X-Git-Url: http://git.shiar.nl/minimedit.git/blobdiff_plain/159ee0f3d812c9681a00c37f6a2bcaf8a1de83bc..83209975037c6fadba1fd0555e37e95c17fe6099:/upload.inc.php diff --git a/upload.inc.php b/upload.inc.php index ed9ee77..e270b76 100644 --- a/upload.inc.php +++ b/upload.inc.php @@ -27,6 +27,9 @@ function userupload($input, $target = NULL, $filename = NULL) $target .= $input['name']; } + if (file_exists($target)) { + throw new Exception("bestandsnaam al aanwezig op $target"); + } if (!@move_uploaded_file($input['tmp_name'], $target)) { throw new Exception("bestand kon niet worden opgeslagen in $target"); } @@ -41,10 +44,26 @@ function userupload($input, $target = NULL, $filename = NULL) function messagehtml($input) { # convert user textarea post to formatted html + global $User; if (empty($input)) { return; } - $html = htmlspecialchars($input); - $html = nl2br($html); - return "
$html
"; + if ($User and $User->admin and preg_match('/\A<[a-z][^>]*>/', $input)) { + return $input; # allow html input as is if privileged + } + $markup = [ + '{<((?:\w+:|/).+?)>}' => '<$1>', # unescape link entities + '{<(?:https?://)?([^>\s|]+)>}' => '<$1 $1>', # unnamed link + '{<([^>\s|]+)[\s|]([^>]+)>}' => '$2', # hyperlink + "/\r\n?/" => "\n", # unix newlines + "/ +\n/" => "$1
\n", # paragraph + "{^(
$1
', # monospace
+ ];
+ return preg_replace(array_keys($markup), array_values($markup), htmlspecialchars($input));
}