Integration of hooks provided by extensions.

[fa-stable.git] / includes / session.inc

diff --git a/includes/session.inc b/includes/session.inc
index 97c8e1045158592c4411a1888cba49db3ade227a..5620c78d1af384e68f1e966683808ddc09e616c5 100644 (file)
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -131,6 +131,18 @@ function strip_quotes($data)
        return $data;
 }
 
+function html_cleanup(&$parms)
+{
+       foreach($parms as $name => $value) {
+//             $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+               if (is_array($value))
+                       html_cleanup($parms[$name]);
+               else
+                       $parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
+       }
+       reset($parms); // needed for direct key() usage later throughout the sources
+}
+
 //============================================================================
 //
 //
@@ -165,6 +177,8 @@ include_once($path_to_root . "/includes/ajax.inc");
 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
 include_once($path_to_root . "/includes/prefs/sysprefs.inc");
 
+include_once($path_to_root . "/includes/hooks.inc");
+
 /*
        Uncomment the setting below when using FA on shared hosting
        to avoid unexpeced session timeouts.
@@ -175,6 +189,7 @@ include_once($path_to_root . "/includes/prefs/sysprefs.inc");
 ini_set('session.gc_maxlifetime', 36000); // 10hrs
 
 session_name('FA'.md5(dirname(__FILE__)));
+//include_once($path_to_root.'/modules/www_statistics/includes/db_sessions.inc');
 session_start();
 
 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
@@ -193,12 +208,6 @@ if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_
 
 $_SESSION['language']->set_language($_SESSION['language']->code);
 
-// include $Hooks object if locale file exists
-if (file_exists($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc"))
-{
-       include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc");
-       $Hooks = new Hooks();
-}
 
 include_once($path_to_root . "/includes/access_levels.inc");
 include_once($path_to_root . "/version.php");
@@ -226,6 +235,10 @@ set_error_handler('error_handler' /*, errtypes */);
 if (!isset($_SESSION["wa_current_user"]))
        $_SESSION["wa_current_user"] = new current_user();
 
+html_cleanup($_GET);
+html_cleanup($_POST);
+html_cleanup($_REQUEST);
+
 // logout.php is the only page we should have always 
 // accessable regardless of access level and current login status.
 if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
@@ -239,7 +252,7 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
                {
                        // strip ajax marker from uri, to force synchronous page reload
                        $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
-                                       '', @$_SERVER['REQUEST_URI']), 
+                                       '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), 
                                'post' => $_POST);
 
                        include($path_to_root . "/access/login.php");
@@ -267,6 +280,8 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
        if (!$_SESSION["wa_current_user"]->old_db)
                include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
 
+       install_hooks();
+
        if (!isset($_SESSION["App"])) {
                $_SESSION["App"] = new front_accounting();
                $_SESSION["App"]->init();
@@ -277,6 +292,6 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 
 // POST vars cleanup needed for direct reuse.
 // We quote all values later with db_escape() before db update.
-       $_POST = strip_quotes($_POST);
+$_POST = strip_quotes($_POST);
 
 ?>
\ No newline at end of file