Added invalid php function check to designer preview and bg saving

jbroadway · Sep 26, 2016 · ab5303f · ab5303f
1 parent 3389b36
commit ab5303f
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 5 deletions.
diff --git a/apps/designer/handlers/bgsave.php b/apps/designer/handlers/bgsave.php
@@ -25,8 +25,22 @@
 	return;
 }
 
+if (strpos ($_GET['file'], 'layouts/') === 0) {
+	require_once ('apps/designer/lib/Functions.php');
+
+	if (invalid_php_functions ($_POST['body'])) {
+		$this->add_notification (__ ('Invalid PHP functions detected. Please remove to save changes.'));
+
+		$res = new StdClass;
+		$res->success = false;
+		$res->error = 'Invalid PHP functions detected.';
+		echo json_encode ($res);
+		return;
+	}
+}
+
 if (! @file_put_contents ($_GET['file'], $_POST['body'])) {
-	$error = 'Saving file failed';
+	$error = 'Saving file failed.';
 } else {
 	try {
 		@chmod ($_GET['file'], 0666);

diff --git a/apps/designer/handlers/preview.php b/apps/designer/handlers/preview.php
@@ -14,12 +14,20 @@
 if ($_SERVER['REQUEST_METHOD'] == 'GET') {
 	$page->layout = '<h1>{{title}}</h1>{{ body|none }}';
 	if (! empty ($_GET['layout'])) {
-		if (preg_match('/^layouts\/[a-z0-9\/ _-]+\.html$/i', $_GET['layout']) &&
-			file_exists($_GET['layout']) ) {
+		if (preg_match ('/^layouts\/[a-z0-9\/ _-]+\.html$/i', $_GET['layout']) &&
+			file_exists ($_GET['layout']) ) {
 			$page->layout = file_get_contents ($_GET['layout']);
 		}
 	}
 } else {
+	require_once ('apps/designer/lib/Functions.php');
+
+	if (invalid_php_functions ($_POST['layout'])) {
+		$page->layout = false;
+		echo '<p>' . __ ('Invalid PHP functions detected in your layout template. Please remove to re-enable preview.') . '</p>';
+		return;
+	}
+
 	$page->layout = $_POST['layout'];
 }
 

diff --git a/apps/designer/views/add/layout.html b/apps/designer/views/add/layout.html
@@ -4,7 +4,7 @@
 
 <p id="buttons">
 	<span class="notice" id="body-notice">&nbsp; {"You must enter body content."}</span>
-	<span class="notice" id="invalid-php-functions-notice">&nbsp; {"Invalid PHP functions detected."}</span>
+	<span class="notice" id="invalid-php-functions-notice">&nbsp; {"Invalid PHP functions detected. Please remove to save changes."}</span>
 	<input type="submit" value="{"Create Layout"}" class="autosave-clear" />&nbsp;
 	<a href="javascript:history.go(-1)" onclick="return $.cancel_autosave ('{"Are you sure you want to cancel and lose any changes?"}')">{"Cancel"}</a>
 </p>

diff --git a/apps/designer/views/edit/layout.html b/apps/designer/views/edit/layout.html
@@ -4,7 +4,7 @@
 
 <p id="buttons">
 	<span class="notice" id="body-notice">&nbsp; {"You must enter body content."}</span>
-	<span class="notice" id="invalid-php-functions-notice">&nbsp; {"Invalid PHP functions detected."}</span>
+	<span class="notice" id="invalid-php-functions-notice">&nbsp; {"Invalid PHP functions detected. Please remove to save changes."}</span>
 	<span id="bgsave-status"></span>
 	<input type="submit" value="{"Save Layout"}" class="autosave-clear" />&nbsp;
 	<input type="submit" value="{"Save &amp; Keep Editing"}" id="bgsave" />&nbsp;