diff --git a/inc/actions.php b/inc/actions.php
index 345ef8e37b5242326e9f5831463693fbdaab9b26..6208e19704cf9f1ed2cea826566031881e333d13 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -9,6 +9,7 @@
   if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
   require_once(DOKU_INC.'inc/template.php');
 
+
 /**
  * Call the needed action handlers
  *
@@ -22,6 +23,9 @@ function act_dispatch(){
   global $lang;
   global $conf;
 
+  //sanitize $ACT
+  $ACT = act_clean($ACT);
+
   //check permissions
   $ACT = act_permcheck($ACT);
 
@@ -35,7 +39,7 @@ function act_dispatch(){
 
   //edit
   if(($ACT == 'edit' || $ACT == $lang['btn_preview']) && $INFO['editable']){
-    $ACT = act_save($ACT);
+    $ACT = act_edit($ACT);
   }else{
     unlock($ID); //try to unlock 
   }
@@ -55,13 +59,35 @@ function act_dispatch(){
     $ACT = 'show';
   }
 
-  //fixme sanitize $ACT
- 
   //call template FIXME: all needed vars available?
   header('Content-Type: text/html; charset=utf-8'); 
   include(DOKU_INC.'tpl/'.$conf['template'].'/main.php');
 }
 
+/**
+ * Sanitize the action command
+ *
+ * Add all allowed commands here.
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+function act_clean($act){
+  global $lang;
+  global $conf;
+
+  if($act == 'register' && !$conf['openregister'])
+    return 'show';
+
+  if(!array_search($act,array('login','logout','register','save','edit',
+                              $lang['btn_preview'],'export_raw','export_html',
+                              'search','show','check','index','revisions',
+                              'diff','recent','backlink',))){
+    msg('Unknown command',-1);
+    return 'show';
+  }
+  return $act;
+}
+
 /**
  * Run permissionchecks
  *
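Review bot: The allow-list test in act_clean() uses `!array_search(...)`, but array_search() returns the key of the match, so `'login'` at index 0 yields `0`, which negates to true, and the login action is rejected with 'Unknown command'. A membership test fixes this: `if(!in_array($act,array('login','logout',/* same list */),true)){`. The strict flag also stops the allow-list from matching through loose type comparison, which matters because the value returned here is what act_dispatch() and, apparently, the template switch act on. The docblock should also state the contract: `@param string $act` and `@return string`, the accepted action or 'show' when it is rejected.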
@@ -83,6 +109,7 @@ function act_permcheck($act){
     return 'denied';
   }
 
+
   return $act;
 }
 
diff --git a/inc/template.php b/inc/template.php
index 00de7ad673d2ddb80423c572448a65bd9b5e733c..bb2a52352b5c2bf8605ff43124de75d447b62b37 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -95,7 +95,6 @@ function tpl_content(){
       html_login();
       break;
     case 'register':
-      #FIXME check for $conf['openregister']) needs to be done first!!
       html_register();
       break;
     default:
@@ -104,7 +103,6 @@ function tpl_content(){
 }
 
 
-
 /**
  * Print the correct HTML meta headers
  *
@@ -223,12 +221,11 @@ function tpl_button($type){
 /**
  * Print the search form
  *
- * @todo   svcheck missing
  * @author Andreas Gohr <andi@splitbrain.org>
  */
 function tpl_searchform(){
   global $lang;
-  print '<form action="'.wl().'" accept-charset="utf-8" class="search">';
+  print '<form action="'.wl().'" accept-charset="utf-8" class="search" onsubmit="return svchk()">';
   print '<input type="hidden" name="do" value="search" />';
   print '<input type="text" accesskey="f" name="id" class="edit" />';
   print '<input type="submit" value="'.$lang['btn_search'].'" class="button" />';
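Review bot: The `onsubmit="return svchk()"` handler added in tpl_searchform() calls a function that is not defined anywhere in this diff. If a template does not load the script that defines it, the handler throws and the form submits unchecked. Whatever svchk() verifies is therefore a browser-side convenience, and anything the search handler needs guaranteed about `id` still has to be checked on the server. A comment above the print would record the dependency, e.g. `// svchk() comes from <script file, placeholder>; client-side only`. tpl_searchform's body continues outside the hunk.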
diff --git a/tpl/default/layout.css b/tpl/default/layout.css
index c4208c2c6bbbe6dfa365fc8b11431f2f2654c690..2928513161275c05628a9bdd699fc27fe6ae7852 100644
--- a/tpl/default/layout.css
+++ b/tpl/default/layout.css
@@ -55,6 +55,7 @@
 	background:#DEE7EC;
 	padding:2px;
 	margin:0;
+  clear: both;
 }
 
 .bar-left {