fix merge conflicts

3rdparty/Google/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2007 Andy Smith
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

3rdparty/Google/OAuth.php

@@ -0,0 +1,751 @@
+<?php
+// vim: foldmethod=marker
+
+/* Generic exception class
+ */
+class OAuthException extends Exception {/*{{{*/
+  // pass
+}/*}}}*/
+
+class OAuthConsumer {/*{{{*/
+  public $key;
+  public $secret;
+
+  public function __construct($key, $secret, $callback_url=NULL) {/*{{{*/
+    $this->key = $key;
+    $this->secret = $secret;
+    $this->callback_url = $callback_url;
+  }/*}}}*/
+}/*}}}*/
+
+class OAuthToken {/*{{{*/
+  // access tokens and request tokens
+  public $key;
+  public $secret;
+
+  /**
+   * key = the token
+   * secret = the token secret
+   */
+  function __construct($key, $secret) {/*{{{*/
+    $this->key = $key;
+    $this->secret = $secret;
+  }/*}}}*/
+
+  /**
+   * generates the basic string serialization of a token that a server
+   * would respond to request_token and access_token calls with
+   */
+  function to_string() {/*{{{*/
+    return "oauth_token=" . OAuthUtil::urlencodeRFC3986($this->key) . 
+        "&oauth_token_secret=" . OAuthUtil::urlencodeRFC3986($this->secret);
+  }/*}}}*/
+
+  function __toString() {/*{{{*/
+    return $this->to_string();
+  }/*}}}*/
+}/*}}}*/
+
+class OAuthSignatureMethod {/*{{{*/
+  public function check_signature(&$request, $consumer, $token, $signature) {
+    $built = $this->build_signature($request, $consumer, $token);
+    return $built == $signature;
+  }
+}/*}}}*/
+
+class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod {/*{{{*/
+  function get_name() {/*{{{*/
+    return "HMAC-SHA1";
+  }/*}}}*/
+
+  public function build_signature($request, $consumer, $token, $privKey=NULL) {/*{{{*/
+    $base_string = $request->get_signature_base_string();
+    $request->base_string = $base_string;
+
+    $key_parts = array(
+      $consumer->secret,
+      ($token) ? $token->secret : ""
+    );
+
+    $key_parts = array_map(array('OAuthUtil','urlencodeRFC3986'), $key_parts);
+    $key = implode('&', $key_parts);
+
+    return base64_encode( hash_hmac('sha1', $base_string, $key, true));
+  }/*}}}*/
+}/*}}}*/
+
+class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod {/*{{{*/
+  public function get_name() {/*{{{*/
+    return "RSA-SHA1";
+  }/*}}}*/
+
+  protected function fetch_public_cert(&$request) {/*{{{*/
+    // not implemented yet, ideas are:
+    // (1) do a lookup in a table of trusted certs keyed off of consumer
+    // (2) fetch via http using a url provided by the requester
+    // (3) some sort of specific discovery code based on request
+    //
+    // either way should return a string representation of the certificate
+    throw Exception("fetch_public_cert not implemented");
+  }/*}}}*/
+
+  protected function fetch_private_cert($privKey) {//&$request) {/*{{{*/
+    // not implemented yet, ideas are:
+    // (1) do a lookup in a table of trusted certs keyed off of consumer
+    //
+    // either way should return a string representation of the certificate
+    throw Exception("fetch_private_cert not implemented");
+  }/*}}}*/
+
+  public function build_signature(&$request, $consumer, $token, $privKey) {/*{{{*/
+    $base_string = $request->get_signature_base_string();
+
+    // Fetch the private key cert based on the request
+    //$cert = $this->fetch_private_cert($consumer->privKey);
+
+    //Pull the private key ID from the certificate
+    //$privatekeyid = openssl_get_privatekey($cert);
+
+    // hacked in 
+    if ($privKey == '') {
+      $fp = fopen($GLOBALS['PRIV_KEY_FILE'], "r");
+      $privKey = fread($fp, 8192);
+      fclose($fp); 
+    }
+    $privatekeyid = openssl_get_privatekey($privKey);
+
+    //Check the computer signature against the one passed in the query
+    $ok = openssl_sign($base_string, $signature, $privatekeyid);   
+
+    //Release the key resource
+    openssl_free_key($privatekeyid);
+
+    return base64_encode($signature);
+  } /*}}}*/
+
+  public function check_signature(&$request, $consumer, $token, $signature) {/*{{{*/
+    $decoded_sig = base64_decode($signature);
+
+    $base_string = $request->get_signature_base_string();
+
+    // Fetch the public key cert based on the request
+    $cert = $this->fetch_public_cert($request);
+
+    //Pull the public key ID from the certificate
+    $publickeyid = openssl_get_publickey($cert);
+
+    //Check the computer signature against the one passed in the query
+    $ok = openssl_verify($base_string, $decoded_sig, $publickeyid);   
+
+    //Release the key resource
+    openssl_free_key($publickeyid);
+
+    return $ok == 1;
+  } /*}}}*/
+}/*}}}*/
+
+class OAuthRequest {/*{{{*/
+  private $parameters;
+  private $http_method;
+  private $http_url;
+  // for debug purposes
+  public $base_string;
+  public static $version = '1.0';
+
+  function __construct($http_method, $http_url, $parameters=NULL) {/*{{{*/
+    @$parameters or $parameters = array();
+    $this->parameters = $parameters;
+    $this->http_method = $http_method;
+    $this->http_url = $http_url;
+  }/*}}}*/
+
+
+  /**
+   * attempt to build up a request from what was passed to the server
+   */
+  public static function from_request($http_method=NULL, $http_url=NULL, $parameters=NULL) {/*{{{*/
+    $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") ? 'http' : 'https';
+    @$http_url or $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+    @$http_method or $http_method = $_SERVER['REQUEST_METHOD'];
+
+    $request_headers = OAuthRequest::get_headers();
+
+    // let the library user override things however they'd like, if they know
+    // which parameters to use then go for it, for example XMLRPC might want to
+    // do this
+    if ($parameters) {
+      $req = new OAuthRequest($http_method, $http_url, $parameters);
+    }
+    // next check for the auth header, we need to do some extra stuff
+    // if that is the case, namely suck in the parameters from GET or POST
+    // so that we can include them in the signature
+    else if (@substr($request_headers['Authorization'], 0, 5) == "OAuth") {
+      $header_parameters = OAuthRequest::split_header($request_headers['Authorization']);
+      if ($http_method == "GET") {
+        $req_parameters = $_GET;
+      } 
+      else if ($http_method = "POST") {
+        $req_parameters = $_POST;
+      } 
+      $parameters = array_merge($header_parameters, $req_parameters);
+      $req = new OAuthRequest($http_method, $http_url, $parameters);
+    }
+    else if ($http_method == "GET") {
+      $req = new OAuthRequest($http_method, $http_url, $_GET);
+    }
+    else if ($http_method == "POST") {
+      $req = new OAuthRequest($http_method, $http_url, $_POST);
+    }
+    return $req;
+  }/*}}}*/
+
+  /**
+   * pretty much a helper function to set up the request
+   */
+  public static function from_consumer_and_token($consumer, $token, $http_method, $http_url, $parameters=NULL) {/*{{{*/
+    @$parameters or $parameters = array();
+    $defaults = array("oauth_version" => OAuthRequest::$version,
+                      "oauth_nonce" => OAuthRequest::generate_nonce(),
+                      "oauth_timestamp" => OAuthRequest::generate_timestamp(),
+                      "oauth_consumer_key" => $consumer->key);
+    $parameters = array_merge($defaults, $parameters);
+
+    if ($token) {
+      $parameters['oauth_token'] = $token->key;
+    }
+
+    // oauth v1.0a
+    /*if (isset($_REQUEST['oauth_verifier'])) {
+      $parameters['oauth_verifier'] = $_REQUEST['oauth_verifier'];
+    }*/
+
+
+    return new OAuthRequest($http_method, $http_url, $parameters);
+  }/*}}}*/
+
+  public function set_parameter($name, $value) {/*{{{*/
+    $this->parameters[$name] = $value;
+  }/*}}}*/
+
+  public function get_parameter($name) {/*{{{*/
+    return $this->parameters[$name];
+  }/*}}}*/
+
+  public function get_parameters() {/*{{{*/
+    return $this->parameters;
+  }/*}}}*/
+
+  /**
+   * Returns the normalized parameters of the request
+   * 
+   * This will be all (except oauth_signature) parameters,
+   * sorted first by key, and if duplicate keys, then by
+   * value.
+   *
+   * The returned string will be all the key=value pairs
+   * concated by &.
+   * 
+   * @return string
+   */
+  public function get_signable_parameters() {/*{{{*/
+    // Grab all parameters
+    $params = $this->parameters;
+		
+    // Remove oauth_signature if present
+    if (isset($params['oauth_signature'])) {
+      unset($params['oauth_signature']);
+    }
+		
+    // Urlencode both keys and values
+    $keys = array_map(array('OAuthUtil', 'urlencodeRFC3986'), array_keys($params));
+    $values = array_map(array('OAuthUtil', 'urlencodeRFC3986'), array_values($params));
+    $params = array_combine($keys, $values);
+
+    // Sort by keys (natsort)
+    uksort($params, 'strnatcmp');
+
+if(isset($params['title']) && isset($params['title-exact'])) {
+    $temp = $params['title-exact'];
+    $title = $params['title'];
+
+    unset($params['title']);
+    unset($params['title-exact']);
+
+    $params['title-exact'] = $temp;
+    $params['title'] = $title;
+}
+
+    // Generate key=value pairs
+    $pairs = array();
+    foreach ($params as $key=>$value ) {
+      if (is_array($value)) {
+        // If the value is an array, it's because there are multiple 
+        // with the same key, sort them, then add all the pairs
+        natsort($value);
+        foreach ($value as $v2) {
+          $pairs[] = $key . '=' . $v2;
+        }
+      } else {
+        $pairs[] = $key . '=' . $value;
+      }
+    }
+		
+    // Return the pairs, concated with &
+    return implode('&', $pairs);
+  }/*}}}*/
+
+  /**
+   * Returns the base string of this request
+   *
+   * The base string defined as the method, the url
+   * and the parameters (normalized), each urlencoded
+   * and the concated with &.
+   */
+  public function get_signature_base_string() {/*{{{*/
+    $parts = array(
+      $this->get_normalized_http_method(),
+      $this->get_normalized_http_url(),
+      $this->get_signable_parameters()
+    );
+
+    $parts = array_map(array('OAuthUtil', 'urlencodeRFC3986'), $parts);
+
+    return implode('&', $parts);
+  }/*}}}*/
+
+  /**
+   * just uppercases the http method
+   */
+  public function get_normalized_http_method() {/*{{{*/
+    return strtoupper($this->http_method);
+  }/*}}}*/
+
+/**
+   * parses the url and rebuilds it to be
+   * scheme://host/path
+   */
+  public function get_normalized_http_url() {
+    $parts = parse_url($this->http_url);
+
+    $scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http';
+    $port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80');
+    $host = (isset($parts['host'])) ? strtolower($parts['host']) : '';
+    $path = (isset($parts['path'])) ? $parts['path'] : '';
+
+    if (($scheme == 'https' && $port != '443')
+        || ($scheme == 'http' && $port != '80')) {
+      $host = "$host:$port";
+    }
+    return "$scheme://$host$path";
+  }
+
+  /**
+   * builds a url usable for a GET request
+   */
+  public function to_url() {/*{{{*/
+    $out = $this->get_normalized_http_url() . "?";
+    $out .= $this->to_postdata();
+    return $out;
+  }/*}}}*/
+
+  /**
+   * builds the data one would send in a POST request
+   */
+  public function to_postdata() {/*{{{*/
+    $total = array();
+    foreach ($this->parameters as $k => $v) {
+      $total[] = OAuthUtil::urlencodeRFC3986($k) . "=" . OAuthUtil::urlencodeRFC3986($v);
+    }
+    $out = implode("&", $total);
+    return $out;
+  }/*}}}*/
+
+  /**
+   * builds the Authorization: header
+   */
+  public function to_header() {/*{{{*/
+    $out ='Authorization: OAuth ';
+    $total = array();
+    
+    /*
+    $sig = $this->parameters['oauth_signature'];  
+    unset($this->parameters['oauth_signature']); 
+    uksort($this->parameters, 'strnatcmp');  
+    $this->parameters['oauth_signature'] = $sig;
+    */
+    
+    foreach ($this->parameters as $k => $v) {
+      if (substr($k, 0, 5) != "oauth") continue;
+      $out .= OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '", ';
+    }
+    $out = substr_replace($out, '', strlen($out) - 2);
+    
+    return $out;
+  }/*}}}*/
+
+  public function __toString() {/*{{{*/
+    return $this->to_url();
+  }/*}}}*/
+
+
+  public function sign_request($signature_method, $consumer, $token, $privKey=NULL) {/*{{{*/
+    $this->set_parameter("oauth_signature_method", $signature_method->get_name());
+    $signature = $this->build_signature($signature_method, $consumer, $token, $privKey);
+    $this->set_parameter("oauth_signature", $signature);
+  }/*}}}*/
+
+  public function build_signature($signature_method, $consumer, $token, $privKey=NULL) {/*{{{*/
+    $signature = $signature_method->build_signature($this, $consumer, $token, $privKey);
+    return $signature;
+  }/*}}}*/
+
+  /**
+   * util function: current timestamp
+   */
+  private static function generate_timestamp() {/*{{{*/
+    return time();
+  }/*}}}*/
+
+  /**
+   * util function: current nonce
+   */
+  private static function generate_nonce() {/*{{{*/
+    $mt = microtime();
+    $rand = mt_rand();
+
+    return md5($mt . $rand); // md5s look nicer than numbers
+  }/*}}}*/
+
+  /**
+   * util function for turning the Authorization: header into
+   * parameters, has to do some unescaping
+   */
+  private static function split_header($header) {/*{{{*/
+    // this should be a regex
+    // error cases: commas in parameter values
+    $parts = explode(",", $header);
+    $out = array();
+    foreach ($parts as $param) {
+      $param = ltrim($param);
+      // skip the "realm" param, nobody ever uses it anyway
+      if (substr($param, 0, 5) != "oauth") continue;
+
+      $param_parts = explode("=", $param);
+
+      // rawurldecode() used because urldecode() will turn a "+" in the
+      // value into a space
+      $out[$param_parts[0]] = rawurldecode(substr($param_parts[1], 1, -1));
+    }
+    return $out;
+  }/*}}}*/
+
+  /**
+   * helper to try to sort out headers for people who aren't running apache
+   */
+  private static function get_headers() {/*{{{*/
+    if (function_exists('apache_request_headers')) {
+      // we need this to get the actual Authorization: header
+      // because apache tends to tell us it doesn't exist
+      return apache_request_headers();
+    }
+    // otherwise we don't have apache and are just going to have to hope
+    // that $_SERVER actually contains what we need
+    $out = array();
+    foreach ($_SERVER as $key => $value) {
+      if (substr($key, 0, 5) == "HTTP_") {
+        // this is chaos, basically it is just there to capitalize the first
+        // letter of every word that is not an initial HTTP and strip HTTP
+        // code from przemek
+        $key = str_replace(" ", "-", ucwords(strtolower(str_replace("_", " ", substr($key, 5)))));
+        $out[$key] = $value;
+      }
+    }
+    return $out;
+  }/*}}}*/
+}/*}}}*/
+
+class OAuthServer {/*{{{*/
+  protected $timestamp_threshold = 300; // in seconds, five minutes
+  protected $version = 1.0;             // hi blaine
+  protected $signature_methods = array();
+
+  protected $data_store;
+
+  function __construct($data_store) {/*{{{*/
+    $this->data_store = $data_store;
+  }/*}}}*/
+
+  public function add_signature_method($signature_method) {/*{{{*/
+    $this->signature_methods[$signature_method->get_name()] = 
+        $signature_method;
+  }/*}}}*/
+
+  // high level functions
+
+  /**
+   * process a request_token request
+   * returns the request token on success
+   */
+  public function fetch_request_token(&$request) {/*{{{*/
+    $this->get_version($request);
+
+    $consumer = $this->get_consumer($request);
+
+    // no token required for the initial token request
+    $token = NULL;
+
+    $this->check_signature($request, $consumer, $token);
+
+    $new_token = $this->data_store->new_request_token($consumer);
+
+    return $new_token;
+  }/*}}}*/
+
+  /**
+   * process an access_token request
+   * returns the access token on success
+   */
+  public function fetch_access_token(&$request) {/*{{{*/
+    $this->get_version($request);
+
+    $consumer = $this->get_consumer($request);
+
+    // requires authorized request token
+    $token = $this->get_token($request, $consumer, "request");
+
+    $this->check_signature($request, $consumer, $token);
+
+    $new_token = $this->data_store->new_access_token($token, $consumer);
+
+    return $new_token;
+  }/*}}}*/
+
+  /**
+   * verify an api call, checks all the parameters
+   */
+  public function verify_request(&$request) {/*{{{*/
+    $this->get_version($request);
+    $consumer = $this->get_consumer($request);
+    $token = $this->get_token($request, $consumer, "access");
+    $this->check_signature($request, $consumer, $token);
+    return array($consumer, $token);
+  }/*}}}*/
+
+  // Internals from here
+  /**
+   * version 1
+   */
+  private function get_version(&$request) {/*{{{*/
+    $version = $request->get_parameter("oauth_version");
+    if (!$version) {
+      $version = 1.0;
+    }
+    if ($version && $version != $this->version) {
+      throw new OAuthException("OAuth version '$version' not supported");
+    }
+    return $version;
+  }/*}}}*/
+
+  /**
+   * figure out the signature with some defaults
+   */
+  private function get_signature_method(&$request) {/*{{{*/
+    $signature_method =  
+        @$request->get_parameter("oauth_signature_method");
+    if (!$signature_method) {
+      $signature_method = "PLAINTEXT";
+    }
+    if (!in_array($signature_method, 
+                  array_keys($this->signature_methods))) {
+      throw new OAuthException(
+        "Signature method '$signature_method' not supported try one of the following: " . implode(", ", array_keys($this->signature_methods))
+      );      
+    }
+    return $this->signature_methods[$signature_method];
+  }/*}}}*/
+
+  /**
+   * try to find the consumer for the provided request's consumer key
+   */
+  private function get_consumer(&$request) {/*{{{*/
+    $consumer_key = @$request->get_parameter("oauth_consumer_key");
+    if (!$consumer_key) {
+      throw new OAuthException("Invalid consumer key");
+    }
+
+    $consumer = $this->data_store->lookup_consumer($consumer_key);
+    if (!$consumer) {
+      throw new OAuthException("Invalid consumer");
+    }
+
+    return $consumer;
+  }/*}}}*/
+
+  /**
+   * try to find the token for the provided request's token key
+   */
+  private function get_token(&$request, $consumer, $token_type="access") {/*{{{*/
+    $token_field = @$request->get_parameter('oauth_token');
+    $token = $this->data_store->lookup_token(
+      $consumer, $token_type, $token_field
+    );
+    if (!$token) {
+      throw new OAuthException("Invalid $token_type token: $token_field");
+    }
+    return $token;
+  }/*}}}*/
+
+  /**
+   * all-in-one function to check the signature on a request
+   * should guess the signature method appropriately
+   */
+  private function check_signature(&$request, $consumer, $token) {/*{{{*/
+    // this should probably be in a different method
+    $timestamp = @$request->get_parameter('oauth_timestamp');
+    $nonce = @$request->get_parameter('oauth_nonce');
+
+    $this->check_timestamp($timestamp);
+    $this->check_nonce($consumer, $token, $nonce, $timestamp);
+
+    $signature_method = $this->get_signature_method($request);
+
+    $signature = $request->get_parameter('oauth_signature');    
+    $valid_sig = $signature_method->check_signature(
+      $request, 
+      $consumer, 
+      $token, 
+      $signature
+    );
+
+    if (!$valid_sig) {
+      throw new OAuthException("Invalid signature");
+    }
+  }/*}}}*/
+
+  /**
+   * check that the timestamp is new enough
+   */
+  private function check_timestamp($timestamp) {/*{{{*/
+    // verify that timestamp is recentish
+    $now = time();
+    if ($now - $timestamp > $this->timestamp_threshold) {
+      throw new OAuthException("Expired timestamp, yours $timestamp, ours $now");
+    }
+  }/*}}}*/
+
+  /**
+   * check that the nonce is not repeated
+   */
+  private function check_nonce($consumer, $token, $nonce, $timestamp) {/*{{{*/
+    // verify that the nonce is uniqueish
+    $found = $this->data_store->lookup_nonce($consumer, $token, $nonce, $timestamp);
+    if ($found) {
+      throw new OAuthException("Nonce already used: $nonce");
+    }
+  }/*}}}*/
+
+
+
+}/*}}}*/
+
+class OAuthDataStore {/*{{{*/
+  function lookup_consumer($consumer_key) {/*{{{*/
+    // implement me
+  }/*}}}*/
+
+  function lookup_token($consumer, $token_type, $token) {/*{{{*/
+    // implement me
+  }/*}}}*/
+
+  function lookup_nonce($consumer, $token, $nonce, $timestamp) {/*{{{*/
+    // implement me
+  }/*}}}*/
+
+  function fetch_request_token($consumer) {/*{{{*/
+    // return a new token attached to this consumer
+  }/*}}}*/
+
+  function fetch_access_token($token, $consumer) {/*{{{*/
+    // return a new access token attached to this consumer
+    // for the user associated with this token if the request token
+    // is authorized
+    // should also invalidate the request token
+  }/*}}}*/
+
+}/*}}}*/
+
+
+/*  A very naive dbm-based oauth storage
+ */
+class SimpleOAuthDataStore extends OAuthDataStore {/*{{{*/
+  private $dbh;
+
+  function __construct($path = "oauth.gdbm") {/*{{{*/
+    $this->dbh = dba_popen($path, 'c', 'gdbm');
+  }/*}}}*/
+
+  function __destruct() {/*{{{*/
+    dba_close($this->dbh);
+  }/*}}}*/
+
+  function lookup_consumer($consumer_key) {/*{{{*/
+    $rv = dba_fetch("consumer_$consumer_key", $this->dbh);
+    if ($rv === FALSE) {
+      return NULL;
+    }
+    $obj = unserialize($rv);
+    if (!($obj instanceof OAuthConsumer)) {
+      return NULL;
+    }
+    return $obj;
+  }/*}}}*/
+
+  function lookup_token($consumer, $token_type, $token) {/*{{{*/
+    $rv = dba_fetch("${token_type}_${token}", $this->dbh);
+    if ($rv === FALSE) {
+      return NULL;
+    }
+    $obj = unserialize($rv);
+    if (!($obj instanceof OAuthToken)) {
+      return NULL;
+    }
+    return $obj;
+  }/*}}}*/
+
+  function lookup_nonce($consumer, $token, $nonce, $timestamp) {/*{{{*/
+    return dba_exists("nonce_$nonce", $this->dbh);
+  }/*}}}*/
+
+  function new_token($consumer, $type="request") {/*{{{*/
+    $key = md5(time());
+    $secret = time() + time();
+    $token = new OAuthToken($key, md5(md5($secret)));
+    if (!dba_insert("${type}_$key", serialize($token), $this->dbh)) {
+      throw new OAuthException("doooom!");
+    }
+    return $token;
+  }/*}}}*/
+
+  function new_request_token($consumer) {/*{{{*/
+    return $this->new_token($consumer, "request");
+  }/*}}}*/
+
+  function new_access_token($token, $consumer) {/*{{{*/
+
+    $token = $this->new_token($consumer, 'access');
+    dba_delete("request_" . $token->key, $this->dbh);
+    return $token;
+  }/*}}}*/
+}/*}}}*/
+
+class OAuthUtil {/*{{{*/
+  public static function urlencodeRFC3986($string) {/*{{{*/
+    return str_replace('%7E', '~', rawurlencode($string));
+  }/*}}}*/
+    
+  public static function urldecodeRFC3986($string) {/*{{{*/
+    return rawurldecode($string);
+  }/*}}}*/
+}/*}}}*/
+
+?>

3rdparty/Google/common.inc.php

@@ -0,0 +1,185 @@
+<?php
+/* Copyright (c) 2009 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Author: Eric Bidelman <e.bidelman@google.com>
+ */
+
+$PRIV_KEY_FILE = '/path/to/your/rsa_private_key.pem';
+
+// OAuth library - http://oauth.googlecode.com/svn/code/php/
+require_once('OAuth.php');
+
+// Google's accepted signature methods
+$hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
+$rsa_method = new OAuthSignatureMethod_RSA_SHA1();
+$SIG_METHODS = array($rsa_method->get_name() => $rsa_method,
+                     $hmac_method->get_name() => $hmac_method);
+
+/**
+ * Makes an HTTP request to the specified URL
+ *
+ * @param string $http_method The HTTP method (GET, POST, PUT, DELETE)
+ * @param string $url Full URL of the resource to access
+ * @param array $extraHeaders (optional) Additional headers to include in each
+ *     request. Elements are header/value pair strings ('Host: example.com')
+ * @param string $postData (optional) POST/PUT request body
+ * @param bool $returnResponseHeaders True if resp. headers should be returned.
+ * @return string Response body from the server
+ */
+function send_signed_request($http_method, $url, $extraHeaders=null,
+                             $postData=null, $returnResponseHeaders=true) {
+  $curl = curl_init($url);
+  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+  curl_setopt($curl, CURLOPT_FAILONERROR, false);
+  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+
+  // Return request headers in the reponse
+//   curl_setopt($curl, CURLINFO_HEADER_OUT, true);
+
+  // Return response headers ni the response?
+  if ($returnResponseHeaders) {
+    curl_setopt($curl, CURLOPT_HEADER, true);
+  }
+
+  $headers = array();
+  //$headers[] = 'GData-Version: 2.0';  // use GData v2 by default
+  if (is_array($extraHeaders)) {
+    $headers = array_merge($headers, $extraHeaders);
+  }
+
+  // Setup default curl options for each type of HTTP request.
+  // This is also a great place to add additional headers for each request.
+  switch($http_method) {
+    case 'GET':
+      curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+      break;
+    case 'POST':
+      curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+      curl_setopt($curl, CURLOPT_POST, 1);
+      curl_setopt($curl, CURLOPT_POSTFIELDS, $postData);
+      break;
+    case 'PUT':
+      $headers[] = 'If-Match: *';
+      curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+      curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $http_method);
+      curl_setopt($curl, CURLOPT_POSTFIELDS, $postData);
+      break;
+    case 'DELETE':
+      $headers[] = 'If-Match: *';
+      curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+      curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $http_method);
+      break;
+    default:
+      curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+  }
+
+  // Execute the request.  If an error occures, fill the response body with it.
+  $response = curl_exec($curl);
+  if (!$response) {
+    $response = curl_error($curl);
+  }
+
+  // Add server's response headers to our response body
+ $response = curl_getinfo($curl, CURLINFO_HEADER_OUT) . $response;
+
+  curl_close($curl);
+
+  return $response;
+}
+
+/**
+* Takes XML as a string and returns it nicely indented
+*
+* @param string $xml The xml to beautify
+* @param boolean $html_output True if returned XML should be escaped for HTML.
+* @return string The beautified xml
+*/
+function xml_pretty_printer($xml, $html_output=false) {
+  $xml_obj = new SimpleXMLElement($xml);
+  $level = 2;
+
+  // Get an array containing each XML element
+  $xml = explode("\n", preg_replace('/>\s*</', ">\n<", $xml_obj->asXML()));
+
+  // Hold current indentation level
+  $indent = 0;
+
+  $pretty = array();
+
+  // Shift off opening XML tag if present
+  if (count($xml) && preg_match('/^<\?\s*xml/', $xml[0])) {
+    $pretty[] = array_shift($xml);
+  }
+
+  foreach ($xml as $el) {
+    if (preg_match('/^<([\w])+[^>\/]*>$/U', $el)) {
+      // opening tag, increase indent
+      $pretty[] = str_repeat(' ', $indent) . $el;
+      $indent += $level;
+    } else {
+      if (preg_match('/^<\/.+>$/', $el)) {
+        $indent -= $level;  // closing tag, decrease indent
+      }
+      if ($indent < 0) {
+        $indent += $level;
+      }
+      $pretty[] = str_repeat(' ', $indent) . $el;
+    }
+  }
+
+  $xml = implode("\n", $pretty);
+  return $html_output ? htmlentities($xml) : $xml;
+}
+
+/**
+ * Joins key/value pairs by $inner_glue and each pair together by $outer_glue.
+ *
+ * Example: implode_assoc('=', '&', array('a' => 1, 'b' => 2)) === 'a=1&b=2'
+ *
+ * @param string $inner_glue What to implode each key/value pair with
+ * @param string $outer_glue What to impode each key/value string subset with
+ * @param array $array Associative array of query parameters
+ * @return string Urlencoded string of query parameters
+ */
+function implode_assoc($inner_glue, $outer_glue, $array) {
+  $output = array();
+  foreach($array as $key => $item) {
+    $output[] = $key . $inner_glue . urlencode($item);
+  }
+  return implode($outer_glue, $output);
+}
+
+/**
+ * Explodes a string of key/value url parameters into an associative array.
+ * This method performs the compliment operations of implode_assoc().
+ *
+ * Example: explode_assoc('=', '&', 'a=1&b=2') === array('a' => 1, 'b' => 2)
+ *
+ * @param string $inner_glue What each key/value pair is joined with
+ * @param string $outer_glue What each set of key/value pairs is joined with.
+ * @param array $array Associative array of query parameters
+ * @return array Urlencoded string of query parameters
+ */
+function explode_assoc($inner_glue, $outer_glue, $params) {
+  $tempArr = explode($outer_glue, $params);
+  foreach($tempArr as $val) {
+    $pos = strpos($val, $inner_glue);
+    $key = substr($val, 0, $pos);
+    $array2[$key] = substr($val, $pos + 1, strlen($val));
+  }
+  return $array2;
+}
+
+?>

apps/calendar/index.php

@@ -54,9 +54,9 @@ OCP\Util::addscript('contacts','jquery.multi-autocomplete');
 OCP\Util::addscript('','oc-vcategories');
 OCP\App::setActiveNavigationEntry('calendar_index');
 $tmpl = new OCP\Template('calendar', 'calendar', 'user');
-$tmpl->assign('eventSources', $eventSources);
+$tmpl->assign('eventSources', $eventSources,false);
 $tmpl->assign('categories', $categories);
 if(array_key_exists('showevent', $_GET)){
-	$tmpl->assign('showevent', $_GET['showevent']);
+	$tmpl->assign('showevent', $_GET['showevent'], false);
 }
 $tmpl->printPage();

apps/calendar/templates/part.choosecalendar.rowfields.php

@@ -1,8 +1,8 @@
 <?php
 echo '<td width="20px"><input id="active_' . $_['calendar']['id'] . '" type="checkbox" onClick="Calendar.UI.Calendar.activation(this,' . $_['calendar']['id'] . ')"' . ($_['calendar']['active'] ? ' checked="checked"' : '') . '></td>';
-echo '<td  id="' . OCP\USER::getUser() . '_' . $_['calendar']['id'] . '"><label for="active_' . $_['calendar']['id'] . '">' . htmlspecialchars($_['calendar']['displayname']) . '</label></td>';
+echo '<td  id="' . OCP\USER::getUser() . '_' . $_['calendar']['id'] . '"><label for="active_' . $_['calendar']['id'] . '">' . $_['calendar']['displayname'] . '</label></td>';
 echo '<td width="20px"><a href="#" onclick="Calendar.UI.Share.dropdown(\'' . OCP\USER::getUser() . '\', \'' . $_['calendar']['id'] . '\');" title="' . $l->t("Share Calendar") . '" class="action"><img  class="svg action" src="' . ((!$_['shared']) ? OCP\Util::imagePath('core', 'actions/share.svg') : OCP\Util::imagePath('core', 'actions/shared.svg')) . '"></a></td>';
-echo '<td width="20px"><a href="#" onclick="Calendar.UI.showCalDAVUrl(\'' . OCP\USER::getUser() . '\', \'' . htmlentities($_['calendar']['uri']) . '\');" title="' . $l->t("CalDav Link") . '" class="action"><img  class="svg action" src="'.OCP\Util::imagePath('core', 'actions/public.svg').'"></a></td>';
+echo '<td width="20px"><a href="#" onclick="Calendar.UI.showCalDAVUrl(\'' . OCP\USER::getUser() . '\', \'' . $_['calendar']['uri'] . '\');" title="' . $l->t("CalDav Link") . '" class="action"><img  class="svg action" src="'.OCP\Util::imagePath('core', 'actions/public.svg').'"></a></td>';
 echo '<td width="20px"><a href="?app=calendar&getfile=export.php?calid=' . $_['calendar']['id'] . '" title="' . $l->t('Download') . '" class="action"><img class="svg action" src="'.OCP\Util::imagePath('core', 'actions/download.svg').'"></a></td>';
 echo '<td width="20px"><a  href="#" title="' . $l->t('Edit') . '" class="action" onclick="Calendar.UI.Calendar.edit(this, ' . $_['calendar']['id'] . ');"><img class="svg action" src="'.OCP\Util::imagePath('core', 'actions/rename.svg').'"></a></td>';
 echo '<td width="20px"><a href="#" onclick="Calendar.UI.Calendar.deleteCalendar(\'' . $_['calendar']['id'] . '\');" title="' . $l->t('Delete') . '" class="action"><img  class="svg action" src="'.OCP\Util::imagePath('core', 'actions/delete.svg').'"></a></td>';

apps/calendar/templates/part.choosecalendar.rowfields.shared.php

@@ -1,4 +1,4 @@
 <?php
 echo '<td width="20px"><input id="active_' . $_['share']['owner'] . '_' . $_['share']['calendar']['id'] . '" type="checkbox" onClick="Calendar.UI.Share.activation(this,\'' . $_['share']['owner'] . '\',' . $_['share']['calendar']['id'] . ')"' . ($_['share']['active'] ? ' checked="checked"' : '') . '></td>';
-echo '<td><label for="active_' . $_['share']['owner'] . '_' . $_['share']['calendar']['id'] . '">' . htmlspecialchars($_['share']['calendar']['displayname']) . '</label></td>';
+echo '<td><label for="active_' . $_['share']['owner'] . '_' . $_['share']['calendar']['id'] . '">' . $_['share']['calendar']['displayname'] . '</label></td>';
 echo '<td style="font-style: italic;">' .  $l->t('shared with you by') . ' ' . $_['share']['owner'] . '</td>';

apps/calendar/templates/part.eventform.php

@@ -18,7 +18,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid
 		<tr>
 			<th width="75px"><?php echo $l->t("Title");?>:</th>
 			<td>
-				<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Title of the Event");?>" value="<?php echo isset($_['title']) ? htmlspecialchars($_['title']) : '' ?>" maxlength="100" name="title"/>
+				<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Title of the Event");?>" value="<?php echo isset($_['title']) ? $_['title'] : '' ?>" maxlength="100" name="title"/>
 			</td>
 		</tr>
 	</table>
@@ -26,7 +26,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid
 		<tr>
 			<th width="75px"><?php echo $l->t("Category");?>:</th>
 			<td>
-				<input id="category" name="categories" type="text" placeholder="<?php echo $l->t('Separate categories with commas'); ?>" value="<?php echo isset($_['categories']) ? htmlspecialchars($_['categories']) : '' ?>">
+				<input id="category" name="categories" type="text" placeholder="<?php echo $l->t('Separate categories with commas'); ?>" value="<?php echo isset($_['categories']) ? $_['categories'] : '' ?>">
 				<a class="action edit" onclick="$(this).tipsy('hide');OCCategories.edit();" title="<?php echo $l->t('Edit categories'); ?>"><img alt="<?php echo $l->t('Edit categories'); ?>" src="<?php echo OCP\image_path('core','actions/rename.svg')?>" class="svg action" style="width: 16px; height: 16px;"></a>
 			</td>
 			<?php if(count($_['calendar_options']) > 1) { ?>
@@ -80,7 +80,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid
 			<tr>
 				<th width="85px"><?php echo $l->t("Location");?>:</th>
 				<td>
-					<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Location of the Event");?>" value="<?php echo isset($_['location']) ? htmlspecialchars($_['location']) : '' ?>" maxlength="100"  name="location" />
+					<input type="text" style="width:350px;" size="100" placeholder="<?php echo $l->t("Location of the Event");?>" value="<?php echo isset($_['location']) ? $_['location'] : '' ?>" maxlength="100"  name="location" />
 				</td>
 			</tr>
 		</table>
@@ -88,7 +88,7 @@ echo 'Calendar.UI.Share.idtype = "event";' . "\n" . 'Calendar.UI.Share.currentid
 			<tr>
 				<th width="85px" style="vertical-align: top;"><?php echo $l->t("Description");?>:</th>
 				<td>
-					<textarea style="width:350px;height: 150px;" placeholder="<?php echo $l->t("Description of the Event");?>" name="description"><?php echo isset($_['description']) ? htmlspecialchars($_['description']) : '' ?></textarea>
+					<textarea style="width:350px;height: 150px;" placeholder="<?php echo $l->t("Description of the Event");?>" name="description"><?php echo isset($_['description']) ? $_['description'] : '' ?></textarea>
 				</td>
 			</tr>
 		</table>

apps/calendar/templates/part.import.php

@@ -9,7 +9,7 @@
 $calendar_options = OC_Calendar_Calendar::allCalendars(OCP\USER::getUser());
 $calendar_options[] = array('id'=>'newcal', 'displayname'=>$l->t('create a new calendar'));
 for($i = 0;$i<count($calendar_options);$i++){
-	$calendar_options[$i]['displayname'] = htmlspecialchars($calendar_options[$i]['displayname']);
+	$calendar_options[$i]['displayname'] = $calendar_options[$i]['displayname'];
 }
 echo OCP\html_select_options($calendar_options, $calendar_options[0]['id'], array('value'=>'id', 'label'=>'displayname'));
 ?>

apps/calendar/templates/part.showevent.php

@@ -10,7 +10,7 @@
 		<tr>
 			<th width="75px"><?php echo $l->t("Title");?>:</th>
 			<td>
-				<?php echo isset($_['title']) ? htmlspecialchars($_['title']) : '' ?>
+				<?php echo isset($_['title']) ? $_['title'] : '' ?>
 			</td>
 		</tr>
 	</table>
@@ -79,7 +79,7 @@
 			<tr>
 				<th width="85px"><?php echo $l->t("Location");?>:</th>
 				<td>
-					<?php echo isset($_['location']) ? htmlspecialchars($_['location']) : '' ?>
+					<?php echo isset($_['location']) ? $_['location'] : '' ?>
 				</td>
 			</tr>
 		</table>
@@ -87,7 +87,7 @@
 			<tr>
 				<th width="85px" style="vertical-align: top;"><?php echo $l->t("Description");?>:</th>
 				<td>
-					<?php echo isset($_['description']) ? htmlspecialchars($_['description']) : '' ?></textarea>
+					<?php echo isset($_['description']) ? $_['description'] : '' ?></textarea>
 			</tr>
 		</table>
 	</div>

apps/contacts/ajax/activation.php

@@ -10,6 +10,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $bookid = $_POST['bookid'];
 $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check

apps/contacts/ajax/addcontact.php

@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $aid = isset($_POST['aid'])?$_POST['aid']:null;
 if(!$aid) {

apps/contacts/ajax/addproperty.php

@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));

apps/contacts/ajax/createaddressbook.php

@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $userid = OCP\USER::getUser();
 $name = trim(strip_tags($_POST['name']));

apps/contacts/ajax/cropphoto.php

@@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
 
 $tmpkey = $_GET['tmpkey'];
+$requesttoken = $_GET['requesttoken'];
 $id = $_GET['id'];
 $tmpl = new OCP\Template("contacts", "part.cropphoto");
 $tmpl->assign('tmpkey', $tmpkey);
 $tmpl->assign('id', $id);
+$tmpl->assign('requesttoken', $requesttoken);
 $page = $tmpl->fetchPage();
 
 OCP\JSON::success(array('data' => array( 'page' => $page )));

apps/contacts/ajax/deletebook.php

@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 //$id = $_GET['id'];
 $id = $_POST['id'];

apps/contacts/ajax/deletecard.php

@@ -28,6 +28,17 @@ function bailOut($msg) {
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
+// foreach($_SERVER as $key=>$value) {
+// 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG);
+// }
+foreach($_POST as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
 
 $id = isset($_POST['id'])?$_POST['id']:null;
 if(!$id) {

apps/contacts/ajax/deleteproperty.php

@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $checksum = $_POST['checksum'];

apps/contacts/ajax/savecrop.php

@@ -22,6 +22,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');

apps/contacts/ajax/saveproperty.php

@@ -20,10 +20,6 @@
  *
  */
 
-// Check if we are a user
-OCP\JSON::checkLoggedIn();
-OCP\JSON::checkAppEnabled('contacts');
-
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
@@ -33,6 +29,11 @@ function debug($msg) {
 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
 }
 
+// Check if we are a user
+OCP\JSON::checkLoggedIn();
+OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
 $id = isset($_POST['id'])?$_POST['id']:null;
 $name = isset($_POST['name'])?$_POST['name']:null;
 $value = isset($_POST['value'])?$_POST['value']:null;

apps/contacts/ajax/uploadphoto.php

@@ -23,6 +23,8 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
 function bailOut($msg) {

apps/contacts/js/contacts.js

@@ -622,7 +622,7 @@ Contacts={
 				q = q + '&id=' + this.id + '&name=' + name;
 				if(checksum != undefined && checksum != '') { // save
 					q = q + '&checksum=' + checksum;
-					//console.log('Saving: ' + q);
+					console.log('Saving: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){
 						if(jsondata.status == 'success'){
@@ -640,7 +640,7 @@ Contacts={
 						}
 					},'json');
 				} else { // add
-					//console.log('Adding: ' + q);
+					console.log('Adding: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){
 						if(jsondata.status == 'success'){

apps/contacts/templates/part.contact.php

@@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 ?>
 <div id="card">
 	<form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
+		<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 		<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
 		<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 		<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
@@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 	<div id="contact_identity" class="contactsection">
 	<form method="post">
 	<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
+	<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 	<fieldset id="ident" class="contactpart">
 	<span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span>
 	<span id="name" class="propertycontainer" data-element="FN">

apps/contacts/templates/part.contacts.php

@@ -8,5 +8,5 @@
 		}
 	}
 ?>
-	<li role="button" book-id="<?php echo $contact['addressbookid']; ?>" data-id="<?php echo $contact['id']; ?>"><a href="index.php?id=<?php echo $contact['id']; ?>"><?php echo htmlspecialchars($display); ?></a></li>
+	<li role="button" book-id="<?php echo $contact['addressbookid']; ?>" data-id="<?php echo $contact['id']; ?>"><a href="index.php?id=<?php echo $contact['id']; ?>"><?php echo $display; ?></a></li>
 <?php endforeach; ?>

apps/contacts/templates/part.cropphoto.php

@@ -1,6 +1,7 @@
 <?php 
 $id = $_['id'];
 $tmpkey = $_['tmpkey'];
+$csrf_token = $_GET['csrf_token'];
 OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG);
 ?>
 <script language="Javascript">
@@ -48,6 +49,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey,
 	action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">
 
 	<input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
+	<input type="hidden" name="requesttoken" value="<?php echo $csrf_token; ?>">
 	<input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" />
 	<fieldset id="coords">
 	<input type="hidden" id="x1" name="x1" value="" />

apps/contacts/templates/part.importaddressbook.php

@@ -7,10 +7,6 @@
  */
 ?>
 <td id="importaddressbook_dialog" colspan="6">
-<?php 
-if(OCP\App::isEnabled('files_encryption')) { 
-	echo '<strong>'.$l->t('Currently this import function doesn\'t work while encryption is enabled.<br />Please upload your VCF file with the file manager and click on it to import.').'</strong>';
-} else { ?>
 <table>
 <tr>
 	<th><?php echo $l->t('Select address book to import to:') ?></th>
@@ -33,7 +29,6 @@ if(OCP\App::isEnabled('files_encryption')) {
 
 <input id="close_button" style="float: left;" type="button" onclick="Contacts.UI.Addressbooks.cancel(this);" value="<?php echo $l->t("Cancel"); ?>">
 <iframe name="import_upload_target" id='import_upload_target' src=""></iframe>
-<?php } ?>
 </td>
 <script type="text/javascript">
 $(document).ready(function(){

apps/files/ajax/list.php

@@ -38,7 +38,7 @@ foreach( OC_Files::getdirectorycontent( $dir ) as $i ){
 }
 
 $list = new OCP\Template( "files", "part.list", "" );
-$list->assign( "files", $files );
+$list->assign( "files", $files, false );
 $data = array('files' => $list->fetchPage());
 
 OCP\JSON::success(array('data' => $data));

apps/files/index.php

@@ -73,12 +73,12 @@ foreach( explode( '/', $dir ) as $i ){
 
 // make breadcrumb und filelist markup
 $list = new OCP\Template( 'files', 'part.list', '' );
-$list->assign( 'files', $files );
+$list->assign( 'files', $files, false );
-$list->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir=');
+$list->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir=', false);
-$list->assign( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file=');
+$list->assign( 'downloadURL', OCP\Util::linkTo('files', 'download.php').'?file=', false);
 $breadcrumbNav = new OCP\Template( 'files', 'part.breadcrumb', '' );
-$breadcrumbNav->assign( 'breadcrumb', $breadcrumb );
+$breadcrumbNav->assign( 'breadcrumb', $breadcrumb, false );
-$breadcrumbNav->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir=');
+$breadcrumbNav->assign( 'baseURL', OCP\Util::linkTo('files', 'index.php').'&dir=', false);
 
 $upload_max_filesize = OCP\Util::computerFileSize(ini_get('upload_max_filesize'));
 $post_max_size = OCP\Util::computerFileSize(ini_get('post_max_size'));
@@ -89,8 +89,8 @@ $freeSpace=max($freeSpace,0);
 $maxUploadFilesize = min($maxUploadFilesize ,$freeSpace);
 
 $tmpl = new OCP\Template( 'files', 'index', 'user' );
-$tmpl->assign( 'fileList', $list->fetchPage() );
+$tmpl->assign( 'fileList', $list->fetchPage(), false );
-$tmpl->assign( 'breadcrumb', $breadcrumbNav->fetchPage() );
+$tmpl->assign( 'breadcrumb', $breadcrumbNav->fetchPage(), false );
 $tmpl->assign( 'dir', $dir);
 $tmpl->assign( 'readonly', !OC_Filesystem::is_writable($dir.'/'));
 $tmpl->assign( 'files', $files );

apps/files/templates/index.php

@@ -15,7 +15,7 @@
 				<form data-upload-id='1' class="file_upload_form" action="<?php echo OCP\Util::linkTo('files', 'ajax/upload.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target_1">
 					<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 					<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
-					<input type="hidden" name="dir" value="<?php echo htmlentities($_['dir'],ENT_COMPAT,'utf-8') ?>" id="dir">
+					<input type="hidden" name="dir" value="<?php echo $_['dir'] ?>" id="dir">
 					<button class="file_upload_filename">&nbsp;<img class='svg action' alt="Upload" src="<?php echo OCP\image_path("core", "actions/upload-white.svg"); ?>" /></button>
 					<input class="file_upload_start" type="file" name='files[]'/>
 						<a href="#" class="file_upload_button_wrapper" onclick="return false;" title="<?php echo $l->t('Upload'); echo  ' max. '.$_['uploadMaxHumanFilesize'] ?>"></a>

apps/files_external/ajax/google.php

@@ -0,0 +1,51 @@
+<?php
+
+require_once 'Google/common.inc.php';
+
+OCP\JSON::checkAppEnabled('files_external');
+OCP\JSON::checkLoggedIn();
+$consumer = new OAuthConsumer('anonymous', 'anonymous');
+$sigMethod = new OAuthSignatureMethod_HMAC_SHA1();
+if (isset($_POST['step'])) {
+	switch ($_POST['step']) {
+		case 1:
+			if (isset($_POST['callback'])) {
+				$callback = $_POST['callback'];
+			} else {
+				$callback = null;
+			}
+			$scope = 'https://docs.google.com/feeds/ https://docs.googleusercontent.com/ https://spreadsheets.google.com/feeds/';
+			$url = 'https://www.google.com/accounts/OAuthGetRequestToken?scope='.urlencode($scope);
+			$params = array('scope' => $scope, 'oauth_callback' => $callback);
+			$request = OAuthRequest::from_consumer_and_token($consumer, null, 'GET', $url, $params);
+			$request->sign_request($sigMethod, $consumer, null);
+			$response = send_signed_request('GET', $url, array($request->to_header()), null, false);
+			$token = array();
+			parse_str($response, $token);
+			if (isset($token['oauth_token']) && isset($token['oauth_token_secret'])) {
+				$authUrl = 'https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token='.$token['oauth_token'];
+				OCP\JSON::success(array('data' => array('url' => $authUrl, 'request_token' => $token['oauth_token'], 'request_token_secret' => $token['oauth_token_secret'])));
+			} else {
+				OCP\JSON::error(array('data' => array('message' => 'Fetching request tokens failed. Error: '.$response)));
+			}
+			break;
+		case 2:
+			if (isset($_POST['oauth_verifier']) && isset($_POST['request_token']) && isset($_POST['request_token_secret'])) {
+				$token = new OAuthToken($_POST['request_token'], $_POST['request_token_secret']);
+				$url = 'https://www.google.com/accounts/OAuthGetAccessToken';
+				$request = OAuthRequest::from_consumer_and_token($consumer, $token, 'GET', $url, array('oauth_verifier' => $_POST['oauth_verifier']));
+				$request->sign_request($sigMethod, $consumer, $token);
+				$response = send_signed_request('GET', $url, array($request->to_header()), null, false);
+				$token = array();
+				parse_str($response, $token);
+				if (isset($token['oauth_token']) && isset($token['oauth_token_secret'])) {
+					OCP\JSON::success(array('access_token' => $token['oauth_token'], 'access_token_secret' => $token['oauth_token_secret']));
+				} else {
+					OCP\JSON::error(array('data' => array('message' => 'Fetching access tokens failed. Error: '.$response)));
+				}
+			}
+			break;
+	}
+}
+
+?>

apps/files_external/js/google.js

@@ -0,0 +1,48 @@
+$(document).ready(function() {
+	
+	$('#externalStorage tbody tr').each(function() {
+		if ($(this).find('.backend').data('class') == 'OC_Filestorage_Google') {
+			var token = $(this).find('[data-parameter="token"]');
+			var token_secret = $(this).find('[data-parameter="token_secret"]');
+			if ($(token).val() == '' && $(token).val() == '') {
+				$(this).find('.configuration').append('<a class="button google">Grant access</a>');
+			} else  {
+				var params = {};
+				window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function(m, key, value) {
+					params[key] = value;
+				});
+				if (params['oauth_token'].length > 1 && decodeURIComponent(params['oauth_token']) == $(token).val() && params['oauth_verifier'].length > 1) {
+					var tr = $(this);
+					$.post(OC.filePath('files_external', 'ajax', 'google.php'), { step: 2, oauth_verifier: params['oauth_verifier'], request_token: $(token).val(), request_token_secret: $(token_secret).val() }, function(result) {
+						if (result && result.status == 'success') {
+							$(token).val(result.access_token);
+							$(token_secret).val(result.access_token_secret);
+							OC.MountConfig.saveStorage(tr);
+						} else {
+							OC.dialogs.alert(result.data.message, 'Error configuring Google Drive storage');
+						}
+					});
+				}
+			}
+			return false;
+		}
+	});
+	
+	$('.google').live('click', function(event) {
+		event.preventDefault();
+		var tr = $(this).parent().parent();
+		var token = $(this).parent().find('[data-parameter="token"]');
+		var token_secret = $(this).parent().find('[data-parameter="token_secret"]');
+		$.post(OC.filePath('files_external', 'ajax', 'google.php'), { step: 1, callback: window.location.href }, function(result) {
+			if (result && result.status == 'success') {
+				$(token).val(result.data.request_token);
+				$(token_secret).val(result.data.request_token_secret);
+				OC.MountConfig.saveStorage(tr);
+				window.location = result.data.url;
+			} else {
+				OC.dialogs.alert(result.data.message, 'Error configuring Google Drive storage');
+			}
+		});
+	});
+	
+});

apps/files_external/lib/config.php

@@ -43,6 +43,7 @@ class OC_Mount_Config {
 			'OC_Filestorage_AmazonS3' => array('backend' => 'Amazon S3', 'configuration' => array('key' => 'Key', 'secret' => '*Secret', 'bucket' => 'Bucket')),
 			'OC_Filestorage_Dropbox' => array('backend' => 'Dropbox', 'configuration' => array('app_key' => 'App key', 'app_secret' => 'App secret', 'token' => '#token', 'token_secret' => '#token_secret'), 'custom' => 'dropbox'),
 			'OC_Filestorage_FTP' => array('backend' => 'FTP', 'configuration' => array('host' => 'URL', 'user' => 'Username', 'password' => '*Password', 'root' => '&Root', 'secure' => '!Secure ftps://')),
+			'OC_Filestorage_Google' => array('backend' => 'Google Drive', 'configuration' => array('token' => '#token', 'token_secret' => '#token secret'), 'custom' => 'google'),
 			'OC_Filestorage_SWIFT' => array('backend' => 'OpenStack Swift', 'configuration' => array('host' => 'URL', 'user' => 'Username', 'token' => '*Token', 'root' => '&Root', 'secure' => '!Secure ftps://')),
 			'OC_Filestorage_SMB' => array('backend' => 'SMB', 'configuration' => array('host' => 'URL', 'user' => 'Username', 'password' => '*Password', 'root' => '&Root')),
 			'OC_Filestorage_DAV' => array('backend' => 'WebDAV', 'configuration' => array('host' => 'URL', 'user' => 'Username', 'password' => '*Password', 'root' => '&Root', 'secure' => '!Secure https://'))

apps/files_external/lib/google.php

@@ -20,7 +20,7 @@
 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-require_once 'common.inc.php';
+require_once 'Google/common.inc.php';
 
 class OC_Filestorage_Google extends OC_Filestorage_Common {
 

apps/files_external/templates/settings.php

@@ -16,7 +16,7 @@
 			<?php $_['mounts'] = array_merge($_['mounts'], array('' => array())); ?>
 			<?php foreach ($_['mounts'] as $mountPoint => $mount): ?>
 				<tr <?php if ($mountPoint == '') echo 'id="addMountPoint"'; ?>>
-					<td class="mountPoint"><input type="text" name="mountPoint" value="<?php echo htmlentities($mountPoint); ?>" placeholder="<?php echo $l->t('Mount point'); ?>" /></td>
+					<td class="mountPoint"><input type="text" name="mountPoint" value="<?php echo $mountPoint; ?>" placeholder="<?php echo $l->t('Mount point'); ?>" /></td>
 					<?php if ($mountPoint == ''): ?>
 						<td class="backend">
 							<select id="selectBackend" data-configurations='<?php echo json_encode($_['backends']); ?>'>

apps/gallery/lib/tiles.php

@@ -141,7 +141,7 @@ class TileStack extends TileBase {
 	}
 
 	public function get() {
-		$r = '<div class="title gallery_div">'.htmlentities($this->stack_name).'</div>';
+		$r = '<div class="title gallery_div">'.$this->stack_name.'</div>';
 		for ($i = 0; $i < count($this->tiles_array); $i++) {
 			$top = rand(-5, 5);
 			$left = rand(-5, 5);
@@ -168,7 +168,7 @@ class TileStack extends TileBase {
 	}
 	
 	public function getOnClickAction() {
-		return 'javascript:openNewGal(\''.htmlentities($this->stack_name).'\');';
+		return 'javascript:openNewGal(\''.$this->stack_name.'\');';
 	}
 
 	private $tiles_array;

apps/tasks/templates/part.taskform.php

@@ -5,7 +5,7 @@
 	<input type="text" id="location" name="location" placeholder="<?php echo $l->t('Location of the task');?>" value="<?php echo isset($_['details']->LOCATION) ? $_['details']->LOCATION[0]->value : '' ?>">
 	<br>
 	<label for="categories"><?php echo $l->t('Categories'); ?></label>
-	<input id="categories" name="categories" type="text" placeholder="<?php echo $l->t('Separate categories with commas'); ?>" value="<?php echo isset($_['categories']) ? htmlspecialchars($_['categories']) : '' ?>">
+	<input id="categories" name="categories" type="text" placeholder="<?php echo $l->t('Separate categories with commas'); ?>" value="<?php echo isset($_['categories']) ? $_['categories'] : '' ?>">
 	<a class="action edit" onclick="$(this).tipsy('hide');OCCategories.edit();" title="<?php echo $l->t('Edit categories'); ?>"><img alt="<?php echo $l->t('Edit categories'); ?>" src="<?php echo OCP\image_path('core','actions/rename.svg')?>" class="svg action" style="width: 16px; height: 16px;"></a>
 	<br>
 	<label for="due"><?php echo $l->t('Due'); ?></label>

apps/user_ldap/settings.php

@@ -47,7 +47,7 @@ if ($_POST) {
 // fill template
 $tmpl = new OCP\Template( 'user_ldap', 'settings');
 foreach($params as $param){
-		$value = htmlentities(OCP\Config::getAppValue('user_ldap', $param,''));
+		$value = OCP\Config::getAppValue('user_ldap', $param,'');
 		$tmpl->assign($param, $value);
 }
 

apps/user_openid/settings.php

@@ -2,7 +2,7 @@
 
 $tmpl = new OCP\Template( 'user_openid', 'settings');
 $identity=OCP\Config::getUserValue(OCP\USER::getUser(),'user_openid','identity','');
-$tmpl->assign('identity',htmlentities($identity));
+$tmpl->assign('identity',$identity);
 
 OCP\Util::addscript('user_openid','settings');
 

core/lostpassword/index.php

@@ -17,7 +17,7 @@ if (isset($_POST['user'])) {
 		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
 		if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
-			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.$_POST['user'].'&token='.$token;
+			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
 			$tmpl = new OC_Template('core/lostpassword', 'email');
 			$tmpl->assign('link', $link);
 			$msg = $tmpl->fetchPage();

core/templates/404.php

@@ -10,6 +10,6 @@ if(!isset($_)){//also provide standalone error page
 <ul>
 	<li class='error'>
 		<?php echo $l->t( 'Cloud not found' ); ?><br/>
-		<p class='hint'><?php if(isset($_['file'])) echo htmlentities($_['file'])?></p>
+		<p class='hint'><?php if(isset($_['file'])) echo $_['file']?></p>
 	</li>
 </ul>

core/templates/layout.user.php

@@ -30,6 +30,16 @@
 				echo '/>';
 			?>
 		<?php endforeach; ?>
+		<script type="text/javascript">
+			$(function() {
+				var requesttoken = '<?php echo $_['requesttoken']; ?>';
+				$(document).bind('ajaxSend', function(elm, xhr, s){
+					if(requesttoken) {
+						xhr.setRequestHeader('requesttoken', requesttoken);
+					}
+				});
+			});
+		</script>
 	</head>
 
 	<body id="<?php echo $_['bodyid'];?>">

core/templates/login.php

@@ -1,7 +1,7 @@
 <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}</style><![endif]-->
 <form action="index.php" method="post">
 	<fieldset>
-		<?php if(!empty($_['redirect'])) { echo '<input type="hidden" name="redirect_url" value="'.htmlentities($_['redirect']).'" />'; } ?>
+		<?php if(!empty($_['redirect'])) { echo '<input type="hidden" name="redirect_url" value="'.$_['redirect'].'" />'; } ?>
 		<?php if($_['error']): ?>
 			<a href="./core/lostpassword/"><?php echo $l->t('Lost your password?'); ?></a>
 		<?php endif; ?>

lib/json.php

@@ -41,6 +41,18 @@ class OC_JSON{
 		}
 	}
 
+	/**
+	 * @brief Check an ajax get/post call if the request token is valid.
+	 * @return json Error msg if not valid.
+	 */
+	public static function callCheck(){
+		if( !OC_Util::isCallRegistered()){
+			$l = OC_L10N::get('core');
+			self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') )));
+			exit();
+		}
+	}
+        
 	/**
 	* Check if the user is a admin, send json error msg if not
 	*/

lib/public/json.php

@@ -53,6 +53,13 @@ class JSON {
 		return(\OC_JSON::checkLoggedIn());
 	}
 
+	/**
+	 * @brief Check an ajax get/post call if the request token is valid.
+	 * @return json Error msg if not valid.
+	 */
+	public static function callCheck(){
+		return(\OC_JSON::callCheck());
+	}
 
 	/**
 	* @brief Send json success msg

lib/template.php

@@ -155,6 +155,9 @@ class OC_Template{
 		$this->renderas = $renderas;
 		$this->application = $app;
 		$this->vars = array();
+		if($renderas == 'user') {
+			$this->vars['requesttoken'] = OC_Util::callRegister();
+		}
 		$this->l10n = OC_L10N::get($app);
                 header('X-Frame-Options: Sameorigin');
                 header('X-XSS-Protection: 1; mode=block');
@@ -259,6 +262,7 @@ class OC_Template{
 	 * @brief Assign variables
 	 * @param $key key
 	 * @param $value value
+	 * @param $sanitizeHTML false, if data shouldn't get passed through htmlentities
 	 * @returns true
 	 *
 	 * This function assigns a variable. It can be accessed via $_[$key] in
@@ -266,11 +270,29 @@ class OC_Template{
 	 *
 	 * If the key existed before, it will be overwritten
 	 */
-	public function assign( $key, $value ){
+		public function assign( $key, $value, $sanitizeHTML=true ){
+		if($sanitizeHTML == true) {
+			if(is_array($value)) {
+				array_walk_recursive($value,'OC_Template::sanitizeHTML');
+			} else {
+				$value = OC_Template::sanitizeHTML($value);
+			}
+		}
 		$this->vars[$key] = $value;
 		return true;
 	}
 
+
+	/**
+	 * @brief Internaly used to sanitze HTML
+	 *
+	 * This function is internally used to sanitize HTML.
+	 */
+ 	private static function sanitizeHTML( &$value ){
+ 			$value = htmlentities( $value );
+ 			return $value;
+    }
+
 	/**
 	 * @brief Appends a variable
 	 * @param $key key
@@ -354,20 +376,21 @@ class OC_Template{
 			// Decide which page we show
 			if( $this->renderas == "user" ){
 				$page = new OC_Template( "core", "layout.user" );
-				$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
+				$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ), false);
+				$page->assign('requesttoken', $this->vars['requesttoken']);
 				if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
-					$page->assign('bodyid','body-settings');
+					$page->assign('bodyid','body-settings', false);
 				}else{
-					$page->assign('bodyid','body-user');
+					$page->assign('bodyid','body-user', false);
 				}
 
 				// Add navigation entry
 				$navigation = OC_App::getNavigation();
-				$page->assign( "navigation", $navigation);
+				$page->assign( "navigation", $navigation, false);
-				$page->assign( "settingsnavigation", OC_App::getSettingsNavigation());
+				$page->assign( "settingsnavigation", OC_App::getSettingsNavigation(), false);
 				foreach($navigation as $entry) {
 					if ($entry['active']) {
-						$page->assign( 'application', $entry['name'] );
+						$page->assign( 'application', $entry['name'], false );
 						break;
 					}
 				}
@@ -381,7 +404,7 @@ class OC_Template{
 			// Read the detected formfactor and use the right file name.
 			$fext = self::getFormFactorExtension();
 
-			$page->assign('jsfiles', array());
+			$page->assign('jsfiles', array(), false);
 			// Add the core js files or the js files provided by the selected theme
 			foreach(OC_Util::$scripts as $script){
 				// Is it in 3rd party?
@@ -456,13 +479,13 @@ class OC_Template{
 			}
 
 			// Add custom headers
-			$page->assign('headers',$this->headers);
+			$page->assign('headers',$this->headers, false);
 			foreach(OC_Util::$headers as $header){
 				$page->append('headers',$header);
 			}
 
 			// Add css files and js files
-			$page->assign( "content", $data );
+			$page->assign( "content", $data, false );
 			return $page->fetchPage();
 		}
 		else{
@@ -507,13 +530,13 @@ class OC_Template{
 			$_ = array_merge( $additionalparams, $this->vars );
 		}
 
-		// Einbinden
+		// Include
 		ob_start();
 		include( $this->path.$file.'.php' );
 		$data = ob_get_contents();
 		@ob_end_clean();
 
-		// Daten zurückgeben
+		// Return data
 		return $data;
 	}
 
@@ -527,7 +550,7 @@ class OC_Template{
 	public static function printUserPage( $application, $name, $parameters = array() ){
 		$content = new OC_Template( $application, $name, "user" );
 		foreach( $parameters as $key => $value ){
-			$content->assign( $key, $value );
+			$content->assign( $key, $value, false );
 		}
 		print $content->printPage();
 	}
@@ -542,7 +565,7 @@ class OC_Template{
 	public static function printAdminPage( $application, $name, $parameters = array() ){
 		$content = new OC_Template( $application, $name, "admin" );
 		foreach( $parameters as $key => $value ){
-			$content->assign( $key, $value );
+			$content->assign( $key, $value, false );
 		}
 		return $content->printPage();
 	}
@@ -557,7 +580,7 @@ class OC_Template{
 	public static function printGuestPage( $application, $name, $parameters = array() ){
 		$content = new OC_Template( $application, $name, "guest" );
 		foreach( $parameters as $key => $value ){
-			$content->assign( $key, $value );
+			$content->assign( $key, $value,false );
 		}
 		return $content->printPage();
 	}

lib/util.php

@@ -355,8 +355,9 @@ class OC_Util {
 	}
 
 	/**
-	 * Register an get/post call. This is important to prevent CSRF attacks
+	 * @brief Register an get/post call. This is important to prevent CSRF attacks
 	 * Todo: Write howto
+	 * @return $token Generated token.
 	 */
 	public static function callRegister(){
 		//mamimum time before token exires
@@ -381,50 +382,48 @@ class OC_Util {
 				}	
 			}
 		}
-
-
 		// return the token
 		return($token);
 	}
 
 
 	/**
-	 * Check an ajax get/post call if the request token is valid. exit if not.
+	 * @brief Check an ajax get/post call if the request token is valid.
-	 * Todo: Write howto
+	 * @return boolean False if request token is not set or is invalid.
 	 */
-	public static function callCheck(){
+	public static function isCallRegistered(){
 		//mamimum time before token exires
 		$maxtime=(60*60);  // 1 hour
-
-		// searches in the get and post arrays for the token.
 		if(isset($_GET['requesttoken'])) {
 			$token=$_GET['requesttoken'];
 		}elseif(isset($_POST['requesttoken'])){
 			$token=$_POST['requesttoken'];
+		}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
+			$token=$_SERVER['HTTP_REQUESTTOKEN'];
 		}else{
-			//no token found. exiting
+			//no token found.
-			exit;
+			return false;
 		}
-
-		// check if the token is in the user session and if the timestamp is from the last hour.
 		if(isset($_SESSION['requesttoken-'.$token])) {
 			$timestamp=$_SESSION['requesttoken-'.$token];
-			if($timestamp+$maxtime<time){
+			if($timestamp+$maxtime<time()){
-				//token exired. exiting
+				return false;
-				exit;
-
 			}else{
 				//token valid
-				return;
+				return true;
 			}
 		}else{
-			//no token found. exiting
+			return false;
+		}
+	}
+
+	/**
+	 * @brief Check an ajax get/post call if the request token is valid. exit if not.
+	 * Todo: Write howto
+	 */
+	public static function callCheck(){
+		if(!OC_Util::isCallRegistered()) {
 			exit;
 		}
 	}
-
-
-
-
-
 }

settings/admin.php

@@ -23,7 +23,7 @@ function compareEntries($a,$b){
 usort($entries, 'compareEntries');
 
 $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ));
-$tmpl->assign('entries',$entries);
+$tmpl->assign('entries',$entries,false);
 $tmpl->assign('forms',array());
 foreach($forms as $form){
 	$tmpl->append('forms',$form);

settings/apps.php

@@ -92,7 +92,7 @@ usort($apps, 'app_sort');
 
 
 $tmpl = new OC_Template( "settings", "apps", "user" );
-$tmpl->assign('apps',$apps);
+$tmpl->assign('apps',$apps, false);
 
 $tmpl->printPage();
 

settings/templates/admin.php

@@ -29,7 +29,7 @@ $levels=array('Debug','Info','Warning','Error','Fatal');
 				<?php echo $entry->app;?>
 			</td>
 			<td>
-				<?php echo htmlentities($entry->message);?>
+				<?php echo $entry->message;?>
 			</td>
 			<td>
 				<?php echo OC_Util::formatDate($entry->time);?>

settings/templates/help.php

@@ -26,9 +26,9 @@
 	<?php foreach($_["kbe"] as $kb): ?>
 	<div class="helpblock">
 		<?php if($kb["preview1"] <> "") { echo('<img class="preview" src="'.$kb["preview1"].'" />'); } ?>
-		<?php if($kb['detailpage']<>'') echo('<p><a target="_blank" href="'.$kb['detailpage'].'"><strong>'.htmlentities($kb["name"]).'</strong></a></p>');?>
+		<?php if($kb['detailpage']<>'') echo('<p><a target="_blank" href="'.$kb['detailpage'].'"><strong>'.$kb["name"].'</strong></a></p>');?>
-		<p><?php echo htmlentities($kb['description']);?></p>
+		<p><?php echo $kb['description'];?></p>
-		<?php if($kb['answer']<>'') echo('<p><strong>'.$l->t('Answer').':</strong><p>'.htmlentities($kb['answer']).'</p>');?>
+		<?php if($kb['answer']<>'') echo('<p><strong>'.$l->t('Answer').':</strong><p>'.$kb['answer'].'</p>');?>
 	</div>
 	<?php endforeach;
 endif?>