From 5ca959fa688255a8de61f89fe2751eb4d24a6912 Mon Sep 17 00:00:00 2001
From: Florian Schaal <florian@schaal-24.de>
Date: Tue, 22 Mar 2016 09:22:07 -0400
Subject: [PATCH] fixed typo

---
 interface/web/admin/language_edit.php |   37 ++++++++++++++++++++++++-------------
 1 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php
index ce9f30c..c94a5eb 100644
--- a/interface/web/admin/language_edit.php
+++ b/interface/web/admin/language_edit.php
@@ -27,14 +27,16 @@
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
+require_once '../../lib/config.inc.php';
+require_once '../../lib/app.inc.php';
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+$app->auth->check_security_permissions('admin_allow_langedit');
 
 //* This is only allowed for administrators
 if(!$app->auth->is_admin()) die('only allowed for administrators.');
+if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
 
 $app->uses('tpl');
 
@@ -53,30 +55,34 @@
 
 //* Save data
 if(isset($_POST['records']) && is_array($_POST['records'])) {
+	
+	//* CSRF Check
+	$app->auth->csrf_token_check();
+	
 	$file_content = "<?php\n";
 	foreach($_POST['records'] as $key => $val) {
 		$val = stripslashes($val);
-		$val = str_replace("'",'',$val);
-		$val = str_replace('"','',$val);
-		$file_content .= '$wb['."'$key'".'] = '."'$val';\n";
+		$val = preg_replace('/(^|[^\\\\])((\\\\\\\\)*)"/', '$1$2\\"', $val);
+		$val = str_replace('$', '', $val);
+		$file_content .= '$wb['."'$key'".'] = "'.$val.'";'."\n";
 		$msg = 'File saved.';
 	}
 	$file_content .= "?>\n";
 	if($module == 'global') {
-		file_put_contents(ISPC_LIB_PATH."/lang/$lang_file" ,$file_content);
+		file_put_contents(ISPC_LIB_PATH."/lang/$lang_file" , $file_content);
 	} else {
-		file_put_contents(ISPC_WEB_PATH."/$module/lib/lang/$lang_file" ,$file_content);
+		file_put_contents(ISPC_WEB_PATH."/$module/lib/lang/$lang_file" , $file_content);
 	}
 }
 
 
-$app->tpl->setVar(array('module' => $module,'lang_file' => $lang_file, 'lang' => $lang, 'msg' => $msg));
+$app->tpl->setVar(array('module' => $module, 'lang_file' => $lang_file, 'lang' => $lang, 'msg' => $msg));
 
 if($module == 'global') {
-	include(ISPC_LIB_PATH."/lang/$lang_file");
+	include ISPC_LIB_PATH."/lang/$lang_file";
 	$file_path = ISPC_LIB_PATH."/lang/$lang_file";
 } else {
-	include(ISPC_WEB_PATH."/$module/lib/lang/$lang_file");
+	include ISPC_WEB_PATH."/$module/lib/lang/$lang_file";
 	$file_path = ISPC_WEB_PATH."/$module/lib/lang/$lang_file";
 }
 $app->tpl->setVar("file_path", $file_path);
@@ -84,17 +90,22 @@
 $keyword_list = array();
 if(isset($wb) && is_array($wb)) {
 	foreach($wb as $key => $val) {
-		$keyword_list[] = array('key' => $key, 'val' => $val);
+		$keyword_list[] = array('key' => $key, 'val' => htmlentities($val, ENT_COMPAT | ENT_HTML401, 'UTF-8'));
 	}
 
 	$app->tpl->setLoop('records', $keyword_list);
 	unset($wb);
 }
 
+//* SET csrf token
+$csrf_token = $app->auth->csrf_token_get('language_edit');
+$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
+$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
-//* load language file 
+
+//* load language file
 $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_edit.lng';
-include($lng_file);
+include $lng_file;
 $app->tpl->setVar($wb);
 
 $app->tpl_defaults();

--
Gitblit v1.9.1