relative+cleaned paths

diff --git a/admin/xmldb/actions/delete_sentence/delete_sentence.class.php b/admin/xmldb/actions/delete_sentence/delete_sentence.class.php
index 1b3035cea786df76f577c1603efeaab74431a858..5b73f5defe65d66d8c341223e2ff14fe76e102db 100644 (file)
--- a/admin/xmldb/actions/delete_sentence/delete_sentence.class.php
+++ b/admin/xmldb/actions/delete_sentence/delete_sentence.class.php
@@ -63,10 +63,10 @@ class delete_sentence extends XMLDBAction {
     /// Do the job, setting result as needed
 
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
         $statementparam = required_param('statement', PARAM_CLEAN);
-        $sentenceparam = required_param('sentence', PARAM_CLEAN);
+        $sentenceparam = required_param('sentence', PARAM_INT);
 
         $confirmed = optional_param('confirmed', false, PARAM_BOOL);
 
@@ -77,11 +77,11 @@ class delete_sentence extends XMLDBAction {
             $o.= '    <p align="center">' . $this->str['confirmdeletesentence'] . '</p>';
             $o.= '    <table align="center" cellpadding="20"><tr><td>';
             $o.= '      <div class="singlebutton">';
-            $o.= '        <form action="index.php?action=delete_sentence&amp;confirmed=yes&amp;postaction=edit_statement&amp;sentence=' . $sentenceparam . '&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode($dirpath) . '" method="post">';
+            $o.= '        <form action="index.php?action=delete_sentence&amp;confirmed=yes&amp;postaction=edit_statement&amp;sentence=' . $sentenceparam . '&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post">';
             $o.= '          <input type="submit" value="'. $this->str['yes'] .'" /></form></div>';
             $o.= '      </td><td>';
             $o.= '      <div class="singlebutton">';
-            $o.= '        <form action="index.php?action=edit_statement&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode($dirpath) . '" method="post">';
+            $o.= '        <form action="index.php?action=edit_statement&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '" method="post">';
             $o.= '          <input type="submit" value="'. $this->str['no'] .'" /></form></div>';
             $o.= '      </td></tr>';
             $o.= '    </table>';

diff --git a/admin/xmldb/actions/edit_sentence/edit_sentence.class.php b/admin/xmldb/actions/edit_sentence/edit_sentence.class.php
index b3e04c9987c5fb1d79aee2af1492f555c33f8a63..5e7ca302c8a5eaa369f0a254509c3bdad75b3afe 100644 (file)
--- a/admin/xmldb/actions/edit_sentence/edit_sentence.class.php
+++ b/admin/xmldb/actions/edit_sentence/edit_sentence.class.php
@@ -63,8 +63,8 @@ class edit_sentence extends XMLDBAction {
 
     /// Do the job, setting result as needed
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dirs
         if (!empty($XMLDB->dbdirs)) {
@@ -115,7 +115,7 @@ class edit_sentence extends XMLDBAction {
 
         /// Add the main form
             $o = '<form name="form" id="form" action="index.php" method="post">';
-            $o.= '    <input type="hidden" name ="dir" value="' . $dirpath . '" />';
+            $o.= '    <input type="hidden" name ="dir" value="' . str_replace($CFG->dirroot, '', $dirpath) . '" />';
             $o.= '    <input type="hidden" name ="statement" value="' . $statementparam .'" />';
             $o.= '    <input type="hidden" name ="sentence" value="' . $sentenceparam .'" />';
             $o.= '    <input type="hidden" name ="action" value="edit_sentence_save" />';
@@ -134,7 +134,7 @@ class edit_sentence extends XMLDBAction {
         /// Calculate the buttons
             $b = ' <p align="center" class="buttons">';
         /// The back to edit statement button
-            $b .= '&nbsp;<a href="index.php?action=edit_statement&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode($dirpath) . '">[' . $this->str['back'] . ']</a>';
+            $b .= '&nbsp;<a href="index.php?action=edit_statement&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)) . '">[' . $this->str['back'] . ']</a>';
             $b .= '</p>';
             $o .= $b;
     

diff --git a/admin/xmldb/actions/edit_sentence_save/edit_sentence_save.class.php b/admin/xmldb/actions/edit_sentence_save/edit_sentence_save.class.php
index 83d9f254398c5889c77ddba2c8b62bb6f3b5416a..c9990ed9c1198aed3555b8852a37c57f1eef66b4 100644 (file)
--- a/admin/xmldb/actions/edit_sentence_save/edit_sentence_save.class.php
+++ b/admin/xmldb/actions/edit_sentence_save/edit_sentence_save.class.php
@@ -66,11 +66,11 @@ class edit_sentence_save extends XMLDBAction {
     /// Do the job, setting result as needed
 
     /// Get parameters
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
         $statementparam = strtolower(required_param('statement', PARAM_CLEAN));
-        $sentenceparam = strtolower(required_param('sentence', PARAM_CLEAN));
+        $sentenceparam = strtolower(required_param('sentence', PARAM_ALPHANUM));
 
         $fields = required_param('fields', PARAM_CLEAN);
         $fields = trim(stripslashes_safe($fields));
@@ -125,7 +125,7 @@ class edit_sentence_save extends XMLDBAction {
                          "<a href=\"../index.php\">" . $this->str['administration'] . "</a> -> <a href=\"index.php\">XMLDB</a>");
             notice ('<p>' .implode(', ', $errors) . '</p>
                      <p>' . s($sentence),
-                    'index.php?action=edit_sentence&amp;sentence=' .$sentenceparam . '&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode($dirpath));
+                    'index.php?action=edit_sentence&amp;sentence=' .$sentenceparam . '&amp;statement=' . urlencode($statementparam) . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
             die; /// re-die :-P
         }
 

diff --git a/admin/xmldb/actions/edit_statement_save/edit_statement_save.class.php b/admin/xmldb/actions/edit_statement_save/edit_statement_save.class.php
index db4be9ee90b703a697fd0a0e6c29b558bc5dc22d..56016a1aa7047ed721403817a129768667d7c706 100644 (file)
--- a/admin/xmldb/actions/edit_statement_save/edit_statement_save.class.php
+++ b/admin/xmldb/actions/edit_statement_save/edit_statement_save.class.php
@@ -63,8 +63,8 @@ class edit_statement_save extends XMLDBAction {
     /// Do the job, setting result as needed
 
     /// Get parameters
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
         $statementparam = strtolower(required_param('statement', PARAM_CLEAN));
         $name = trim(strtolower(required_param('name', PARAM_CLEAN)));

diff --git a/admin/xmldb/actions/new_sentence/new_sentence.class.php b/admin/xmldb/actions/new_sentence/new_sentence.class.php
index 739cf4377816056baa02cca66beec95e0eaf7ce2..305b34c667e042742490d08e25eb0534f1a8016d 100644 (file)
--- a/admin/xmldb/actions/new_sentence/new_sentence.class.php
+++ b/admin/xmldb/actions/new_sentence/new_sentence.class.php
@@ -63,8 +63,8 @@ class new_sentence extends XMLDBAction {
 
     /// Do the job, setting result as needed
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
     /// Get the correct dirs
         if (!empty($XMLDB->dbdirs)) {

diff --git a/admin/xmldb/actions/unload_xml_file/unload_xml_file.class.php b/admin/xmldb/actions/unload_xml_file/unload_xml_file.class.php
index 65568802fbd984b2e56a0c061f723aad742420b1..c04cdd4369468b4e3c3f5421ec0f9bb746adab49 100644 (file)
--- a/admin/xmldb/actions/unload_xml_file/unload_xml_file.class.php
+++ b/admin/xmldb/actions/unload_xml_file/unload_xml_file.class.php
@@ -62,8 +62,8 @@ class unload_xml_file extends XMLDBAction {
     /// Do the job, setting result as needed
 
     /// Get the dir containing the file
-        $dirpath = required_param('dir', PARAM_CLEAN);
-        $dirpath = stripslashes_safe($dirpath);
+        $dirpath = required_param('dir', PARAM_PATH);
+        $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 
         /// Get the original dir and delete some elements
         if (!empty($XMLDB->dbdirs)) {