mirror of
https://github.com/givanz/VvvebJs.git
synced 2025-03-14 09:58:20 +00:00
198 lines
5.1 KiB
PHP
Vendored
198 lines
5.1 KiB
PHP
Vendored
<?php
|
|
/*
|
|
Copyright 2017 Ziadin Givan
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
|
|
https://github.com/givanz/VvvebJs
|
|
*/
|
|
|
|
define('MAX_FILE_LIMIT', 1024 * 1024 * 2);//2 Megabytes max html file size
|
|
define('ALLOW_PHP', false);//check if saved html contains php tag and don't save if not allowed
|
|
define('ALLOWED_OEMBED_DOMAINS', [
|
|
'https://www.youtube.com/',
|
|
'https://www.vimeo.com/',
|
|
'https://www.x.com/',
|
|
'https://x.com/',
|
|
'https://publish.twitter.com/',
|
|
'https://www.twitter.com/',
|
|
'https://www.reddit.com/',
|
|
]);//load urls only from allowed websites for oembed
|
|
|
|
function sanitizeFileName($file, $allowedExtension = 'html') {
|
|
$basename = basename($file);
|
|
$disallow = ['.htaccess', 'passwd'];
|
|
if (in_array($basename, $disallow)) {
|
|
showError('Filename not allowed!');
|
|
return '';
|
|
}
|
|
|
|
//sanitize, remove double dot .. and remove get parameters if any
|
|
$file = preg_replace('@\?.*$@' , '', preg_replace('@\.{2,}@' , '', preg_replace('@[^\/\\a-zA-Z0-9\-\._]@', '', $file)));
|
|
|
|
if ($file) {
|
|
$file = __DIR__ . DIRECTORY_SEPARATOR . $file;
|
|
} else {
|
|
return '';
|
|
}
|
|
|
|
//allow only .html extension
|
|
if ($allowedExtension) {
|
|
$file = preg_replace('/\.[^.]+$/', '', $file) . ".$allowedExtension";
|
|
}
|
|
return $file;
|
|
}
|
|
|
|
function showError($error) {
|
|
header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error', true, 500);
|
|
die($error);
|
|
}
|
|
|
|
function validOembedUrl($url) {
|
|
foreach (ALLOWED_OEMBED_DOMAINS as $domain) {
|
|
if (strpos($url, $domain) === 0) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
$html = '';
|
|
$file = '';
|
|
$action = '';
|
|
|
|
if (isset($_POST['startTemplateUrl']) && !empty($_POST['startTemplateUrl'])) {
|
|
$startTemplateUrl = sanitizeFileName($_POST['startTemplateUrl']);
|
|
$html = '';
|
|
if ($startTemplateUrl) {
|
|
$html = file_get_contents($startTemplateUrl);
|
|
}
|
|
} else if (isset($_POST['html'])){
|
|
$html = substr($_POST['html'], 0, MAX_FILE_LIMIT);
|
|
if (!ALLOW_PHP) {
|
|
//if (strpos($html, '<?php') !== false) {
|
|
if (preg_match('@<\?php|<\? |<\?=|<\s*script\s*language\s*=\s*"\s*php\s*"\s*>@', $html)) {
|
|
showError('PHP not allowed!');
|
|
}
|
|
}
|
|
}
|
|
|
|
if (isset($_POST['file'])) {
|
|
$file = sanitizeFileName($_POST['file']);
|
|
}
|
|
|
|
if (isset($_GET['action'])) {
|
|
$action = htmlspecialchars(strip_tags($_GET['action']));
|
|
}
|
|
|
|
if ($action) {
|
|
//file manager actions, delete and rename
|
|
switch ($action) {
|
|
case 'rename':
|
|
$newfile = sanitizeFileName($_POST['newfile']);
|
|
if ($file && $newfile) {
|
|
if (rename($file, $newfile)) {
|
|
echo "File '$file' renamed to '$newfile'";
|
|
} else {
|
|
showError("Error renaming file '$file' renamed to '$newfile'");
|
|
}
|
|
}
|
|
break;
|
|
case 'delete':
|
|
if ($file) {
|
|
if (unlink($file)) {
|
|
echo "File '$file' deleted";
|
|
} else {
|
|
showError("Error deleting file '$file'");
|
|
}
|
|
}
|
|
break;
|
|
case 'saveReusable':
|
|
//block or section
|
|
$type = $_POST['type'] ?? false;
|
|
$name = $_POST['name'] ?? false;
|
|
$html = $_POST['html'] ?? false;
|
|
|
|
if ($type && $name && $html) {
|
|
|
|
$file = sanitizeFileName("$type/$name");
|
|
if ($file) {
|
|
$dir = dirname($file);
|
|
if (!is_dir($dir)) {
|
|
echo "$dir folder does not exist\n";
|
|
if (mkdir($dir, 0777, true)) {
|
|
echo "$dir folder was created\n";
|
|
} else {
|
|
showError("Error creating folder '$dir'\n");
|
|
}
|
|
}
|
|
|
|
if (file_put_contents($file, $html)) {
|
|
echo "File saved '$file'";
|
|
} else {
|
|
showError("Error saving file '$file'\nPossible causes are missing write permission or incorrect file path!");
|
|
}
|
|
} else {
|
|
showError('Invalid filename!');
|
|
}
|
|
} else {
|
|
showError("Missing reusable element data!\n");
|
|
}
|
|
break;
|
|
case 'oembedProxy':
|
|
$url = $_GET['url'] ?? '';
|
|
if (validOembedUrl($url)) {
|
|
$options = array(
|
|
'http'=>array(
|
|
'method'=>"GET",
|
|
'header'=> 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'] . "\r\n"
|
|
)
|
|
);
|
|
$context = stream_context_create($options);
|
|
header('Content-Type: application/json');
|
|
echo file_get_contents($url, false, $context );
|
|
} else {
|
|
showError('Invalid url!');
|
|
}
|
|
break;
|
|
default:
|
|
showError("Invalid action '$action'!");
|
|
}
|
|
} else {
|
|
//save page
|
|
if ($html) {
|
|
if ($file) {
|
|
$dir = dirname($file);
|
|
if (!is_dir($dir)) {
|
|
echo "$dir folder does not exist\n";
|
|
if (mkdir($dir, 0777, true)) {
|
|
echo "$dir folder was created\n";
|
|
} else {
|
|
showError("Error creating folder '$dir'\n");
|
|
}
|
|
}
|
|
|
|
if (file_put_contents($file, $html)) {
|
|
echo "File saved '$file'";
|
|
} else {
|
|
showError("Error saving file '$file'\nPossible causes are missing write permission or incorrect file path!");
|
|
}
|
|
} else {
|
|
showError('Filename is empty!');
|
|
}
|
|
} else {
|
|
showError('Html content is empty!');
|
|
}
|
|
}
|