From 1fb7d5e7f9d76d40a00755b7642aa10832b80cd4 Mon Sep 17 00:00:00 2001
From: Evgeny Gryaznov
Date: Sat, 4 Apr 2009 21:17:42 +0000
Subject: [PATCH] fix slashes and form value

git-svn-id: https://webim.svn.sourceforge.net/svnroot/webim/trunk@448 c66351dc-e62f-0410-b875-e3a5c0b9693f
---
 src/messenger/webim/libs/common.php | 91 ++++++++++++----------
 src/messenger/webim/operator/translate.php | 7 +-
 2 files changed, 51 insertions(+), 47 deletions(-)

diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index 0cbc6498..21d9652e 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -238,19 +238,63 @@ function getlocal2($text,$params) {
 /* ajax server actions use utf-8 */
 function getrawparam( $name ) {
 global $webim_encoding;
- if( isset($_POST[$name]) )
- return myiconv("utf-8",$webim_encoding,$_POST[$name]);
+ if( isset($_POST[$name]) ) {
+ $value = myiconv("utf-8",$webim_encoding,$_POST[$name]);
+ if (get_magic_quotes_gpc()) {
+ $value = stripslashes($value);
+ }
+ return $value;
+ }
 die("no ".$name." parameter");
 }
 
 /* form processors use current Output encoding */
 function getparam( $name ) {
 global $webim_encoding;
- if( isset($_POST[$name]) )
- return myiconv(getoutputenc(), $webim_encoding, $_POST[$name]);
+ if( isset($_POST[$name]) ) {
+ $value = myiconv(getoutputenc(), $webim_encoding, $_POST[$name]);
+ if (get_magic_quotes_gpc()) {
+ $value = stripslashes($value);
+ }
+ return $value;
+ }
 die("no ".$name." parameter");
 }
 
+function unicode_urldecode($url) {
+ preg_match_all('/%u([[:alnum:]]{4})/', $url, $a);
+
+ foreach ($a[1] as $uniord) {
+ $dec = hexdec($uniord);
+ $utf = '';
+
+ if ($dec < 128) {
+ $utf = chr($dec);
+ } else if ($dec < 2048) {
+ $utf = chr(192 + (($dec - ($dec % 64)) / 64));
+ $utf .= chr(128 + ($dec % 64));
+ } else {
+ $utf = chr(224 + (($dec - ($dec % 4096)) / 4096));
+ $utf .= chr(128 + ((($dec % 4096) - ($dec % 64)) / 64));
+ $utf .= chr(128 + ($dec % 64));
+ }
+ $url = str_replace('%u'.$uniord, $utf, $url);
+ }
+ return urldecode($url);
+}
+
+function getgetparam($name,$default='') {
+ global $webim_encoding;
+ if( !isset($_GET[$name]) || !$_GET[$name] ) {
+ return $default;
+ }
+ $value = myiconv("utf-8", $webim_encoding, unicode_urldecode($_GET[$name]));
+ if (get_magic_quotes_gpc()) {
+ $value = stripslashes($value);
+ }
+ return $value;
+ }
+
 function connect() {
 global $mysqlhost, $mysqllogin, $mysqlpass, $mysqldb, $dbencoding, $force_charset_in_connection;
 $link = @mysql_connect($mysqlhost,$mysqllogin ,$mysqlpass ) 
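Review bot: In getrawparam(), getparam() and getgetparam() the new stripslashes() runs after myiconv(), but magic quotes inserted the backslashes into the raw request bytes, so if $webim_encoding is an encoding in which 0x5C can be a trailing byte of a multibyte character (Shift_JIS-style), stripping after conversion removes real character bytes; unslash the raw value first, e.g. `$raw = get_magic_quotes_gpc() ? stripslashes($_POST[$name]) : $_POST[$name];` followed by `$value = myiconv("utf-8",$webim_encoding,$raw);`, and likewise before unicode_urldecode() in getgetparam(). The identical three-line block is repeated three times; a small helper holding the check would keep that ordering in one place. unicode_urldecode() is only moved here, but its pattern `[[:alnum:]]{4}` also accepts non-hex letters and hexdec() silently drops them, so an input such as %uZZZZ decodes to chr(0) and injects a NUL byte into the value; `[0-9A-Fa-f]{4}` is the intended class. With quote_smart() deleted later in this file, unslashing no longer sits next to mysql_real_escape_string(), so every query site now has to escape on its own; those callers are outside the diff.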
@@ -318,7 +362,7 @@ function escape_with_cdata($text) {
 function form_value($key) {
 global $page;
 if( isset($page) && isset($page["form$key"]) )
- return $page["form$key"];
+ return htmlspecialchars($page["form$key"]);
 return "";
 }
 
@@ -408,43 +452,6 @@ function is_valid_email($email) {
 return preg_match("/^[^@]+@[^\.]+(\.[^\.]+)*$/", $email);
 }
 
-function quote_smart($value,$link) {
- if (get_magic_quotes_gpc()) {
- $value = stripslashes($value);
- }
- return mysql_real_escape_string($value,$link);
-}
-
-function unicode_urldecode($url) {
- preg_match_all('/%u([[:alnum:]]{4})/', $url, $a);
-
- foreach ($a[1] as $uniord) {
- $dec = hexdec($uniord);
- $utf = '';
-
- if ($dec < 128) {
- $utf = chr($dec);
- } else if ($dec < 2048) {
- $utf = chr(192 + (($dec - ($dec % 64)) / 64));
- $utf .= chr(128 + ($dec % 64));
- } else {
- $utf = chr(224 + (($dec - ($dec % 4096)) / 4096));
- $utf .= chr(128 + ((($dec % 4096) - ($dec % 64)) / 64));
- $utf .= chr(128 + ($dec % 64));
- }
- $url = str_replace('%u'.$uniord, $utf, $url);
- }
- return urldecode($url);
-}
-
-function getgetparam($name,$default='') {
- global $webim_encoding;
- if( !isset($_GET[$name]) || !$_GET[$name] ) {
- return $default;
- }
- return myiconv("utf-8", $webim_encoding, unicode_urldecode($_GET[$name]));
-}
-
 function get_app_location($showhost,$issecure) {
 global $webimroot;
 if( $showhost ) {
diff --git a/src/messenger/webim/operator/translate.php b/src/messenger/webim/operator/translate.php
index 28fe2f18..d5ec4777 100644
--- a/src/messenger/webim/operator/translate.php
+++ b/src/messenger/webim/operator/translate.php
@@ -124,9 +124,6 @@ if($stringid) {
 }
 
 if(count($errors) == 0) {
- if (get_magic_quotes_gpc()) {
- $translation = stripslashes($translation);
- }
 save_message($target, $stringid, $translation);
 $page['saved'] = true;
 
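Review bot: htmlspecialchars() in form_value() is called with default flags and no charset, so a single quote is left unescaped (ENT_COMPAT) and the charset used depends on the PHP version rather than on the output encoding this file selects through getoutputenc(); a value placed in a single-quoted attribute by a template would be escaped incompletely. Suggest `return htmlspecialchars($page["form$key"], ENT_QUOTES, getoutputenc());`, assuming getoutputenc() yields a charset name htmlspecialchars() accepts, which this hunk does not show. Since escaping now happens here, any caller that still stores a pre-escaped value under $page["form…"] is double-encoded; translate.php is adjusted in this commit, other callers are outside the diff.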
@@ -140,8 +137,8 @@ if($stringid) {
 $page['saved'] = false;
 $page['key'] = $stringid;
 $page['target'] = $target;
- $page['formoriginal'] = isset($lang1[$stringid]) ? htmlspecialchars($lang1[$stringid]) : "";
- $page['formtranslation'] = htmlspecialchars($translation);
+ $page['formoriginal'] = isset($lang1[$stringid]) ? $lang1[$stringid] : "";
+ $page['formtranslation'] = $translation;
 prepare_menu($operator, false);
 start_html_output();
 require('../view/translate.php');
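Review bot: $page['formoriginal'] and $page['formtranslation'] are now stored unescaped, which is only safe if ../view/translate.php reads them exclusively through form_value(), the function this commit makes responsible for escaping; any direct echo of `$page['formtranslation']` in that view would now output the operator-supplied text raw. The view is outside the diff, so this needs confirming there. A one-line comment at the assignments, `// stored raw: the view must read these via form_value(), which escapes`, would record that contract for the next editor.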