
rev.76

Removed support for IE 6-8
Fixed security bug
Visman il y a 8 ans
Parent
commit
d04574ca6a

+ 1 - 1
admin_loader.php

@@ -19,7 +19,7 @@ if (!$pun_user['is_admmod'])
 
 // The plugin to load should be supplied via GET
 $plugin = isset($_GET['plugin']) ? $_GET['plugin'] : '';
-if (!preg_match('%^AM?P_(\w*?)\.php$%i', $plugin))
+if (!preg_match('%^AM?P_(\w*?)\.php$%iD', $plugin))
 	message($lang_common['Bad request'], false, '404 Not Found');
 
 // AP_ == Admins only, AMP_ == admins and moderators
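Review bot: The `D` modifier added to the plugin-name check is the security-relevant part of this line, but nothing in the code says so, and a later cleanup could drop it as noise. Without `D`, `$` also matches just before a final newline, so a `plugin` value ending in a line break passed this filename filter. I would put a comment above the test, `// D (dollar-end-only): reject names with a trailing newline; $plugin is used as a file name below`. I would also tighten `\w*?` to `\w+` so that a bare `AP_.php` is not accepted. The code that consumes `$plugin` is outside this hunk, and the same comment applies to the other `D` additions in include/email.php, check_username() and moderate.php.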

+ 1 - 1
db_update.php

@@ -9,7 +9,7 @@
 // The FluxBB version this script updates to
 define('UPDATE_TO', '1.5.10');
 
-define('UPDATE_TO_VER_REVISION', 75);	// номер сборки - Visman
+define('UPDATE_TO_VER_REVISION', 76);	// номер сборки - Visman
 
 define('UPDATE_TO_DB_REVISION', 21);
 define('UPDATE_TO_SI_REVISION', 2.1);

+ 1 - 1
include/common.php

@@ -12,7 +12,7 @@ if (!defined('PUN_ROOT'))
 // Define the version and database revision that this code was written for
 define('FORUM_VERSION', '1.5.10');
 
-define('FORUM_VER_REVISION', 75);	// номер сборки - Visman
+define('FORUM_VER_REVISION', 76);	// номер сборки - Visman
 
 $page_js = array();
 

+ 1 - 1
include/email.php

@@ -24,7 +24,7 @@ function is_valid_email($email)
 	if (strlen($email) > 80)
 		return false;
 
-	return preg_match('%^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|("[^"]+"))@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$%', $email);
+	return preg_match('%^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|("[^"]+"))@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$%D', $email);
 }
 
 

+ 12 - 9
include/functions.php

@@ -424,7 +424,10 @@ function check_bans()
 	// Add a dot or a colon (depending on IPv4/IPv6) at the end of the IP address to prevent banned address
 	// 192.168.0.5 from matching e.g. 192.168.0.50
 	$user_ip = get_remote_address();
-	$user_ip .= (strpos($user_ip, '.') !== false) ? '.' : ':';
+	$add = strpos($user_ip, '.') !== false ? '.' : ':';
+	$user_ip .= $add;
+
+	$username = utf8_strtolower($pun_user['username']);
 
 	$bans_altered = false;
 	$is_banned = false;
@@ -439,7 +442,7 @@ function check_bans()
 			continue;
 		}
 
-		if ($cur_ban['username'] != '' && utf8_strtolower($pun_user['username']) == utf8_strtolower($cur_ban['username']))
+		if ($cur_ban['username'] != '' && $username == utf8_strtolower($cur_ban['username']))
 			$is_banned = true;
 
 		if ($cur_ban['ip'] != '')
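Review bot: The username ban test still uses loose equality in `$username == utf8_strtolower($cur_ban['username'])`. PHP compares two numeric-looking strings by value rather than byte for byte, so two different names could be treated as the same ban target. The check_username() rule in this file requires a leading letter, which probably makes this unreachable for registered names, but ban entries are not visibly constrained the same way. I would use `if ($cur_ban['username'] != '' && $username === utf8_strtolower($cur_ban['username']))`, and likewise `===` for the IP prefix comparison `substr($user_ip, 0, strlen($cur_ban_ips[$i])) == $cur_ban_ips[$i]` in the next hunk. check_bans() starts and ends outside these hunks.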
@@ -450,10 +453,7 @@ function check_bans()
 			for ($i = 0; $i < $num_ips; ++$i)
 			{
 				// Add the proper ending to the ban
-				if (strpos($user_ip, '.') !== false)
-					$cur_ban_ips[$i] = $cur_ban_ips[$i].'.';
-				else
-					$cur_ban_ips[$i] = $cur_ban_ips[$i].':';
+				$cur_ban_ips[$i] .= $add;
 
 				if (substr($user_ip, 0, strlen($cur_ban_ips[$i])) == $cur_ban_ips[$i])
 				{
@@ -499,7 +499,7 @@ function check_username($username, $exclude_id = null)
 		$errors[] = $lang_prof_reg['Username too short'];
 	else if (pun_strlen($username) > 25) // This usually doesn't happen since the form element only accepts 25 characters
 		$errors[] = $lang_prof_reg['Username too long'];
-	else if (!preg_match('%^\p{L}[\p{L}\p{N}_ ]+$%u', $username)) // строгая проверка имени пользователя - Visman
+	else if (!preg_match('%^\p{L}[\p{L}\p{N}_ ]+$%uD', $username)) // строгая проверка имени пользователя - Visman
 		$errors[] = $lang_prof_reg['Username Error'];
 	else if (!strcasecmp($username, 'Guest') || !utf8_strcasecmp($username, $lang_common['Guest']))
 		$errors[] = $lang_prof_reg['Username guest'];
@@ -1041,7 +1041,7 @@ function paginate($num_pages, $cur_page, $link)
 //
 function message($message, $no_back_link = false, $http_status = null)
 {
-	global $db, $lang_common, $pun_config, $pun_start, $tpl_main, $pun_user;
+	global $db, $lang_common, $pun_config, $pun_start, $tpl_main, $pun_user, $page_js;
 
 	witt_query(); // MOD Кто в этой теме - Visman
 
@@ -1870,7 +1870,10 @@ function remove_bad_characters($array)
 		return array_map('remove_bad_characters', $array);
 
 	// Strip out any invalid characters
-	$array = utf8_bad_strip($array);
+	if (version_compare(PHP_VERSION, '5.4.0', '>='))
+		$array = htmlspecialchars_decode(htmlspecialchars((string) $array, ENT_SUBSTITUTE, 'UTF-8')); // Visman
+	else
+		$array = utf8_bad_strip($array);
 
 	// Remove control characters
 	$array = preg_replace('%[\x00-\x08\x0b-\x0c\x0e-\x1f]%', '', $array);
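Review bot: The two branches of the new version test in remove_bad_characters() no longer sanitise input the same way. On PHP 5.4+ `ENT_SUBSTITUTE` replaces each invalid UTF-8 sequence with U+FFFD, while the `utf8_bad_strip()` branch removes it, so stored values and any later length or equality checks depend on the PHP version. That deserves a comment, for example `// PHP >= 5.4: invalid UTF-8 is replaced with U+FFFD (not removed, unlike utf8_bad_strip)`. The encode and decode calls also use different quote flags; the round trip is still lossless because `&` is encoded first, but passing the same flags to both makes that obvious: `htmlspecialchars_decode(htmlspecialchars((string) $array, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8'), ENT_NOQUOTES)`. The function starts above this hunk and continues below it.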

+ 22 - 21
include/parser.php

@@ -217,7 +217,7 @@ function preparse_tags($text, &$errors, $is_signature = false)
 	// Inline tags, we do not allow new lines in these
 	$tags_inline = array('b', 'i', 'u', 's', 'ins', 'del', 'em', 'color', 'colour', 'h', 'topic', 'post', 'forum', 'user');
 	// Tags we trim interior space
-	$tags_trim = array('img', 'imgl', 'imgr');
+	$tags_trim = array('img', 'imgl', 'imgr', 'url', 'email');
 	// Tags we remove quotes from the argument
 	$tags_quotes = array('url', 'email', 'img', 'imgl', 'imgr', 'topic', 'post', 'forum', 'user');
 	// Tags we limit bbcode in
@@ -796,6 +796,7 @@ function do_bbcode($text, $is_signature = false)
 	if (strpos($text, '[quote') !== false)
 	{
 		$text = preg_replace('%\[quote\]\s*%', '</p><div class="quotebox"><blockquote><div><p>', $text);
+//		$text = preg_replace('%\[quote=(?P<quote>(?:&quot;|&\#039;|"|\'))?((?(quote)[^\r\n]+?|[^\r\n\]]++))(?(quote)(?P=quote))\]\s*%', '</p><div class="quotebox"><cite>$2 '.$lang_common['wrote'].'</cite><blockquote><div><p>', $text);
 		$text = preg_replace_callback('%\[quote=(&quot;|&\#039;|"|\'|)([^\r\n]*?)\\1\]%s', create_function('$matches', 'global $lang_common; return "</p><div class=\"quotebox\"><cite>".str_replace(array(\'[\', \'\\"\'), array(\'&#91;\', \'"\'), $matches[2])." ".$lang_common[\'wrote\']."</cite><blockquote><div><p>";'), $text);
 		$text = preg_replace('%\s*\[\/quote\]%S', '</p></div></blockquote></div><p>', $text);
 	}
@@ -804,7 +805,7 @@ function do_bbcode($text, $is_signature = false)
 	if (strpos($text, '[spoiler') !== false)
 	{
 		$text = str_replace('[spoiler]', "</p><div class=\"quotebox\" style=\"padding: 0px;\"><div onclick=\"var e,d,c=this.parentNode,a=c.getElementsByTagName('div')[1],b=this.getElementsByTagName('span')[0];if(a.style.display!=''){while(c.parentNode&&(!d||!e||d==e)){e=d;d=(window.getComputedStyle?getComputedStyle(c, null):c.currentStyle)['backgroundColor'];if(d=='transparent'||d=='rgba(0, 0, 0, 0)')d=e;c=c.parentNode;}a.style.display='';a.style.backgroundColor=d;b.innerHTML='&#9650;';}else{a.style.display='none';b.innerHTML='&#9660;';}\" style=\"font-weight: bold; cursor: pointer; font-size: 0.9em;\"><span style=\"padding: 0 5px;\">&#9660;</span>".$lang_common['Hidden text']."</div><div style=\"padding: 6px; margin: 0; display: none;\"><p>", $text);
-		$text = preg_replace('%\[spoiler=([^\r\n]*?)\]%s', '</p><div class="quotebox" style="padding: 0px;"><div onclick="var e,d,c=this.parentNode,a=c.getElementsByTagName(\'div\')[1],b=this.getElementsByTagName(\'span\')[0];if(a.style.display!=\'\'){while(c.parentNode&&(!d||!e||d==e)){e=d;d=(window.getComputedStyle?getComputedStyle(c, null):c.currentStyle)[\'backgroundColor\'];if(d==\'transparent\'||d==\'rgba(0, 0, 0, 0)\')d=e;c=c.parentNode;}a.style.display=\'\';a.style.backgroundColor=d;b.innerHTML=\'&#9650;\';}else{a.style.display=\'none\';b.innerHTML=\'&#9660;\';}" style="font-weight: bold; cursor: pointer; font-size: 0.9em;"><span style="padding: 0 5px;">&#9660;</span>$1</div><div style="padding: 6px; margin: 0; display: none;"><p>', $text);
+		$text = preg_replace('%\[spoiler=(?P<quote>(?:&quot;|&\#039;|"|\'))?((?(quote)[^\r\n]+?|[^\r\n\]]++))(?(quote)(?P=quote))\]%', '</p><div class="quotebox" style="padding: 0px;"><div onclick="var e,d,c=this.parentNode,a=c.getElementsByTagName(\'div\')[1],b=this.getElementsByTagName(\'span\')[0];if(a.style.display!=\'\'){while(c.parentNode&&(!d||!e||d==e)){e=d;d=(window.getComputedStyle?getComputedStyle(c, null):c.currentStyle)[\'backgroundColor\'];if(d==\'transparent\'||d==\'rgba(0, 0, 0, 0)\')d=e;c=c.parentNode;}a.style.display=\'\';a.style.backgroundColor=d;b.innerHTML=\'&#9650;\';}else{a.style.display=\'none\';b.innerHTML=\'&#9660;\';}" style="font-weight: bold; cursor: pointer; font-size: 0.9em;"><span style="padding: 0 5px;">&#9660;</span>$2</div><div style="padding: 6px; margin: 0; display: none;"><p>', $text);
 		$text = str_replace('[/spoiler]', '</p></div></div><p>', $text);
 	}
 
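Review bot: The new `[spoiler=...]` rule inserts the captured title as `$2` without neutralising `[`, unlike the `[quote=` callback a few lines above, which rewrites `[` to `&#91;` in its label. The quoted alternative `[^\r\n]+?` accepts brackets, so BBCode inside a quoted spoiler title is presumably still expanded by the later patterns in do_bbcode(), inside the clickable header element. I would switch this line to `preg_replace_callback` and apply the same `str_replace('[', '&#91;', $matches[2])` to the title before building the markup. Whether preparse_tags() already rejects such titles is not visible from this hunk, so treat this as a consistency fix to confirm.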
@@ -814,22 +815,22 @@ function do_bbcode($text, $is_signature = false)
 		$replace_callback[] = 'handle_list_tag($matches[2], $matches[1])';
 	}
 
-	$pattern[] = '%\[b\](.*?)\[/b\]%ms';
-	$pattern[] = '%\[i\](.*?)\[/i\]%ms';
-	$pattern[] = '%\[u\](.*?)\[/u\]%ms';
-	$pattern[] = '%\[s\](.*?)\[/s\]%ms';
-	$pattern[] = '%\[del\](.*?)\[/del\]%ms';
-	$pattern[] = '%\[ins\](.*?)\[/ins\]%ms';
-	$pattern[] = '%\[em\](.*?)\[/em\]%ms';
-	$pattern[] = '%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.*?)\[/colou?r\]%ms';
-	$pattern[] = '%\[h\](.*?)\[/h\]%ms';
+	$pattern[] = '%\[b\](.*?)\[/b\]%s';
+	$pattern[] = '%\[i\](.*?)\[/i\]%s';
+	$pattern[] = '%\[u\](.*?)\[/u\]%s';
+	$pattern[] = '%\[s\](.*?)\[/s\]%s';
+	$pattern[] = '%\[del\](.*?)\[/del\]%s';
+	$pattern[] = '%\[ins\](.*?)\[/ins\]%s';
+	$pattern[] = '%\[em\](.*?)\[/em\]%s';
+	$pattern[] = '%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.*?)\[/colou?r\]%s';
+	$pattern[] = '%\[h\](.*?)\[/h\]%s';
 	// дополнительные ббкоды - Visman
 	$pattern[] = '%\[hr\]%';
-	$pattern[] = '%\[size=([0-9]*)](.*?)\[/size\]%s';
-	$pattern[] = '%\[right\](.*?)\[/right\]%ms';
-	$pattern[] = '%\[center\](.*?)\[/center\]%ms';
-	$pattern[] = '%\[justify\](.*?)\[/justify\]%ms';
-	$pattern[] = '%\[mono\](.*?)\[/mono\]%ms';
+	$pattern[] = '%\[size=([1-9]\d{0,2})](.*?)\[/size\]%s';
+	$pattern[] = '%\[right\](.*?)\[/right\]%s';
+	$pattern[] = '%\[center\](.*?)\[/center\]%s';
+	$pattern[] = '%\[justify\](.*?)\[/justify\]%s';
+	$pattern[] = '%\[mono\](.*?)\[/mono\]%s';
 
 	$replace[] = '<strong>$1</strong>';
 	$replace[] = '<em>$1</em>';
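Review bot: The tightened `[size=...]` pattern `[1-9]\d{0,2}` still accepts values up to 999. The matching replacement string is outside this hunk, but if it emits `$1` as a font size, a post can still render text large enough to bury the rest of the page. A tighter bound in the pattern, for example `%\[size=([1-9]\d?)](.*?)\[/size\]%s`, or clamping the number in a callback, would close that off. A short comment naming the intended maximum would also help whoever edits this list next.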
@@ -874,11 +875,11 @@ function do_bbcode($text, $is_signature = false)
 		}
 	}
 
-	$pattern_callback[] = '%\[after=(\d*)\]%';
-	$pattern_callback[] = '%\[url\]([^\[]*?)\[/url\]%';
-	$pattern_callback[] = '%\[url=([^\[]+?)\](.*?)\[/url\]%';
-	$pattern[] = '%\[email\]([^\[]*?)\[/email\]%';
-	$pattern[] = '%\[email=([^\[]+?)\](.*?)\[/email\]%';
+	$pattern_callback[] = '%\[after=(\d+)\]%';
+	$pattern_callback[] = '%\[url\]([^\[\r\n\t]*?)\[/url\]%';
+	$pattern_callback[] = '%\[url=([^\[\r\n\t]+?)\](.*?)\[/url\]%';
+	$pattern[] = '%\[email\]([^\[\r\n\t]+?@[^\[\r\n\t]+?)\[/email\]%';
+	$pattern[] = '%\[email=([^\[\r\n\t]+?@[^\[\r\n\t]+?)\](.*?)\[/email\]%';
 	$pattern_callback[] = '%\[topic\]([1-9]\d*)\[/topic\]%';
 	$pattern_callback[] = '%\[topic=([1-9]\d*)\](.*?)\[/topic\]%';
 	$pattern_callback[] = '%\[post\]([1-9]\d*)\[/post\]%';

+ 1 - 1
include/pms_new/common_pmsn.php

@@ -167,7 +167,7 @@ function pmsn_user_delete($user, $mflag, $topics = array())
 		pmsn_user_update($user_up[$i]);
 }
 
-function pmsn_get_var($name, $default = NULL)
+function pmsn_get_var($name, $default = null)
 {
 	if (isset($_POST[$name]))
 		return $_POST[$name];

+ 2 - 2
include/pms_new/mdl/topic.php

@@ -196,7 +196,7 @@ while ($cur_post = $db->fetch_assoc($result))
 	{
 		$cur_post['g_id'] = PUN_GUEST;
 		// мод пола - Visman
-		$cur_post['gender'] = NULL;
+		$cur_post['gender'] = null;
 	}
 
 	// мод пола - Visman
@@ -205,7 +205,7 @@ while ($cur_post = $db->fetch_assoc($result))
 	else if ($cur_post['gender'] == 2)
 		$cur_post['gender'] = 'female';
 	else
-		$cur_post['gender'] = NULL;
+		$cur_post['gender'] = null;
 
 	if ($pun_user['id'] != $cur_post['poster_id'])
 	{

+ 3 - 3
include/poll.php

@@ -66,7 +66,7 @@ function poll_can_vote($tid, $uid)
 }
 
 // получение информации по опросу **********************************************
-function poll_info($tid, $uid = NULL)
+function poll_info($tid, $uid = null)
 {
 	global $db;
 
@@ -599,7 +599,7 @@ function poll_display($tid, $uid, $info, $top, $prev = false)
 
 	if (is_null($info)) return;
 	
-	$can_vote = ($info['canVote'] && $top[0] != 2 && poll_post('poll_view') == null);
+	$can_vote = ($info['canVote'] && $top[0] != 2 && poll_post('poll_view') === null);
 	$can_visi = ((($info['isGuest'] && $pun_config['o_poll_guest'] == '1') || !$info['isGuest']) && $top[2] <= $top[3]);
 	$fmess = '';
 	if ($prev)
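Review bot: Switching `poll_post('poll_view') == null` to `=== null` changes behaviour whenever poll_post() returns `''`, `'0'`, `0` or `false`. Those values used to count as "not set" and now count as "set", which flips `$can_vote` here and the `!== null` branch in the following hunk. poll_post() is not visible on this page, so confirm that it returns exactly `null` when the field is absent. If it does, a comment on it would remove the doubt, for example `// returns null when the POST field is absent, otherwise the raw value`. poll_display() starts and ends outside these hunks.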
@@ -612,7 +612,7 @@ function poll_display($tid, $uid, $info, $top, $prev = false)
 		$fmess = $lang_poll['M3'];
 	else if ($info['isGuest'])
 		$fmess = $lang_poll['M4'];
-	else if (poll_post('poll_view') != null)
+	else if (poll_post('poll_view') !== null)
 		$fmess = '<a href="javascript:history.go(-1)">'.$lang_common['Go back'].'</a>';
 	else if (!$can_vote)
 		$fmess = $lang_poll['M0'];

+ 1 - 1
install.php

@@ -9,7 +9,7 @@
 // The FluxBB version this script installs
 define('FORUM_VERSION', '1.5.10');
 
-define('FORUM_VER_REVISION', 75);	// номер сборки - Visman
+define('FORUM_VER_REVISION', 76);	// номер сборки - Visman
 
 define('FORUM_DB_REVISION', 21);
 define('FORUM_SI_REVISION', 2.1);

+ 38 - 55
js/collapse.js

@@ -1,36 +1,23 @@
-// collapse.js v2.0.1 Copyright (C) 2014-2015 Visman (mio.visman@yandex.ru)
+// collapse.js v2.0.2 Copyright (C) 2014-2016 Visman (mio.visman@yandex.ru)
 if (typeof FluxBB === 'undefined' || !FluxBB) {var FluxBB = {};}
 
 FluxBB.collapse = (function (doc) {
 	'use strict';
 
+	var dd;
+
 	function get(e) {
 		return doc.getElementById(e);
 	}
 	
 	function getCN(classname, node) {
 		node = node || doc;
-		if (node.querySelectorAll)
-		{
+		if (node.querySelectorAll) {
 			return node.querySelectorAll('.' + classname);
-		}
-		else if (node.getElementsByClassName)
-		{
+		} else if (node.getElementsByClassName) {
 			return node.getElementsByClassName(classname);
 		}
-		else
-		{
-			var list = node.all || node.getElementsByTagName('*');
-			var result = [];
-			for (var index = 0, elem; elem = list[index++];)
-			{
-				if (elem.className && (' ' + elem.className + ' ').indexOf(' ' + classname + ' ') > -1)
-				{
-					result[result.length] = elem;
-				}
-			}
-			return result;
-		}
+		return [];
 	}
 	
 	function setCookie(name, value, expires, path, domain, secure) {
@@ -47,46 +34,46 @@ FluxBB.collapse = (function (doc) {
 	}
 
 	function getCookie(name) {
-		var pattern = "(?:; )?" + FluxBB.vars.collapse_cookieid + name + "=([^;]*);?";
-		var regexp  = new RegExp(pattern);
-
-		if (regexp.test(doc.cookie))
-			return decodeURIComponent(RegExp["$1"]);
-
-		return false;
+		if (!name) return false;
+		name = (FluxBB.vars.collapse_cookieid + name).replace(/([\.\$\?\*\|\{\}\(\)\[\]\\\/\+\^])/g, '\\$1');
+		var m = doc.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
+		return m ? decodeURIComponent(m[1]) : false;
 	}
 	
 	function getCSS(element, property) {
-		return (typeof getComputedStyle == "undefined" ? element.currentStyle : getComputedStyle(element, null))[property];
+		return (typeof getComputedStyle === 'undefined' ? element.currentStyle : getComputedStyle(element, null))[property];
 	}
 
 	return {
 		init: function () {
-			var i, tmp, old = true, f = true, saved = [],
-					brdmain = get('brdmain'),
-					blocktables = getCN('blocktable', brdmain);
+			var i, tmp, cur, saved, old = true, f = true,
+					blocktables = getCN('blocktable', get('brdmain'));
+
+			dd = new Date();
+			dd.setFullYear(dd.getFullYear() + 1);
+
 			for (i in blocktables) {
-				if (blocktables[i].id) {
+				cur = blocktables[i];
+				if (cur.id) {
 				  if (f) {
-						if (getCSS(blocktables[i].getElementsByTagName('h2')[0], 'position') == 'absolute' || getCSS(blocktables[i].getElementsByTagName('thead')[0], 'display') == 'none')
+						if (getCSS(cur.getElementsByTagName('h2')[0], 'position') == 'absolute' || getCSS(cur.getElementsByTagName('thead')[0], 'display') == 'none')
 						  old = false;
 				    f = false;
 					}
-					var id = blocktables[i].id.replace('idx', '');
-					if (old) { // FluxBB.vars.collapse_old == '1'
-						var h2 = blocktables[i].getElementsByTagName('h2')[0];
-						h2.insertAdjacentHTML('afterBegin', '<span class="conr"><img src="' + FluxBB.vars.collapse_folder + 'exp_up.png" onclick="FluxBB.collapse.toggle(' + id + ')" alt="-" id="collapse_img_' + id + '" /></span>');
-						getCN('box', blocktables[i])[0].setAttribute('id', 'collapse_box_' + id);
+					var id = cur.id.replace('idx', '');
+					if (old) {
+						cur.getElementsByTagName('h2')[0].insertAdjacentHTML('afterBegin', '<span class="conr"><img src="' + FluxBB.vars.collapse_folder + 'exp_up.png" onclick="FluxBB.collapse.toggle(' + id + ')" alt="-" id="collapse_img_' + id + '" /></span>');
+						getCN('box', cur)[0].setAttribute('id', 'collapse_box_' + id);
 					} else {
-						blocktables[i].getElementsByTagName('tbody')[0].setAttribute('id', 'collapse_box_' + id);
-						var ths = blocktables[i].getElementsByTagName('thead')[0].getElementsByTagName('th'), th = ths[ths.length-1];
+						cur.getElementsByTagName('tbody')[0].setAttribute('id', 'collapse_box_' + id);
+						var ths = cur.getElementsByTagName('thead')[0].getElementsByTagName('th'), th = ths[ths.length-1];
 						th.insertAdjacentHTML('beforeEnd', '<span class="conr"><img src="' + FluxBB.vars.collapse_folder + 'exp_up.png" onclick="FluxBB.collapse.toggle(' + id + ')" alt="-" id="collapse_img_' + id + '" /></span>');
 					}
 				}
 			}
 			
 			if (tmp = getCookie('collaps')) {
-				saved = tmp.split(",");
+				saved = tmp.split(',');
 
 				for(i = 0 ; i < saved.length; i++) {
 					FluxBB.collapse.toggle(saved[i]);
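Review bot: init() still walks the result of getCN() with `for (i in blocktables)`, and on a NodeList that also enumerates non-element keys such as `length` and `item`. The loop only works because those values have no `id`. Since this commit drops the array-building fallback and always returns a NodeList or `[]`, an index loop is the safer form: `for (i = 0; i < blocktables.length; i++) {`. The `id` taken from `cur.id.replace('idx', '')` is also concatenated into an inline `onclick` string. A comment stating that these ids are server-generated integers would document the assumption that the markup relies on.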
@@ -96,38 +83,34 @@ FluxBB.collapse = (function (doc) {
 		},
 		
 		toggle: function (id) {
-			var saved = [], clean = [], i, tmp;
+			var saved, clean = [], i, tmp;
 
 			if (tmp = getCookie('collaps')) {
-				saved = tmp.split(",");
+				saved = tmp.split(',');
 
 				for(i = 0 ; i < saved.length; i++) {
-					if (saved[i] != id && saved[i] != "") {
+					if (saved[i] != id && saved[i] != '') {
 						clean[clean.length] = saved[i];
 					}
 				}
 			}
 
-			if (get('collapse_box_'+id).style.display == "")
-			{
+			if (get('collapse_box_'+id).style.display == '') {
 				clean[clean.length] = id;
-				get('collapse_box_'+id).style.display = "none";
+				get('collapse_box_'+id).style.display = 'none';
 				get('collapse_img_'+id).src = get('collapse_img_'+id).src.replace('up','down');
 				get('collapse_img_'+id).setAttribute('alt', '+');
-
-			}
-			else
-			{
-				get('collapse_box_'+id).style.display = "";
+			} else {
+				get('collapse_box_'+id).style.display = '';
 				get('collapse_img_'+id).src = get('collapse_img_'+id).src.replace('down','up');
 				get('collapse_img_'+id).setAttribute('alt', '-');
 			}
 
 			if (clean.length == 0) {
-      	setCookie('collaps', null, new Date(0));
-      } else {
-				setCookie('collaps', clean.join(","), new Date("January 01, 2020 12:00:00"));
+				setCookie('collaps', null, new Date(0));
+			} else {
+				setCookie('collaps', clean.join(','), dd);
 			}
 		}
 	};
-}(document));
+}(document));
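Review bot: toggle() dereferences `get('collapse_box_'+id).style` without checking that the element exists, yet init() passes it ids read from the `collaps` cookie. A stale or hand-edited cookie entry makes `get()` return null, and the resulting exception aborts the restore loop in init(). A guard at the top of the state change would make the cookie value harmless: `var box = get('collapse_box_' + id), img = get('collapse_img_' + id); if (!box || !img) return;`. Placing it before `clean[clean.length] = id` also stops unknown ids from being written back to the cookie.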

Fichier diff supprimé car celui-ci est trop grand
+ 0 - 1
js/media.min.js


+ 52 - 83
js/post.js

@@ -1,4 +1,4 @@
-// post.js v2.1.0 Copyright (C) 2014-2015 Visman (mio.visman@yandex.ru)
+// post.js v2.1.1 Copyright (C) 2014-2016 Visman (mio.visman@yandex.ru)
 if (typeof FluxBB === 'undefined' || !FluxBB) {var FluxBB = {};}
 
 FluxBB.post = (function (doc, win) {
@@ -27,16 +27,8 @@ FluxBB.post = (function (doc, win) {
 			return node.querySelectorAll('.' + classname);
 		} else if (node.getElementsByClassName) {
 			return node.getElementsByClassName(classname);
-		} else {
-			var list = node.all || node.getElementsByTagName('*');
-			var result = [];
-			for (var index = 0, elem; elem = list[index++];) {
-				if (elem.className && (' ' + elem.className + ' ').indexOf(' ' + classname + ' ') > -1) {
-					result[result.length] = elem;
-				}
-			}
-			return result;
 		}
+		return [];
 	}
 
 	function createElement(elem) {
@@ -81,47 +73,26 @@ FluxBB.post = (function (doc, win) {
 		}
 	}
 
-  function SmileysMapBB() {
-		var html = "";
+	function SmileysMapBB() {
+		var html = '';
 		for (var i = 0; i < FluxBB.vars.bbSmImg.length; i++) {
-			html += "<img src=\"img/smilies/" + FluxBB.vars.bbSmImg[i] + "\" alt=\"" + FluxBB.vars.bbSmTxt[i] + "\" onclick=\"return FluxBB.post.insText('', ' " + FluxBB.vars.bbSmTxt[i].replace(/\\/g, '\\\\').replace(/&#039;/g, '\\\'') + " ');\" />"
+			html += '<img src="img/smilies/' + FluxBB.vars.bbSmImg[i] + '" alt="' + FluxBB.vars.bbSmTxt[i] + '" onclick="return FluxBB.post.insText(\'\', \' ' + FluxBB.vars.bbSmTxt[i].replace(/\\/g, '\\\\').replace(/&#039;/g, '\\\'') + ' \');" />';
 		}
 		return html;
 	}
 	
 	function ColorMapBB() {
-		var colors = [
-		"#000000","#000033","#000066","#000099","#0000cc","#0000ff","#330000","#330033",
-		"#330066","#330099","#3300cc","#3300ff","#660000","#660033","#660066","#660099",
-		"#6600cc","#6600ff","#990000","#990033","#990066","#990099","#9900cc","#9900ff",
-		"#cc0000","#cc0033","#cc0066","#cc0099","#cc00cc","#cc00ff","#ff0000","#ff0033",
-		"#ff0066","#ff0099","#ff00cc","#ff00ff","#003300","#003333","#003366","#003399",
-		"#0033cc","#0033ff","#333300","#333333","#333366","#333399","#3333cc","#3333ff",
-		"#663300","#663333","#663366","#663399","#6633cc","#6633ff","#993300","#993333",
-		"#993366","#993399","#9933cc","#9933ff","#cc3300","#cc3333","#cc3366","#cc3399",
-		"#cc33cc","#cc33ff","#ff3300","#ff3333","#ff3366","#ff3399","#ff33cc","#ff33ff",
-		"#006600","#006633","#006666","#006699","#0066cc","#0066ff","#336600","#336633",
-		"#336666","#336699","#3366cc","#3366ff","#666600","#666633","#666666","#666699",
-		"#6666cc","#6666ff","#996600","#996633","#996666","#996699","#9966cc","#9966ff",
-		"#cc6600","#cc6633","#cc6666","#cc6699","#cc66cc","#cc66ff","#ff6600","#ff6633",
-		"#ff6666","#ff6699","#ff66cc","#ff66ff","#009900","#009933","#009966","#009999",
-		"#0099cc","#0099ff","#339900","#339933","#339966","#339999","#3399cc","#3399ff",
-		"#669900","#669933","#669966","#669999","#6699cc","#6699ff","#999900","#999933",
-		"#999966","#999999","#9999cc","#9999ff","#cc9900","#cc9933","#cc9966","#cc9999",
-		"#cc99cc","#cc99ff","#ff9900","#ff9933","#ff9966","#ff9999","#ff99cc","#ff99ff",
-		"#00cc00","#00cc33","#00cc66","#00cc99","#00cccc","#00ccff","#33cc00","#33cc33",
-		"#33cc66","#33cc99","#33cccc","#33ccff","#66cc00","#66cc33","#66cc66","#66cc99",
-		"#66cccc","#66ccff","#99cc00","#99cc33","#99cc66","#99cc99","#99cccc","#99ccff",
-		"#cccc00","#cccc33","#cccc66","#cccc99","#cccccc","#ccccff","#ffcc00","#ffcc33",
-		"#ffcc66","#ffcc99","#ffcccc","#ffccff","#00ff00","#00ff33","#00ff66","#00ff99",
-		"#00ffcc","#00ffff","#33ff00","#33ff33","#33ff66","#33ff99","#33ffcc","#33ffff",
-		"#66ff00","#66ff33","#66ff66","#66ff99","#66ffcc","#66ffff","#99ff00","#99ff33",
-		"#99ff66","#99ff99","#99ffcc","#99ffff","#ccff00","#ccff33","#ccff66","#ccff99",
-		"#ccffcc","#ccffff","#ffff00","#ffff33","#ffff66","#ffff99","#ffffcc","#ffffff"];
+		var colors = [], a = ['00', '33', '66', '99', 'cc', 'ff'];
+		for (var x = 0; x < 6; x++) {
+			for (var y = 0; y < 6; y++) {
+				for (var z = 0; z < 6; z++) {
+					colors.push('#' +  a[y] + a[x] + a[z]);
+				}
+			}
+		}
 		var html = '<table class="tbl"><tr>';
 		for (var i=0; i<colors.length; i++) {
-			html += "<td style='background-color:" + colors[i] + "' onclick=\"return FluxBB.post.insText('[color=" + colors[i] + "]', '[/color]');\" onfocus=\"FluxBB.post.showMapColor('" + colors[i] +  "');\" onmouseover=\"FluxBB.post.showMapColor('" + colors[i] + "');\">"
-			html += '</td>';
+			html += '<td style="background-color:' + colors[i] + '" onclick="return FluxBB.post.insText(\'[color=' + colors[i] + ']\', \'[/color]\');" onfocus="FluxBB.post.showMapColor(\'' + colors[i] +  '\');" onmouseover="FluxBB.post.showMapColor(\'' + colors[i] + '\');"></td>';
 			if ((i+1) % 18 == 0)	html += '</tr><tr>';
 		}
 		html += '<td colspan="9" id="selectedMapColor" height="16"></td>'
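Review bot: SmileysMapBB() concatenates `FluxBB.vars.bbSmImg[i]` and `FluxBB.vars.bbSmTxt[i]` straight into `src`, `alt` and an inline `onclick`, escaping only `\` and `&#039;` for the handler. That is safe only if the server already HTML-encodes both arrays. The `&#039;` replacement suggests it does, but nothing here states it. I would record the contract above the loop with `// bbSmImg/bbSmTxt arrive HTML-encoded from the server; only \ and &#039; need escaping for the inline handler`. Building the `<img>` elements with `createElement` and `addEventListener` would remove the dependency altogether, though that is a larger change than this commit intends.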
@@ -137,7 +108,7 @@ FluxBB.post = (function (doc, win) {
 			fls = true;
 			
 			textarea = doc.getElementsByName('req_message')[0];
-			if (typeof(textarea) === 'undefined') return false;
+			if (typeof textarea === 'undefined') return false;
 
 			bbcode = [{i:'b.png', a:'[b]', s:'[b]', e:'[/b]'},
 				{i:'i.png', a:'[i]', s:'[i]', e:'[/i]'},
@@ -199,22 +170,22 @@ FluxBB.post = (function (doc, win) {
 				if (blockposts[i].id) {
 					var id = blockposts[i].id.replace('p', '');
 					var dt = blockposts[i].getElementsByTagName('dt')[0];
-					if (typeof(dt) !== 'undefined') {
+					if (typeof dt !== 'undefined') {
 						var a = dt.innerHTML;
 						var n = a.replace(/<[^>]+>/g, '');
 						
 						// Decode html special chars
-						n = n.replace(/&lt;/g, '<');
-						n = n.replace(/&gt;/g, '>');
-						n = n.replace(/&quot;/g, '"');
-						n = n.replace(/&#039;/g, '\'');
-						n = n.replace(/&nbsp;/g, ' ');
-						n = n.replace(/&#160;/g, ' ');
-						nameusers[id] = n.replace(/&amp;/g, '&');
+						nameusers[id] = n.replace(/&lt;/g, '<')
+							.replace(/&gt;/g, '>')
+							.replace(/&quot;/g, '"')
+							.replace(/&#039;/g, '\'')
+							.replace(/&nbsp;/g, ' ')
+							.replace(/&#160;/g, ' ')
+							.replace(/&amp;/g, '&');
 						dt.insertAdjacentHTML('afterBegin', '<strong><a href="#req_message" onclick="return FluxBB.post.insName(' + id + ');">@ </a></strong>');
 
 						var quote = getCN('postquote', blockposts[i])[0];
-						if (typeof(quote) !== 'undefined') {
+						if (typeof quote !== 'undefined') {
 							a = quote.getElementsByTagName('a')[0];
 							p = quote.parentNode;
 							p.insertAdjacentHTML('beforeEnd', '<li class="postquote"><span id="pq' + id + '"><a href="' + a.href.replace(/&/g, '&amp;') + '" onmousedown="FluxBB.post.getText();" onclick="return FluxBB.post.quote(' + id + ');">' + lang['QQ'] + '</a></span></li>');
@@ -224,10 +195,10 @@ FluxBB.post = (function (doc, win) {
 			}
 			
 			if (!!FluxBB.vars.bbFlagUp && !FluxBB.vars.bbGuest) {
-				var all_ul = doc.getElementsByTagName("ul"),
+				var all_ul = doc.getElementsByTagName('ul'),
 						i = all_ul.length - 1;
 				while (i > -1) {
-					if (all_ul[i].className == "bblinks") {
+					if (all_ul[i].className == 'bblinks') {
 						all_ul[i].insertAdjacentHTML('beforeEnd', '<li><span><a href="upfiles.php" onclick="return FluxBB.post.popUp(this.href);"><strong>' + lang['upfiles'] + '</strong></a></span></li>');
 						i = 0;
 					}
@@ -240,33 +211,31 @@ FluxBB.post = (function (doc, win) {
 			get('bbcode_color_map').style.display = 'none';
 			get('bbcode_smileys').style.display = 'none';
 			textarea.focus();
-			// IE support
-			if (doc.selection && doc.selection.createRange) {
-				sel = doc.selection.createRange();
-				sel.text = open + sel.text + close;
-			}
-			// Moz support
-			else if (textarea.selectionStart || textarea.selectionStart == '0') {
-				var startPos = textarea.selectionStart;
-				var endPos = textarea.selectionEnd;
-				textarea.value = textarea.value.substring(0, startPos) + open + textarea.value.substring(startPos, endPos) + close + textarea.value.substring(endPos);
-				if (startPos == endPos && open == '') {
-					textarea.selectionStart = startPos + close.length;
-					textarea.selectionEnd = endPos + close.length;
+			// all and IE9+
+			if ('selectionStart' in textarea) {
+				var len = textarea.value.length,
+					sp = Math.min(textarea.selectionStart, len), // IE bug
+					ep = Math.min(textarea.selectionEnd, len); // IE bug
+
+				textarea.value = textarea.value.substring(0, sp) + open + textarea.value.substring(sp, ep) + close + textarea.value.substring(ep);
+				if (sp == ep && open == '') {
+					textarea.selectionStart = sp + close.length;
+					textarea.selectionEnd = ep + close.length;
 				} else {
-					textarea.selectionStart = startPos + open.length;
-					textarea.selectionEnd = endPos + open.length;
+					textarea.selectionStart = sp + open.length;
+					textarea.selectionEnd = ep + open.length;
 				}
 			}
-			// Fallback support for other browsers
-			else {
-				textarea.value += open + close;
+			// IE9-
+			else if (doc.selection && doc.selection.createRange) {
+				var sel = doc.selection.createRange();
+				sel.text = open + sel.text + close;
 			}
 			textarea.focus();
 			return false;
 		},
 		
-    insName: function (id) {
+		insName: function (id) {
 			return FluxBB.post.insText('', '[b]@' + nameusers[id] + '[/b], ');
 		},
 		
@@ -276,8 +245,8 @@ FluxBB.post = (function (doc, win) {
 		},
 		
 		quote: function (id) {
-		  if (typeof(id) !== 'number' || id < 1) return false;
-			if (quote_text != "") {
+			if (typeof id !== 'number' || id < 1) return false;
+			if (quote_text != '') {
 				return FluxBB.post.insText('', '[quote="' + nameusers[id] + '"]\n' + quote_text + '\n[/quote]\n');
 			} else if (!FluxBB.vars.bbGuest){
 				check_apq();
@@ -289,8 +258,8 @@ FluxBB.post = (function (doc, win) {
 					get('pq' + apq_id).innerHTML = '<img src="img/loading.gif" />&#160;<a href="#">' + lang['Loading'] + '</a>';
 
 					req.onreadystatechange=function(){orsc(req);};
-					req.open("POST", 'pjq.php?' + id, true);
-					req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+					req.open('POST', 'pjq.php?' + id, true);
+					req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
 					req.send('action=' + typepost + '&id=' + id);
 				}
 			} else {
@@ -304,7 +273,7 @@ FluxBB.post = (function (doc, win) {
 		  w = Math.min(820, screen.width),
 			t = Math.max((screen.height - h) / 3, 0),
 			l = (screen.width - w) / 2;
-			win.open(url, 'gest', "top=" + t + ",left=" + l + ",width=" + w + ",height=" + h + ",resizable=yes,location=no,menubar=no,status=no,scrollbars=yes");
+			win.open(url, 'gest', 'top=' + t + ',left=' + l + ',width=' + w + ',height=' + h + ',resizable=yes,location=no,menubar=no,status=no,scrollbars=yes');
 			return false;
 		},
 		
@@ -341,13 +310,13 @@ FluxBB.post = (function (doc, win) {
 		},
 		
 		showMapColor : function (color) {
-			get("selectedMapColor").style.backgroundColor = color;
-			get("selectedMapColorBox").value = color;
+			get('selectedMapColor').style.backgroundColor = color;
+			get('selectedMapColorBox').value = color;
 		}
 	};
 }(document, window));
 
-if (typeof(jQuery) !== "undefined") {
+if (typeof jQuery !== 'undefined') {
 	(function($){var textarea,staticOffset;var iLastMousePos=0;var iMin=64;var grip;$.fn.TextAreaResizer=function(){return this.each(function(){textarea=$(this).addClass('processed'),staticOffset=null;$(this).wrap('<div class="resizable-textarea"><span></span></div>').parent().append($('<div class="grippie"></div>').bind("mousedown",{el:this},startDrag));var grippie=$('div.grippie',$(this).parent())[0];grippie.style.marginRight=(grippie.offsetWidth-$(this)[0].offsetWidth)+'px'})};function startDrag(e){textarea=$(e.data.el);textarea.blur();iLastMousePos=mousePosition(e).y;staticOffset=textarea.height()-iLastMousePos;if(!window.ActiveXObject){textarea.css('opacity',0.25)}$(document).mousemove(performDrag).mouseup(endDrag);return false}function performDrag(e){var iThisMousePos=mousePosition(e).y;var iMousePos=staticOffset+iThisMousePos;if(iLastMousePos>=(iThisMousePos)){iMousePos-=5}iLastMousePos=iThisMousePos;iMousePos=Math.max(iMin,iMousePos);textarea.height(iMousePos+'px');if(iMousePos<iMin){endDrag(e)}return false}function endDrag(e){$(document).unbind('mousemove',performDrag).unbind('mouseup',endDrag);if(!window.ActiveXObject){textarea.css('opacity',1)}textarea.focus();textarea=null;staticOffset=null;iLastMousePos=0}function mousePosition(e){return{x:e.clientX+document.documentElement.scrollLeft,y:e.clientY+document.documentElement.scrollTop}}})(jQuery);
 	$(document).ready(function() {$('textarea:not(.processed)').TextAreaResizer();});
-}
+}

+ 1 - 0
login.php

@@ -121,6 +121,7 @@ else if ($action == 'out')
 		exit;
 	}
 
+    unset($errors);
 	confirm_referrer('login.php');
 
 	// Remove user from "users online" list
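Review bot: The added `unset($errors);` has no comment saying why the variable must be cleared before `confirm_referrer('login.php')` runs, and it is indented with four spaces where the neighbouring lines use a tab. Nothing in the hunk shows where `$errors` is populated or read on the logout path, and the commit message says only "Fixed security bug", so a later maintainer cannot tell this line is security-relevant rather than dead code. I would re-indent it with a tab and put a one-line comment above it, for example `// Drop any $errors carried into the logout branch before the referrer check`, with the actual reason supplied by the author. The `else if ($action == 'out')` branch starts and ends outside the hunk.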

+ 1 - 1
moderate.php

@@ -18,7 +18,7 @@ if (isset($_GET['get_host']))
 		message($lang_common['No permission'], false, '403 Forbidden');
 
 	// Is get_host an IP address or a post ID?
-	if (@preg_match('%^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$%', $_GET['get_host']) || @preg_match('%^((([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(([0-9A-Fa-f]{1,4}:){0,5}:((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(::([0-9A-Fa-f]{1,4}:){0,5}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})|(::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){1,7}:))$%', $_GET['get_host']))
+	if (@preg_match('%^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$%D', $_GET['get_host']) || @preg_match('%^((([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(([0-9A-Fa-f]{1,4}:){0,5}:((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(::([0-9A-Fa-f]{1,4}:){0,5}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})|(::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){1,7}:))$%D', $_GET['get_host']))
 		$ip = $_GET['get_host'];
 	else
 	{
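Review bot: Both patterns are still invoked as `@preg_match(...)` on the raw `$_GET['get_host']`, so a non-string value such as `get_host[]=x` is either silenced into the `else` branch (older PHP) or raises an uncaught TypeError (PHP 8) instead of being rejected as a bad request. The added `D` modifier closes the trailing-newline match, but the IPv4 pattern still accepts octets above 255. PHP's built-in validator covers IPv4 and IPv6 without the hand-written expression: `if (is_string($_GET['get_host']) && filter_var($_GET['get_host'], FILTER_VALIDATE_IP) !== false)`. The `if`/`else` continues past the end of the hunk, so what the `else` branch does with the value is not visible here.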

+ 4 - 4
plugins/AP_Upload.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright (C) 2011-2015 Visman (mio.visman@yandex.ru)
+ * Copyright (C) 2011-2016 Visman (mio.visman@yandex.ru)
  * Copyright (C) 2007 BN (bnmaster@la-bnbox.info)
  * License: http://www.gnu.org/licenses/gpl.html GPL version 2 or higher
  */
@@ -12,7 +12,7 @@ if (!defined('PUN'))
 
 // Tell admin_loader.php that this is indeed a plugin and that it is loaded
 define('PUN_PLUGIN_LOADED', 1);
-define('PLUGIN_VERSION', '2.0.3');
+define('PLUGIN_VERSION', '2.0.4');
 define('PLUGIN_URL', pun_htmlspecialchars('admin_loader.php?plugin='.$plugin));
 define('PLUGIN_EXTS', 'jpg,jpeg,png,gif,mp3,zip,rar,7z');
 define('PLUGIN_NF', 25);
@@ -72,7 +72,7 @@ else if (isset($_POST['update']))
 			{
 				$g_ext = str_replace(' ', '', $g_up_ext[$cur_group['g_id']]);
 				$g_ext = preg_replace('%[,]+%u', ',', $g_ext);
-				if (preg_match('%^[0-9a-zA-Z][0-9a-zA-Z,]*[0-9a-zA-Z]$%u', $g_ext) == 0)
+				if (preg_match('%^[0-9a-zA-Z][0-9a-zA-Z,]*[0-9a-zA-Z]$%uD', $g_ext) == 0)
 					$g_ext = PLUGIN_EXTS;
 				$g_ext = strtolower($g_ext);
 			}
@@ -501,7 +501,7 @@ else
 		$dir = $mem.$fi[1].'/';
 		$size_file = file_size(filesize(PUN_ROOT.$file));
 		$miniature = $dir.'mini_'.$fi[2].'.'.$fi[3];
-		if (isset($_POST['update_thumb']) && $_POST['update_thumb'] != NULL && $aconf['thumb'] == 1 && array_key_exists(strtolower($fi[3]),$extimageGD))
+		if (isset($_POST['update_thumb']) && $aconf['thumb'] == 1 && array_key_exists(strtolower($fi[3]),$extimageGD))
 			img_resize(PUN_ROOT.$file, $dir, 'mini_'.$fi[2], $fi[3], 0, $aconf['thumb_size'], $aconf['thumb_perc']);
 
 ?>
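Review bot: In the `isset($_POST['update'])` hunk the extension-list check is written `preg_match(...) == 0`, which falls back to `PLUGIN_EXTS` on a PCRE error only because `false == 0` under loose comparison. Stating the intent makes the fail-closed behaviour explicit: `if (preg_match('%^[0-9a-zA-Z][0-9a-zA-Z,]*[0-9a-zA-Z]$%uD', $g_ext) !== 1)`. The preceding `preg_replace('%[,]+%u', ',', $g_ext)` can return null when the input is not valid UTF-8, so a short comment there, e.g. `// invalid UTF-8 makes preg_replace return null; the check below then restores PLUGIN_EXTS`, would document that this path is covered. The surrounding loop starts and ends outside the hunk.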

+ 1 - 1
pmsnew.php

@@ -86,7 +86,7 @@ else
 }
 
 // проверка модуля
-if (!preg_match('%^[a-z]+$%', $pmsn_modul))
+if (preg_match('%[^a-z]%', $pmsn_modul))
 	message($lang_common['Bad request'], false, '404 Not Found');
 
 if (!file_exists(PUN_ROOT.'include/pms_new/mdl/'.$pmsn_modul.'.php'))
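Review bot: The rewritten check `preg_match('%[^a-z]%', $pmsn_modul)` fails open: the request continues whenever preg_match returns 0 or false, so an empty string now passes (the old `+` required at least one letter) and so does any case where the match itself errors. Because `$pmsn_modul` is concatenated into a path under `include/pms_new/mdl/` on the next line, an allow-list that must match is the safer form, and the `D` modifier used elsewhere in this commit handles the trailing-newline case: `if (!is_string($pmsn_modul) || !preg_match('%^[a-z]+$%D', $pmsn_modul))`. Where `$pmsn_modul` is assigned is outside the hunk, so whether it can be empty or non-string in practice needs checking against that code.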

+ 14 - 0
robots.txt

@@ -11,6 +11,20 @@ Disallow: /r
 Disallow: /s
 Disallow: /u
 Disallow: /*pid=
+
+User-agent: Yandex
+Disallow: /a
+Disallow: /d
+Disallow: /c
+Disallow: /e
+Disallow: /j
+Disallow: /l
+Disallow: /m
+Disallow: /p
+Disallow: /r
+Disallow: /s
+Disallow: /u
+Disallow: /*pid=
 Crawl-delay: 5
 Clean-param: search_hl
 Clean-param: csrf_hash
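Review bot: With the new `User-agent: Yandex` group inserted above them, `Crawl-delay: 5` and the `Clean-param` lines now belong to the Yandex group only. `Clean-param` is a Yandex directive, so that part looks intended, but if the first group (its `User-agent` line is above the hunk) relied on `Crawl-delay`, other crawlers that honour it lose the limit; repeating `Crawl-delay: 5` at the end of the first group would keep it. The duplicated `Disallow` list must now be kept in sync by hand, so a comment line such as `# Keep in sync with the default group above` before `User-agent: Yandex` would help.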

+ 35 - 35
upfiles.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright (C) 2011-2013 Visman (mio.visman@yandex.ru)
+ * Copyright (C) 2011-2016 Visman (mio.visman@yandex.ru)
  * License: http://www.gnu.org/licenses/gpl.html GPL version 2 or higher
  */
 
@@ -436,7 +436,7 @@ if (typeof FluxBB === 'undefined' || !FluxBB) {var FluxBB = {};}
 FluxBB.upfile = (function (doc, win) {
 	'use strict';
 
-	var url, src;
+	var url, src, par, area;
 
 	function get(elem) {
 		return doc.getElementById(elem);
@@ -453,12 +453,12 @@ FluxBB.upfile = (function (doc, win) {
 	function get_us(li) {
 		url = '';
 		src = '';
-		var div = li.getElementsByTagName("div")[1];
+		var div = li.getElementsByTagName('div')[1];
 		if (!!div) {
-			var a = div.getElementsByTagName("a")[0];
+			var a = div.getElementsByTagName('a')[0];
 			if (!!a) {
 				url = a.href;
-				var	img = a.getElementsByTagName("img")[0];
+				var	img = a.getElementsByTagName('img')[0];
 				if (!!img) src = img.src;
 			}
 		}
@@ -468,15 +468,15 @@ FluxBB.upfile = (function (doc, win) {
 		get_us(li);
 		
 		if (!!url) {
-			var div = createElement("div");
-			div.className = "upf-but upf-insert";
-			div.innerHTML = "<a title=\"<?php echo $lang_up['insert'] ?>\" href=\"#\" onclick=\"return FluxBB.upfile.ins(this);\"><span></span></a>";
+			var div = createElement('div');
+			div.className = 'upf-but upf-insert';
+			div.innerHTML = '<a title="<?php echo $lang_up['insert'] ?>" href="#" onclick="return FluxBB.upfile.ins(this);"><span></span></a>';
 			li.appendChild(div);
 
 			if (is_img(src) && src != url) {
-				div = createElement("div");
-				div.className = "upf-but upf-insert-t";
-				div.innerHTML = "<a title=\"<?php echo $lang_up['insert_thumb'] ?>\" href=\"#\" onclick=\"return FluxBB.upfile.ins(this, 1);\"><span></span></a>";
+				div = createElement('div');
+				div.className = 'upf-but upf-insert-t';
+				div.innerHTML = '<a title="<?php echo $lang_up['insert_thumb'] ?>" href="#" onclick="return FluxBB.upfile.ins(this, 1);"><span></span></a>';
 				li.appendChild(div);
 			}
 		}
@@ -484,23 +484,18 @@ FluxBB.upfile = (function (doc, win) {
 
 	function insr(s, e, t)
 	{
-		var par = win.opener.document,
-				area = par.getElementsByName("req_message")[0];
-		if (!area) return;
-
 		area.focus();
-		if (par.selection && par.selection.createRange) { // IE
-			var sel = par.selection.createRange();
-			sel.text = s + (!sel.text ? t : sel.text) + e;
-			sel.select();
-		} else if ("selectionStart" in area) { // all new
-			var sp = area.selectionStart,
-					ep = area.selectionEnd;
+		if ('selectionStart' in area) { // all new
+			var len = area.value.length,
+				sp = Math.min(area.selectionStart, len), // IE bug
+				ep = Math.min(area.selectionEnd, len); // IE bug
 			area.value = area.value.substring(0, sp) + s + (sp == ep ? t : area.value.substring(sp, ep)) + e + area.value.substring(ep);
 			area.selectionStart = ep + e.length + s.length + (sp == ep ? t.length : 0);
 			area.selectionEnd = area.selectionStart;
-		} else { // other
-			area.value += s + t + e;
+		} else if (par.selection && par.selection.createRange) { // IE
+			var sel = par.selection.createRange();
+			sel.text = s + (!sel.text ? t : sel.text) + e;
+			sel.select();
 		}
 		win.focus();
 	}
@@ -519,11 +514,11 @@ FluxBB.upfile = (function (doc, win) {
 	function orsc(req, ref) {
 		if (req.readyState == 4)
 		{
-			ref.className = "";
+			ref.className = '';
 			
-			if (req.status == 200 && req.responseText == "ok") {
+			if (req.status == 200 && req.responseText == 'ok') {
 				ref.parentNode.parentNode.parentNode.removeChild(ref.parentNode.parentNode);
-				if (get("upf-list").getElementsByTagName("li").length == 0) {
+				if (get('upf-list').getElementsByTagName('li').length == 0) {
 					win.location.reload(true);
 				}
 			}
@@ -534,12 +529,12 @@ FluxBB.upfile = (function (doc, win) {
 
 		del : function (ref) {
 			if (ref.className) return !1;
-			ref.className = "upf-loading";
+			ref.className = 'upf-loading';
 			
 			var req = cr_req();
 			if (req) {
 				req.onreadystatechange=function(){orsc(req, ref);};
-				req.open("GET", ref.href + "&ajx=1", true);
+				req.open('GET', ref.href + '&ajx=1', true);
 				req.send();
 
 				return !1;
@@ -553,21 +548,26 @@ FluxBB.upfile = (function (doc, win) {
 			get_us(ref.parentNode.parentNode);
 
 			if (f && is_img(src) && src != url) {
-				insr("", "[url=" + url + "][img]" + src + "[/img][/url]", "");
+				insr('', '[url=' + url + '][img]' + src + '[/img][/url]', '');
 			} else if (is_img(url)) {
-				insr("", "[img]" + url + "[/img]", "");
+				insr('', '[img]' + url + '[/img]', '');
 			} else {
 				if (f = url.match(/.*\/img\/members\/\d+\/(.+)$/)) f = f[1];
-				else f = "<?php echo $lang_up['texte'] ?>";
+				else f = '<?php echo $lang_up['texte'] ?>';
 
-				insr("[url=" + url + "]", "[/url]", f);
+				insr('[url=' + url + ']', '[/url]', f);
 			}
 			return !1;
 		},
 
 		run : function () {
 			if (!win.opener) return;
-			var li = get("upf-list").getElementsByTagName("li");
+
+			par = win.opener.document;
+			area = par.getElementsByName('req_message')[0];
+			if (!area) return;
+
+			var li = get('upf-list').getElementsByTagName('li');
 			for (var i in li) {
 				if (!!li[i].getElementsByTagName) set_button(li[i]);
 			}
@@ -576,7 +576,7 @@ FluxBB.upfile = (function (doc, win) {
 		init : function () {
 			if (!doc.addEventListener) {
 				/in/.test(doc.readyState) ? setTimeout(FluxBB.upfile.init, 100) : FluxBB.upfile.run();
-			} else doc.addEventListener("DOMContentLoaded", FluxBB.upfile.run(), false);
+			} else doc.addEventListener('DOMContentLoaded', FluxBB.upfile.run(), false);
 		}
 	};
 }(document, window));
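Review bot: Switching the JavaScript literals to single quotes leaves `<?php echo $lang_up['insert'] ?>`, `$lang_up['insert_thumb']` and `$lang_up['texte']` echoed raw inside `'...'` strings, so a translation containing an apostrophe now ends the literal early and breaks the script (before the change only a double quote did). The value should be encoded for the JavaScript context, and HTML-escaped first where it lands in the `title` attribute: `else f = <?php echo json_encode($lang_up['texte']) ?>;` and `'<a title="' + <?php echo json_encode(pun_htmlspecialchars($lang_up['insert'])) ?> + '" href="#" ...'`, assuming `pun_htmlspecialchars` is in scope here as it is in AP_Upload.php. Separately, in `init` the line `doc.addEventListener('DOMContentLoaded', FluxBB.upfile.run(), false)` calls `run` immediately and registers its return value as the listener; it should pass `FluxBB.upfile.run` without the parentheses.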

Certains fichiers n'ont pas été affichés car il y a eu trop de fichiers modifiés dans ce diff