From 7fc5c51d66af65e1424f357cfed475482cb3700f Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Fri, 31 Jan 2014 12:58:16 +0000
Subject: [PATCH] Delete old insecure server-save PHP in favor of a new php-savefile extension which requires addition by user of a configuration page "savefile_config.php" in order to work (and where the user should do their own validation). Add this config file and "saved.svg" (the default name when no filename is supplied) to SVN ignore list.
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2658 eee81c28-f429-11dd-99c0-75d572ba1ddd
---
editor/extensions/ext-php_savefile.js | 24 ++++++++++++++++++++++++
editor/extensions/savefile.php | 17 +++++++++++++++++
extras/server-save/README.txt | 8 --------
extras/server-save/svg-editor-save.js | 4 ----
extras/server-save/svg-editor-save.php | 8 --------
5 files changed, 41 insertions(+), 20 deletions(-)
create mode 100644 editor/extensions/ext-php_savefile.js
create mode 100644 editor/extensions/savefile.php
delete mode 100644 extras/server-save/README.txt
delete mode 100644 extras/server-save/svg-editor-save.js
delete mode 100644 extras/server-save/svg-editor-save.php
diff --git a/editor/extensions/ext-php_savefile.js b/editor/extensions/ext-php_savefile.js
new file mode 100644
index 00000000..30512610
--- /dev/null
+++ b/editor/extensions/ext-php_savefile.js
@@ -0,0 +1,24 @@
+/*globals $, svgCanvas, svgEditor*/
+/*jslint regexp:true*/
+svgEditor.addExtension("php_savefile", {
+ callback: function() {
+ 'use strict';
+ function getFileNameFromTitle () {
+ var title = svgCanvas.getDocumentTitle();
+ return $.trim(title); // .replace(/[^a-z0-9\.\_\-]+/gi, '_'); // We could do this more stringent client-side filtering, but we need to do on the server anyways
+ }
+ var save_svg_action = 'extensions/savefile.php';
+ svgEditor.setCustomHandlers({
+ save: function(win, data) {
+ var svg = "\n" + data,
+ filename = getFileNameFromTitle();
+
+ $.post(save_svg_action, {output_svg: svg, filename: filename});
+ }
+ });
+ }
+});
+
+this.saveHandler = function(svg) {'use strict';
+ $.post("svg-editor-save.php", {svg_data: svg});
+};
diff --git a/editor/extensions/savefile.php b/editor/extensions/savefile.php
new file mode 100644
index 00000000..2bf5909b
--- /dev/null
+++ b/editor/extensions/savefile.php
@@ -0,0 +1,17 @@
+|]@', '_', urldecode($_POST['filename'])) : 'saved') . '.svg'; // These characters are indicated as prohibited by Windows
+ $output_svg = urldecode($svg);
+ $file = $filename;
+ $fh = fopen($file, 'w') or die("Can't open file");
+ fwrite($fh, $output_svg);
+ fclose($fh);
+?>
diff --git a/extras/server-save/README.txt b/extras/server-save/README.txt
deleted file mode 100644
index e94370bf..00000000
--- a/extras/server-save/README.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Usage:
-
-1) copy file svg-editor-save.php into the directory
-
-2) edit the end of the svgcanvas.js and change this.saveHandler method
- into the method described in svg-editor-save.js
-
-3) now the drawings will be saved into the file named saved.svg
diff --git a/extras/server-save/svg-editor-save.js b/extras/server-save/svg-editor-save.js
deleted file mode 100644
index 2564d75b..00000000
--- a/extras/server-save/svg-editor-save.js
+++ /dev/null
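Review bot: The trailing `this.saveHandler = function(svg) {...}` block (the last three added lines of ext-php_savefile.js) is a stray copy of the deleted extras/server-save/svg-editor-save.js: it runs at script top level outside the extension object and posts to `svg-editor-save.php`, which this same commit deletes, so it is dead code that should be removed. The `$.post(save_svg_action, {output_svg: svg, filename: filename});` call inside the `save` handler has no success or failure callback, so a rejected or failed save is invisible to the user; attaching a done/fail handler that reports the server's response would give feedback. The `win` parameter of `save` is unused and can be dropped or renamed to make that explicit.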
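Review bot: `$file = $filename;` followed by `$fh = fopen($file, 'w')` writes the POSTed `$output_svg` into the script's own web-served directory under a client-chosen name, and the only sanitizing visible in this hunk is the preg_replace of Windows-prohibited characters on the line above. The lines before the `|]@'` fragment (the opening tag, the origin of `$svg`, and whatever include of savefile_config.php the commit message relies on for validation) are not in this copy of the patch, so whether an authorization check precedes the write cannot be confirmed from here. As written, any request that reaches savefile.php can create or overwrite `.svg` files inside editor/extensions, which is then served back by the web server. Root the write in a dedicated directory outside the document root and strip path components, e.g. `$file = $save_dir . '/' . basename($filename);` where `$save_dir` is a placeholder for a setting defined in savefile_config.php, and refuse the write when that configuration is absent instead of falling through. `die("Can't open file")` also returns a 200 response, so the JS caller cannot distinguish failure from success; set `http_response_code(500)` before it.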
@@ -1,4 +0,0 @@
-/*globals $*/
-this.saveHandler = function(svg) {'use strict';
- $.post("svg-editor-save.php", {svg_data: svg});
-};
diff --git a/extras/server-save/svg-editor-save.php b/extras/server-save/svg-editor-save.php
deleted file mode 100644
index ee488c9c..00000000
--- a/extras/server-save/svg-editor-save.php
+++ /dev/null
@@ -1,8 +0,0 @@
-