SA-CONTRIB-2009-052: remove multiple XSS vulnerabilities
1 <?php
2 // $Id$
3
4 /**
5 * @file
6 * Contains the administrative functions of the PF module.
7 *
8 * This file is included by the core PF module, and includes the
9 * settings form.
10 *
11 * @ingroup print
12 */
13
/**
 * Menu callback for the Printer-friendly pages module settings form.
 *
 * Builds the "Common Settings" fieldset (stylesheet URL, URL list, comments,
 * new-window method) together with the collapsed logo, footer and source URL
 * sub-fieldsets, then hands the whole form to system_settings_form().
 *
 * @return array
 *   The form array as returned by system_settings_form().
 *
 * @ingroup forms
 */
function print_main_settings() {
  $common = array(
    '#type' => 'fieldset',
    '#title' => t('Common Settings'),
  );

  $common['print_css'] = array(
    '#type' => 'textfield',
    '#title' => t('Stylesheet URL'),
    '#default_value' => variable_get('print_css', PRINT_CSS_DEFAULT),
    '#size' => 60,
    '#maxlength' => 250,
    '#description' => implode('<br />', array(
      t('The URL to your custom print cascading stylesheet, if any. When none is specified, the default module CSS file is used.'),
      t('Macros: %b (base path: "%base"), %t (path to theme: "%theme")', array('%base' => base_path(), '%theme' => path_to_theme())),
      t('Requires the <em>administer site configuration</em> permission.'),
    )),
    // Only site administrators may point the print page at another stylesheet.
    '#disabled' => !user_access('administer site configuration'),
  );

  $common['print_urls'] = array(
    '#type' => 'checkbox',
    '#title' => t('Printer-friendly URLs list'),
    '#default_value' => variable_get('print_urls', PRINT_URLS_DEFAULT),
    '#description' => implode('<br />', array(
      t('If set, a list of the destination URLs for the page links will be displayed at the bottom of the page.'),
      t('Note that you can enable/disable the URL list for each content type individually from the !url.', array('!url' => l(t('Content Types page'), 'admin/content/types'))),
    )),
  );

  $common['print_comments'] = array(
    '#type' => 'checkbox',
    '#title' => t('Include comments in printer-friendly version'),
    '#default_value' => variable_get('print_comments', PRINT_COMMENTS_DEFAULT),
    '#description' => t('When this option is active, user comments are also included in the printer-friendly version. Requires the comment module.'),
  );

  $common['print_newwindow'] = array(
    '#type' => 'radios',
    '#title' => t('New window method'),
    '#options' => array(t('Use HTML target (does not validate as XHTML Strict)'), t('Use Javascript (requires browser support)')),
    '#default_value' => variable_get('print_newwindow', PRINT_NEWWINDOW_DEFAULT),
    '#description' => t('Choose the method used to open pages in a new window/tab.'),
  );

  // Logo: disabled, the current theme's logo, or a user-specified path/URL
  // (which may also be filled in by uploading a file).
  $common['logo'] = array(
    '#type' => 'fieldset',
    '#title' => t('Logo options'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
    'print_logo_options' => array(
      '#type' => 'radios',
      '#title' => t('Logo type'),
      '#options' => array(t('None (Disabled)'), t("Current theme's logo"), t('User-specified')),
      '#default_value' => variable_get('print_logo_options', PRINT_LOGO_OPTIONS_DEFAULT),
      '#description' => t("Select the type of logo to display on the printer-friendly version. In case of a user-specified location, insert the path or URL below."),
    ),
    'print_logo_url' => array(
      '#type' => 'textfield',
      '#title' => t('Logo URL'),
      '#default_value' => variable_get('print_logo_url', PRINT_LOGO_URL_DEFAULT),
      '#size' => 60,
      '#maxlength' => 250,
    ),
    'print_logo_upload' => array(
      '#type' => 'file',
      '#title' => t('Upload logo'),
      '#size' => 60,
      '#maxlength' => 250,
      '#description' => t("If you don't have direct file access to the server, use this field to upload your logo."),
    ),
  );

  // Footer: disabled, the site's footer, or free text entered below.
  $common['footer'] = array(
    '#type' => 'fieldset',
    '#title' => t('Footer options'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
    'print_footer_options' => array(
      '#type' => 'radios',
      '#title' => t('Footer type'),
      '#options' => array(t('None (Disabled)'), t("Site's footer"), t('User-specified')),
      '#default_value' => variable_get('print_footer_options', PRINT_FOOTER_OPTIONS_DEFAULT),
      '#description' => t("Select the type of footer to display on the printer-friendly version. In case of a user-specified footer, insert it below."),
    ),
    'print_footer_user' => array(
      '#type' => 'textfield',
      '#title' => t('User-specified'),
      '#default_value' => variable_get('print_footer_user', PRINT_FOOTER_USER_DEFAULT),
      '#size' => 60,
      '#maxlength' => 250,
    ),
  );

  // Source URL line shown at the bottom of the printer-friendly version.
  $common['print_sourceurl_settings'] = array(
    '#type' => 'fieldset',
    '#title' => t('Source URL'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
    'print_sourceurl_enabled' => array(
      '#type' => 'checkbox',
      '#title' => t('Display source URL'),
      '#default_value' => variable_get('print_sourceurl_enabled', PRINT_SOURCEURL_ENABLED_DEFAULT),
      '#description' => t('When this option is selected, the URL for the original page will be displayed at the bottom of the printer-friendly version.'),
    ),
    'print_sourceurl_date' => array(
      '#type' => 'checkbox',
      '#title' => t('Add current time/date to the source URL'),
      '#default_value' => variable_get('print_sourceurl_date', PRINT_SOURCEURL_DATE_DEFAULT),
      '#description' => t('Display the current date and time in the Source URL line.'),
    ),
    'print_sourceurl_forcenode' => array(
      '#type' => 'checkbox',
      '#title' => t('Force use of node ID in source URL'),
      '#default_value' => variable_get('print_sourceurl_forcenode', PRINT_SOURCEURL_FORCENODE_DEFAULT),
      '#description' => t("Drupal will attempt to use the page's defined alias in case there is one. To force the use of the fixed URL, activate this option."),
    ),
  );

  $form = array(
    'settings' => $common,
    // The logo upload field only works with a multipart form.
    '#attributes' => array('enctype' => 'multipart/form-data'),
    '#validate' => array('_print_main_settings_validate' => array()),
  );

  return system_settings_form($form);
}
147
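/**
 * Validate print_main_settings form.
 *
 * Handles the optional logo upload and checks that the stylesheet URL is
 * either a relative path or an absolute URL on this site. The parameter list
 * follows the ($form_id, $form_values, $form) convention matching the
 * #validate registration in print_main_settings().
 *
 * @param string $form_id
 *   The form ID.
 * @param array $form_values
 *   The submitted values, keyed by element name.
 * @param array $form
 *   The form array; used to locate the logo elements for form_set_value().
 */
function _print_main_settings_validate($form_id, $form_values, $form) {
  global $base_url;

  // Check for a new uploaded logo, and use that instead.
  if ($file = file_check_upload('print_logo_upload')) {
    if ($info = image_get_info($file->filepath)) {
      // Name the stored file after the image type image_get_info() actually
      // detected, not after the extension of the client-supplied filename:
      // the extension then always agrees with the validated content, and a
      // filename without an extension no longer triggers a notice.
      $filename = 'print_logo.'. strtolower($info['extension']);

      if ($file = file_save_upload('print_logo_upload', $filename, 1)) {
        // Switch the logo type to "User-specified" and point it at the upload.
        form_set_value($form['settings']['logo']['print_logo_options'], 2);
        form_set_value($form['settings']['logo']['print_logo_url'], base_path() . $file->filepath);
      }
    }
    else {
      form_set_error('print_logo_upload', t('Only JPEG, PNG and GIF images are allowed to be used as logos.'));
    }
  }

  // Check that the stylesheet URL is a local URL: a relative path is accepted
  // as-is, while an absolute (or protocol-relative) URL must start with the
  // site's base URL. The value is read from $form_values, the handler's own
  // parameter; the earlier $form_state['values'] lookup referenced a variable
  // that does not exist here, so this check never actually ran.
  $css = isset($form_values['print_css']) ? $form_values['print_css'] : '';
  // 'https://', '//' and upper-case schemes are absolute too and must not slip
  // past an 'http://'-only test.
  if (preg_match('!^(?:https?:)?//!i', $css)) {
    // $base_url is a literal URL, so quote it before embedding it in a pattern.
    if (!preg_match('!^'. preg_quote($base_url, '!') .'/!', $css)) {
      form_set_error('print_css', t("Stylesheet URL must be a relative path or start with the site's base URL"));
    }
  }
}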
177
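/**
 * Menu callback for the Printer-friendly pages HTML settings form.
 *
 * Builds the "Web page options" fieldset: link placement and style, link
 * visibility rules for node and system pages (with the PHP-mode option only
 * offered to users holding 'use PHP for link visibility'), book link
 * handling, new window / send-to-printer switches and the robots META tags.
 *
 * @return array
 *   The form array as returned by system_settings_form().
 *
 * @ingroup forms
 */
function print_html_settings() {
  $form['settings'] = array(
    '#type' => 'fieldset',
    '#title' => t('Web page options'),
  );

  $form['settings']['print_html_link_pos'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Printer-friendly page link'),
    '#default_value' => variable_get('print_html_link_pos', array(PRINT_HTML_LINK_POS_DEFAULT => PRINT_HTML_LINK_POS_DEFAULT)),
    '#options' => array('link' => t('Links area'), 'corner' => t('Content corner')),
    '#description' => t('Choose the location of the link(s) to the printer-friendly page. The Links area is usually below the node content, whereas the Content corner is placed in the upper-right corner of the node content. Unselect all options to disable the link. Even if the link is disabled, you can still view the print version of a node by going to !path/nid where nid is the numeric id of the node.', array('!path' => PRINT_PATH)),
  );

  $form['settings']['adv_link'] = array(
    '#type' => 'fieldset',
    '#title' => t('Advanced link options'),
    '#collapsible' => TRUE,
    '#collapsed' => FALSE,
  );

  $form['settings']['adv_link']['print_html_show_link'] = array(
    '#type' => 'radios',
    '#title' => t('Link style'),
    '#default_value' => variable_get('print_html_show_link', PRINT_HTML_SHOW_LINK_DEFAULT),
    '#options' => array(1 => t('Text only'), 2 => t('Icon only'), 3 => t('Icon and Text')),
    '#description' => t('Select the visual style of the link.'),
  );

  $form['settings']['adv_link']['print_html_link_use_alias'] = array(
    '#type' => 'checkbox',
    '#title' => t('Use URL alias instead of node ID'),
    '#default_value' => variable_get('print_html_link_use_alias', PRINT_HTML_LINK_USE_ALIAS_DEFAULT),
    '#description' => t('Enabling this will create the link using the URL alias instead of the node ID.'),
  );

  $form['settings']['adv_link']['print_html_link_class'] = array(
    '#type' => 'textfield',
    '#title' => t('Link class'),
    '#default_value' => variable_get('print_html_link_class', PRINT_HTML_LINK_CLASS_DEFAULT),
    '#size' => 60,
    '#maxlength' => 250,
    '#description' => t('This can be used by themers to change the link style or by jQuery modules to open in a new window (e.g. greybox or thickbox). Multiple classes can be specified, separated by spaces.'),
  );

  $form['settings']['adv_link']['print_html_node_link_visibility'] = array(
    '#type' => 'radios',
    '#title' => t('Link visibility'),
    '#default_value' => variable_get('print_html_node_link_visibility', PRINT_HTML_NODE_LINK_VISIBILITY_DEFAULT),
    '#options' => array(t('Show on every page except the listed pages.'), t('Show on only the listed pages.')),
  );

  $form['settings']['adv_link']['print_html_node_link_pages'] = array(
    '#type' => 'textarea',
    '#default_value' => variable_get('print_html_node_link_pages', PRINT_HTML_NODE_LINK_PAGES_DEFAULT),
    '#rows' => 3,
    '#description' => t("Enter one page per line as Drupal paths. The '*' character is a wildcard. Example paths are %blog for the blog page and %blog-wildcard for every personal blog. %front is the front page.", array('%blog' => 'blog', '%blog-wildcard' => 'blog/*', '%front' => '<front>')),
  );

  $access = user_access('use PHP for link visibility');

  // The node and system page visibility settings share the same PHP-mode
  // handling; apply it to each pair right after the pair is defined so the
  // element order in the form is unchanged.
  _print_html_settings_php_mode($form, 'print_html_node_link_visibility', 'print_html_node_link_pages', $access);

  $form['settings']['adv_link']['print_html_sys_link_visibility'] = array(
    '#type' => 'radios',
    '#title' => t('Show link in system (non-content) pages'),
    '#default_value' => variable_get('print_html_sys_link_visibility', PRINT_HTML_SYS_LINK_VISIBILITY_DEFAULT),
    '#options' => array(t('Show on every page except the listed pages.'), t('Show on only the listed pages.')),
  );

  $form['settings']['adv_link']['print_html_sys_link_pages'] = array(
    '#type' => 'textarea',
    '#default_value' => variable_get('print_html_sys_link_pages', PRINT_HTML_SYS_LINK_PAGES_DEFAULT),
    '#rows' => 3,
    '#description' => t('Setting this option will add a printer-friendly version page link on pages created by Drupal or the enabled modules.') .'<br />'.
                      t("Enter one page per line as Drupal paths. The '*' character is a wildcard. Example paths are %blog for the blog page and %blog-wildcard for every personal blog. %front is the front page.", array('%blog' => 'blog', '%blog-wildcard' => 'blog/*', '%front' => '<front>')),
  );

  _print_html_settings_php_mode($form, 'print_html_sys_link_visibility', 'print_html_sys_link_pages', $access);

  $form['settings']['adv_link']['print_html_book_link'] = array(
    '#type' => 'radios',
    '#title' => t('Link in book hierarchy nodes'),
    '#default_value' => variable_get('print_html_book_link', PRINT_HTML_BOOK_LINK_DEFAULT),
    '#options' => array(t('Book module link not modified'), t('Current page and sub-pages'), t('Current page only')),
  );

  $form['settings']['print_html_new_window'] = array(
    '#type' => 'checkbox',
    '#title' => t('Open the printer-friendly version in a new window'),
    '#default_value' => variable_get('print_html_new_window', PRINT_HTML_NEW_WINDOW_DEFAULT),
    '#description' => t('Setting this option will make the printer-friendly version open in a new window/tab.'),
  );

  $form['settings']['print_html_sendtoprinter'] = array(
    '#type' => 'checkbox',
    '#title' => t('Send to printer'),
    '#default_value' => variable_get('print_html_sendtoprinter', PRINT_HTML_SENDTOPRINTER_DEFAULT),
    '#description' => t("Automatically calls the browser's print function when the printer-friendly version is displayed."),
  );

  $form['settings']['print_robots_settings'] = array(
    '#type' => 'fieldset',
    '#title' => t('Robots META tags'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
  );

  $form['settings']['print_robots_settings']['print_robots_noindex'] = array(
    '#type' => 'checkbox',
    '#title' => t('Add noindex'),
    '#default_value' => variable_get('print_robots_noindex', PRINT_ROBOTS_NOINDEX_DEFAULT),
    '#description' => t('Instruct robots to not index printer-friendly pages. Recommended for good search engine karma.'),
  );

  $form['settings']['print_robots_settings']['print_robots_nofollow'] = array(
    '#type' => 'checkbox',
    '#title' => t('Add nofollow'),
    '#default_value' => variable_get('print_robots_nofollow', PRINT_ROBOTS_NOFOLLOW_DEFAULT),
    '#description' => t('Instruct robots to not follow outgoing links on printer-friendly pages.'),
  );

  $form['settings']['print_robots_settings']['print_robots_noarchive'] = array(
    '#type' => 'checkbox',
    '#title' => t('Add noarchive'),
    '#default_value' => variable_get('print_robots_noarchive', PRINT_ROBOTS_NOARCHIVE_DEFAULT),
    '#description' => t('Non-standard tag to instruct search engines to not show a "Cached" link for your printer-friendly pages. Recognized by Googlebot.'),
  );

  return system_settings_form($form);
}

/**
 * Applies the PHP-mode visibility rules to a visibility/pages element pair.
 *
 * Both pairs live under $form['settings']['adv_link']. When the stored
 * visibility is PHP mode (2) but the current user lacks the PHP permission,
 * both elements are replaced by fixed '#type' => 'value' elements holding the
 * stored settings, so this user cannot alter or downgrade them through the
 * form. When the user does hold the permission, the PHP-mode radio option and
 * its description are added instead.
 *
 * @param array $form
 *   The form array, modified in place.
 * @param string $visibility_key
 *   Key of the visibility radios element.
 * @param string $pages_key
 *   Key of the pages textarea element.
 * @param bool $access
 *   Result of user_access('use PHP for link visibility').
 */
function _print_html_settings_php_mode(&$form, $visibility_key, $pages_key, $access) {
  $adv_link = &$form['settings']['adv_link'];

  if ($adv_link[$visibility_key]['#default_value'] == 2 && !$access) {
    $adv_link[$visibility_key] = array('#type' => 'value', '#value' => 2);
    $adv_link[$pages_key] = array('#type' => 'value', '#value' => $adv_link[$pages_key]['#default_value']);
  }
  elseif ($access) {
    $adv_link[$visibility_key]['#options'][] = t('Show if the following PHP code returns <code>TRUE</code> (PHP-mode, experts only).');
    $adv_link[$pages_key]['#description'] .= ' '. t('If the PHP-mode is chosen, enter PHP code between %php. Note that executing incorrect PHP-code can break your Drupal site.', array('%php' => '<?php ?>'));
  }
}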
328
/**
 * Menu callback for the Printer-friendly pages module text strings settings form.
 *
 * Offers one textfield per overridable text string; each defaults to the
 * translated original until the administrator saves a custom value.
 *
 * @return array
 *   The form array as returned by system_settings_form().
 *
 * @ingroup forms
 */
function print_main_strings_settings() {
  drupal_set_message(t("Saving these strings will disable their translation via Drupal's language system. Use the reset button to return them to the original state."), 'warning');

  $text_fields = array(
    '#type' => 'fieldset',
    '#title' => t('Text strings'),
  );

  // Variable name => default (translatable) text, in display order.
  $defaults = array(
    'print_text_published' => t('Published on %site_name'),
    'print_text_by' => t('By %author'),
    'print_text_created' => t('Created %date'),
    'print_text_source_url' => t('Source URL'),
    'print_text_retrieved' => t('retrieved on %date'),
    'print_text_links' => t('Links'),
  );

  foreach ($defaults as $variable => $default) {
    $text_fields[$variable] = array(
      '#type' => 'textfield',
      '#default_value' => variable_get($variable, $default),
    );
  }

  $form['print_main_text'] = $text_fields;

  return system_settings_form($form);
}
369
/**
 * Menu callback for the Printer-friendly pages HTML text strings settings form.
 *
 * Offers a textfield for the printer-friendly link text, defaulting to the
 * translated original until the administrator saves a custom value.
 *
 * @return array
 *   The form array as returned by system_settings_form().
 *
 * @ingroup forms
 */
function print_html_strings_settings() {
  drupal_set_message(t("Saving these strings will disable their translation via Drupal's language system. Use the reset button to return them to the original state."), 'warning');

  $link_text = array(
    '#type' => 'textfield',
    '#title' => t('Link text'),
    '#default_value' => variable_get('print_html_link_text', t('Printer-friendly version')),
    '#description' => t('Text used in the link to the printer-friendly version.'),
  );

  $form = array(
    'print_html_text' => array(
      '#type' => 'fieldset',
      '#title' => t('Text strings'),
      'print_html_link_text' => $link_text,
    ),
  );

  return system_settings_form($form);
}