Headline
CVE-2023-2688: Diff [2909107:2915978] for wp-file-upload/trunk – WordPress Plugin Repository
The WordPress File Upload and WordPress File Upload Pro plugins for WordPress are vulnerable to Path Traversal in versions up to, and including, 4.19.1 via the vulnerable parameter wfu_newpath. This allows administrator-level attackers to move files uploaded with the plugin (located in wp-content/uploads by default) outside of the web root.
wp-file-upload/trunk/js/wordpress_file_upload_adminfunctions.js
r2909107
r2915978
159
159
val;document.getElementById("wfu\_attribute\_value\_"+attribute).value=val;wfu\_generate\_shortcode();wfu\_update\_formfield\_variables()}}
160
160
function wfu\_update\_formfield\_variables(){var userdata=document.getElementById("wfu\_attribute\_value\_userdatalabel");if(!userdata)return;var shadows=document.querySelectorAll("#wfu\_wrapper div.wfu\_shadow\_userdata");var selects=document.getElementsByName("wfu\_formfield\_select");for(var i=0;i<selects.length;i++)selects\[i\].style.display="none";if(shadows.length==0)return;if(shadows\[0\].style.display=="block")return;var options\_str='<option style="display:none;">%userdataXXX%</option>';var userfields=userdata.value.replace(/\\//g,
161
"\[/\]").replace(/\\(.\*\\)/,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");var ind=2;while(document.getElementById("wfu\_attribute\_userdatalabel"+ind)){var userfields2=document.getElementById("wfu\_attribute\_value\_userdatalabel"+ind).value.replace(/\\//g,"\[/\]").replace(/\\(.\*\\)/,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");userfields=userfields.concat(userfields2);ind++}var field="";var pos=0;ind=1;for(var i=0;i<userfields.length;i++){field=userfields\[i\];if(field\[0\]=="\*")field=field.substr(1);
162
pos=field.indexOf("|");if(pos>-1)field=field.substr(0,pos);if(field.trim()!=""){options\_str+='<option value="%userdata'+ind+'%">'+ind+": "+field.trim()+"</option>";ind++}}for(var i=0;i<selects.length;i++){selects\[i\].innerHTML=options\_str;selects\[i\].style.display="inline-block"}}
161
"\[/\]").replace(/\\(.\*?\\)/g,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");var ind=2;while(document.getElementById("wfu\_attribute\_userdatalabel"+ind)){var userfields2=document.getElementById("wfu\_attribute\_value\_userdatalabel"+ind).value.replace(/\\//g,"\[/\]").replace(/\\(.\*?\\)/g,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");userfields=userfields.concat(userfields2);ind++}var field="";var pos=0;ind=1;for(var i=0;i<userfields.length;i++){field=userfields\[i\];if(field\[0\]=="\*")field=
162
field.substr(1);pos=field.indexOf("|");if(pos>-1)field=field.substr(0,pos);if(field.trim()!=""){options\_str+='<option value="%userdata'+ind+'%">'+ind+": "+field.trim()+"</option>";ind++}}for(var i=0;i<selects.length;i++){selects\[i\].innerHTML=options\_str;selects\[i\].style.display="inline-block"}}
163
163
function wfu\_attach\_element\_handlers(item,handler){var elem\_events=\["DOMAttrModified","textInput","input","change","keypress","paste","focus","propertychange"\];for(var i=0;i<elem\_events.length;i++)wfu\_addEventHandler(item,elem\_events\[i\],handler)}
164
164
function wfu\_Attach\_Admin\_Events(autosave\_shortcode){Autosave=autosave\_shortcode;wfu\_generate\_shortcode();wfu\_update\_formfield\_variables();wfu\_Attach\_Admin\_DragDrop\_Events();var text\_elements=document.getElementsByName("wfu\_text\_elements");for(var i=0;i<text\_elements.length;i++)wfu\_attach\_element\_handlers(text\_elements\[i\],wfu\_update\_text\_value);var ptext\_elements=document.getElementsByName("wfu\_ptext\_elements");for(var i=0;i<ptext\_elements.length;i++)wfu\_attach\_element\_handlers(ptext\_elements\[i\],
…
…
218
218
var title=parts\[3\];var item\_sort="";if(item\_parts.length==1)item\_sort=flat\_name=="custom"?"+-s":sortable?"-+"+sorttype:"";else if(flat\_name=="custom")item\_sort="+"+(item\_parts\[1\]==""?"-s":"+"+item\_parts\[1\]);else item\_sort=sortable?"-"+(item\_parts\[1\]==""?"-":"+")+sorttype:"";if(item\_title=="")item\_title=title;var opt=document.createElement("OPTION");opt.value=item\_name+":"+item\_sort+"/"+label+"/"+item\_title;opt.innerHTML=label+(title!=label?" ("+title+")":"");opt.className=source.options\[ind\].className;
219
219
opt.onclick=source.options\[i\].onclick;target.appendChild(opt)}}wfu\_update\_column\_props(attribute);wfu\_update\_columns(attribute)}else if(type=="dimensions"){var dims=value.split(",");var details,nam,val,item;var group=document.getElementsByName("wfu\_dimension\_elements\_"+attribute);for(var i=0;i<group.length;i++)group\[i\].value="";for(var i=0;i<dims.length;i++){details=dims\[i\].split(":",2);nam=details.length<1?"":details\[0\];val=details.length<2?nam:details\[1\];item=document.getElementById("wfu\_attribute\_"+
220
attribute+"\_"+nam.trim());if(item)item.value=val.trim()}item=group\[0\];wfu\_update\_dimension\_value({target:item})}else if(type=="userfields"){var fields\_arr=value.replace(/\\//g,"\[/\]").replace(/\\(.\*\\)/,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");var is\_req;var fields=Array();for(var i=0;i<fields\_arr.length;i++){is\_req=fields\_arr\[i\].substr(0,1)=="\*";if(is\_req)fields\_arr\[i\]=fields\_arr\[i\].substr(1);if(fields\_arr\[i\]!="")fields.push({name:fields\_arr\[i\],required:is\_req})}var container=document.getElementById("wfu\_attribute\_"+
220
attribute+"\_"+nam.trim());if(item)item.value=val.trim()}item=group\[0\];wfu\_update\_dimension\_value({target:item})}else if(type=="userfields"){var fields\_arr=value.replace(/\\//g,"\[/\]").replace(/\\(.\*?\\)/g,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");var is\_req;var fields=Array();for(var i=0;i<fields\_arr.length;i++){is\_req=fields\_arr\[i\].substr(0,1)=="\*";if(is\_req)fields\_arr\[i\]=fields\_arr\[i\].substr(1);if(fields\_arr\[i\]!="")fields.push({name:fields\_arr\[i\],required:is\_req})}var container=document.getElementById("wfu\_attribute\_"+
221
221
attribute);var first=null;var remove\_array=Array();for(var i=0;i<container.childNodes.length;i++)if(container.childNodes\[i\].nodeType===1)if(first==null)first=container.childNodes\[i\];else remove\_array.push(container.childNodes\[i\]);for(var i=0;i<remove\_array.length;i++)container.removeChild(remove\_array\[i\]);wfu\_userdata\_edit\_field(first,"",false);var newline;var prevline=first;for(var i=0;i<fields.length;i++)if(i==0)wfu\_userdata\_edit\_field(first,fields\[i\].name,fields\[i\].required);else{newline=prevline.cloneNode(true);
222
222
wfu\_userdata\_edit\_field(newline,fields\[i\].name,fields\[i\].required);container.insertBefore(newline,prevline.nextSibling);prevline=newline}var item;for(var i=0;i<first.childNodes.length;i++){item=first.childNodes\[i\];if(item.tagName=="INPUT")break}wfu\_update\_userfield\_value({target:item})}else if(type=="formfields"){var fields=Array();var fielddefs=window\["wfu\_attribute\_"+attribute+"\_typeprops"\];var fielddef\_array=fielddefs\[0\].split(",");var defaults={};for(var i=0;i<fielddef\_array.length;i++){var fielddef=
223
223
fielddefs\[fielddef\_array\[i\]\];var def={};def.type=fielddef\_array\[i\];def.label=fielddef.label;def.labelposition=fielddef.labelposition.substr(5);def.required=fielddef.required.substr(5)=="true";def.donotautocomplete=fielddef.donotautocomplete.substr(5)=="true";def.validate=fielddef.validate.substr(5)=="true";def.typehook=fielddef.typehook.substr(5)=="true";def.hintposition=fielddef.hintposition.substr(5);def\["default"\]=fielddef\["default"\].substr(5);def.data=fielddef.data.substr(5);def.group=fielddef.group.substr(5);
224
def.format=fielddef.format.substr(5);defaults\[fielddef\_array\[i\]\]=def}var fields\_arr=value.replace(/\\//g,"\[/\]").replace(/\\(.\*\\)/,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");for(var i=0;i<fields\_arr.length;i++){var field\_raw=fields\_arr\[i\].trim();var fieldprops={};for(prop in defaults\["text"\])fieldprops\[prop\]=defaults\["text"\]\[prop\];if(field\_raw.substr(0,1)=="\*"){fieldprops.required=true;field\_raw=field\_raw.substr(1)}var field\_parts=field\_raw.split("|");if(field\_parts\[0\].trim()!=""){var type\_key=
224
def.format=fielddef.format.substr(5);defaults\[fielddef\_array\[i\]\]=def}var fields\_arr=value.replace(/\\//g,"\[/\]").replace(/\\(.\*?\\)/g,function(m){return m.replace(/\\\[\\/\\\]/g,"/")}).split("\[/\]");for(var i=0;i<fields\_arr.length;i++){var field\_raw=fields\_arr\[i\].trim();var fieldprops={};for(prop in defaults\["text"\])fieldprops\[prop\]=defaults\["text"\]\[prop\];if(field\_raw.substr(0,1)=="\*"){fieldprops.required=true;field\_raw=field\_raw.substr(1)}var field\_parts=field\_raw.split("|");if(field\_parts\[0\].trim()!=""){var type\_key=
225
225
\-1;var new\_type="";for(var j=0;j<field\_parts.length;j++){var part=field\_parts\[j\].replace(/^\\s+/gm,"");var flag=part.substr(0,2);var val=part.substr(2);if(flag=="t:"&&j>0&&fielddef\_array.indexOf(val)>-1){new\_type=val;type\_key=j;break}}if(new\_type!=""){for(prop in defaults\[new\_type\])fieldprops\[prop\]=defaults\[new\_type\]\[prop\];field\_parts.splice(type\_key,1)}fieldprops.label=field\_parts\[0\].trim();field\_parts.splice(0,1);for(var j=0;j<field\_parts.length;j++){var part=field\_parts\[j\].replace(/^\\s+/gm,"");
226
226
var flag=part.substr(0,2);var val=part.substr(2);if(flag=="s:")fieldprops.labelposition=val;else if(flag=="r:")fieldprops.required=val=="1";else if(flag=="a:")fieldprops.donotautocomplete=val=="1";else if(flag=="v:")fieldprops.validate=val=="1";else if(flag=="d:")fieldprops\["default"\]=val;else if(flag=="l:")fieldprops.data=val;else if(flag=="g:")fieldprops.group=val;else if(flag=="f:")fieldprops.format=val;else if(flag=="p:")fieldprops.hintposition=val;else if(flag=="h:")fieldprops.typehook=val==
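Review bot: On new line 162, `wfu_update_formfield_variables` still concatenates each field label into `options_str` and assigns it with `selects[i].innerHTML=options_str`, so any markup in the `wfu_attribute_value_userdatalabel` input is parsed as HTML on the admin page. Whether that value can originate from anyone other than the editing administrator is not visible in this section. The label should be written as text, for example by creating each option with `document.createElement("option")` and setting `opt.textContent`, as sketched below. Separately, the lazy `/\(.*?\)/g` closes at the first `)`, so a slash inside nested parentheses would presumably still be treated as a field separator; that case deserves a test if nesting is valid in field definitions. The same replace/split expression is repeated on new lines 161, 220 and 224, and a shared helper in the unminified source (if one exists) would keep the copies in step.

```javascript
// … unchanged: userfields parsing up to the label loop …
var labels=[];
for(var i=0;i<userfields.length;i++){
  // … unchanged: strip the leading "*" and anything after "|" into field …
  if(field.trim()!="")labels.push(field.trim());
}
for(var i=0;i<selects.length;i++){
  selects[i].innerHTML='<option style="display:none;">%userdataXXX%</option>';
  for(var j=0;j<labels.length;j++){
    var opt=document.createElement("option");
    opt.value="%userdata"+(j+1)+"%";
    // textContent keeps the label as plain text instead of parsing it as HTML
    opt.textContent=(j+1)+": "+labels[j];
    selects[i].appendChild(opt);
  }
  selects[i].style.display="inline-block";
}
```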
wp-file-upload/trunk/js/wordpress_file_upload_functions.js
r2909107
r2915978
8
8
item\[section\].func;if(func!=null){val=func.apply(this,Array.prototype.slice.call(arguments,1));arguments\[1\]=val}}return val};this.do\_action=function(section){var idlist=this.\_calc\_prioritized\_list(section);if(idlist.length==0)return;for(var i=0;i<idlist.length;i++){var item=this.items\[idlist\[i\]\];var func=null;if(typeof item\[section\]=="function")func=item\[section\];else if(typeof item\[section\].func=="function")func=item\[section\].func;if(func!=null)func.apply(this,Array.prototype.slice.call(arguments,
9
9
1))}}}
10
function wfu\_plugin\_load\_action(sid){var WFU=GlobalData.WFU\[sid\];wfu\_install\_unload\_hook();if(!!WFU.visualeditorbutton\_exist){WFU.visualeditorbutton.init();var invoke\_function=function(){wfu\_invoke\_shortcode\_editor(WFU)};WFU.visualeditorbutton.attachInvokeHandler(invoke\_function)}if(WFU.is\_formupload)WFU.uploadaction=function(){wfu\_redirect\_to\_classic(sid,0,0)};else WFU.uploadaction=function(){wfu\_HTML5UploadFile(sid)};var clickaction=function(){wfu\_selectbutton\_clicked(sid)};var changeaction=function(fileselected){var WFU\=
11
GlobalData.WFU\[sid\];var usefilearray=0;wfu\_selectbutton\_changed(sid,usefilearray);wfu\_update\_uploadbutton\_status(sid);if(WFU.singlebutton&&fileselected)WFU.uploadaction()};if(!!WFU.uploadform\_exist)WFU.uploadform.attachActions(clickaction,changeaction);var completeaction=function(status){document.getElementById("consentresult\_"+sid).value=status};if(!!WFU.consent\_exist){WFU.consent.attachActions(completeaction);WFU.consent.update("init")}if(!!WFU.submit\_exist){if(WFU.testmode)clickaction=function(){alert(GlobalData.consts.notify\_testmode)};
12
else clickaction=function(){WFU.uploadaction()};WFU.submit.attachClickAction(clickaction)}}function wfu\_install\_unload\_hook(){window.onbeforeunload=wfu\_unload\_hook}function wfu\_unload\_hook(){if(GlobalData.UploadInProgressString!="")if(GlobalData.UploadInProgressString.trim()!="")return GlobalData.consts.wfu\_pageexit\_prompt}
10
function wfu\_plugin\_load\_action(sid){var WFU=GlobalData.WFU\[sid\];wfu\_Code\_Objects\[sid\].do\_action("pre\_load");wfu\_install\_unload\_hook();if(!!WFU.visualeditorbutton\_exist){WFU.visualeditorbutton.init();var invoke\_function=function(){wfu\_invoke\_shortcode\_editor(WFU)};WFU.visualeditorbutton.attachInvokeHandler(invoke\_function)}if(WFU.is\_formupload)WFU.uploadaction=function(){wfu\_redirect\_to\_classic(sid,0,0)};else WFU.uploadaction=function(){wfu\_HTML5UploadFile(sid)};var clickaction=function(){wfu\_selectbutton\_clicked(sid)};var changeaction\=
11
function(fileselected){var WFU=GlobalData.WFU\[sid\];var usefilearray=0;wfu\_selectbutton\_changed(sid,usefilearray);wfu\_update\_uploadbutton\_status(sid);if(WFU.singlebutton&&fileselected)WFU.uploadaction()};if(!!WFU.uploadform\_exist)WFU.uploadform.attachActions(clickaction,changeaction);var completeaction=function(status){wfu\_set\_stored\_formdata(sid,"consentresult\_"+sid,status)};if(!!WFU.consent\_exist){WFU.consent.attachActions(completeaction);WFU.consent.update("init")}if(!!WFU.submit\_exist){if(WFU.testmode)clickaction=
12
function(){alert(GlobalData.consts.notify\_testmode)};else clickaction=function(){WFU.uploadaction()};WFU.submit.attachClickAction(clickaction)}}function wfu\_install\_unload\_hook(){window.onbeforeunload=wfu\_unload\_hook}function wfu\_unload\_hook(){if(GlobalData.UploadInProgressString!="")if(GlobalData.UploadInProgressString.trim()!="")return GlobalData.consts.wfu\_pageexit\_prompt}
13
13
function wfu\_Check\_Browser\_Capabilities(){if(typeof wfu\_BrowserCaps!="undefined")return;wfu\_BrowserCaps=new Object;var xmlhttp=wfu\_GetHttpRequestObject();wfu\_BrowserCaps.supportsAJAX=xmlhttp!=null;wfu\_BrowserCaps.supportsUploadProgress=!!(xmlhttp&&"upload"in xmlhttp&&"onprogress"in xmlhttp.upload);var fd=null;try{var fd=new FormData}catch(e$0){}wfu\_BrowserCaps.supportsHTML5=fd!=null;var e=document.createElement("iframe");wfu\_BrowserCaps.supportsIFRAME=e!=null;wfu\_BrowserCaps.supportsDRAGDROP=window.FileReader?
14
14
true:false;wfu\_BrowserCaps.supportsAnimation=wfu\_check\_animation();wfu\_BrowserCaps.isSafari=Object.prototype.toString.call(window.HTMLElement).indexOf("Constructor")>0}
…
…
23
23
function wfu\_add\_files(sid,files){var WFU=GlobalData.WFU\[sid\];if(typeof WFU.filearray=="undefined"){WFU.filearray=Array();WFU.filearrayprops=Array()}if(!!WFU.uploadform\_exist)WFU.uploadform.reset();WFU.filearray.length=WFU.filearrayprops.length=0;for(var i=0;i<files.length;i++){WFU.filearray.push(files\[i\].file);WFU.filearrayprops.push(files\[i\].props)}}
24
24
function wfu\_attach\_cancel\_event(sid,unique\_upload\_id){function wfu\_cancel\_classic\_upload\_final(){var Params=wfu\_Initialize\_Params();Params.general.shortcode\_id=sid;Params.general.unique\_id="";Params.general.files\_count=0;Params.general.state=16;wfu\_ProcessUploadComplete(sid,0,Params,"no-ajax","",\[false,null,false\]);if(!!WFU.uploadform\_exist){WFU.uploadform.reset();WFU.uploadform.submit();WFU.uploadform.lock()}}function wfu\_cancel\_classic\_upload(){var url=GlobalData.consts.ajax\_url+"?action=wfu\_ajax\_action\_cancel\_upload&wfu\_uploader\_nonce="+
25
document.getElementById("wfu\_uploader\_nonce\_"+sid).value+"&sid="+sid+"&unique\_id="+unique\_upload\_id+"&session\_token="+GlobalData.WFU\[sid\].session;var xmlhttp=wfu\_GetHttpRequestObject();if(xmlhttp==null){var i=document.createElement("iframe");if(i){i.style.display="none";i.src=url;document.body.appendChild(i);i.onload=function(){wfu\_cancel\_classic\_upload\_final()};return}}xmlhttp.open("GET",url,true);xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4&&xmlhttp.status==200)wfu\_cancel\_classic\_upload\_final()};
25
wfu\_get\_stored\_formdata(sid,"wfu\_uploader\_nonce\_"+sid)+"&sid="+sid+"&unique\_id="+unique\_upload\_id+"&session\_token="+GlobalData.WFU\[sid\].session;var xmlhttp=wfu\_GetHttpRequestObject();if(xmlhttp==null){var i=document.createElement("iframe");if(i){i.style.display="none";i.src=url;document.body.appendChild(i);i.onload=function(){wfu\_cancel\_classic\_upload\_final()};return}}xmlhttp.open("GET",url,true);xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4&&xmlhttp.status==200)wfu\_cancel\_classic\_upload\_final()};
26
26
xmlhttp.send(null)}var WFU=GlobalData.WFU\[sid\];if(!!WFU.textbox\_exist){var textbox\_cancel\_function=function(){var answer=false;if(WFU.is\_formupload){answer=confirm(GlobalData.consts.cancel\_upload\_prompt);if(answer==true)wfu\_cancel\_classic\_upload()}else{if(!GlobalData\[sid\]||GlobalData\[sid\].xhrs.length==0)return false;var answer=confirm(GlobalData.consts.cancel\_upload\_prompt);if(answer==true){var farr=wfu\_get\_filelist(sid);var firstxhr=\[\];var filename=\[\];for(var i=0;i<farr.length;i++){firstxhr.push(null);
27
27
filename.push(farr\[i\].name)}for(var i=0;i<GlobalData\[sid\].xhrs.length;i++){var file\_ind=GlobalData\[sid\].xhrs\[i\].file\_id-1;if(file\_ind>=0&&firstxhr\[file\_ind\]==null)firstxhr\[file\_ind\]=GlobalData\[sid\].xhrs\[i\]}if(WFU.debugmode)console.log("upload cancelled!");for(var i=0;i<firstxhr.length;i++){if(firstxhr\[i\]==null){firstxhr\[i\]=wfu\_GetHttpRequestObject();if(firstxhr\[i\]!=null)wfu\_initialize\_fileupload\_xhr(firstxhr\[i\],sid,unique\_upload\_id,i,filename\[i\])}if(firstxhr\[i\]!=-1){var evt={target:{responseText:"force\_cancel\_code",
…
…
30
30
function wfu\_selectbutton\_clicked(sid){var WFU=GlobalData.WFU\[sid\];if(!!WFU.message\_exist)WFU.message.reset();var resetform=true;if(resetform)if(!!WFU.uploadform\_exist)WFU.uploadform.reset()}function wfu\_update\_uploadbutton\_status(sid){var WFU=GlobalData.WFU\[sid\];if(!!WFU.submit\_exist){var submit=WFU.submit;var farr=wfu\_get\_filelist(sid);var status=farr.length>0||WFU.allownofile;status=wfu\_Code\_Objects\[sid\].apply\_filters("uploadbutton\_status",status);submit.toggle(status)}}
31
31
function wfu\_update\_filename\_text(sid){var WFU=GlobalData.WFU\[sid\];if(!!WFU.textbox\_exist){var farr=wfu\_get\_filelist(sid);var filenames=\[\];for(var i=0;i<farr.length;i++)filenames.push(farr\[i\].name);WFU.textbox.update("set",filenames)}}
32
function wfu\_init\_userdata\_handlers(sid,key){var WFU=GlobalData.WFU\[sid\];var props=WFU.userdata.props\[key\];var JS=WFU.userdata.codes\[key\];var obj=WFU.userdata;JS.init=function(){};JS.value=function(){return""};JS.lock=function(){};JS.unlock=function(){};JS.reset=function(){};JS.empty=function(){return""};JS.validate=null;JS.typehook=null;if(props.type=="text"){JS.init=function(){obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};
33
JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="multitext"){JS.init=function(){obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===
34
""?obj.error\_empty:""}}else if(props.type=="number"){JS.init=function(){obj.attachHandlers(props,function(e){if(props.typehook)JS.typehook(e);else props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""};JS.validate=function(){var re=/^(\\+|\\-)?\[0-9\]\*$/i;if(props.format\==
35
"f")re=/^(\\+|\\-)?\[0-9\]\*?\\.?\[0-9\]\*$/i;return re.test(obj.getValue(props))?"":obj.error\_invalid\_number};JS.typehook=function(e){var re=/^(\\+|\\-)?\[0-9\]\*$/i;if(props.format=="f")re=/^(\\+|\\-)?\[0-9\]\*?\\.?\[0-9\]\*$/i;if(re.test(e.target.value))props.store();else e.target.value=props.getstored()}}else if(props.type=="email"){JS.init=function(){obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};
36
JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""};JS.validate=function(){if(obj.getValue(props)=="")return"";var re=/^(\[\\w-\]+(?:\\.\[\\w-\]+)\*)@((?:\[\\w-\]+\\.)\*\\w\[\\w-\]{0,66})\\.(\[a-z\]{2,6}(?:\\.\[a-z\]{2})?)$/i;return re.test(obj.getValue(props))?"":obj.error\_invalid\_email}}else if(props.type=="confirmemail"){JS.init=function(){obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};
37
JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""};JS.validate=function(){var baseprops=null;for(var i=0;i<WFU.userdata.props.length;i++)if(WFU.userdata.props\[i\]&&WFU.userdata.props\[i\].type=="email"&&WFU.userdata.props\[i\].group==props.group){baseprops=WFU.userdata.props\[i\];break}return baseprops!=null?obj.getValue(props)==obj.getValue(baseprops)?
38
"":obj.error\_confirm\_email\_nomatch:obj.error\_confirm\_email\_nobase}}else if(props.type=="password"){JS.init=function(){obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="confirmpassword"){JS.init=function(){obj.attachHandlers(props,
39
function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""};JS.validate=function(){var baseprops=null;for(var i=0;i<WFU.userdata.props.length;i++)if(WFU.userdata.props\[i\]&&WFU.userdata.props\[i\].type=="password"&&WFU.userdata.props\[i\].group==props.group){baseprops=
40
WFU.userdata.props\[i\];break}return baseprops!=null?obj.getValue(props)==obj.getValue(baseprops)?"":obj.error\_confirm\_password\_nomatch:obj.error\_confirm\_password\_nobase}}else if(props.type=="checkbox"){JS.init=function(){obj.initField(props);obj.setValue(props,props\["default"\]=="true");obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)?"true":"false"};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,
41
props\["default"\]=="true");props.store()};JS.empty=function(){return!obj.getValue(props)?obj.error\_checkbox\_notchecked:""}}else if(props.type=="radiobutton"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?
42
obj.error\_radio\_notselected:""}}else if(props.type=="date"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){def=props\["default"\].trim();if(def.substr(0,1)=="("&&def.substr(def.length-1,1)==")")def=def.substr(1,def.length-2);else def="";obj.setValue(props,def);props.store()};JS.empty=function(){return obj.getValue(props)===
43
""?obj.error\_empty:""}}else if(props.type=="time"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){def=props\["default"\].trim();if(def.substr(0,1)=="("&&def.substr(def.length-1,1)==")")def=def.substr(1,def.length-2);else def="";obj.setValue(props,def);props.store()};JS.empty=function(){return obj.getValue(props)===
44
""?obj.error\_empty:""}}else if(props.type=="datetime"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){def=props\["default"\].trim();if(def.substr(0,1)=="("&&def.substr(def.length-1,1)==")")def=def.substr(1,def.length-2);else def="";obj.setValue(props,def);props.store()};JS.empty=function(){return obj.getValue(props)===
45
""?obj.error\_empty:""}}else if(props.type=="list"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="dropdown"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,
46
function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="honeypot"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};
47
JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}JS.init()}function wfu\_Redirect(link){window.location=link}function wfu\_loadStart(evt){}
32
function wfu\_init\_userdata\_handlers(sid,key){var WFU=GlobalData.WFU\[sid\];var props=WFU.userdata.props\[key\];var JS=WFU.userdata.codes\[key\];var obj=WFU.userdata;JS.init=function(){};JS.value=function(){return""};JS.lock=function(){};JS.unlock=function(){};JS.reset=function(){};JS.empty=function(){return""};JS.validate=null;JS.typehook=null;if(props.type=="text"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};
33
JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="multitext"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,
34
props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="number"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){if(props.typehook)JS.typehook(e);else props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)=\==
35
""?obj.error\_empty:""};JS.validate=function(){var re=/^(\\+|\\-)?\[0-9\]\*$/i;if(props.format=="f")re=/^(\\+|\\-)?\[0-9\]\*?\\.?\[0-9\]\*$/i;return re.test(obj.getValue(props))?"":obj.error\_invalid\_number};JS.typehook=function(e){var re=/^(\\+|\\-)?\[0-9\]\*$/i;if(props.format=="f")re=/^(\\+|\\-)?\[0-9\]\*?\\.?\[0-9\]\*$/i;if(re.test(e.target.value))props.store();else e.target.value=props.getstored()}}else if(props.type=="email"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=
36
function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""};JS.validate=function(){if(obj.getValue(props)=="")return"";var re=/^(\[\\w-\]+(?:\\.\[\\w-\]+)\*)@((?:\[\\w-\]+\\.)\*\\w\[\\w-\]{0,66})\\.(\[a-z\]{2,6}(?:\\.\[a-z\]{2})?)$/i;return re.test(obj.getValue(props))?"":obj.error\_invalid\_email}}else if(props.type=="confirmemail"){JS.init=
37
function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""};JS.validate=function(){var baseprops=null;for(var i=0;i<WFU.userdata.props.length;i++)if(WFU.userdata.props\[i\]&&WFU.userdata.props\[i\].type=="email"&&
38
WFU.userdata.props\[i\].group==props.group){baseprops=WFU.userdata.props\[i\];break}return baseprops!=null?obj.getValue(props)==obj.getValue(baseprops)?"":obj.error\_confirm\_email\_nomatch:obj.error\_confirm\_email\_nobase}}else if(props.type=="password"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,
39
props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="confirmpassword"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:
40
""};JS.validate=function(){var baseprops=null;for(var i=0;i<WFU.userdata.props.length;i++)if(WFU.userdata.props\[i\]&&WFU.userdata.props\[i\].type=="password"&&WFU.userdata.props\[i\].group==props.group){baseprops=WFU.userdata.props\[i\];break}return baseprops!=null?obj.getValue(props)==obj.getValue(baseprops)?"":obj.error\_confirm\_password\_nomatch:obj.error\_confirm\_password\_nobase}}else if(props.type=="checkbox"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};
41
JS.value=function(){return obj.getValue(props)?"true":"false"};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]=="true");props.store()};JS.empty=function(){return!obj.getValue(props)?obj.error\_checkbox\_notchecked:""}}else if(props.type=="radiobutton"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};
42
JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_radio\_notselected:""}}else if(props.type=="date"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){def=props\["default"\].trim();if(def.substr(0,
43
1)=="("&&def.substr(def.length-1,1)==")")def=def.substr(1,def.length-2);else def="";obj.setValue(props,def);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="time"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){def=props\["default"\].trim();if(def.substr(0,
44
1)=="("&&def.substr(def.length-1,1)==")")def=def.substr(1,def.length-2);else def="";obj.setValue(props,def);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="datetime"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){def=props\["default"\].trim();if(def.substr(0,
45
1)=="("&&def.substr(def.length-1,1)==")")def=def.substr(1,def.length-2);else def="";obj.setValue(props,def);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="list"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);
46
props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type=="dropdown"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}else if(props.type==
47
"honeypot"){JS.init=function(){obj.initField(props);obj.attachHandlers(props,function(e){props.store()})};JS.value=function(){return obj.getValue(props)};JS.lock=function(){obj.disable(props)};JS.unlock=function(){obj.enable(props)};JS.reset=function(){obj.setValue(props,props\["default"\]);props.store()};JS.empty=function(){return obj.getValue(props)===""?obj.error\_empty:""}}JS.init()}function wfu\_Redirect(link){window.location=link}function wfu\_loadStart(evt){}
48
48
function wfu\_update\_upload\_metrics(sid){var totalsize=0;var totalloaded=0;var totaldelta=0;var metrics=Array();var farr=wfu\_get\_filelist(sid);for(var i=0;i<farr.length;i++)metrics\[i\]={size:farr\[i\].size,aborted:false,loaded:0,delta:0};for(var i=0;i<GlobalData\[sid\].xhrs.length;i++){var file\_id=GlobalData\[sid\].xhrs\[i\].file\_id;if(file\_id>0&&GlobalData\[sid\].xhrs\[i\].aborted&&metrics\[file\_id-1\])metrics\[file\_id-1\].aborted=true}for(var i=0;i<GlobalData\[sid\].xhrs.length;i++){var file\_id=GlobalData\[sid\].xhrs\[i\].file\_id;
49
49
if(file\_id>0&&metrics\[file\_id-1\]&&!metrics\[file\_id-1\].aborted){metrics\[file\_id-1\].size=Math.max(GlobalData\[sid\].xhrs\[i\].totalsize,metrics\[file\_id-1\].size);metrics\[file\_id-1\].loaded+=GlobalData\[sid\].xhrs\[i\].sizeloaded;metrics\[file\_id-1\].delta+=Math.max(GlobalData\[sid\].xhrs\[i\].deltaloaded,0)}else if(file\_id>0&&metrics\[file\_id-1\]&&metrics\[file\_id-1\].aborted){if(!metrics\[file\_id-1\].hasOwnProperty("abort\_metrics"))metrics\[file\_id-1\].abort\_metrics={size:farr\[file\_id-1\].size,loaded:0,delta:0};metrics\[file\_id-
…
…
83
83
suffix\].color,bgcolor:GlobalData.States\["State"+final\_upload\_state+suffix\].bgcolor,borcolor:GlobalData.States\["State"+final\_upload\_state+suffix\].borcolor,message1:GlobalData.States\["State"+final\_upload\_state+suffix\].message,message2:nonadmin\_message,message3:admin\_message,debug\_data:G.admin\_messages.debug,files:\[\]};for(var i=0;i<Params.general.files\_count;i++)data.files\[i\]={index:i+file\_id,result:Params\[i\].message\_type,message1:Params\[i\].header,message2:Params\[i\].message,message3:Params\[i\].admin\_messages};
84
84
WFU.message.update(data)}if(js\_script\_enc)eval(wfu\_plugin\_decode\_string(js\_script\_enc));if(do\_redirect)wfu\_Redirect(G.redirect\_link);return G.last}function wfu\_uploadFailed(evt,debugmode){if(debugmode){console.log("failure report following");console.log(evt)}var xhr=evt.target;var new\_evt={target:{responseText:"",shortcode\_id:xhr.shortcode\_id}};wfu\_uploadComplete.call(xhr,new\_evt)}function wfu\_uploadCanceled(evt){}
85
function wfu\_notify\_server\_upload\_ended(sid,unique\_id){var WFU=GlobalData.WFU\[sid\];var xhr=wfu\_GetHttpRequestObject();if(xhr==null)return;var url=GlobalData.consts.ajax\_url;params=new Array(6);params\[0\]=new Array(2);params\[0\]\[0\]="action";params\[0\]\[1\]="wfu\_ajax\_action";params\[1\]=new Array(2);params\[1\]\[0\]="wfu\_uploader\_nonce";params\[1\]\[1\]=document.getElementById("wfu\_uploader\_nonce\_"+sid).value;params\[2\]=new Array(2);params\[2\]\[0\]="uniqueuploadid\_"+sid;params\[2\]\[1\]=unique\_id;params\[3\]=new Array(2);params\[3\]\[0\]=
85
function wfu\_notify\_server\_upload\_ended(sid,unique\_id){var WFU=GlobalData.WFU\[sid\];var xhr=wfu\_GetHttpRequestObject();if(xhr==null)return;var url=GlobalData.consts.ajax\_url;params=new Array(6);params\[0\]=new Array(2);params\[0\]\[0\]="action";params\[0\]\[1\]="wfu\_ajax\_action";params\[1\]=new Array(2);params\[1\]\[0\]="wfu\_uploader\_nonce";params\[1\]\[1\]=wfu\_get\_stored\_formdata(sid,"wfu\_uploader\_nonce\_"+sid);params\[2\]=new Array(2);params\[2\]\[0\]="uniqueuploadid\_"+sid;params\[2\]\[1\]=unique\_id;params\[3\]=new Array(2);params\[3\]\[0\]=
86
86
"params\_index";params\[3\]\[1\]=WFU.params\_index;params\[4\]=new Array(2);params\[4\]\[0\]="session\_token";params\[4\]\[1\]=WFU.session;params\[5\]=new Array(2);params\[5\]\[0\]="upload\_finished";params\[5\]\[1\]=1;var parameters="";for(var i=0;i<params.length;i++)parameters+=(i>0?"&":"")+params\[i\]\[0\]+"="+encodeURI(params\[i\]\[1\]);xhr.open("POST",url,true);xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");xhr.onreadystatechange=function(){if(xhr.readyState==4)if(xhr.status==200)wfu\_Code\_Objects\[sid\].do\_action("after\_upload",
87
87
xhr.responseText)};xhr.send(parameters)}
…
…
90
90
function wfu\_redirect\_to\_classic(sid,flag,adminerrorcode){var WFU=GlobalData.WFU\[sid\];WFU.is\_formupload=true;var numfiles=wfu\_filesselected(sid);if(numfiles==0&&!WFU.allownofile)return;if(!!WFU.subfolders\_exist&&numfiles>0&&!WFU.subfolders.check())return;if(!wfu\_check\_required\_userdata(sid,true))return;if(!wfu\_Code\_Objects\[sid\].apply\_filters("pre\_start\_check",true))return;wfu\_redirect\_to\_classic\_cont(sid,flag,adminerrorcode)}
91
91
function wfu\_redirect\_to\_classic\_cont(sid,flag,adminerrorcode){var process\_function=function(responseText){var WFU=GlobalData.WFU\[sid\];var txt\_value="";var session\_token=WFU.session;var success\_txt="wfu\_askserver\_success:";var error\_txt="wfu\_askserver\_error:";var pos\_success=responseText.indexOf(success\_txt);var pos\_error=responseText.indexOf(error\_txt);if(pos\_success>-1){txt\_value=responseText.substr(pos\_success+success\_txt.length);var numfiles=wfu\_filesselected(sid);var nofileupload=numfiles==0&&
92
WFU.allownofile;wfu\_Code\_Objects\[sid\].do\_action("askserver\_success",txt\_value,"no-ajax");if(!!WFU.progressbar\_exist&&!nofileupload)WFU.progressbar.show("shuffle");wfu\_attach\_cancel\_event(sid,unique\_id);var Params=wfu\_Initialize\_Params();Params.general.shortcode\_id=sid;Params.general.unique\_id="";Params.general.files\_count=numfiles;if(nofileupload)Params.general.state=13;wfu\_ProcessUploadComplete(sid,0,Params,"no-ajax","",\[false,null,false\]);document.getElementById("uniqueuploadid\_"+sid).value=unique\_id;
93
document.getElementById("nofileupload\_"+sid).value=nofileupload?"1":"0";var suffix="";var redirected\_txt="";if(flag==1)redirected\_txt="\_redirected";if(!!WFU.uploadform\_exist){WFU.uploadform.changeFileName("uploadedfile\_"+sid+redirected\_txt+suffix);document.getElementById("uploadedfile\_"+sid+"\_name").name="uploadedfile\_"+sid+redirected\_txt+"\_name";document.getElementById("uploadedfile\_"+sid+"\_size").name="uploadedfile\_"+sid+redirected\_txt+"\_size"}if(adminerrorcode>0)document.getElementById("adminerrorcodes\_"+
94
sid).value=adminerrorcode;else document.getElementById("adminerrorcodes\_"+sid).value="";if(!!WFU.uploadform\_exist){WFU.uploadform.submit();WFU.uploadform.lock()}}else if(pos\_error>-1){txt\_value=responseText.substr(pos\_error+error\_txt.length);wfu\_unlock\_upload(sid);wfu\_Code\_Objects\[sid\].do\_action("askserver\_error",txt\_value)}};var unique\_id=wfu\_randomString(10);wfu\_lock\_upload(sid);wfu\_Code\_Objects\[sid\].do\_action("pre\_start");var pass\_params="";var params\_obj=wfu\_Code\_Objects\[sid\].apply\_filters("askserver\_pass\_params",
95
{});for(var prop in params\_obj)if(params\_obj.hasOwnProperty(prop))pass\_params+="&"+prop+"="+params\_obj\[prop\];var d=new Date;var url=GlobalData.consts.ajax\_url+"?action=wfu\_ajax\_action\_ask\_server&wfu\_uploader\_nonce="+document.getElementById("wfu\_uploader\_nonce\_"+sid).value+"&sid="+sid+"&unique\_id="+unique\_id+"&start\_time="+d.getTime()+"&session\_token="+GlobalData.WFU\[sid\].session+pass\_params;var xmlhttp=wfu\_GetHttpRequestObject();if(xmlhttp==null){var i=document.createElement("iframe");if(i){i.style.display=
96
"none";i.src=url;document.body.appendChild(i);i.onload=function(){process\_function(i.contentDocument.body.innerHTML)};return}else{wfu\_Code\_Objects\[sid\].do\_action("not\_supported");return}}xmlhttp.open("GET",url,true);xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4)if(xmlhttp.status==200)process\_function(xmlhttp.responseText);else{alert(GlobalData.consts.remoteserver\_noresult);wfu\_Code\_Objects\[sid\].do\_action("askserver\_noresult")}};xmlhttp.send(null)}
97
Code\_Initializators\[Code\_Initializators.length\]=function(sid){var CBUV\_Code\_Objects={};CBUV\_Code\_Objects.pre\_start\_check=function(attr){if(!attr)return attr;var sid=this.sid;var result=true;if(!!GlobalData.WFU\[sid\].consent\_exist){if(GlobalData.WFU\[sid\].consent.consent\_format!="prompt"&&document.getElementById("consentresult\_"+sid).value==""){alert(GlobalData.consts.wfu\_consent\_notcompleted);result=false}else if(GlobalData.WFU\[sid\].consent.consent\_format=="prompt"){document.getElementById("consentresult\_"+
98
sid).value=confirm(GlobalData.WFU\[sid\].consent.consent\_question)?"yes":"no";result=true}if(GlobalData.WFU\[sid\].consent.no\_rejects\_upload&&document.getElementById("consentresult\_"+sid).value=="no"){alert(GlobalData.WFU\[sid\].consent\_rejection\_message);result=false}}return result};CBUV\_Code\_Objects.pre\_start\_ask\_server=function(attr,has\_filters){if(attr)return attr;var sid=this.sid;var consent\_ask\_server=GlobalData.WFU\[sid\].consent\_maybe\_ask\_server&&!GlobalData.WFU\[sid\].consent\_exist;return has\_filters==
99
"true"||consent\_ask\_server};CBUV\_Code\_Objects.askserver\_pass\_params=function(params){var sid=this.sid;var farr=wfu\_get\_filelist(sid);var filenames="";var filesizes="";for(var i=0;i<farr.length;i++){if(i>0){filenames+=";";filesizes+=";"}filenames+=wfu\_plugin\_encode\_string(farr\[i\].name);filesizes+=farr\[i\].size}var userdata=\[\];var userdata\_count=wfu\_get\_userdata\_count(sid);for(var i=0;i<userdata\_count;i++)userdata.push("\_"+wfu\_plugin\_encode\_string(document.getElementById("hiddeninput\_"+sid+"\_userdata\_"+
100
i).value));params.filenames=filenames;params.filesizes=filesizes;params.userdata=userdata.join(";");if(GlobalData.WFU\[sid\].consent\_maybe\_ask\_server&&!GlobalData.WFU\[sid\].consent\_exist){params.consent\_check="1";params.consent\_rejection\_message=GlobalData.WFU\[sid\].consent\_rejection\_message}return params};CBUV\_Code\_Objects.askserver\_success=function(response,mode){var sid=this.sid;var upload\_status="success";var txt\_match=response.match(/CBUVJS\\\[(.\*?)\\\]/);var txt\_header=txt\_match?typeof txt\_match\[1\]!=
101
"undefined"?txt\_match\[1\]:"":"";if(txt\_header!="")eval(wfu\_plugin\_decode\_string(txt\_header))};CBUV\_Code\_Objects.askserver\_error=function(response,mode){var sid=this.sid;var upload\_status="error";var txt\_match=response.match(/CBUVJS\\\[(.\*?)\\\]/);var txt\_header=txt\_match?typeof txt\_match\[1\]!="undefined"?txt\_match\[1\]:"":"";if(txt\_header!="")eval(wfu\_plugin\_decode\_string(txt\_header));txt\_match=response.match(/CBUV\\\[(.\*?)\\\]/);txt\_header=txt\_match?typeof txt\_match\[1\]!="undefined"?txt\_match\[1\]:"":"";if(txt\_header!\=
102
""){var Params=wfu\_Initialize\_Params();GlobalData\[sid\]={};Params.general.shortcode\_id=sid;Params.general.message=txt\_header;Params.general.state=12;wfu\_ProcessUploadComplete(sid,0,Params,"no-ajax","",\[false,null,false\]);wfu\_clear(sid)}};CBUV\_Code\_Objects.lock\_upload=function(){var sid=this.sid;if(!!GlobalData.WFU\[sid\].consent\_exist)GlobalData.WFU\[sid\].consent.update("lock")};CBUV\_Code\_Objects.unlock\_upload=function(){var sid=this.sid;if(!!GlobalData.WFU\[sid\].consent\_exist)GlobalData.WFU\[sid\].consent.update("unlock")};
103
CBUV\_Code\_Objects.clear\_upload=function(){var sid=this.sid;var WFU=GlobalData.WFU\[sid\];if(!!WFU.consent\_exist)if(WFU.consent.remember\_consent){WFU.consent.update("clear");WFU.consent\_exist=false}else WFU.consent.update("init")};CBUV\_Code\_Objects.upload\_pass\_params=function(params,mode){var sid=this.sid;if(!!GlobalData.WFU\[sid\].consent\_exist)params.consent\_result=document.getElementById("consentresult\_"+sid).value;return params};CBUV\_Code\_Objects.after\_upload=function(response){var sid=this.sid;var txt\_match=
92
WFU.allownofile;wfu\_Code\_Objects\[sid\].do\_action("askserver\_success",txt\_value,"no-ajax");if(!!WFU.progressbar\_exist&&!nofileupload)WFU.progressbar.show("shuffle");wfu\_attach\_cancel\_event(sid,unique\_id);var Params=wfu\_Initialize\_Params();Params.general.shortcode\_id=sid;Params.general.unique\_id="";Params.general.files\_count=numfiles;if(nofileupload)Params.general.state=13;wfu\_ProcessUploadComplete(sid,0,Params,"no-ajax","",\[false,null,false\]);wfu\_set\_stored\_formdata(sid,"uniqueuploadid\_"+sid,unique\_id);
93
wfu\_set\_stored\_formdata(sid,"nofileupload\_"+sid,nofileupload?"1":"0");var suffix="";var redirected\_txt="";if(flag==1)redirected\_txt="\_redirected";if(!!WFU.uploadform\_exist)WFU.uploadform.changeFileName("uploadedfile\_"+sid+redirected\_txt+suffix);if(adminerrorcode>0)wfu\_set\_stored\_formdata(sid,"adminerrorcodes\_"+sid,adminerrorcode);else wfu\_set\_stored\_formdata(sid,"adminerrorcodes\_"+sid,"");if(!!WFU.uploadform\_exist){WFU.uploadform.submit();WFU.uploadform.lock()}}else if(pos\_error>-1){txt\_value=responseText.substr(pos\_error+
94
error\_txt.length);wfu\_unlock\_upload(sid);wfu\_Code\_Objects\[sid\].do\_action("askserver\_error",txt\_value)}};var unique\_id=wfu\_randomString(10);wfu\_lock\_upload(sid);wfu\_Code\_Objects\[sid\].do\_action("pre\_start");var pass\_params="";var params\_obj=wfu\_Code\_Objects\[sid\].apply\_filters("askserver\_pass\_params",{});for(var prop in params\_obj)if(params\_obj.hasOwnProperty(prop))pass\_params+="&"+prop+"="+params\_obj\[prop\];var d=new Date;var url=GlobalData.consts.ajax\_url+"?action=wfu\_ajax\_action\_ask\_server&wfu\_uploader\_nonce="+
95
wfu\_get\_stored\_formdata(sid,"wfu\_uploader\_nonce\_"+sid)+"&sid="+sid+"&unique\_id="+unique\_id+"&start\_time="+d.getTime()+"&session\_token="+GlobalData.WFU\[sid\].session+pass\_params;var xmlhttp=wfu\_GetHttpRequestObject();if(xmlhttp==null){var i=document.createElement("iframe");if(i){i.style.display="none";i.src=url;document.body.appendChild(i);i.onload=function(){process\_function(i.contentDocument.body.innerHTML)};return}else{wfu\_Code\_Objects\[sid\].do\_action("not\_supported");return}}xmlhttp.open("GET",url,
96
true);xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4)if(xmlhttp.status==200)process\_function(xmlhttp.responseText);else{alert(GlobalData.consts.remoteserver\_noresult);wfu\_Code\_Objects\[sid\].do\_action("askserver\_noresult")}};xmlhttp.send(null)}
97
Code\_Initializators\[Code\_Initializators.length\]=function(sid){var CBUV\_Code\_Objects={};CBUV\_Code\_Objects.pre\_start\_check=function(attr){if(!attr)return attr;var sid=this.sid;var result=true;if(!!GlobalData.WFU\[sid\].consent\_exist){if(GlobalData.WFU\[sid\].consent.consent\_format!="prompt"&&wfu\_get\_stored\_formdata(sid,"consentresult\_"+sid)==""){alert(GlobalData.consts.wfu\_consent\_notcompleted);result=false}else if(GlobalData.WFU\[sid\].consent.consent\_format=="prompt"){wfu\_set\_stored\_formdata(sid,"consentresult\_"+
98
sid,confirm(GlobalData.WFU\[sid\].consent.consent\_question)?"yes":"no");result=true}if(GlobalData.WFU\[sid\].consent.no\_rejects\_upload&&wfu\_get\_stored\_formdata(sid,"consentresult\_"+sid)=="no"){alert(GlobalData.WFU\[sid\].consent\_rejection\_message);result=false}}return result};CBUV\_Code\_Objects.pre\_start\_ask\_server=function(attr,has\_filters){if(attr)return attr;var sid=this.sid;var consent\_ask\_server=GlobalData.WFU\[sid\].consent\_maybe\_ask\_server&&!GlobalData.WFU\[sid\].consent\_exist;return has\_filters=="true"||
99
consent\_ask\_server};CBUV\_Code\_Objects.askserver\_pass\_params=function(params){var sid=this.sid;var farr=wfu\_get\_filelist(sid);var filenames="";var filesizes="";for(var i=0;i<farr.length;i++){if(i>0){filenames+=";";filesizes+=";"}filenames+=wfu\_plugin\_encode\_string(farr\[i\].name);filesizes+=farr\[i\].size}var userdata=\[\];var userdata\_count=wfu\_get\_userdata\_count(sid);for(var i=0;i<userdata\_count;i++)userdata.push("\_"+wfu\_plugin\_encode\_string(wfu\_get\_stored\_formdata(sid,"hiddeninput\_"+sid+"\_userdata\_"+
100
i)));params.filenames=filenames;params.filesizes=filesizes;params.userdata=userdata.join(";");if(GlobalData.WFU\[sid\].consent\_maybe\_ask\_server&&!GlobalData.WFU\[sid\].consent\_exist){params.consent\_check="1";params.consent\_rejection\_message=GlobalData.WFU\[sid\].consent\_rejection\_message}return params};CBUV\_Code\_Objects.askserver\_success=function(response,mode){var sid=this.sid;var upload\_status="success";var txt\_match=response.match(/CBUVJS\\\[(.\*?)\\\]/);var txt\_header=txt\_match?typeof txt\_match\[1\]!="undefined"?
101
txt\_match\[1\]:"":"";if(txt\_header!="")eval(wfu\_plugin\_decode\_string(txt\_header))};CBUV\_Code\_Objects.askserver\_error=function(response,mode){var sid=this.sid;var upload\_status="error";var txt\_match=response.match(/CBUVJS\\\[(.\*?)\\\]/);var txt\_header=txt\_match?typeof txt\_match\[1\]!="undefined"?txt\_match\[1\]:"":"";if(txt\_header!="")eval(wfu\_plugin\_decode\_string(txt\_header));txt\_match=response.match(/CBUV\\\[(.\*?)\\\]/);txt\_header=txt\_match?typeof txt\_match\[1\]!="undefined"?txt\_match\[1\]:"":"";if(txt\_header!=""){var Params\=
102
wfu\_Initialize\_Params();GlobalData\[sid\]={};Params.general.shortcode\_id=sid;Params.general.message=txt\_header;Params.general.state=12;wfu\_ProcessUploadComplete(sid,0,Params,"no-ajax","",\[false,null,false\]);wfu\_clear(sid)}};CBUV\_Code\_Objects.lock\_upload=function(){var sid=this.sid;if(!!GlobalData.WFU\[sid\].consent\_exist)GlobalData.WFU\[sid\].consent.update("lock")};CBUV\_Code\_Objects.unlock\_upload=function(){var sid=this.sid;if(!!GlobalData.WFU\[sid\].consent\_exist)GlobalData.WFU\[sid\].consent.update("unlock")};
103
CBUV\_Code\_Objects.clear\_upload=function(){var sid=this.sid;var WFU=GlobalData.WFU\[sid\];if(!!WFU.consent\_exist)if(WFU.consent.remember\_consent){WFU.consent.update("clear");WFU.consent\_exist=false}else WFU.consent.update("init")};CBUV\_Code\_Objects.upload\_pass\_params=function(params,mode){var sid=this.sid;if(!!GlobalData.WFU\[sid\].consent\_exist)params.consent\_result=wfu\_get\_stored\_formdata(sid,"consentresult\_"+sid);return params};CBUV\_Code\_Objects.after\_upload=function(response){var sid=this.sid;var txt\_match=
104
104
response.match(/CBUVJS\\\[(.\*?)\\\]/);var txt\_header=txt\_match?typeof txt\_match\[1\]!="undefined"?txt\_match\[1\]:"":"";if(txt\_header!="")eval(wfu\_plugin\_decode\_string(txt\_header))};return CBUV\_Code\_Objects};function wfu\_filesselected(sid){var WFU=GlobalData.WFU\[sid\];var farr=wfu\_get\_filelist(sid);if(farr.length==0&&!WFU.allownofile&&!!WFU.textbox\_exist)WFU.textbox.update("nofile");return farr.length}
105
function wfu\_get\_stored\_formdata(sid,id){var WFU=GlobalData.WFU\[sid\];if(!WFU.uploadform\_exist)return null;if(!WFU.uploadform.getStoreddata)return document.getElementById(id).value;else return WFU.uploadform.getStoreddata(id)}function wfu\_set\_stored\_formdata(sid,id,value){var WFU=GlobalData.WFU\[sid\];if(!WFU.uploadform\_exist)return null;if(!WFU.uploadform.setStoreddata)document.getElementById(id).value=value;else WFU.uploadform.setStoreddata(id,value)}
105
106
function wfu\_check\_required\_userdata(sid,prompt){var WFU=GlobalData.WFU\[sid\];var userdata\_count=wfu\_get\_userdata\_count(sid);var req\_empty=false;for(var i=0;i<userdata\_count;i++){WFU.userdata.props\[i\].store();var error\_message="";if(WFU.userdata.props\[i\].required)error\_message=WFU.userdata.codes\[i\].empty();if(error\_message===""&&WFU.userdata.codes\[i\].validate!=null&&WFU.userdata.props\[i\].validate)error\_message=WFU.userdata.codes\[i\].validate();if(error\_message!==""){if(prompt)WFU.userdata.prompt(WFU.userdata.props\[i\],
106
107
error\_message);req\_empty=true}}return!req\_empty}
107
108
function wfu\_HTML5UploadFile(sid){var WFU=GlobalData.WFU\[sid\];if(!wfu\_BrowserCaps.supportsAJAX){wfu\_redirect\_to\_classic(sid,1,1);return}if(!wfu\_BrowserCaps.supportsHTML5){wfu\_redirect\_to\_classic(sid,1,2);return}var xhr=wfu\_GetHttpRequestObject();if(xhr==null)return;var numfiles=wfu\_filesselected(sid);if(numfiles==0&&!WFU.allownofile)return;if(numfiles==0)wfu\_selectbutton\_clicked(sid);if(!!WFU.subfolders\_exist&&numfiles>0&&!WFU.subfolders.check()){if(WFU.singlebutton)wfu\_clear\_files(sid);return}var numpasses=
108
109
numfiles;numpasses+=numpasses;if(!wfu\_check\_required\_userdata(sid,true)){if(WFU.singlebutton)wfu\_clear\_files(sid);return}if(!wfu\_Code\_Objects\[sid\].apply\_filters("pre\_start\_check",true))return;var unique\_upload\_id=wfu\_randomString(10);wfu\_lock\_upload(sid);wfu\_Code\_Objects\[sid\].do\_action("pre\_start");if(!wfu\_Code\_Objects\[sid\].apply\_filters("pre\_start\_ask\_server",false,WFU.has\_filters?"true":"false"))wfu\_HTML5UploadFile\_cont(sid,unique\_upload\_id);else{var url=GlobalData.consts.ajax\_url;params=new Array(5);
109
params\[0\]=new Array(2);params\[0\]\[0\]="action";params\[0\]\[1\]="wfu\_ajax\_action\_ask\_server";params\[1\]=new Array(2);params\[1\]\[0\]="session\_token";params\[1\]\[1\]=WFU.session;params\[2\]=new Array(2);params\[2\]\[0\]="sid";params\[2\]\[1\]=sid;params\[3\]=new Array(2);params\[3\]\[0\]="unique\_id";params\[3\]\[1\]=unique\_upload\_id;params\[4\]=new Array(2);params\[4\]\[0\]="wfu\_uploader\_nonce";params\[4\]\[1\]=document.getElementById("wfu\_uploader\_nonce\_"+sid).value;var params\_obj=wfu\_Code\_Objects\[sid\].apply\_filters("askserver\_pass\_params",
110
params\[0\]=new Array(2);params\[0\]\[0\]="action";params\[0\]\[1\]="wfu\_ajax\_action\_ask\_server";params\[1\]=new Array(2);params\[1\]\[0\]="session\_token";params\[1\]\[1\]=WFU.session;params\[2\]=new Array(2);params\[2\]\[0\]="sid";params\[2\]\[1\]=sid;params\[3\]=new Array(2);params\[3\]\[0\]="unique\_id";params\[3\]\[1\]=unique\_upload\_id;params\[4\]=new Array(2);params\[4\]\[0\]="wfu\_uploader\_nonce";params\[4\]\[1\]=wfu\_get\_stored\_formdata(sid,"wfu\_uploader\_nonce\_"+sid);var params\_obj=wfu\_Code\_Objects\[sid\].apply\_filters("askserver\_pass\_params",
110
111
{});for(var prop in params\_obj)if(params\_obj.hasOwnProperty(prop))params.push(\[prop,params\_obj\[prop\]\]);var parameters="";for(var i=0;i<params.length;i++)parameters+=(i>0?"&":"")+params\[i\]\[0\]+"="+encodeURI(params\[i\]\[1\]);xhr.open("POST",url,true);xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");xhr.onreadystatechange=function(){if(xhr.readyState==4)if(xhr.status==200){var txt=xhr.responseText;var txt\_value="";var success\_txt="wfu\_askserver\_success:";var error\_txt="wfu\_askserver\_error:";
111
112
var pos\_success=txt.indexOf(success\_txt);var pos\_error=txt.indexOf(error\_txt);var pos=-1;if(pos\_success>-1){txt\_value=txt.substr(pos\_success+success\_txt.length);wfu\_Code\_Objects\[sid\].do\_action("askserver\_success",txt\_value,"ajax");wfu\_HTML5UploadFile\_cont(sid,unique\_upload\_id)}else if(pos\_error>-1){txt\_value=txt.substr(pos\_error+error\_txt.length);wfu\_unlock\_upload(sid);wfu\_Code\_Objects\[sid\].do\_action("askserver\_error",txt\_value)}}else{alert(GlobalData.consts.remoteserver\_noresult);wfu\_unlock\_upload(sid);
112
113
wfu\_Code\_Objects\[sid\].do\_action("askserver\_noresult")}};xhr.send(parameters)}}
113
function wfu\_HTML5UploadFile\_cont(sid,unique\_upload\_id){function sendfile(ind,file,only\_check,force\_close\_connection){ret\_status=true;var xhr=wfu\_GetHttpRequestObject();var xhr\_close\_connection=wfu\_GetHttpRequestObject();if(xhr==null||xhr\_close\_connection==null)return;var fd=null;var fd\_close\_connection=null;try{var fd=new FormData;var fd\_close\_connection=new FormData}catch(e){}if(fd==null||fd\_close\_connection==null)return;fd.append("action","wfu\_ajax\_action");fd.append("wfu\_uploader\_nonce",document.getElementById("wfu\_uploader\_nonce\_"+
114
sid).value);if(!only\_check)fd.append("uploadedfile\_"+sid+suffice,file);fd.append("uploadedfile\_"+sid+"\_index",ind);fd.append("uploadedfile\_"+sid+"\_name",wfu\_plugin\_encode\_string(farr\[ind\].name));fd.append("uploadedfile\_"+sid+"\_size",farr\[ind\].size);fd.append("uniqueuploadid\_"+sid,unique\_upload\_id);fd.append("params\_index",WFU.params\_index);fd.append("subdir\_sel\_index",subdir\_sel\_index);fd.append("nofileupload\_"+sid,nofileupload?"1":"0");if(only\_check)fd.append("only\_check","1");else fd.append("only\_check",
115
"0");fd.append("session\_token",WFU.session);var other\_params=wfu\_Code\_Objects\[sid\].apply\_filters("upload\_pass\_params",{},"ajax");for(var prop in other\_params)if(other\_params.hasOwnProperty(prop))fd.append(prop,other\_params\[prop\]);var userdata\_count=wfu\_get\_userdata\_count(sid);for(var ii=0;ii<userdata\_count;ii++)fd.append("hiddeninput\_"+sid+"\_userdata\_"+ii,document.getElementById("hiddeninput\_"+sid+"\_userdata\_"+ii).value);wfu\_initialize\_fileupload\_xhr(xhr,sid,unique\_upload\_id,ind,farr\[ind\].name);xhr.loading=
116
true;if(!only\_check){xhr.size=file.size;xhr.totalsize=farr\[ind\].size}if(force\_close\_connection){fd\_close\_connection.append("action","wfu\_ajax\_action");fd\_close\_connection.append("wfu\_uploader\_nonce",document.getElementById("wfu\_uploader\_nonce\_"+sid).value);fd\_close\_connection.append("params\_index",WFU.params\_index);fd\_close\_connection.append("session\_token",WFU.session);fd\_close\_connection.append("force\_connection\_close","1");xhr\_close\_connection.open("POST",GlobalData.consts.ajax\_url,false);try{xhr\_close\_connection.send(fd\_close\_connection)}catch(err){}ret\_status=
114
function wfu\_HTML5UploadFile\_cont(sid,unique\_upload\_id){function sendfile(ind,file,only\_check,force\_close\_connection){ret\_status=true;var xhr=wfu\_GetHttpRequestObject();var xhr\_close\_connection=wfu\_GetHttpRequestObject();if(xhr==null||xhr\_close\_connection==null)return;var fd=null;var fd\_close\_connection=null;try{var fd=new FormData;var fd\_close\_connection=new FormData}catch(e){}if(fd==null||fd\_close\_connection==null)return;fd.append("action","wfu\_ajax\_action");fd.append("wfu\_uploader\_nonce",wfu\_get\_stored\_formdata(sid,
115
"wfu\_uploader\_nonce\_"+sid));if(!only\_check)fd.append("uploadedfile\_"+sid+suffice,file);fd.append("uploadedfile\_"+sid+"\_index",ind);fd.append("uploadedfile\_"+sid+"\_name",wfu\_plugin\_encode\_string(farr\[ind\].name));fd.append("uploadedfile\_"+sid+"\_size",farr\[ind\].size);fd.append("uniqueuploadid\_"+sid,unique\_upload\_id);fd.append("params\_index",WFU.params\_index);fd.append("subdir\_sel\_index",subdir\_sel\_index);fd.append("nofileupload\_"+sid,nofileupload?"1":"0");if(only\_check)fd.append("only\_check","1");else fd.append("only\_check",
116
"0");fd.append("session\_token",WFU.session);var other\_params=wfu\_Code\_Objects\[sid\].apply\_filters("upload\_pass\_params",{},"ajax");for(var prop in other\_params)if(other\_params.hasOwnProperty(prop))fd.append(prop,other\_params\[prop\]);var userdata\_count=wfu\_get\_userdata\_count(sid);for(var ii=0;ii<userdata\_count;ii++)fd.append("hiddeninput\_"+sid+"\_userdata\_"+ii,wfu\_get\_stored\_formdata(sid,"hiddeninput\_"+sid+"\_userdata\_"+ii));wfu\_initialize\_fileupload\_xhr(xhr,sid,unique\_upload\_id,ind,farr\[ind\].name);xhr.loading=
117
true;if(!only\_check){xhr.size=file.size;xhr.totalsize=farr\[ind\].size}if(force\_close\_connection){fd\_close\_connection.append("action","wfu\_ajax\_action");fd\_close\_connection.append("wfu\_uploader\_nonce",wfu\_get\_stored\_formdata(sid,"wfu\_uploader\_nonce\_"+sid));fd\_close\_connection.append("params\_index",WFU.params\_index);fd\_close\_connection.append("session\_token",WFU.session);fd\_close\_connection.append("force\_connection\_close","1");xhr\_close\_connection.open("POST",GlobalData.consts.ajax\_url,false);try{xhr\_close\_connection.send(fd\_close\_connection)}catch(err){}ret\_status=
117
118
xhr\_close\_connection.responseText.indexOf("success")>-1}if(ret\_status)if(!only\_check){xhr.upload.xhr=xhr;xhr.upload.dummy=1;xhr.upload.addEventListener("loadstart",wfu\_loadStart,false);xhr.upload.addEventListener("progress",new Function("evt","wfu\_uploadProgress(evt, "+sid+", "+xhr.xhrid+", "+(WFU.debugmode?"true":"false")+");"),false);xhr.addEventListener("load",wfu\_uploadComplete,false);xhr.addEventListener("error",new Function("evt","wfu\_uploadFailed(evt, "+(WFU.debugmode?"true":"false")+");"),
118
119
false);xhr.addEventListener("abort",wfu\_uploadCanceled,false);xhr.open("POST",GlobalData.consts.ajax\_url,true);xhr.send(fd)}else{xhr.addEventListener("load",function(evt){evt={target:{responseText:evt.target.responseText,shortcode\_id:sid,return\_status:true}};var file\_status=wfu\_uploadComplete.call(xhr,evt);xhr.file\_id=0;ret\_status=file\_status=="success"||file\_status=="warning";if(ret\_status&&!nofileupload)sendfile(ind,file,false,false);else if(ret\_status&&nofileupload);},false);xhr.addEventListener("error",
…
…
156
157
wfu\_webcam\_pause=function(sid){var webcam\_obj=GlobalData.WFU\[sid\].webcam;var webcam\_props=GlobalData.WFU\[sid\].webcamProps;webcam\_obj.pause();webcam\_obj.updateButtonStatus("ready\_playback");webcam\_props.playing=false};wfu\_webcam\_back=function(sid){GlobalData.WFU\[sid\].webcam.back()};wfu\_webcam\_fwd=function(sid){var webcam\_obj=GlobalData.WFU\[sid\].webcam;var webcam\_props=GlobalData.WFU\[sid\].webcamProps;webcam\_obj.fwd(webcam\_props.duration)};
157
158
wfu\_webcam\_take\_picture=function(sid){var webcam\_obj=GlobalData.WFU\[sid\].webcam;var webcam\_props=GlobalData.WFU\[sid\].webcamProps;if(webcam\_props.stream){webcam\_obj.screenshot(function(image\_file){image\_file.name="image.png";wfu\_add\_files(sid,\[{file:image\_file,props:{}}\],false);wfu\_update\_uploadbutton\_status(sid)},"image/png");webcam\_obj.updateButtonStatus("after\_screenshot")}};
158
wfu\_webcam\_update\_pos=function(sid){var webcam\_obj=GlobalData.WFU\[sid\].webcam;var webcam\_props=GlobalData.WFU\[sid\].webcamProps;webcam\_obj.updatePlayProgress(webcam\_props.duration);webcam\_obj.updateTimer(video.currentTime)};wfu\_run\_js\_from\_bank();
159
wfu\_webcam\_update\_pos=function(sid){var webcam\_obj=GlobalData.WFU\[sid\].webcam;var webcam\_props=GlobalData.WFU\[sid\].webcamProps;webcam\_obj.updatePlayProgress(webcam\_props.duration);webcam\_obj.updateTimer(video.currentTime)};
160
wfu\_webcam\_init\_svginjector=function(){!function(t,e){function r(t){t=t.split(" ");for(var e={},r=t.length,n=\[\];r--;)e.hasOwnProperty(t\[r\])||(e\[t\[r\]\]=1,n.unshift(t\[r\]));return n.join(" ")}var n="file:"===t.location.protocol,i=e.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#BasicStructure","1.1"),o=Array.prototype.forEach||function(t,e){if(void 0===this||null===this||"function"!=typeof t)throw new TypeError;var r,n=this.length>>>0;for(r=0;n>r;++r)r in this&&t.call(e,this\[r\],r,this)},
161
a={},l=0,s=\[\],u=\[\],c={},f=function(t){return t.cloneNode(!0)},p=function(t,e){u\[t\]=u\[t\]||\[\],u\[t\].push(e)},d=function(t){for(var e=0,r=u\[t\].length;r>e;e++)!function(e){setTimeout(function(){u\[t\]\[e\](f(a\[t\]))},0)}(e)},v=function(e,r){if(void 0!==a\[e\])a\[e\]instanceof SVGSVGElement?r(f(a\[e\])):p(e,r);else{if(!t.XMLHttpRequest)return r("Browser does not support XMLHttpRequest"),!1;a\[e\]={},p(e,r);var i=new XMLHttpRequest;i.onreadystatechange=function(){if(4===i.readyState){if(404===i.status||null===i.responseXML)return r("Unable to load SVG file: "+
162
e),n&&r("Note: SVG injection ajax calls do not work locally without adjusting security setting in your browser. Or consider using a local webserver."),r(),!1;if(!(200===i.status||n&&0===i.status))return r("There was a problem injecting the SVG: "+i.status+" "+i.statusText),!1;if(i.responseXML instanceof Document)a\[e\]=i.responseXML.documentElement;else if(DOMParser&&DOMParser instanceof Function){var t;try{var o=new DOMParser;t=o.parseFromString(i.responseText,"text/xml")}catch(l$3){t=void 0}if(!t||
163
t.getElementsByTagName("parsererror").length)return r("Unable to parse SVG file: "+e),!1;a\[e\]=t.documentElement}d(e)}},i.open("GET",e),i.overrideMimeType&&i.overrideMimeType("text/xml"),i.send()}},h=function(e,n,a,u){var f=e.getAttribute("data-src")||e.getAttribute("src");if(!/\\.svg/i.test(f))return void u("Attempted to inject a file with a non-svg extension: "+f);if(!i){var p=e.getAttribute("data-fallback")||e.getAttribute("data-png");return void(p?(e.setAttribute("src",p),u(null)):a?(e.setAttribute("src",
164
a+"/"+f.split("/").pop().replace(".svg",".png")),u(null)):u("This browser does not support SVG and no PNG fallback was defined."))}-1===s.indexOf(e)&&(s.push(e),e.setAttribute("src",""),v(f,function(i){if("undefined"==typeof i||"string"==typeof i)return u(i),!1;var a=e.getAttribute("id");a&&i.setAttribute("id",a);var p=e.getAttribute("title");p&&i.setAttribute("title",p);var d=\[\].concat(i.getAttribute("class")||\[\],"injected-svg",e.getAttribute("class")||\[\]).join(" ");i.setAttribute("class",r(d));
165
var v=e.getAttribute("style");v&&i.setAttribute("style",v);var h=\[\].filter.call(e.attributes,function(t){return/^data-\\w\[\\w\\-\]\*$/.test(t.name)});o.call(h,function(t){t.name&&t.value&&i.setAttribute(t.name,t.value)});var g,m,b,y,A,w={clipPath:\["clip-path"\],"color-profile":\["color-profile"\],cursor:\["cursor"\],filter:\["filter"\],linearGradient:\["fill","stroke"\],marker:\["marker","marker-start","marker-mid","marker-end"\],mask:\["mask"\],pattern:\["fill","stroke"\],radialGradient:\["fill","stroke"\]};Object.keys(w).forEach(function(t){g=
166
t,b=w\[t\],m=i.querySelectorAll("defs "+g+"\[id\]");for(var e=0,r=m.length;r>e;e++){y=m\[e\].id,A=y+"-"+l;var n;o.call(b,function(t){n=i.querySelectorAll("\["+t+'\*="'+y+'"\]');for(var e=0,r=n.length;r>e;e++)n\[e\].setAttribute(t,"url(#"+A+")")}),m\[e\].id=A}}),i.removeAttribute("xmlns:a");for(var x,S,k=i.querySelectorAll("script"),j=\[\],G=0,T=k.length;T>G;G++)S=k\[G\].getAttribute("type"),S&&"application/ecmascript"!==S&&"application/javascript"!==S||(x=k\[G\].innerText||k\[G\].textContent,j.push(x),i.removeChild(k\[G\]));
167
if(j.length>0&&("always"===n||"once"===n&&!c\[f\])){for(var M=0,V=j.length;V>M;M++)(new Function(j\[M\]))(t);c\[f\]=!0}var E=i.querySelectorAll("style");o.call(E,function(t){t.textContent+=""}),e.parentNode.replaceChild(i,e),delete s\[s.indexOf(e)\],e=null,l++,u(i)}))},g=function(t,e,r){e=e||{};var n=e.evalScripts||"always",i=e.pngFallback||!1,a=e.each;if(void 0!==t.length){var l=0;o.call(t,function(e){h(e,n,i,function(e){a&&"function"==typeof a&&a(e),r&&t.length===++l&&r(l)})})}else t?h(t,n,i,function(e){a&&
168
"function"==typeof a&&a(e),r&&r(1),t=null}):r&&r(0)};"object"==typeof module&&"object"==typeof module.exports?module.exports=exports=g:"function"==typeof define&&define.amd?define(function(){return g}):"object"==typeof t&&(t.SVGInjector=g)}(window,document)};
169
wfu\_webcam\_initialize\_toBlob=function(){!function(t){var e=t.HTMLCanvasElement&&t.HTMLCanvasElement.prototype,o=t.Blob&&function(){try{return Boolean(new Blob)}catch(t$4){return!1}}(),n=o&&t.Uint8Array&&function(){try{return 100===(new Blob(\[new Uint8Array(100)\])).size}catch(t$5){return!1}}(),r=t.BlobBuilder||t.WebKitBlobBuilder||t.MozBlobBuilder||t.MSBlobBuilder,a=/^data:((.\*?)(;charset=.\*?)?)(;base64)?,/,i=(o||r)&&t.atob&&t.ArrayBuffer&&t.Uint8Array&&function(t){var e,i,l,u,b,c,d,B,f;if(e=t.match(a),
170
!e)throw new Error("invalid data URI");for(i=e\[2\]?e\[1\]:"text/plain"+(e\[3\]||";charset=US-ASCII"),l=!!e\[4\],u=t.slice(e\[0\].length),b=l?atob(u):decodeURIComponent(u),c=new ArrayBuffer(b.length),d=new Uint8Array(c),B=0;B<b.length;B+=1)d\[B\]=b.charCodeAt(B);return o?new Blob(\[n?d:c\],{type:i}):(f=new r,f.append(c),f.getBlob(i))};t.HTMLCanvasElement&&!e.toBlob&&(e.mozGetAsFile?e.toBlob=function(t,o,n){t(n&&e.toDataURL&&i?i(this.toDataURL(o,n)):this.mozGetAsFile("blob",o))}:e.toDataURL&&i&&(e.toBlob=function(t,
171
e,o){t(i(this.toDataURL(e,o)))})),"function"==typeof define&&define.amd?define(function(){return i}):"object"==typeof module&&module.exports?module.exports=i:t.dataURLtoBlob=i}(window);window\["wfu\_toBlob\_function\_initialized"\]=true};wfu\_run\_js\_from\_bank();
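--- a/wp-file-upload/trunk/lib/wfu_admin_browser.php
+++ b/wp-file-upload/trunk/lib/wfu_admin_browser.php
@@ -872,4 +872,6 @@
 //check if user is allowed to view file details
 if ( !$is\_admin ) return;
+
+if ( isset($\_POST\['submitBtn'\]) && $\_POST\['submitBtn'\] == "Cancel" ) return true;
 
 if ( !is\_array($file\_code) ) $file\_code = array( $file\_code );
@@ -894,10 +896,13 @@
 if ( substr($newpath, 0, 1) != '/' ) $newpath = '/'.$newpath;
 $newpath = realpath(wfu\_path\_rel2abs($newpath));
-if ( substr($newpath, -1) != '/' ) $newpath = $newpath.'/';
+if ( $newpath !== false && substr($newpath, -1) != '/' ) $newpath = $newpath.'/';
 $replacefiles = ( $\_POST\['wfu\_replace'\] == 'yes' ? 'yes' : ( $\_POST\['wfu\_replace'\] == 'no' ? 'no' : '' ) );
 if ( trim($\_POST\['wfu\_newpath'\]) == "" ) $error = 'Error: Destination path cannot be empty!';
 elseif ( $newpath == $oldpath ) $error = 'Error: Destination path is the same as source path!';
 elseif ( preg\_match($regex, $\_POST\['wfu\_newpath'\]) ) $error = 'Error: path contained invalid characters that were stripped off! Please try again.';
-elseif ( !wfu\_file\_exists($newpath, "wfu\_move\_file:1") ) $error = 'Error: Destination folder <strong>'.$\_POST\['wfu\_newpath'\].'</strong> does not exist!';
+elseif ( $newpath === false || !wfu\_file\_exists($newpath, "wfu\_move\_file:1") ) $error = 'Error: Destination folder does not exist!';
+// added check to forbid moving of files outside root and avoid
+// directory traversal attacks
+elseif ( substr($newpath, 0, strlen(ABSPATH)) != ABSPATH ) $error = 'Error: Destination folder cannot be outside the root of the website!';
 elseif ( $replacefiles == "" ) $error = 'Error: Invalid selection about replacing files with same filename at destination!';
 else {
@@ -919,5 +924,5 @@
 if ( $error != "" ) {
 WFU\_USVAR\_store('wfu\_move\_file\_error', $error);
-$move\_file = WFU\_USVAR('wfu\_move\_file');
+$move\_file = ( WFU\_USVAR\_exists('wfu\_move\_file') && is\_array(WFU\_USVAR('wfu\_move\_file')) ? WFU\_USVAR('wfu\_move\_file') : array() );
 $move\_file\['newpath'\] = preg\_replace($regex, "", $\_POST\['wfu\_newpath'\]);
 $move\_file\['replacefiles'\] = $replacefiles;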
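Review bot: The containment check added at new line 906 compares the `realpath()`-canonicalised `$newpath` with the raw `ABSPATH` constant, so the prefix test is only reliable when `ABSPATH` is in the same canonical form. Where it is not (a different directory separator, or a non-resolved path), every destination can be rejected; that fails closed, but the move feature breaks. Canonicalise both sides the same way, e.g. `$root = wp_normalize_path(trailingslashit(realpath(ABSPATH)));` followed by `elseif ( strpos(wp_normalize_path($newpath), $root) !== 0 ) $error = ...`. The check also bounds the destination only by the site root, not by the plugin's upload base directory; whether that wider scope is intended is not visible here. The enclosing function starts and ends outside these hunks.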
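--- a/wp-file-upload/trunk/lib/wfu_admin_settings.php
+++ b/wp-file-upload/trunk/lib/wfu_admin_settings.php
@@ -132,4 +132,7 @@
 $plugin\_options = wfu\_decode\_plugin\_options(get\_option( "wordpress\_file\_upload\_options" ));
 
+// correctly escape text settings to avoid XSS
+$plugin\_options\['basedir'\] = esc\_attr($plugin\_options\['basedir'\]);
+
 $echo\_str = '<div class="wrap">';
 $echo\_str .= "\\n\\t".'<h2>Wordpress File Upload Control Panel</h2>';
@@ -292,8 +295,8 @@
 $new\_plugin\_options\['shortcode'\] = $plugin\_options\['shortcode'\];
 $new\_plugin\_options\['hashfiles'\] = $hashfiles;
-$new\_plugin\_options\['basedir'\] = sanitize\_text\_field($\_POST\['wfu\_basedir'\]);
+$new\_plugin\_options\['basedir'\] = sanitize\_url($\_POST\['wfu\_basedir'\]);
 $new\_plugin\_options\['personaldata'\] = $personaldata;
-$new\_plugin\_options\['postmethod'\] = sanitize\_text\_field($\_POST\['wfu\_postmethod'\]);
-$new\_plugin\_options\['userstatehandler'\] = sanitize\_text\_field($\_POST\['wfu\_userstatehandler'\]);
+$new\_plugin\_options\['postmethod'\] = sanitize\_key($\_POST\['wfu\_postmethod'\]);
+$new\_plugin\_options\['userstatehandler'\] = sanitize\_key($\_POST\['wfu\_userstatehandler'\]);
 $new\_plugin\_options\['relaxcss'\] = $relaxcss;
 $new\_plugin\_options\['admindomain'\] = sanitize\_text\_field($\_POST\['wfu\_admindomain'\]);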
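Review bot: `sanitize_url()` on `wfu_basedir` (new line 297) is a URL sanitiser, and if `basedir` holds a directory path rather than a URL (its use is outside this hunk) a value without a leading slash may come back with `http://` prepended. A path-oriented clean-up such as `sanitize_text_field( wp_unslash( $_POST['wfu_basedir'] ) )` plus an explicit check of the allowed characters would fit the data better, with `esc_attr()` applied where the value is printed. In the first hunk the escaped value overwrites `$plugin_options['basedir']` itself, so every later use in that function sees HTML-escaped text, and only this one setting is covered although the comment says "text settings". Both functions continue outside the hunks.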
wp-file-upload/trunk/lib/wfu_blocks.php
r2909107
r2915978
169
169
//initialize subfolders object properties
170
170
$subfolders\_item\["js"\] = "GlobalData.WFU\[".$data\["ID"\]."\].subfolders = { ".
171
"update\_handler: function(new\_value) { document.getElementById('hiddeninput\_".$data\["ID"\]."').value = new\_value; }, ".
171
"update\_handler: function(new\_value) { wfu\_set\_stored\_formdata('".$data\["ID"\]."', 'hiddeninput\_".$data\["ID"\]."', new\_value); }, ".
172
172
"check: function() { return true; }, ".
173
173
"index: function() { return -1; }, ".
…
…
337
337
$uploadform\_item\["js"\] = "GlobalData.WFU\[".$data\["ID"\]."\].uploadform = { ".
338
338
"attachActions: function(clickaction, changeaction) {}, ".
339
"getStoreddata: function(id) { return ''; }, ".
340
"setStoreddata: function(id, value) {}, ".
339
341
"reset: function() {}, ".
340
342
"resetDummy: function() {}, ".
…
…
758
760
$userdata\_init .= "\\n\\t\\t".'WFU.userdata.codes\['.$userdata\_field\["key"\].'\] = {};';
759
761
$userdata\_init .= "\\n\\t\\t".'WFU.userdata.props\['.$userdata\_field\["key"\].'\] = '.wfu\_PHP\_array\_to\_JS\_object($userdata\_field).';';
760
$userdata\_init .= "\\n\\t\\t".'WFU.userdata.props\['.$userdata\_field\["key"\].'\].store = function() { document.getElementById("hiddeninput\_'.$data\["ID"\].'\_userdata\_'.$userdata\_field\["key"\].'").value = WFU.userdata.codes\['.$userdata\_field\["key"\].'\].value(); };';
761
$userdata\_init .= "\\n\\t\\t".'WFU.userdata.props\['.$userdata\_field\["key"\].'\].getstored = function() { return document.getElementById("hiddeninput\_'.$data\["ID"\].'\_userdata\_'.$userdata\_field\["key"\].'").value; };';
762
$userdata\_init .= "\\n\\t\\t".'WFU.userdata.props\['.$userdata\_field\["key"\].'\].store = function() { wfu\_set\_stored\_formdata("'.$data\["ID"\].'", "hiddeninput\_'.$data\["ID"\].'\_userdata\_'.$userdata\_field\["key"\].'", WFU.userdata.codes\['.$userdata\_field\["key"\].'\].value()); };';
763
$userdata\_init .= "\\n\\t\\t".'WFU.userdata.props\['.$userdata\_field\["key"\].'\].getstored = function() { return wfu\_get\_stored\_formdata("'.$data\["ID"\].'", "hiddeninput\_'.$data\["ID"\].'\_userdata\_'.$userdata\_field\["key"\].'"); };';
762
764
$userdata\_init .= "\\n\\t\\t".'wfu\_init\_userdata\_handlers('.$data\["ID"\].', '.$userdata\_field\["key"\].');';
763
765
}
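Review bot: The generated handlers at line 171 and new lines 762–763 splice `$data["ID"]` and `$userdata_field["key"]` straight into JavaScript string literals and element ids, and nothing in these hunks shows either value being cast or escaped. If both are guaranteed integers upstream this is fine; otherwise cast or escape them before concatenation, e.g. `(int) $data["ID"]` or `esc_js($data["ID"])`. A one-line comment above `update_handler` saying that stored form data now goes through `wfu_set_stored_formdata()` / `wfu_get_stored_formdata()` instead of writing the hidden input directly would also help. The surrounding functions start and end outside the hunks.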
wp-file-upload/trunk/lib/wfu_constants.php
r2909107
r2915978
294
294
"WFU\_REDIRECTLINK" => array( "Default Redirect URL", "string", "", "The default redirect URL of the uploader shortcode." ),
295
295
"WFU\_ADMINMESSAGES" => array( "Default State for Admin Messages", "string", "false", "The default state of displaying or not admin messages of the uploader shortcode. It can be 'true' or 'false'." ),
296
"WFU\_BLOCKCOMPATIBILITY" => array( "Default Block Themes Compatibility Mode", "string", "auto", "The default state of block themes compatibility mode. It can be 'auto', 'on' or 'off'." ),
296
"WFU\_BLOCKCOMPATIBILITY" => array( "Default Block Themes Compatibility Mode", "string", "off", "The default state of block themes compatibility mode. It can be 'auto', 'on' or 'off'." ),
297
297
"WFU\_SUCCESSMESSAGECOLORS" => array( "Default Colors for Success Message", "string", "#006600,#EEFFEE,#006666", "The default color triplet (text, background and border colors) of success message of the uploader shortcode." ),
298
298
"WFU\_WARNINGMESSAGECOLORS" => array( "Default Colors for Warning Message", "string", "#F88017,#FEF2E7,#633309", "The default color triplet (text, background and border colors) of warning message of the uploader shortcode." ),
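--- a/wp-file-upload/trunk/lib/wfu_functions.php
+++ b/wp-file-upload/trunk/lib/wfu_functions.php
@@ -6106,7 +6106,6 @@
 $defaults\[$def\["type"\]\] = $default;
 }
-// $fields\_arr = explode("/", $value);
 $value = str\_replace("/", "\[/\]", $value);
-$value = preg\_replace\_callback("/\\(.\*\\)/", "wfu\_preg\_replace\_callback\_func", $value);
+$value = preg\_replace\_callback("/\\(.\*?\\)/", "wfu\_preg\_replace\_callback\_func", $value);
 $fields\_arr = explode("\[/\]", $value);
 //parse shortcode attribute to $fields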
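Review bot: The lazy pattern `/\(.*?\)/` at new line 6109 stops at the first closing parenthesis, so a value with nested parentheses such as `(a(b)/c)` (constructed example) is matched only up to `(a(b)`, and a `[/]` after that point is never passed to `wfu_preg_replace_callback_func`. If nested parentheses can occur in this shortcode attribute, which is not visible here, state the limit next to the call, e.g. `// non-greedy: each (...) group is handled separately; nested parentheses are not supported`. The enclosing function starts and ends outside the hunk.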
wp-file-upload/trunk/lib/wfu_template.php
r2909107
r2915978
488
488
this.update = function(action, filenames) {
489
489
var textbox = document.getElementById('fileName\_$ID');
490
if (action == "init" && textbox.className == "file\_input\_textbox\_nofile") {
490
if (!(action != "init" || textbox.className != "file\_input\_textbox\_nofile")) {
491
491
textbox.value = "";
492
492
textbox.className = "file\_input\_textbox";
…
…
1051
1051
this.check = function() {
1052
1052
//synchronize editbox with selected value
1053
if (this.\_editable && this.\_sel.selectedIndex > 0) {
1053
if (!(!this.\_editable || this.\_sel.selectedIndex <= 0)) {
1054
1054
this.\_editbox.value = this.\_sel.value.replace(/^\\s+/,"");
1055
1055
this.\_set\_editbox\_status("match");
…
…
1060
1060
else this.update\_handler(this.\_sel.selectedIndex);
1061
1061
1062
if ((!this.\_editable && this.\_sel.selectedIndex == 0) || (this.\_editable && (this.\_editbox.value == '' || this.\_get\_editbox\_status() == "empty"))) {
1062
if (!(this.\_editable || this.\_sel.selectedIndex != 0) || !(!this.\_editable || !(this.\_editbox.value == '' || this.\_get\_editbox\_status() == "empty"))) {
1063
1063
if (this.\_editable) this.\_editbox.value = "";
1064
1064
this.\_set\_select\_status("prompt");
…
…
1497
1497
1498
1498
/\*\*
1499
\* returns the value of a form's stored hidden field
1500
\*
1501
\* This function returns the value of a hidden field of the upload form
1502
\* element.
1503
\*
1504
\* @param id the id of the hidden field
1505
\*
1506
\* @return string the value of the hidden field
1507
\*/
1508
this.getStoreddata = function(id) {
1509
return document.getElementById(id).value;
1510
}
1511
1512
/\*\*
1513
\* sets the value of a form's stored hidden field
1514
\*
1515
\* This function sets the value of a hidden field of the upload form element.
1516
\*
1517
\* @param id the id of the hidden field
1518
\* @param value the new value
1519
\*/
1520
this.setStoreddata = function(id, value) {
1521
document.getElementById(id).value = value;
1522
}
1523
1524
/\*\*
1499
1525
\* attaches click action event on select button
1500
1526
\*
…
…
1601
1627
this.changeFileName = function(new\_filename) {
1602
1628
document.getElementById("upfile\_$ID").name = new\_filename;
1629
var new\_filename\_prefix = new\_filename;
1630
if (new\_filename\_prefix.endsWith('\[\]')) new\_filename\_prefix = new\_filename\_prefix.substr(0, new\_filename\_prefix.length - 2);
1631
document.getElementById('uploadedfile\_$ID\_name').name = new\_filename\_prefix + '\_name';
1632
document.getElementById('uploadedfile\_$ID\_size').name = new\_filename\_prefix + '\_size';
1603
1633
}
1604
1634
…
…
2130
2160
\*/
2131
2161
this.initButtons = function(mode) {
2132
if (typeof SVGInjector == "undefined") {
2133
!function(t,e){"use strict";function r(t){t=t.split(" ");for(var e={},r=t.length,n=\[\];r--;)e.hasOwnProperty(t\[r\])||(e\[t\[r\]\]=1,n.unshift(t\[r\]));return n.join(" ")}var n="file:"===t.location.protocol,i=e.implementation.hasFeature("http://www.w3.org/TR/SVG11/feature#BasicStructure","1.1"),o=Array.prototype.forEach||function(t,e){if(void 0===this||null===this||"function"!=typeof t)throw new TypeError;var r,n=this.length>>>0;for(r=0;n>r;++r)r in this&&t.call(e,this\[r\],r,this)},a={},l=0,s=\[\],u=\[\],c={},f=function(t){return t.cloneNode(!0)},p=function(t,e){u\[t\]=u\[t\]||\[\],u\[t\].push(e)},d=function(t){for(var e=0,r=u\[t\].length;r>e;e++)!function(e){setTimeout(function(){u\[t\]\[e\](f(a\[t\]))},0)}(e)},v=function(e,r){if(void 0!==a\[e\])a\[e\]instanceof SVGSVGElement?r(f(a\[e\])):p(e,r);else{if(!t.XMLHttpRequest)return r("Browser does not support XMLHttpRequest"),!1;a\[e\]={},p(e,r);var i=new XMLHttpRequest;i.onreadystatechange=function(){if(4===i.readyState){if(404===i.status||null===i.responseXML)return r("Unable to load SVG file: "+e),n&&r("Note: SVG injection ajax calls do not work locally without adjusting security setting in your browser. 
Or consider using a local webserver."),r(),!1;if(!(200===i.status||n&&0===i.status))return r("There was a problem injecting the SVG: "+i.status+" "+i.statusText),!1;if(i.responseXML instanceof Document)a\[e\]=i.responseXML.documentElement;else if(DOMParser&&DOMParser instanceof Function){var t;try{var o=new DOMParser;t=o.parseFromString(i.responseText,"text/xml")}catch(l){t=void 0}if(!t||t.getElementsByTagName("parsererror").length)return r("Unable to parse SVG file: "+e),!1;a\[e\]=t.documentElement}d(e)}},i.open("GET",e),i.overrideMimeType&&i.overrideMimeType("text/xml"),i.send()}},h=function(e,n,a,u){var f=e.getAttribute("data-src")||e.getAttribute("src");if(!/\\.svg/i.test(f))return void u("Attempted to inject a file with a non-svg extension: "+f);if(!i){var p=e.getAttribute("data-fallback")||e.getAttribute("data-png");return void(p?(e.setAttribute("src",p),u(null)):a?(e.setAttribute("src",a+"/"+f.split("/").pop().replace(".svg",".png")),u(null)):u("This browser does not support SVG and no PNG fallback was defined."))}-1===s.indexOf(e)&&(s.push(e),e.setAttribute("src",""),v(f,function(i){if("undefined"==typeof i||"string"==typeof i)return u(i),!1;var a=e.getAttribute("id");a&&i.setAttribute("id",a);var p=e.getAttribute("title");p&&i.setAttribute("title",p);var d=\[\].concat(i.getAttribute("class")||\[\],"injected-svg",e.getAttribute("class")||\[\]).join(" ");i.setAttribute("class",r(d));var v=e.getAttribute("style");v&&i.setAttribute("style",v);var h=\[\].filter.call(e.attributes,function(t){return/^data-\\w\[\\w\\-\]\*$/.test(t.name)});o.call(h,function(t){t.name&&t.value&&i.setAttribute(t.name,t.value)});var 
g,m,b,y,A,w={clipPath:\["clip-path"\],"color-profile":\["color-profile"\],cursor:\["cursor"\],filter:\["filter"\],linearGradient:\["fill","stroke"\],marker:\["marker","marker-start","marker-mid","marker-end"\],mask:\["mask"\],pattern:\["fill","stroke"\],radialGradient:\["fill","stroke"\]};Object.keys(w).forEach(function(t){g=t,b=w\[t\],m=i.querySelectorAll("defs "+g+"\[id\]");for(var e=0,r=m.length;r>e;e++){y=m\[e\].id,A=y+"-"+l;var n;o.call(b,function(t){n=i.querySelectorAll("\["+t+'\*="'+y+'"\]');for(var e=0,r=n.length;r>e;e++)n\[e\].setAttribute(t,"url(#"+A+")")}),m\[e\].id=A}}),i.removeAttribute("xmlns:a");for(var x,S,k=i.querySelectorAll("script"),j=\[\],G=0,T=k.length;T>G;G++)S=k\[G\].getAttribute("type"),S&&"application/ecmascript"!==S&&"application/javascript"!==S||(x=k\[G\].innerText||k\[G\].textContent,j.push(x),i.removeChild(k\[G\]));if(j.length>0&&("always"===n||"once"===n&&!c\[f\])){for(var M=0,V=j.length;V>M;M++)new Function(j\[M\])(t);c\[f\]=!0}var E=i.querySelectorAll("style");o.call(E,function(t){t.textContent+=""}),e.parentNode.replaceChild(i,e),delete s\[s.indexOf(e)\],e=null,l++,u(i)}))},g=function(t,e,r){e=e||{};var n=e.evalScripts||"always",i=e.pngFallback||!1,a=e.each;if(void 0!==t.length){var l=0;o.call(t,function(e){h(e,n,i,function(e){a&&"function"==typeof a&&a(e),r&&t.length===++l&&r(l)})})}else t?h(t,n,i,function(e){a&&"function"==typeof a&&a(e),r&&r(1),t=null}):r&&r(0)};"object"==typeof module&&"object"==typeof module.exports?module.exports=exports=g:"function"==typeof define&&define.amd?define(function(){return g}):"object"==typeof t&&(t.SVGInjector=g)}(window,document);
2134
}
2162
wfu\_webcam\_init\_svginjector();
2135
2163
if (document.getElementById("webcam\_$ID\_btns\_converted").value != "1") {
2136
2164
SVGInjector(document.getElementById("webcam\_$ID\_btns"));
…
…
2461
2489
//does not exist; initialization will be executed only once
2462
2490
if (!window\["wfu\_toBlob\_function\_initialized"\]) {
2463
!function(t){"use strict";var e=t.HTMLCanvasElement&&t.HTMLCanvasElement.prototype,o=t.Blob&&function(){try{return Boolean(new Blob)}catch(t){return!1}}(),n=o&&t.Uint8Array&&function(){try{return 100===new Blob(\[new Uint8Array(100)\]).size}catch(t){return!1}}(),r=t.BlobBuilder||t.WebKitBlobBuilder||t.MozBlobBuilder||t.MSBlobBuilder,a=/^data:((.\*?)(;charset=.\*?)?)(;base64)?,/,i=(o||r)&&t.atob&&t.ArrayBuffer&&t.Uint8Array&&function(t){var e,i,l,u,b,c,d,B,f;if(e=t.match(a),!e)throw new Error("invalid data URI");for(i=e\[2\]?e\[1\]:"text/plain"+(e\[3\]||";charset=US-ASCII"),l=!!e\[4\],u=t.slice(e\[0\].length),b=l?atob(u):decodeURIComponent(u),c=new ArrayBuffer(b.length),d=new Uint8Array(c),B=0;B<b.length;B+=1)d\[B\]=b.charCodeAt(B);return o?new Blob(\[n?d:c\],{type:i}):(f=new r,f.append(c),f.getBlob(i))};t.HTMLCanvasElement&&!e.toBlob&&(e.mozGetAsFile?e.toBlob=function(t,o,n){t(n&&e.toDataURL&&i?i(this.toDataURL(o,n)):this.mozGetAsFile("blob",o))}:e.toDataURL&&i&&(e.toBlob=function(t,e,o){t(i(this.toDataURL(e,o)))})),"function"==typeof define&&define.amd?define(function(){return i}):"object"==typeof module&&module.exports?module.exports=i:t.dataURLtoBlob=i}(window);
2464
window\["wfu\_toBlob\_function\_initialized"\] = true;
2491
wfu\_webcam\_initialize\_toBlob();
2465
2492
}
2466
2493
if (canvas.toBlob) {
…
…
3143
3170
var file\_ids = \[\];
3144
3171
while (next\_block != null) {
3145
if (next\_block.nodeType === 1 && next\_block.id.substr(0, prefix.length) == prefix)
3172
if (!(next\_block.nodeType !== 1 || next\_block.id.substr(0, prefix.length) != prefix))
3146
3173
file\_ids.push(next\_block.id.substr(next\_block.id.lastIndexOf("\_") + 1));
3147
3174
next\_block = next\_block.nextSibling;
…
…
3823
3850
l2.style.display = "inline-block";
3824
3851
f2.checked = (props.default == f2.value);
3825
if (i > 0 && or == "vertical") p.appendChild(document.createElement("BR"));
3852
if (!(i <= 0 || or != "vertical")) p.appendChild(document.createElement("BR"));
3826
3853
p.appendChild(w);
3827
3854
}
…
…
3830
3857
jQuery(function() {
3831
3858
format = props.format.trim();
3832
if (format.substr(0, 1) == "(" && format.substr(format.length - 1, 1) == ")")
3859
if (!(format.substr(0, 1) != "(" || format.substr(format.length - 1, 1) != ")"))
3833
3860
format = format.substr(1, format.length - 2);
3834
3861
else format = "";
3835
3862
if (format == "") format = "yy-mm-dd";
3836
3863
def = props.default.trim();
3837
if (def.substr(0, 1) == "(" && def.substr(def.length - 1, 1) == ")")
3864
if (!(def.substr(0, 1) != "(" || def.substr(def.length - 1, 1) != ")"))
3838
3865
def = def.substr(1, def.length - 2);
3839
3866
else def = "";
…
…
3844
3871
jQuery(function() {
3845
3872
format = props.format.trim();
3846
if (format.substr(0, 1) == "(" && format.substr(format.length - 1, 1) == ")")
3873
if (!(format.substr(0, 1) != "(" || format.substr(format.length - 1, 1) != ")"))
3847
3874
format = format.substr(1, format.length - 2);
3848
3875
else format = "";
3849
3876
if (format == "") format = "HH:mm";
3850
3877
def = props.default.trim();
3851
if (def.substr(0, 1) == "(" && def.substr(def.length - 1, 1) == ")")
3878
if (!(def.substr(0, 1) != "(" || def.substr(def.length - 1, 1) != ")"))
3852
3879
def = def.substr(1, def.length - 2);
3853
3880
else def = "";
…
…
3866
3893
}
3867
3894
def = props.default.trim();
3868
if (def.substr(0, 1) == "(" && def.substr(def.length - 1, 1) == ")")
3895
if (!(def.substr(0, 1) != "(" || def.substr(def.length - 1, 1) != ")"))
3869
3896
def = def.substr(1, def.length - 2);
3870
3897
else def = "";
…
…
4185
4212
<input type="password" id="userdata\_$ID\_field\_<?php echo $p\["key"\]; ?>" class="file\_userdata\_message" value="<?php echo esc\_html($p\["default"\]); ?>" autocomplete="<?php echo ( $p\["donotautocomplete"\] ? 'off' : 'on' ); ?>" form="dummy\_$ID" onfocus="GlobalData.WFU\[$ID\].userdata.\_focused(this);"<?php echo ( $p\["labelposition"\] == "placeholder" ? ' placeholder="'.esc\_html($p\["label"\]).'"' : '' ); ?> />
4186
4213
<?php elseif ( $p\["type"\] == "checkbox" ): ?>
4187
<input type="checkbox" id="userdata\_$ID\_field\_<?php echo $p\["key"\]; ?>" class="file\_userdata\_checkbox" autocomplete="<?php echo ( $p\["donotautocomplete"\] ? 'off' : 'on' ); ?>" form="dummy\_$ID" style="display:none;" onfocus="GlobalData.WFU\[$ID\].userdata.\_focused(this);" />
4214
<input type="checkbox" id="userdata\_$ID\_field\_<?php echo $p\["key"\]; ?>" class="file\_userdata\_checkbox"<?php echo ( $p\["default"\] == "true" ? ' checked="true"' : '' ); ?> autocomplete="<?php echo ( $p\["donotautocomplete"\] ? 'off' : 'on' ); ?>" form="dummy\_$ID" style="display:none;" onfocus="GlobalData.WFU\[$ID\].userdata.\_focused(this);" />
4188
4215
<label id="userdata\_$ID\_checklabel\_<?php echo $p\["key"\]; ?>" class="file\_userdata\_checkbox\_description" for="userdata\_$ID\_field\_<?php echo $p\["key"\]; ?>" style="display:none;"><?php echo esc\_html($p\["data"\]); ?></label>
4189
4216
<?php elseif ( $p\["type"\] == "radiobutton" ): ?>
…
…
4322
4349
var radioyes = document.querySelector('#consent\_$ID .file\_consent\_radio\_yes');
4323
4350
var radiono = document.querySelector('#consent\_$ID .file\_consent\_radio\_no');
4324
if (radioyes && radiono) {
4351
if (!(!radioyes || !radiono)) {
4325
4352
radioyes.onchange = function() { completeaction((radioyes.checked ? "yes" : (radiono.checked ? "no" : ""))); };
4326
4353
radiono.onchange = function() { completeaction((radioyes.checked ? "yes" : (radiono.checked ? "no" : ""))); };
…
…
4344
4371
var radioyes = document.querySelector('#consent\_$ID .file\_consent\_radio\_yes');
4345
4372
var radiono = document.querySelector('#consent\_$ID .file\_consent\_radio\_no');
4346
if (radioyes && radiono) return (radioyes.checked || radiono.checked);
4373
if (!(!radioyes || !radiono)) return (radioyes.checked || radiono.checked);
4347
4374
}
4348
4375
return true;
…
…
4371
4398
box.onchange();
4372
4399
}
4373
else if (radioyes && radiono) {
4400
else if (!(!radioyes || !radiono)) {
4374
4401
radioyes.checked = false;
4375
4402
radiono.checked = false;
…
…
4383
4410
else if (action == "lock") {
4384
4411
if (box) box.disabled = true;
4385
else if (radioyes && radiono) {
4412
else if (!(!radioyes || !radiono)) {
4386
4413
radioyes.disabled = true;
4387
4414
radiono.disabled = true;
…
…
4390
4417
else if (action == "unlock") {
4391
4418
if (box) box.disabled = false;
4392
else if (radioyes && radiono) {
4419
else if (!(!radioyes || !radiono)) {
4393
4420
radioyes.disabled = false;
4394
4421
radiono.disabled = false;
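Review bot: In the `initButtons` hunk (new lines 2161–2164) `SVGInjector(document.getElementById("webcam_$ID_btns"))` is still called without options, and the injector code this commit moves behind `wfu_webcam_init_svginjector()` defaults `evalScripts` to `"always"`, which runs any `<script>` found in the fetched SVG through `new Function`. The button SVGs presumably ship with the plugin, but passing the option explicitly removes the dependency on that: `SVGInjector(document.getElementById("webcam_$ID_btns"), { evalScripts: "never" });`. Separately, the rewritten conditions such as `if (!(!radioyes || !radiono))` carry no comment saying why the `&&` form was dropped; a short note at the first occurrence would keep a later clean-up from reverting them. `initButtons` continues outside the hunk.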
wp-file-upload/trunk/readme.txt
r2909107
r2915978
4
4
Tags: file, upload, ajax, form, page, post, sidebar, responsive, widget, webcam, ftp
5
5
Requires at least: 2.9.2
6
Tested up to: 6.2
6
Tested up to: 6.2.2
7
7
Stable tag: "trunk"
8
8
License: GPLv2 or later
…
…
149
149
150
150
\== Changelog ==
151
152
\= 4.19.2 =
153
\* codes improvements in plugin settings to protect against XSS attacks
154
\* code improvements in backend file browser to avoid directory traversal attacks
155
\* permanent fix for compatibility with block themes
151
156
152
157
\= 4.19.1 =
…
…
941
946
\== Upgrade Notice ==
942
947
948
\= 4.19.2 =
949
Urgent update to fix some security issues.
950
943
951
\= 4.19.1 =
944
952
Minor update to fix some bugs and introduce some code improvements.
wp-file-upload/trunk/release_notes.txt
r2909107
r2915978
1
<!-- --><span><strong>Version 4.19.1</strong> is a regular update that introduces some code improvements regarding <strong>upload metrics</strong> and bug fixes.<br /><br />
1
<!-- --><span><strong>Version 4.19.2</strong> is a regular update that introduces some code improvements to better shield the plugin against <strong>XSS</strong> and <strong>directory traversal</strong> attacks. It also introduces a permanent fix for compatibility with <strong>block themes</strong>.<br /><br />
2
2
For more details about this version's changes please visit the <strong>Release Notes</strong> of the plugin's </span><a href="http://www.iptanus.com/wordpress-plugins/wordpress-file-upload/">support page</a><span>.</span><!-- -->
3
3
<!-- -->
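--- a/wp-file-upload/trunk/wfu_loader.php
+++ b/wp-file-upload/trunk/wfu_loader.php
@@ -208,4 +208,13 @@
 wp\_enqueue\_script('jquery-ui-timepicker-addon-js', WPFILEUPLOAD\_DIR.'vendor/jquery/jquery-ui-timepicker-addon.min.js', array("jquery-ui-datepicker"));
 }
+/\*\*
+\* Execute Custom Actions After Loading Frontpage Scripts.
+\*
+\* This filter allows to execute custom actions after the plugin's frontpage
+\* styles and scripts have been loaded.
+\*
+\* @since 4.19.2
+\*/
+do\_action('wfu\_after\_frontpage\_scripts');
 }
 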
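Review bot: The docblock added at new lines 210–217 calls the hook a filter (`This filter allows to execute custom actions…`), but the line below fires it with `do_action('wfu_after_frontpage_scripts')`, so consumers must attach with `add_action()` and no value is passed back. Reword the description to `* This action fires after the plugin's frontpage styles and scripts have been loaded.` The enclosing function starts outside the hunk.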
wp-file-upload/trunk/wordpress_file_upload.php
r2909107
r2915978
4
4
Plugin URI: https://www.iptanus.com/support/wordpress-file-upload
5
5
Description: Simple interface to upload files from a page.
6
Version: 4.19.1
6
Version: 4.19.2
7
7
Author: Nickolas Bossinas
8
8
Author URI: https://www.iptanus.com/nickolas