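api = TRUE; }

# user login and control
include_once 'auth.inc.php'; // sets global $User

if ($Page->restricted) {
    # access restriction
    if (!$User->login) {
        # not logged in: send the visitor to the login form with the page link as return target
        # NOTE(review): the login handler (not shown here) should accept only local
        # paths in "goto"; otherwise this parameter becomes an open redirect.
        $target = urlencode($Page->link);
        abort("/login?goto=$target", '303 Eerst inloggen');
    } elseif ($check = file_get_contents("{$Page->restricted}/.private") and !$User->admin(trim($check))) {
        # logged in, but lacking the permission named in the .private file
        # NOTE(review): an unreadable or empty .private makes $check falsy, so this
        # branch is skipped and any logged-in user passes. Confirm that failing open
        # is intended; a read failure (false) could be treated as a denial instead.
        http_response_code(403);
        $Page->raw('403.inc.html');
        # NOTE(review): execution continues after the 403. Unless $Page->raw() also
        # clears $Page->handler, the handler call in the output section below still
        # runs for this user. Confirm against the Page class.
    }
}

# prepare page contents
# NOTE(review): 'unsafe-inline' in default-src also covers scripts, so this policy
# does not stop injected inline script. The CDN is allow-listed with an http:// scheme;
# pinning it to https:// would rule out plaintext loads. Check how the editor is
# loaded before tightening either.
header(sprintf('Content-Security-Policy: %s', implode('; ', [
    "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
    "img-src 'self' data: blob: http://cdn.ckeditor.com", # inline svg (in css)
    "base-uri 'self'", # only local pages
    "frame-ancestors 'none'", # prevent malicious embedding
])));
# NOTE(review): this policy sends the full URL (path and query) to other origins on
# same-security navigations; 'strict-origin-when-cross-origin' would limit that to
# the origin, which matters for links on restricted pages.
header('Referrer-Policy: no-referrer-when-downgrade');

$Page->place += [
    # NOTE(review): inserted without escaping here; confirm that the login name is
    # validated at registration or escaped where the placeholder is rendered.
    'user' => $User->login ?: '',
    # REQUEST_URI is client-controlled. Flags are explicit so that single quotes are
    # escaped and invalid byte sequences are substituted on every PHP version
    # (before PHP 8.1 the default left single quotes untouched).
    'url' => htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES | ENT_SUBSTITUTE),
];

# editors get the editing resources; the result is also stored in $Page->editable
if ($Page->editable = $User->admin("edit {$Page->link}")) {
    include_once 'edit/head.inc.php';
}

# wrap the static contents unless the client asked for the bare XML fragment
# NOTE(review): the wrapper literals hold only newlines in this copy; confirm against
# the repository version whether wrapper markup is expected around the contents.
if (isset($Page->raw) and @$_SERVER['HTTP_ACCEPT'] !== 'application/xml') {
    $Page->raw = '
'."\n\n".$Page->raw."
\n\n";
}

# output dynamic and/or static html
include_once 'format.inc.php';

ob_start(); # capture whatever the handler or the 404 template prints
if ($Page->handler and !$Page->index($Page->api)) {
    # replace contents by code output on false return
    $Page->raw = ob_get_clean();
} else {
    # keep article contents; the buffer is only collected when there is no body
    if (!isset($Page->body)) {
        # no resulting output
        http_response_code(404);
        @require '404.inc.html';
        $Page->raw = ob_get_clean() . $Page->raw;
    }
}

if (@$_SERVER['HTTP_ACCEPT'] === 'application/xml') {
    # fragment requests may be read from any origin
    # Browsers refuse to expose credentialed responses under a wildcard origin, so
    # this opens only what an anonymous request can already fetch. Keep it a literal
    # "*": never echo the Origin header or add Access-Control-Allow-Credentials here.
    header('Access-Control-Allow-Origin: *');
} elseif (!$Page->api) {
    # regular page view: load the full page template
    include_once 'page.inc.php';
}

print $Page->render();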