email"];
+      $email->url = $vars["url"];
+      $email->name = $vars["name"];
+      $this->mailinglist->write();
+      break;
+
+    case "edit":
+      $email = $this->mailinglist->mailinglist[$vars["editid"]];
+
+			$form = new Form("write");
+      $form->addWidget(new Hidden(array("editid" => $email->email)));
+			$form->addWidget(new LineEdit("Email:", "email", $email->email));
+			$form->addWidget(new LineEdit("URL:", "url", $email->url));
+			$form->addWidget(new LineEdit("Name:", "name", $email->name));
+      $form->addWidget(new Button("Edit"));
+			$form->render();
+      break;
+
+    default:
+      $rcvlist = array();
+      foreach($this->mailinglist->mailinglist as $m) {
+        $title = $m->name . " (".$m->email.")";
+        $rcvlist[$title] = $m->email;
+      }
+
+      ksort($rcvlist);
+
+			$form = new Form("edit");
+      $form->addWidget(new ComboBox("Select receiver to edit:", "editid", "", $rcvlist));
+      $form->addWidget(new Button("Edit..."));
+			$form->render();
+      break;
+    }
+  }
+
+  public function admin_delete($action, $vars)
+  {
+    switch($action) {
+		case "delete":
+      $this->mailinglist->remove($vars["delrcv"]);
+      $this->mailinglist->write();
+      break;
+
+    default:
+      $rcvlist = array();
+      foreach($this->mailinglist->mailinglist as $m) {
+        $title = $m->name . " (".$m->email.")";
+        $rcvlist[$title] = $m->email;
+      }
+
+      ksort($rcvlist);
+
+			$form = new Form("delete");
+      $form->addWidget(new ComboBox("Select receiver to delete:", "delrcv", "", $rcvlist));
+      $form->addWidget(new Button("Delete"));
+			$form->render();
+      break;
+    }
+  }
+
+  public function admin_view($action, $vars)
+  {
+    switch($action) {
+    default:
+      echo "<p>There are " . sizeof($this->mailinglist->mailinglist) . " receivers:</p>\n";
+      echo "<ul>\n";
+      foreach($this->mailinglist->mailinglist as $m) {
+        echo "  <li>".xmlenc($m->name)." (<a href=\"".xmlenc($m->url)."\">".$m->url."</a>): ".xmlenc($m->email)."</li>\n";
+      }
+      echo "</ul>\n";
+      break;
+    }
+  }
+
   public function admin($sub, $action, $vars)
   {
     switch($sub) {
@@ -153,6 +264,22 @@ class PressRelease {
     case "config":
 			$this->admin_config($action, $vars);
       break;
+
+    case "add":
+			$this->admin_add($action, $vars);
+      break;
+
+    case "edit":
+			$this->admin_edit($action, $vars);
+      break;
+
+    case "delete":
+			$this->admin_delete($action, $vars);
+      break;
+
+    case "view":
+			$this->admin_view($action, $vars);
+      break;
     }
   }
 
-- 
cgit v1.2.3