"assessment.pstpl");
// Standard template files offered by the editor. The save branch further down
// checks the submitted $editfile against this same list, so it also acts as the
// allowlist of file names that may be written under a template directory.
$standardTemplateFiles = array(
    "clearall.pstpl",
    "completed.pstpl",
    "endgroup.pstpl",
    "endpage.pstpl",
    "groupdescription.pstpl",
    "load.pstpl",
    "navigator.pstpl",
    "printanswers.pstpl",
    "privacy.pstpl",
    "question.pstpl",
    "register.pstpl",
    "save.pstpl",
    "surveylist.pstpl",
    "startgroup.pstpl",
    "startpage.pstpl",
    "survey.pstpl",
    "welcome.pstpl",
);
foreach ($standardTemplateFiles as $templateFileName) {
    $files[] = array("name" => $templateFileName);
}
unset($standardTemplateFiles, $templateFileName);
//Standard Screens
//Only these may be viewed
// Every label stays a literal inside its gT() call (presumably what the
// translation extractor keys on). The translated names form the allowlist
// that the request's $screenname is checked against below.
$screenLabels = array(
    $clang->gT("Survey List Page", "unescaped"),
    $clang->gT("Welcome Page", "unescaped"),
    $clang->gT("Question Page", "unescaped"),
    $clang->gT("Completed Page", "unescaped"),
    $clang->gT("Clear All Page", "unescaped"),
    $clang->gT("Register Page", "unescaped"),
    $clang->gT("Load Page", "unescaped"),
    $clang->gT("Save Page", "unescaped"),
    $clang->gT("Print Answers Page", "unescaped"),
);
foreach ($screenLabels as $screenLabel) {
    $screens[] = array("name" => $screenLabel);
}
unset($screenLabels, $screenLabel);
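// Set this so common.php doesn't throw notices about undefined variables
$thissurvey['active']='N';
$file_version="LimeSurvey Template Editor ".$versionnumber;
// The editor runs in the admin's language rather than a survey language.
$_SESSION['s_lang']=$_SESSION['adminlang'];

// Request parameters. Every value that ends up inside a filesystem path goes
// through sanitize_paranoid_string(); presumably it reduces the value to a safe
// character set, which is what keeps "../" and separators out of the paths
// built below (TODO confirm against its definition). A value is only read from
// the request when the caller has not already set the variable.
if (!isset($templatename)) {$templatename = sanitize_paranoid_string(returnglobal('templatename'));}
if (!isset($templatedir)) {$templatedir = sanitize_paranoid_string(returnglobal('templatedir'));}
if (!isset($editfile)) {$editfile = sanitize_paranoid_string(returnglobal('editfile'));}
if (!isset($screenname)) {$screenname=auto_unescape(returnglobal('screenname'));}
// Checks if screen name is in the list of allowed screen names
if ( isset($screenname) && (multiarray_search($screens,'name',$screenname)===false)) {die('Invalid screen name');}
if (!isset($action)) {$action=sanitize_paranoid_string(returnglobal('action'));}
if (!isset($otherfile)) {$otherfile = sanitize_paranoid_string(returnglobal('otherfile'));}
if (!isset($newname)) {$newname = sanitize_paranoid_string(returnglobal('newname'));}
if (!isset($copydir)) {$copydir = sanitize_paranoid_string(returnglobal('copydir'));}

if (isset ($_POST['changes'])) {
    $changedtext=$_POST['changes'];
    // With magic_quotes_gpc on, the POST body has been through addslashes(),
    // which escapes ' " \ and NUL. stripslashes() reverses exactly that set;
    // the previous pair of str_replace() calls only undid \' and \" and left
    // "\\" alone, so a template containing a backslash had it doubled on
    // every save. get_magic_quotes_gpc() was removed in PHP 8, hence the
    // function_exists() guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $changedtext = stripslashes($changedtext);
    }
}
if ($action != "newtemplate" && !$templatename) {$templatename = "default";}
// template.css is optional per template: it is only listed (and therefore only
// accepted by the save branch's allowlist) when it exists. This is evaluated
// after the "default" fallback above, so the default template's stylesheet is
// listed when the request carried no templatename; previously the check ran
// against an empty name and never matched in that case.
if (file_exists($publicdir."/templates/".$templatename."/template.css")) { $files[]=array("name"=>"template.css"); }
$template_a=gettemplatelist();
foreach ($template_a as $tp) {
    $templates[]=array("name"=>$tp, "dir"=>$publicdir."/templates/".$tp);
}
unset($template_a);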
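//Save Changes if necessary
if ($action=="templatesavechanges" && $changedtext) {
    $changedtext=str_replace("\r\n", "\n", $changedtext);
    if ($editfile) {
        // Check if someone tries to submit a file other than one of the allowed filenames.
        // $files is the only thing between this write and an attacker-chosen name,
        // so the check has to stay ahead of any path construction.
        if (multiarray_search($files,'name',$editfile)===false) {die('Invalid template filename');}
        $savefilename=$publicdir."/templates/".$templatename."/".$editfile;
        if (is_writable($savefilename)) {
            // Error output names only the template file, not the absolute
            // server path, so a failure does not disclose the install layout.
            if (!$handle = fopen($savefilename, 'w')) {
                echo "Could not open file ($editfile)";
                exit;
            }
            // fwrite() returns the byte count or false; "!fwrite()" only caught
            // the false case. Check for false and for a short write explicitly,
            // and close the handle before bailing out.
            $written = fwrite($handle, $changedtext);
            fclose($handle);
            if ($written === false || $written < strlen($changedtext)) {
                echo "Cannot write to file ($editfile)";
                exit;
            }
        } else {
            echo "The file $editfile is not writable";
        }
    }
}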
if ($action == "templatecopy" && isset($newname) && isset($copydir)) {
//Copies all the files from one template directory to a new one
//This is a security issue because it is allowing copying from get variables...
$newdirname=$publicdir."/templates/".$newname;
$copydirname=$publicdir."/templates/".$copydir;
$mkdirresult=mkdir_p($newdirname);
if ($mkdirresult == 1) {
$copyfiles=getListOfFiles($copydirname);
foreach ($copyfiles as $file) {
$copyfile=$copydirname."/".$file;
$newfile=$newdirname."/".$file;
if (!copy($copyfile, $newfile)) {
echo "";
}
}
$templates[]=array("name"=>$newname, "dir"=>$newdirname);
$templatename=$newname;
} elseif($mkdirresult == 2) {
echo "";
} else {
echo "";
}
}
if ($action == "templaterename" && isset($newname) && isset($copydir)) {
$newdirname=$publicdir."/templates/".$newname;
$olddirname=$publicdir."/templates/".$copydir;
if (rename($olddirname, $newdirname)==false) {
echo "";
} else {
$templates[]=array("name"=>$newname, "dir"=>$newdirname);
$templatename=$newname;
}
}
if ($action == "templateupload")
{
$the_full_file_path = $publicdir."/templates/".$templatename . "/" . $_FILES['the_file']['name']; //This is where the temp file is
if ($extfile = strrchr($_FILES['the_file']['name'], '.'))
{
if (!(stripos(','.$allowedtemplateuploads.',',','. substr($extfile,1).',') === false))
{
//Uploads the file into the appropriate directory
if (!@move_uploaded_file($_FILES['the_file']['tmp_name'], $the_full_file_path)) {
echo "".$clang->gT("Error")." \n";
echo sprintf ($clang->gT("An error occurred uploading your file. This may be caused by incorrect permissions in your %s folder."),$tempdir)."