Delete the old, insecure server-save PHP in favor of a new php_savefile extension, which only works once the user adds a configuration page "savefile_config.php" to the extensions directory (this is where the user should do their own validation). Add this config file and "saved.svg" (the default name when no filename is supplied) to the SVN ignore list.

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2658 eee81c28-f429-11dd-99c0-75d572ba1ddd
master
Brett Zamir 2014-01-31 12:58:16 +00:00
parent 515de36d65
commit 7fc5c51d66
5 changed files with 41 additions and 20 deletions


@ -0,0 +1,24 @@
/*globals $, svgCanvas, svgEditor*/
/*jslint regexp:true*/
svgEditor.addExtension("php_savefile", {
callback: function() {
'use strict';
function getFileNameFromTitle () {
var title = svgCanvas.getDocumentTitle();
return $.trim(title); // .replace(/[^a-z0-9\.\_\-]+/gi, '_'); // We could do this more stringent client-side filtering, but we need to do on the server anyways
}
var save_svg_action = 'extensions/savefile.php';
svgEditor.setCustomHandlers({
save: function(win, data) {
var svg = "<?xml version=\"1.0\"?>\n" + data,
filename = getFileNameFromTitle();
$.post(save_svg_action, {output_svg: svg, filename: filename});
}
});
}
});
this.saveHandler = function(svg) {'use strict';
$.post("svg-editor-save.php", {svg_data: svg});
};
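Review bot: The trailing `this.saveHandler = function(svg) {...}` after the `addExtension` call is top-level code that posts to `svg-editor-save.php`, a file this same commit deletes, so if these three lines really are part of the new extension file they assign a dead handler onto the global object and should be dropped. Separately, the `$.post` inside the `save` handler has neither a success nor a failure callback, so a refused or failed save (for example when `savefile_config.php` rejects the request, or the server answers with "Can't open file") is invisible to the user; chaining a failure handler, e.g. `$.post(save_svg_action, {output_svg: svg, filename: filename}).fail(function () { alert('Save failed'); });` (or the older `.error()` form if the bundled jQuery predates 1.8), would surface it. Note also that `filename` is taken straight from the user-editable document title, so the server must treat it as untrusted, as the comment on `getFileNameFromTitle` already acknowledges.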


@ -0,0 +1,17 @@
<?php
// You must first create a file "savefile_config.php" in this extensions directory and do whatever
// checking of user credentials, etc. that you wish; otherwise anyone will be able to post SVG
// files to your server which may cause disk space or possibly security problems
require('savefile_config.php');
if (!isset($_POST['output_svg'])) {
print "You must supply output_svg";
exit;
}
$svg = $_POST['output_svg'];
$filename = (isset($_POST['filename']) && !empty($_POST['filename']) ? preg_replace('@[\\\\/:*?"<>|]@', '_', urldecode($_POST['filename'])) : 'saved') . '.svg'; // These characters are indicated as prohibited by Windows
$output_svg = urldecode($svg);
$file = $filename;
$fh = fopen($file, 'w') or die("Can't open file");
fwrite($fh, $output_svg);
fclose($fh);
?>
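Review bot: The `urldecode()` calls in `$output_svg = urldecode($svg);` and inside the `$filename` expression decode the input a second time, because PHP has already decoded the `application/x-www-form-urlencoded` body that `$.post` sends into `$_POST`; every `+` in the drawing becomes a space and every literal `%xx` sequence becomes a byte, so the saved SVG is silently corrupted and the filename gets the same treatment. The Windows deny-list regex does strip `/` and `\`, so `../` cannot leave the directory, but the file is still written relative to the script, i.e. into the `extensions/` directory the client posts to, so whoever passes the config check can overwrite any `*.svg` there, and if the web server serves that directory statically the stored SVG (which may carry `<script>`) is then delivered from the site's own origin. The return value of `fwrite()` is ignored and the `die()` branch still answers with HTTP 200, so a failed write looks like success to the client, and nothing in this script protects against cross-site POSTs, so the config file would need a CSRF check on top of the credential check the header comment asks for. I would have `savefile_config.php` supply a save directory outside the web root, allow-list the base name instead of deny-listing, and write with `file_put_contents()` while checking for `false`:
```php
// … unchanged: require('savefile_config.php') and the output_svg presence check …
$svg = $_POST['output_svg']; // already decoded by PHP; a second urldecode() corrupts '+' and '%xx'
$raw = (isset($_POST['filename']) && is_string($_POST['filename'])) ? trim($_POST['filename']) : '';
// Allow-list instead of the Windows deny-list: no slashes, dot-only names or control characters survive.
$base = trim(preg_replace('/[^A-Za-z0-9._-]+/', '_', $raw), '._');
$filename = ($base === '' ? 'saved' : $base) . '.svg';
// $save_dir must be defined by savefile_config.php and point outside the web root.
$file = rtrim($save_dir, '/') . '/' . $filename;
if (file_put_contents($file, $svg, LOCK_EX) === false) {
    header('HTTP/1.1 500 Internal Server Error');
    die("Can't open file");
}
```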


@ -1,8 +0,0 @@
Usage:
1) copy file svg-editor-save.php into the directory
2) edit the end of the svgcanvas.js and change this.saveHandler method
into the method described in svg-editor-save.js
3) now the drawings will be saved into the file named saved.svg


@ -1,4 +0,0 @@
/*globals $*/
this.saveHandler = function(svg) {'use strict';
$.post("svg-editor-save.php", {svg_data: svg});
};


@ -1,8 +0,0 @@
<?php
$svg = $_REQUEST['svg_data'];
$svg_data = urldecode($svg);
$file = 'saved.svg';
$fh = fopen($file, 'w') or die("Can't open file");
fwrite($fh, $svg_data);
fclose($fh);
?>