Quote:
vaughan wrote:
I understand, and from looking at our uploader class (we don't use xoops uploader class, we use a different class for wfdownloads) the $_FILES['filename']['name'] is sanitized with MyTextSanitizer::stripSlashesGPC($_FILES[$media_name]['name'])
which I presume is safe(r);
Is this a joke?
The code just removes the wrong effect of magic_quotes_gpc.
It's far from "Sanitizing".
Quote:
we leave the choice of whether the user wants to store the uploads outside of the DocumentRoot to the user, but the option is there for the user to upload to whatever path they choose whether it is inside the DocumentRoot or outside the DocumentRoot, they just have to set the path in preferences.
XOOPS_TRUST_PATH/uploads/ is.
Anyway, I cannot check the class because I'll never use it.
(I don't have such spare time)
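
The difference discussed in the reply above, as an added example (not code from the post, XOOPS or wfdownloads): undoing magic_quotes_gpc escaping leaves directory parts and extensions in a client-supplied name untouched, while an allowlist-based check rejects or rewrites them. `strip_slashes_gpc_standin`, `sanitize_upload_name` and the sample names are hypothetical.

```php
<?php
// Stand-in for what the post says stripSlashesGPC does (undo the escaping
// added by magic_quotes_gpc); an assumption, not the XOOPS source.
function strip_slashes_gpc_standin(string $s): string
{
    return stripslashes($s);
}

// Hypothetical allowlist-based sanitizer for a client-supplied upload name.
function sanitize_upload_name(string $name, array $allowedExt): ?string
{
    // Drop anything after a NUL byte and any directory part (both separators).
    $name = explode("\0", $name, 2)[0];
    $name = basename(str_replace('\\', '/', $name));

    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stem = pathinfo($name, PATHINFO_FILENAME);

    // Reject names whose final extension is not explicitly allowed.
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Keep a conservative character set in the stem; dots are replaced so a
    // name like "photo.php.jpg" keeps only its final extension.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]/', '_', $stem), '_');
    if ($stem === '') {
        $stem = 'upload';
    }
    return substr($stem, 0, 64) . '.' . $ext;
}

// Constructed sample names, as they might arrive in $_FILES[...]['name'].
$samples = ['report.pdf', '../../index.php', 'photo.php.jpg', "a\\'b.zip", '.htaccess'];
foreach ($samples as $raw) {
    $unslashed = strip_slashes_gpc_standin($raw);
    $safe = sanitize_upload_name($unslashed, ['pdf', 'jpg', 'zip']);
    printf("%-18s stripslashes: %-18s sanitized: %s\n",
        $raw, $unslashed, $safe ?? '(rejected)');
}
```

Only the `a\'b.zip` sample changes under `stripslashes`; the traversal path, the `.php` name and `.htaccess` pass through it unchanged and are caught only by the allowlist step.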