Merge branch 'master' of github.com:gnuboard/g5

2017-12-06 19:02:52 +09:00
parent 8d3ee4903a 6bf57bd4c6
commit bb9e24d06f
155 changed files with 31784 additions and 31294 deletions
--- a/adm/mail_select_list.php
+++ b/adm/mail_select_list.php
@ -106,7 +106,7 @@ include_once('./admin.head.php');
    <?php } ?>
    </tbody>
    </table>
-    <textarea name="ma_list" style="display:none"><?=$ma_list?></textarea>
+    <textarea name="ma_list" style="display:none"><?php echo $ma_list?></textarea>
 </div>

 <div class="btn_confirm01 btn_confirm">
--- a/adm/visit_search.php
+++ b/adm/visit_search.php
@ -15,7 +15,7 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'">처음</a>'; //페이지 처

 <div class="local_sch local_sch01">
    <form name="fvisit" method="get" onsubmit="return fvisit_submit(this);">
-    <?=$listall?>
+    <?php echo $listall?>
    <label for="sch_sort" class="sound_only">검색분류</label>
    <select name="sfl" id="sch_sort" class="search_sort">
        <option value="vi_ip"<?php echo get_selected($sfl, 'vi_ip'); ?>>IP</option>
--- a/common.php
+++ b/common.php
@ -29,7 +29,8 @@ for ($i=0; $i<$ext_cnt; $i++) {

 function g5_path()
 {
-    $result['path'] = str_replace('\\', '/', dirname(__FILE__));
+    $chroot = substr($_SERVER['SCRIPT_FILENAME'], 0, strpos($_SERVER['SCRIPT_FILENAME'], dirname(__FILE__)));
+    $result['path'] = str_replace('\\', '/', $chroot.dirname(__FILE__));
    $tilde_remove = preg_replace('/^\/\~[^\/]+(.*)$/', '$1', $_SERVER['SCRIPT_NAME']);
    $document_root = str_replace($tilde_remove, '', $_SERVER['SCRIPT_FILENAME']);
    $pattern = '/' . preg_quote($document_root, '/') . '/i';
--- a/g4_import_run.php
+++ b/g4_import_run.php
@ -379,6 +379,41 @@ document.onkeydown = noRefresh ;
            $comma = '';
            $sql_common = '';

+            // 모바일 스킨 디렉토리
+            if( ! isset($row['bo_mobile_skin']) ){
+                $row['bo_mobile_skin'] = 'basic';
+            }
+
+            // 모바일 제목 길이
+            if( ! isset($row['bo_mobile_subject_len']) ){
+                $row['bo_mobile_subject_len'] = '30';
+            }
+            
+            // 모바일 페이지당 목록 수
+            if( ! isset($row['bo_mobile_page_rows']) ){
+                $row['bo_mobile_page_rows'] = '15';
+            }
+
+            // 갤러리 이미지 폭 ( 리스트 )
+            if( ! isset($row['bo_gallery_width']) ){
+                $row['bo_gallery_width'] = '174';
+            }
+
+            // 갤러리 이미지 높이 ( 리스트 )
+            if( ! isset($row['bo_gallery_height']) ){
+                $row['bo_gallery_height'] = '124';
+            }
+
+            // 모바일 갤러리 이미지 폭 ( 리스트 )
+            if( ! isset($row['bo_mobile_gallery_width']) ){
+                $row['bo_mobile_gallery_width'] = '125';
+            }
+
+            // 모바일 갤러리 이미지 높이 ( 리스트 )
+            if( ! isset($row['bo_mobile_gallery_height']) ){
+                $row['bo_mobile_gallery_height'] = '100';
+            }
+
            foreach($row as $key=>$val) {
                if(!in_array($key, $columns))
                    continue;
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -2137,6 +2137,10 @@ function check_device($device)
 // 게시판 최신글 캐시 파일 삭제
 function delete_cache_latest($bo_table)
 {
+    if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) {
+        return;
+    }
+
    $files = glob(G5_DATA_PATH.'/cache/latest-'.$bo_table.'-*');
    if (is_array($files)) {
        foreach ($files as $filename)
--- a/plugin/htmlpurifier/HTMLPurifier.standalone.php
+++ b/plugin/htmlpurifier/HTMLPurifier.standalone.php
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema.ser
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema.ser
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
@ -0,0 +1,16 @@
+Core.AggressivelyRemoveScript
+TYPE: bool
+VERSION: 4.9.0
+DEFAULT: true
+--DESCRIPTION--
+<p>
+    This directive enables aggressive pre-filter removal of
+    script tags.  This is not necessary for security,
+    but it can help work around a bug in libxml where embedded
+    HTML elements inside script sections cause the parser to
+    choke.  To revert to pre-4.9.0 behavior, set this to false.
+    This directive has no effect if %Core.Trusted is true,
+    %Core.RemoveScriptContents is false, or %Core.HiddenElements
+    does not contain script.
+</p>
+--# vim: et sw=4 sts=4
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
@ -0,0 +1,36 @@
+Core.LegacyEntityDecoder
+TYPE: bool
+VERSION: 4.9.0
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    Prior to HTML Purifier 4.9.0, entities were decoded by performing
+    a global search replace for all entities whose decoded versions
+    did not have special meanings under HTML, and replaced them with
+    their decoded versions.  We would match all entities, even if they did
+    not have a trailing semicolon, but only if there weren't any trailing
+    alphanumeric characters.
+</p>
+<table>
+<tr><th>Original</th><th>Text</th><th>Attribute</th></tr>
+<tr><td>&amp;yen;</td><td>&yen;</td><td>&yen;</td></tr>
+<tr><td>&amp;yen</td><td>&yen;</td><td>&yen;</td></tr>
+<tr><td>&amp;yena</td><td>&amp;yena</td><td>&amp;yena</td></tr>
+<tr><td>&amp;yen=</td><td>&yen;=</td><td>&yen;=</td></tr>
+</table>
+<p>
+    In HTML Purifier 4.9.0, we changed the behavior of entity parsing
+    to match entities that had missing trailing semicolons in less
+    cases, to more closely match HTML5 parsing behavior:
+</p>
+<table>
+<tr><th>Original</th><th>Text</th><th>Attribute</th></tr>
+<tr><td>&amp;yen;</td><td>&yen;</td><td>&yen;</td></tr>
+<tr><td>&amp;yen</td><td>&yen;</td><td>&yen;</td></tr>
+<tr><td>&amp;yena</td><td>&yen;a</td><td>&amp;yena</td></tr>
+<tr><td>&amp;yen=</td><td>&yen;=</td><td>&amp;yen=</td></tr>
+</table>
+<p>
+    This flag reverts back to pre-HTML Purifier 4.9.0 behavior.
+</p>
+--# vim: et sw=4 sts=4
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt
@ -0,0 +1,10 @@
+--# vim: et sw=4 sts=4
+HTML.TargetNoopener
+TYPE: bool
+VERSION: 4.8.0
+DEFAULT: TRUE
+--DESCRIPTION--
+If enabled, noopener rel attributes are added to links which have
+a target attribute associated with them.  This prevents malicious
+destinations from overwriting the original window.
+--# vim: et sw=4 sts=4
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt
@ -1,5 +1,5 @@
 URI.DefaultScheme
-TYPE: string
+TYPE: string/null
 DEFAULT: 'http'
 --DESCRIPTION--

@ -7,4 +7,9 @@ DEFAULT: 'http'
    Defines through what scheme the output will be served, in order to
    select the proper object validator when no scheme information is present.
 </p>
+
+<p>
+    Starting with HTML Purifier 4.9.0, the default scheme can be null, in
+    which case we reject all URIs which do not have explicit schemes.
+</p>
 --# vim: et sw=4 sts=4
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/Filter/ExtractStyleBlocks.php
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/Filter/ExtractStyleBlocks.php
@ -95,7 +95,10 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
        if ($tidy !== null) {
            $this->_tidy = $tidy;
        }
-        $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html);
+        // NB: this must be NON-greedy because if we have
+        // <style>foo</style>  <style>bar</style>
+        // we must not grab foo</style>  <style>bar
+        $html = preg_replace_callback('#<style(?:\s.*)?>(.*)<\/style>#isU', array($this, 'styleCallback'), $html);
        $style_blocks = $this->_styleMatches;
        $this->_styleMatches = array(); // reset
        $context->register('StyleBlocks', $style_blocks); // $context must not be reused
--- a/plugin/htmlpurifier/standalone/HTMLPurifier/Lexer/PH5P.php
+++ b/plugin/htmlpurifier/standalone/HTMLPurifier/Lexer/PH5P.php
@ -21,7 +21,7 @@ class HTMLPurifier_Lexer_PH5P extends HTMLPurifier_Lexer_DOMLex
    public function tokenizeHTML($html, $config, $context)
    {
        $new_html = $this->normalize($html, $config, $context);
-        $new_html = $this->wrapHTML($new_html, $config, $context);
+        $new_html = $this->wrapHTML($new_html, $config, $context, false /* no div */);
        try {
            $parser = new HTML5($new_html);
            $doc = $parser->save();
@ -34,9 +34,9 @@ class HTMLPurifier_Lexer_PH5P extends HTMLPurifier_Lexer_DOMLex
        $tokens = array();
        $this->tokenizeDOM(
            $doc->getElementsByTagName('html')->item(0)-> // <html>
-                getElementsByTagName('body')->item(0) //   <body>
+                  getElementsByTagName('body')->item(0) //   <body>
            ,
-            $tokens
+            $tokens, $config
        );
        return $tokens;
    }
@ -1515,6 +1515,7 @@ class HTML5
                // Consume the maximum number of characters possible, with the
                // consumed characters case-sensitively matching one of the
                // identifiers in the first column of the entities table.
+
                $e_name = $this->characters('0-9A-Za-z;', $this->char + 1);
                $len = strlen($e_name);

@ -1547,7 +1548,7 @@ class HTML5

        // Return a character token for the character corresponding to the
        // entity name (as given by the second column of the entities table).
-        return html_entity_decode('&' . $entity . ';', ENT_QUOTES, 'UTF-8');
+        return html_entity_decode('&' . rtrim($entity, ';') . ';', ENT_QUOTES, 'UTF-8');
    }

    private function emitToken($token)