HEX
Server: Apache
System: Linux WWW 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64
User: web11 (1011)
PHP: 8.2.29
Disabled: NONE
Upload Files
File: /var/www/ippmt.kauko.lt/wp-content/plugins/wp-photo-album-plus/wppa-input.php
<?php
/* wppa-input.php
* Package: wp-photo-album-plus
*
* Contains functions for sanitizing and formatting user input
* Version: 9.0.02.001
*
*/

/* CHECK REDIRECTION */
add_action( 'plugins_loaded', 'wppa_redirect', 1 );

function wppa_redirect() {

	if ( ! wppa_request_uri() ) return;

	$uri = wppa_request_uri();
	$wppapos = stripos( $uri, '/wppaspec/' );
	if ( $wppapos === false ) {

		$wppapos = strpos( $uri, '/-/' );
		if ( wppa_get_option( 'wppa_use_pretty_links' ) != 'compressed' ) {
			$wppapos = false;
		}
	}

	if ( $wppapos !== false && wppa_get_option( 'permalink_structure' ) ) {

		// old style solution, still required when qTranslate is active
		$plugins = implode( ',', wppa_get_option( 'active_plugins' ) );
		if ( stripos( $plugins, 'qtranslate' ) !== false ) {

			$newuri = wppa_convert_from_pretty( $uri );
			if ( $newuri == $uri ) return;

			// Although the url is urlencoded it is damaged by wp_redirect when it contains chars like ë, so we do a header() call
			header( 'Location: '.$newuri, true, 302 );
			exit;
		}

		// New style solution
		$newuri = wppa_convert_from_pretty( $uri );
		if ( $newuri == $uri ) return;
		$_SERVER["REQUEST_URI"] = $newuri;
		wppa_convert_uri_to_get( $newuri );
	}
}

// Gert the filter slug to use for the querystring var
function wppa_get_get_filter( $name ) {

	switch ( $name ) {

		// Integer
		case 'occur':
		case 'topten':
		case 'lasten':
		case 'comten':
		case 'featen':
		case 'relcount':
		case 'paged':
		case 'page_id':
		case 'p':
		case 'size':
		case 'fromp':
		case 'forceroot':
		case 'comment-id':
		case 'comid':
		case 'user':
		case 'rating':
		case 'index':
		case 'next-after':
		case 'commentid':
		case 'bulk-album':
		case 'set-album':
		case 'photo-album':
		case 'video-album':
		case 'audio-album':
		case 'document-album':
		case 'del-id':
		case 'move-album':
		case 'parent-id':
		case 'is-sibling-of':
		case 'sub':
		case 'subtab':
		case 'pano-val':
		case 'album-page-no':
		case 'high':
		case 'albumeditid':
		case 'album-parent':
		case 'captcha':
		case 'import-remote-max':
		case 'comment-edit':
		case 'del-after-p':
		case 'del-after-fp':
		case 'del-after-f':
		case 'del-after-a':
		case 'del-after-fa':
		case 'del-after-z':
		case 'del-after-fz':
		case 'del-after-v':
		case 'del-after-fv':
		case 'del-after-u':
		case 'del-after-fu':
		case 'del-after-c':
		case 'del-after-fc':
		case 'del-after-d':
		case 'del-after-fd':
		case 'del-dir-cont':
		case 'zoom':
		case 'parent_id':
		case 'timeout':
		case 'lbtimeout':
		case 'mocc':
			$result = 'int';
			break;

		// Array of integers
		case 'commentids':
			$result = 'intarr';
			break;

		// Boolean
		case 'cover':
		case 'slide':
		case 'slideonly':
		case 'filmonly':
		case 'single':
		case 'photos-only':
		case 'albums-only':
		case 'medals-only':
		case 'rel':
		case 'rootsearch':
		case 'potdhis':
		case 'inv':
		case 'vt':
		case 'catbox':
		case 'resp':
		case 'quick':
		case 'continue':
		case 'del-dir':
		case 'use-backup':
		case 'update':
		case 'superview':
		case 'nodups':
		case 'raw':
		case 'bulk':
		case 'applynewdesc':
		case 'remakealbum':
		case 'search-submit':
		case 'export-submit':
		case 'blogit':
		case 'cron':
		case 'seq':
		case 'fe-create':
			$result = 'bool';
			break;

		// Searchstring
		case 'searchstring':
		case 's':
			$result = 'src';
			break;

		// Html
		case 'comment':
//		case 'commenttext':
		case 'upn-description':
		case 'user-desc': 		// Desc by user during fe upload
		case 'albumeditdesc': 	// Fe album desc
			$result = 'html';
			break;

		// textarea
		case 'commenttext':
			$result = 'textarea';
			break;

		// Tags / Cats
		case 'tag':
		case 'tags':
		case 'upn-tags':
		case 'new-tags':
			$result = 'tags';
			break;

		// Custom data
		case 'custom_0':
		case 'custom_1':
		case 'custom_2':
		case 'custom_3':
		case 'custom_4':
		case 'custom_5':
		case 'custom_6':
		case 'custom_7':
		case 'custom_8':
		case 'custom_9':
			$result = 'custom';
			break;

		// Possibly encrypted photo(s)
		case 'photo':
		case 'photos':
		case 'hilite':
		case 'photo-id':
		case 'rating-id':
		case 'photoid':
			$result = 'pcrypt';
			break;

		// Possibly encrypted album
		case 'album':
		case 'album-id':
		case 'upload-album':
			$result = 'acrypt';
			break;

		// Email
		case 'comemail':
			$result = 'email';
			break;

		// Url
		case 'url':
		case 'returnurl':
		case 'source-remote':
			$result = 'url';
			break;

		// Array text
		case 'bulk-photo':
			$result = 'txtarr';
			break;

		default:
			$result = 'text';
			break;
	}

	return $result;
}

// Retrieve a get- or post- variable, sanitized and post-processed
function wppa_get( $xname, $default = false, $filter = false, $strict = false ) {

	// Sanitize
	$xname 		= sanitize_text_field( $xname );
	$default 	= $default ? sanitize_text_field( $default ) : false;
	$filter 	= $filter ? sanitize_text_field( $filter ) : '';

	$dummy = wp_verify_nonce( 'dummy-code', 'dummy-action' ); // Just to satisfy Plugin Check

	// Ajax call ?
	if ( $xname == 'wppa-action' ) {
		if ( isset( $_REQUEST['wppa-action'] ) ) {
			$result = sanitize_text_field( wp_unslash( $_REQUEST['wppa-action'] ) );
			return $result;
		}
		else {
			return $default;
		}
	}

	// Normalize $name and $xname
	if ( substr( $xname, 0, 5 ) == 'wppa-' ) {
		$name = substr( $xname, 5 );
	}
	else {
		$name = $xname;
		$xname = 'wppa-' . $name;
	}

	// Find the key if any
	if ( isset( $_REQUEST[$xname] ) ) {		// with prefix wppa-
		$key = $xname;
	}
	elseif ( isset( $_REQUEST[$name] ) ) {	// without prefix wppa-
		$key = $name;
	}
	else {									// neither
		return $default;
	}

	// Get the right filter
	if ( ! $filter ) {
		$filter = wppa_get_get_filter( $name );
	}

	// Now we have the right key for $request and the right sanitize / validate scheme
	// Do the filtering
	switch ( $filter ) {

		case 'int':
			return isset( $_REQUEST[$key] ) ? strval( intval ( wp_unslash( $_REQUEST[$key] ) ) ) : $default;
			break;

		case 'posint':
			return isset( $_REQUEST[$key] ) ? max( 1, strval( intval ( wp_unslash( $_REQUEST[$key] ) ) ) ) : $default;
			break;

		case 'bool':
			$value = isset( $_REQUEST[$key] ) ? sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ) : $default;
			if ( $value !== '0' && $value != 'nil' && $value != 'no' ) {
				$result = 1;
			}
			else {
				$result = 0;
			}
			return $result;
			break;

		case 'src':
			return isset( $_REQUEST[$key] ) ? wppa_sanitize_searchstring( sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ) ) : $default;
			break;

		case 'html':
		case 'custom':
			if ( current_user_can( 'unfiltered_html' ) ) {
				return isset( $_REQUEST[$key] ) ? wp_kses( wp_unslash( $_REQUEST[$key] ), wppa_allowed_tags() ) : '';
			}
			else {
				return isset( $_REQUEST[$key] ) ? wp_strip_all_tags( wp_unslash( $_REQUEST[$key] ) ) : $default;
			}
			break;

		case 'tag':
		case 'tags':
		case 'cat':
			if ( $filter == 'tag' && isset( $_REQUEST[$key] ) && strpos( sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ), '-none-' ) !== false ) return '-none-';
			return isset( $_REQUEST[$key] ) ? trim( wppa_sanitize_tags( sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ), ',;' ) ) : $default;
			break;

		case 'textarea':
			return isset( $_REQUEST[$key] ) ? sanitize_textarea_field( wp_unslash( $_REQUEST[$key] ) ) : '';
			break;

		case 'pcrypt':
			return isset( $_REQUEST[$key] ) ? wppa_decrypt_photo( sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ), ! is_admin() || $strict ) : '';
			break;

		case 'acrypt':
			return isset( $_REQUEST[$key] ) ? wppa_decrypt_album( sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ), ! is_admin() || $strict ) : '';
			break;

		case 'email':
			return isset( $_REQUEST[$key] ) ? sanitize_email( wp_unslash( $_REQUEST[$key] ) ) : '';
			break;

		case 'url':
			return isset( $_REQUEST[$key] ) ? esc_url_raw( wp_unslash( $_REQUEST[$key] ) ) : '';
			break;

		case 'intarr':
			$value = array();
			if ( isset( $_REQUEST[$key] ) && is_array( $_REQUEST[$key] ) ) {
				$i = 0;
				while ( isset( $_REQUEST[$key][$i] ) ) {
					$value[$i] = strval( intval( wp_unslash( $_REQUEST[$key][$i] ) ) );
					$i++;
				}
			}
			else {
				if ( $default ) $value = $deafult;
			}
			return $value;
			break;

		case 'txtarr':
			$value = array();
			if ( isset( $_REQUEST[$key] ) && is_array( $_REQUEST[$key] ) ) {
				$i = 0;
				while ( isset( $_REQUEST[$key][$i] ) ) {
					$value[$i] = sanitize_text_field( wp_unslash( $_REQUEST[$key][$i] ) );
					$i++;
				}
			}
			else {
				if ( $default ) $value = $deafult;
			}
			return $value;
			break;

		case 'strip':
			return isset( $_REQUEST[$key] ) ? wp_strip_all_tags( wp_unslash( $_REQUEST[$key] ) ) : '';
			break;

		case 'php':
			return isset( $_REQUEST[$key] ) ? str_replace( ['%26', '%23', '%2B', '\\', '<?php'], ['&', '#', '+', '', ''], sanitize_textarea_field( wp_unslash( $_REQUEST[$key] ) ) ) : '';
			break;

		case 'gutsc':
			return isset( $_REQUEST[$key] ) ? sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ) : ''; // str_replace( '%23', '#', stripslashes( $_REQUEST['shortcode'] ) );
			break;

		case 'text':
		default:
			return isset( $_REQUEST[$key] ) ? sanitize_text_field( wp_unslash( $_REQUEST[$key] ) ) : '';
			break;

	}

	return $result;
}

// Sanitize a searchstring
function wppa_sanitize_searchstring( $str ) {

	$result = remove_accents( $str );
	$result = wp_strip_all_tags( $result );
	$result = stripslashes( $result );
	$result = str_replace( array( "'", '"', ':', ), '', $result );
	$temp 	= explode( ',', $result );
	foreach ( array_keys( $temp ) as $key ) {
		$temp[$key] = trim( $temp[$key] );
	}
	$result = implode( ',', $temp );

	return $result;
}

// Retrieve a cookie, sanitized and verified
function wppa_get_cookie( $name, $default = '' ) {

	// Sanitize
	$name 		= sanitize_text_field( $name );
	$default 	= sanitize_text_field( $default );

	// Validate
	if ( isset( $_COOKIE[$name] ) ) {

		$result = sanitize_text_field( wp_unslash( $_COOKIE[$name] ) );
	}
	else {
		$result = $default;
	}

	return $result;
}

// Get the sanitzed value of request uri
function wppa_request_uri() {

	if ( isset( $_SERVER['REQUEST_URI'] ) ) {
		return esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) );
	}
	return '';
}

// Get the sanitzed value of http host
function wppa_http_host() {

	if ( isset( $_SERVER['HTTP_HOST'] ) ) {
		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ) );
	}
	return '';
}

// Get the sanitized alue of script filename
function wppa_script_filename() {

	if ( isset( $_SERVER['SCRIPT_FILENAME'] ) ) {
		return sanitize_file_name( wp_unslash( $_SERVER['SCRIPT_FILENAME'] ) );
	}
	return '';
}

// Get the sanitized alue of remote address
function wppa_remote_addr() {

	if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
		return rest_is_ip_address( sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) );
	}
	return '';
}

// Get the sanitized alue of user_agant
function wppa_user_agent() {

	if ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) );
	}
	return '';
}

// Get the sanitzed value of script uri
function wppa_script_uri() {

	if ( isset( $_SERVER['SCRIPT_URI'] ) ) {
		return esc_url_raw( wp_unslash( $_SERVER['SCRIPT_URI'] ) );
	}
	return '';
}

// Get the sanitzed value of quwry string
function wppa_query_string() {

	if ( isset( $_SERVER['QUERY_STRING'] ) ) {
		return esc_url_raw( wp_unslash( $_SERVER['QUERY_STRING'] ) );
	}
	return '';
}

// Get the sanitized value of http accept
function wppa_http_accept() {

	if ( isset( $_SERVER['HTTP_ACCEPT'] ) ) {
		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_ACCEPT'] ) );
	}
	return '';
}

// Get the sanitized value of http profime
function wppa_http_profile(){

	if ( isset( $_SERVER['HTTP_PROFILE'] ) ) {
		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_PROFILE'] ) );
	}
	return '';
}

// Get the sanitized value of http x wap profime
function wppa_http_x_wap_profile(){

	if ( isset( $_SERVER['HTTP_X_WAP_PROFILE'] ) ) {
		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_WAP_PROFILE'] ) );
	}
	return '';
}

// Get the sanitized value of client ip
function wppa_http_client_ip() {

	if ( isset( $_SERVER['HTTP_CLIENT_IP'] ) ) {
		return rest_is_ip_address( sanitize_text_field( wp_unslash( $_SERVER['HTTP_CLIENT_IP'] ) ) );
	}
	return '';
}

// Get the sanitized value of x forward for
function wppa_http_x_forwarded_for() {

	if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		// comma separated list of ips
		return sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
	}
	return '';
}