Delete the old insecure server-save PHP in favor of a new php-savefile extension, which only works once the user adds a configuration page "savefile_config.php" (where the user should do their own validation). Add this config file and "saved.svg" (the default name used when no filename is supplied) to the SVN ignore list.
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2658 eee81c28-f429-11dd-99c0-75d572ba1ddd
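--- a/editor/extensions/ext-php_savefile.js
+++ b/editor/extensions/ext-php_savefile.js
@@ -0,0 +1,24 @@
+/*globals $, svgCanvas, svgEditor*/
+/*jslint regexp:true*/
+svgEditor.addExtension("php_savefile", {
+callback: function() {
+'use strict';
+function getFileNameFromTitle () {
+var title = svgCanvas.getDocumentTitle();
+return $.trim(title); // .replace(/[^a-z0-9\.\_\-]+/gi, '_'); // We could do this more stringent client-side filtering, but we need to do on the server anyways
+}
+var save_svg_action = 'extensions/savefile.php';
+svgEditor.setCustomHandlers({
+save: function(win, data) {
+var svg = "<?xml version=\"1.0\"?>\n" + data,
+filename = getFileNameFromTitle();
+
+$.post(save_svg_action, {output_svg: svg, filename: filename});
+}
+});
+}
+});
+
+this.saveHandler = function(svg) {'use strict';
+$.post("svg-editor-save.php", {svg_data: svg});
+};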
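Review bot: The trailing `this.saveHandler = function(svg) {...}` after the `svgEditor.addExtension(...)` call still posts to `svg-editor-save.php`, which appears to be the old server-save endpoint this commit says it deletes, and at script top level `this` is the global object, so it also creates a `saveHandler` global that nothing in the extension uses; those three lines should be dropped, or, if some caller still relies on them, pointed at `save_svg_action` with `filename` included. Separately, the `$.post` in the `save` handler has no callback, so a failed or rejected write (for example the server refusing a bad `filename`) is silent to the user; `$.post(save_svg_action, {output_svg: svg, filename: filename}).fail(function () { alert('Save failed'); });` would surface it, assuming the bundled jQuery is 1.5 or newer for the deferred API. The commented-out `.replace(...)` in `getFileNameFromTitle` shows the document title is sent unfiltered, which is only acceptable because `savefile.php` is expected to reject path separators and `..` before writing; a comment stating that contract, `// filename is the untrusted document title; savefile.php must sanitize it before writing`, would keep the next maintainer from relying on client-side filtering that does not exist.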