Shikiryu
/
bookmarklet.shikiryu.com
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

đź”’ SĂ©curise en partie le bookmarklet 

Fix #3
This commit is contained in:
Clement Desmidt 2017-01-17 17:24:56 +01:00
parent 8251df4718
commit fad6af051a
1 changed files with 26 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
index.php
View File

@ -37,10 +37,20 @@ if (isset($_GET['v'])) {
$title = isset($_GET['t']) ? $_GET['t'] : '';
$version = isset($_GET['v']) ? $_GET['v'] : '';
$xpath = isset($_GET['q']) ? $_GET['q'] : '';
$filtered_email = filter_var($email, FILTER_VALIDATE_EMAIL);
$filtered_version = filter_var($version, FILTER_VALIDATE_INT);
$filtered_url = filter_var($url, FILTER_VALIDATE_URL);
if ($filtered_email !== false && $filtered_version !== false && $filtered_url !== false) {
if ($filtered_version !== false && $filtered_url !== false) {
//ADDING STATS
include "XMLSQL.php";
$stats = new XMLSQL('emails.xml');
$filtered_email = $stats->select(['email'])->from('email')->where(null, ['token' => $email])->query();
if (empty($filtered_email)) {
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Invalid token"); });', $_SERVER['HTTP_HOST']);
// TODO log for fail2ban
exit;
} else {
$filtered_email = current($filtered_email);
}
$content = '';
$f = $xpath != '' ? @DomDocument::loadHTMLFile($url) : false;
if ($f) {
@ -59,7 +69,7 @@ if (isset($_GET['v'])) {
$mail = new PHPMailer(true);
$mail->setFrom($config['from_email'], $config['from_name']);
$mail->Subject = 'A new article to read : ' . $title;
$mail->addAddress($email);
$mail->addAddress($filtered_email);
if (!empty($config['bcc'])) {
$mail->addBCC($config['bcc']);
}
@ -68,49 +78,43 @@ if (isset($_GET['v'])) {
else
$mail->Body = '<hr/>' . nl2br($body) . '<hr/>';
if ($mail->send()) {
echo 'loadScript("//' . $_SERVER['HTTP_HOST'].'/js/alertify.min.js",
function() { alertify.alert("Email Sent."); });';
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Email Sent."); });', $_SERVER['HTTP_HOST']);
} else {
echo ':(';
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Problem while sending email. Sorry."); });', $_SERVER['HTTP_HOST']);
}
} catch (phpmailerException $et) {
echo 'alert("Error from sendmail :(");';
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Error from sendmail :("); });', $_SERVER['HTTP_HOST']);
exit;
} catch (Exception $ep) {
echo 'alert("Email from SMTP :(");';
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Email from SMTP :("); });', $_SERVER['HTTP_HOST']);
exit;
}
} else {
if ($filtered_email === false) {
echo 'alert("Invalid Email");';
}
if ($filtered_version === false) {
echo 'alert("Invalid Version");';
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Invalid Version"); });', $_SERVER['HTTP_HOST']);
}
if ($filtered_url === false) {
echo 'alert("Invalid URL");';
echo sprintf('loadScript("//%s/js/alertify.min.js",function() { alertify.alert("Invalid URL"); });', $_SERVER['HTTP_HOST']);
}
}
} else if (isset($_POST['email'])) {
$filtered_email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($filtered_email !== false) {
if ($_POST['html'] == 'on') { // bookmarklet pour l'envoi en HTML
$include = '<a href="javascript:void((function(){if(typeof(jQuery)!=\'function\'){var%20n=document.createElement(\'script\');n.setAttribute(\'src\',\'//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js\');document.getElementsByTagName(\'head\')[0].appendChild(n);}function%20v(){if(typeof(jQuery)==\'function\'){clearInterval(i);c();}}var%20i=window.setInterval(v,100);function%20c(){q=\'\';function%20gx(el){el=el.get(0);xp=\'\';for(;el&&el.nodeType==1;el=el.parentNode){id=jQuery(el.parentNode).children(el.tagName).index(el)+1;id>1?(id=\'[\'+id+\']\'):(id=\'\');xp=\'/\'+el.tagName.toLowerCase()+id+xp;}return%20xp;}jQuery(\'*\').bind(\'mouseenter\',function(){jQuery(\'*\').removeClass(\'shikihover\');jQuery(\'*\').css(\'border\',\'\');jQuery(this).css(\'border\',\'3px%20solid%20yellow\');jQuery(this).addClass(\'shikihover\');});jQuery(\'.shikihover\').live(\'click\',function(){jQuery(\'*\').unbind(\'mouseenter\').removeClass(\'shikihover\');jQuery(this).css(\'border\',\'\');var%20q=\'&q=\'+gx(jQuery(this)),d=document,t=d.title,f=\'//' . $_SERVER['HTTP_HOST'] . substr($_SERVER[PHP_SELF], 0, -9) . '\',m=\'' . $_POST['email'] . '\',l=d.location,e=encodeURIComponent,p=\'?v=1&u=\'+e(l.href)+\'&t=\'+e(t)+\'&m=\'+e(m),u=f+p+q;newScript=d.createElement(\'script\');newScript.type=\'text/javascript\';newScript.src=u;d.body.appendChild(newScript);});}})())">Bookmark by email</a>';
} else { // bookmarklet pour l'envoi normal
$include = "<a href='javascript:var%20d=document,t=d.title,f=\"//" . $_SERVER['HTTP_HOST'] . substr($_SERVER['PHP_SELF'], 0, -9) . "\",m=\"" . $_POST['email'] . "\",l=d.location,e=encodeURIComponent,p=\"?v=1&u=\"+e(l.href)+\"&t=\"+e(t)+\"&m=\"+e(m),u=f+p;var%20ns=document.createElement(\"script\");ns.type=\"text/javascript\";ns.src=u;document.body.appendChild(ns);void(0)'>Bookmark by email</a>";
}
$token = bin2hex(random_bytes(72));
//ADDING STATS
include "XMLSQL.php";
$stats = new XMLSQL('emails.xml');
$stats->insert(array('ip' => getenv('REMOTE_ADDR'), 'date' => date('d/m/Y'), 'email' => $_POST['email']))->into('emails')->query();
$stats->insert(array('ip' => getenv('REMOTE_ADDR'), 'date' => date('d/m/Y'), 'token' => $token, 'email' => $_POST['email']))->into('emails')->query();
if ($_POST['html'] == 'on') { // bookmarklet pour l'envoi en HTML
$include = '<a href="javascript:void((function(){if(typeof(jQuery)!=\'function\'){var%20n=document.createElement(\'script\');n.setAttribute(\'src\',\'//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js\');document.getElementsByTagName(\'head\')[0].appendChild(n);}function%20v(){if(typeof(jQuery)==\'function\'){clearInterval(i);c();}}var%20i=window.setInterval(v,100);function%20c(){q=\'\';function%20gx(el){el=el.get(0);xp=\'\';for(;el&&el.nodeType==1;el=el.parentNode){id=jQuery(el.parentNode).children(el.tagName).index(el)+1;id>1?(id=\'[\'+id+\']\'):(id=\'\');xp=\'/\'+el.tagName.toLowerCase()+id+xp;}return%20xp;}jQuery(\'*\').bind(\'mouseenter\',function(){jQuery(\'*\').removeClass(\'shikihover\');jQuery(\'*\').css(\'border\',\'\');jQuery(this).css(\'border\',\'3px%20solid%20yellow\');jQuery(this).addClass(\'shikihover\');});jQuery(\'.shikihover\').live(\'click\',function(){jQuery(\'*\').unbind(\'mouseenter\').removeClass(\'shikihover\');jQuery(this).css(\'border\',\'\');var%20q=\'&q=\'+gx(jQuery(this)),d=document,t=d.title,f=\'//' . $_SERVER['HTTP_HOST'] . substr($_SERVER['PHP_SELF'], 0, -9) . '\',m=\'' . $token . '\',l=d.location,e=encodeURIComponent,p=\'?v=1&u=\'+e(l.href)+\'&t=\'+e(t)+\'&m=\'+e(m),u=f+p+q;newScript=d.createElement(\'script\');newScript.type=\'text/javascript\';newScript.src=u;d.body.appendChild(newScript);});}})())">Bookmark by email</a>';
} else { // bookmarklet pour l'envoi normal
$include = "<a href='javascript:var%20d=document,t=d.title,f=\"//" . $_SERVER['HTTP_HOST'] . substr($_SERVER['PHP_SELF'], 0, -9) . "\",m=\"" . $token . "\",l=d.location,e=encodeURIComponent,p=\"?v=1&u=\"+e(l.href)+\"&t=\"+e(t)+\"&m=\"+e(m),u=f+p;var%20ns=document.createElement(\"script\");ns.type=\"text/javascript\";ns.src=u;document.body.appendChild(ns);void(0)'>Bookmark by email</a>";
}
} else {
$include = '<p class="error">Invalid email. Please <a href="javascript:history.go(-1);">go back</a></p>';
}
include 'template.php';
} else {
$include = '<form name="bookmarkletGenerator" action="" method="POST">
<input type="email" name="email" id="email" value="" placeholder="email@example.com" /><input type="checkbox" id="html" value="on" name="html" /><label for="html">html?</label>