diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php
index fe1915d84..775f310e8 100755
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -526,26 +526,10 @@ try {
 $content = stripslashes($_REQUEST['fcontent']);
 $content = str_replace("@amp@", "&", $content);
 $content = base64_decode($content);
- $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
- 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
- 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
- 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
- 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
- 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
- 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
- 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
- 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
- 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
- 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
- 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
- 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
- $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
 fwrite($fp, $content);
 fclose($fp);
 echo 'saved: ' . $sDirectory;
 }
-
-
 break;
 case 'events':
 $oProcessMap->eventsList($oData->pro_uid, $oData->type);
diff --git a/workflow/engine/methods/processes/processes_UploadFiles.php b/workflow/engine/methods/processes/processes_UploadFiles.php
index e40f0981b..abcf6004f 100755
--- a/workflow/engine/methods/processes/processes_UploadFiles.php
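Review bot: After this hunk, `fwrite($fp, $content);` writes the base64-decoded `$_REQUEST['fcontent']` to the file exactly as submitted, and nothing on the new side replaces the tag-whitelist pass that was the only content check visible here; the hunks in processes_UploadFiles.php and processes_doUpload.php make the same removal, leaving the uploaded file as delivered by G::uploadFile. If dropping the filter is intended (the removed code in the two upload files was also not functional, since fopen was given the file name as its mode), the decision should be recorded at the write so the next reader does not assume filtering happens elsewhere, e.g. `// Content is saved verbatim: the HTML tag filter was removed in this change; any restriction must come from the access check and the directory selection above.` The enclosing `try` block, the fopen that produced `$fp`, the selection of `$sDirectory` and any authorization gate for this branch all lie outside the hunk, so confirm that `$sDirectory` can only resolve to the intended template/public directories and that this branch sits behind the same check the upload endpoints use (`$RBAC->userCanAccess('PM_FACTORY')` is visible in their hunk headers, not here).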
+++ b/workflow/engine/methods/processes/processes_UploadFiles.php
@@ -1,4 +1,5 @@
-userCanAccess('PM_FACTORY') == 1) {
 G::LoadClass('processes');
 $app = new Processes();
@@ -7,7 +8,7 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 die;
 }
 switch ($_POST['form']['MAIN_DIRECTORY']) {
- case 'mailTemplates':
+ case 'mailTemplates':
 $sDirectory = PATH_DATA_MAILTEMPLATES . $_POST['form']['PRO_UID'] . PATH_SEP . ($_POST['form']['CURRENT_DIRECTORY'] != '' ? $_POST['form']['CURRENT_DIRECTORY'] . PATH_SEP : '');
 break;
 case 'public':
@@ -20,24 +21,6 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 for ($i = 1; $i <= 5; $i ++) {
 if ($_FILES['form']['tmp_name']['FILENAME' . (string) $i] != '') {
 G::uploadFile( $_FILES['form']['tmp_name']['FILENAME' . (string) $i], $sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] );
- $fp = fopen($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] , 'rw');
- $content = fread($fp, filesize($sDirectory, $_FILES['form']['name']['FILENAME' . (string) $i] ));
- $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
- 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
- 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
- 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
- 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
- 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
- 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
- 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
- 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
- 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
- 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
- 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
- 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
- $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
- fwrite( $fp, $content );
- fclose($fp);
 }
 }
 }
diff --git a/workflow/engine/methods/processes/processes_doUpload.php b/workflow/engine/methods/processes/processes_doUpload.php
index 7653c726f..06bc75d7c 100755
--- a/workflow/engine/methods/processes/processes_doUpload.php
+++ b/workflow/engine/methods/processes/processes_doUpload.php
@@ -2,11 +2,16 @@
 sleep( 1 );
 global $RBAC;
 if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
- if (isset( $_SESSION['processes_upload'] )) {
 $form = $_SESSION['processes_upload'];
+ G::LoadClass('processes');
+ $app = new Processes();
+ if (!$app->processExists($form['PRO_UID'])) {
+ echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+ die;
+ }
 switch ($form['MAIN_DIRECTORY']) {
- case 'mailTemplates':
+ case 'mailTemplates':
 $sDirectory = PATH_DATA_MAILTEMPLATES . $form['PRO_UID'] . PATH_SEP . ($form['CURRENT_DIRECTORY'] != '' ? $form['CURRENT_DIRECTORY'] . PATH_SEP : '');
 break;
 case 'public':
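Review bot: Removing the `if (isset( $_SESSION['processes_upload'] ))` guard means `$form = $_SESSION['processes_upload'];` now runs even when the session key is absent, so the added `$app->processExists($form['PRO_UID'])` reads an index of a null `$form` (an undefined-index notice) before the request is rejected, and `switch ($form['MAIN_DIRECTORY'])` is reached with no valid form at all. Moving the process-existence check ahead of the directory switch is the right order; keep the session guard as an early exit just before the new block, e.g. `if (!isset($_SESSION['processes_upload'])) { die; }`. The matching closing brace is deleted in the second hunk of this file, and the `if ($RBAC->userCanAccess(...))` block opened here continues past both hunks.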
@@ -16,35 +21,10 @@ if ( $RBAC->userCanAccess('PM_FACTORY') == 1) {
 die();
 break;
 }
- G::LoadClass('processes');
- $app = new Processes();
- if (!$app->processExists($form['PRO_UID'])) {
- echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
- die;
- }
- }
 if ($_FILES['form']['error'] == "0") {
 G::uploadFile( $_FILES['form']['tmp_name'], $sDirectory, $_FILES['form']['name'] );
- $fp = fopen($sDirectory . $_FILES['form']['name'], 'rw');
- $content = fread($fp, filesize($sDirectory . $_FILES['form']['name']));
- $fields = array('!--', '--', '!DOCTYPE', 'a', 'abbr', 'acronym', 'address', 'applet', 'area',
- 'article', 'aside', 'audio', 'b', 'base', 'basefont', 'bdi', 'bdo', 'big',
- 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite',
- 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn',
- 'dialog', 'dir', 'div', 'dl', 'dt', 'em', 'embed', 'fieldset', 'figcaption',
- 'figure', 'font', 'footer', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4',
- 'h5', 'h6', 'head', 'header', 'hr', 'html', 'i', 'iframe', 'img', 'input', 'ins',
- 'kbd', 'keygen', 'label', 'legend', 'li', 'link', 'map', 'mark', 'menu', 'meta',
- 'meter', 'nav', 'noframes', 'noscript', 'object', 'ol', 'optgroup', 'option',
- 'output', 'p', 'param', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp',
- 'script', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style',
- 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
- 'time', 'title', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr');
- $content = G::sanitizeInput($content, $fields, array(), 0, 1, 0);
- fwrite( $fp, $content );
- fclose($fp);
 $msg = "Uploaded (" . (round( (filesize( $sDirectory . $_FILES['form']['name'] ) / 1024) * 10 ) / 10) . " kb)";
 $result = 1;
 //echo $sDirectory.$_FILES['form']['name'];