// Improve performance and bug fixes

2012-06-06 16:22:48 +00:00
parent e636665621
commit 99b22fbbb8
32 changed files with 97 additions and 66 deletions
@@ -29,7 +29,8 @@ include_once(dirname(__FILE__).'/../config/config.inc.php');

 /* Getting cookie or logout */
 require_once(dirname(__FILE__).'/init.php');
-
+if (Tools::getValue('token') != Tools::getAdminTokenLite('AdminEmails'))
+	die(Tools::displayError());
 $smtpChecked = (trim($_POST['mailMethod']) ==  'smtp');
 $smtpServer = $_POST['smtpSrv'];
 $content = urldecode($_POST['testMsg']);
@@ -29,6 +29,7 @@
 	var textSubject = "{l s='Test message - Prestashop'}";
 	var textSendOk = "{l s='A test e-mail has been sent to the e-mail address you specified'}";
 	var textSendError= "{l s='Error: please check your configuration'}";
+	var token_mail = '{$token}';
 	var errorMail = "{l s='This e-mail address is invalid'}";
 	$(document).ready(function() {
 		if ($('input[name=PS_MAIL_METHOD]:checked').val() == 2)
@@ -851,7 +851,7 @@ abstract class AdminTabCore
 					{
 						$type = (array_key_exists('filter_type', $field) ? $field['filter_type'] : (array_key_exists('type', $field) ? $field['type'] : false));
 						if (($type == 'date' || $type == 'datetime') && is_string($value))
-							$value = unserialize($value);
+							$value = Tools::unSerialize($value);
 						$key = isset($tmpTab[1]) ? $tmpTab[0].'.`'.bqSQL($tmpTab[1]).'`' : '`'.bqSQL($tmpTab[0]).'`';
 						if (array_key_exists('tmpTableFilter', $field))
 							$sqlFilter = & $this->_tmpTableFilter;
@@ -1511,7 +1511,7 @@ abstract class AdminTabCore
 				case 'date':
 				case 'datetime':
 					if (is_string($value))
-						$value = unserialize($value);
+						$value = Tools::unSerialize($value);
 					if (!Validate::isCleanHtml($value[0]) || !Validate::isCleanHtml($value[1]))
 						$value = '';
 					$name = $this->table.'Filter_'.(isset($params['filter_key']) ? $params['filter_key'] : $key);
@@ -2190,7 +2190,7 @@ class CartCore extends ObjectModel
 		// The delivery option was selected
 		if (isset($this->delivery_option) && $this->delivery_option != '')
 		{
-			$delivery_option = unserialize($this->delivery_option);
+			$delivery_option = Tools::unSerialize($this->delivery_option);
 			$validated = true;
 			foreach ($delivery_option as $id_address => $key)
 				if (!isset($delivery_option_list[$id_address][$key]))
@@ -108,8 +108,8 @@ class SpecificPriceRuleCore extends ObjectModel
 			$result = Db::getInstance()->insert('specific_price_rule_condition', array(
 				'id_specific_price_rule_condition' => '',
 				'id_specific_price_rule_condition_group' => (int)$id_specific_price_rule_condition_group,
-				'type' => $condition['type'],
-				'value' => $condition['value'],
+				'type' => pSQL($condition['type']),
+				'value' => (float)$condition['value'],
 			));
 			if (!$result)
 				return false;
@@ -122,7 +122,7 @@ class StoreCore extends ObjectModel

 	public function getWsHours()
 	{
-		return implode(';', unserialize($this->hours));
+		return implode(';', Tools::unSerialize($this->hours));
 	}

 	public function setWsHours($hours)
@@ -2125,6 +2125,14 @@ FileETag INode MTime Size
 	{
 		return Tools::apacheModExists('mod_rewrite');
 	}
+	
+	public static function unSerialize($serialized, $object = false)
+	{
+		if (is_string($serialized) && ((strpos($serialized, 'O:') !== false && !preg_match('/(^|;|{|})O:[0-9]+:"/', $serialized) && !$object) || $object))
+	    return @unserialize($serialized);
+	   
+	   return false;
+	}
 }

 /**
@@ -164,7 +164,7 @@ class UpgraderCore
 	 */
 	public function loadFromConfig()
 	{
-		$last_version_check = @unserialize(Configuration::get('PS_LAST_VERSION'));
+		$last_version_check = Tools::unSerialize(Configuration::get('PS_LAST_VERSION'));
 		if($last_version_check)
 		{
 			if (isset($last_version_check['name']))
@@ -377,14 +377,14 @@ class ValidateCore
 	 */
 	public static function isCleanHtml($html)
 	{
-		$events = 'onmousedown|onmousemove|onmmouseup|onmouseover|onmouseout|onload|onunload|onfocus|onblur|onchange
-						|onsubmit|ondblclick|onclick|onkeydown|onkeyup|onkeypress|onmouseenter|onmouseleave|onerror|onselect|onreset|onabort|ondragdrop|onresize|onactivate|onafterprint|onmoveend
-						|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onmove
-						|onbounce|oncellchange|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondeactivate|ondrag|ondragend|ondragenter|onmousewheel
-						|ondragleave|ondragover|ondragstart|ondrop|onerrorupdate|onfilterchange|onfinish|onfocusin|onfocusout|onhashchange|onhelp|oninput|onlosecapture|onmessage|onmouseup|onmovestart
-						|onoffline|ononline|onpaste|onpropertychange|onreadystatechange|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onsearch|onselectionchange
-						|onselectstart|onstart|onstop';
-		return (!preg_match('/<[ \t\n]*script/i', $html) && !preg_match('/<?.*('.$events.')[ \t\n]*=/i', $html) && !preg_match('/.*script\:/i', $html));
+		$events = 'onmousedown|onmousemove|onmmouseup|onmouseover|onmouseout|onload|onunload|onfocus|onblur|onchange';
+		$events .= '|onsubmit|ondblclick|onclick|onkeydown|onkeyup|onkeypress|onmouseenter|onmouseleave|onerror|onselect|onreset|onabort|ondragdrop|onresize|onactivate|onafterprint|onmoveend';
+		$events .= '|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onmove';
+		$events .= '|onbounce|oncellchange|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondeactivate|ondrag|ondragend|ondragenter|onmousewheel';
+		$events .= '|ondragleave|ondragover|ondragstart|ondrop|onerrorupdate|onfilterchange|onfinish|onfocusin|onfocusout|onhashchange|onhelp|oninput|onlosecapture|onmessage|onmouseup|onmovestart';
+		$events .= '|onoffline|ononline|onpaste|onpropertychange|onreadystatechange|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onsearch|onselectionchange';
+		$events .= '|onselectstart|onstart|onstop';
+		return (!preg_match('/<[ \t\n]*script/ims', $html) && !preg_match('/<?.*('.$events.')[ \t\n]*=/ims', $html) && !preg_match('/.*script\:/ims', $html) && !preg_match('/<[ \t\n]*i?frame/ims', $html));
 	}

 	/**
@@ -418,7 +418,7 @@ class AdminControllerCore extends Controller
 				if ($field = $this->filterToField($key, $filter))
 				{
 					$type = (array_key_exists('filter_type', $field) ? $field['filter_type'] : (array_key_exists('type', $field) ? $field['type'] : false));					if (($type == 'date' || $type == 'datetime') && is_string($value))
-						$value = unserialize($value);
+						$value = Tools::unSerialize($value);
 					$key = isset($tmp_tab[1]) ? $tmp_tab[0].'.`'.$tmp_tab[1].'`' : '`'.$tmp_tab[0].'`';

 					// Assignement by reference
@@ -260,7 +260,9 @@ class FrontControllerCore extends Controller
 		/* get page name to display it in body id */

 		// Are we in a payment module
-		$module_name = Tools::getValue('module');
+		$module_name = '';
+		if (Validate::isModuleName(Tools::getValue('module')))
+			$module_name = Tools::getValue('module');
 		if (!empty($this->page_name))
 			$page_name = $this->page_name;
 		elseif (!empty($this->php_self))
@@ -601,7 +603,7 @@ class FrontControllerCore extends Controller
 			$params = array();
 			$excluded_key = array('isolang', 'id_lang', 'controller', 'fc');
 			foreach ($_GET as $key => $value)
-				if (!in_array($key, $excluded_key))
+				if (!in_array($key, $excluded_key) && Validate::isUrl($key) && Validate::isUrl($value))
 					$params[$key] = $value;

 			$str_params = '';
@@ -550,7 +550,7 @@ class HelperListCore extends Helper
 				case 'date':
 				case 'datetime':
 					if (is_string($value))
-						$value = unserialize($value);
+						$value = Tools::unSerialize($value);
 					if (!Validate::isCleanHtml($value[0]) || !Validate::isCleanHtml($value[1]))
 						$value = '';
 					$name = $this->table.'Filter_'.(isset($params['filter_key']) ? $params['filter_key'] : $key);
@@ -837,6 +837,8 @@ abstract class ModuleCore
 	  */
 	public static function getInstanceByName($module_name)
 	{
+		if (!Validate::isModuleName($module_name))
+			die(Tools::displayErrors());
 		if (!isset(self::$_INSTANCE[$module_name]))
 		{
 			if (Tools::file_exists_cache(_PS_MODULE_DIR_.$module_name.'/'.$module_name.'.php'))
@@ -770,6 +770,14 @@ class ShopCore extends ObjectModel
 	{
 		return self::$context_id_shop_group;
 	}
+	
+	public static function getContextShopGroup()
+	{
+		static $context_shop_group = null;
+		if ($context_shop_group === null)
+			$context_shop_group = new ShopGroup((int)self::$context_id_shop_group);
+		return $context_shop_group;
+	}

 	/**
 	 * Add an sql restriction for shops fields
@@ -561,7 +561,7 @@ class StockAvailableCore extends ObjectModel
 			$id_shop = $context->shop->id;

 		// if we are in $shop_group context
-		$shop_group = new ShopGroup((int)Shop::getContextShopGroupID());
+		$shop_group = Shop::getContextShopGroup();

 		// if quantities are shared between shops of the group
 		if ($shop_group->share_stock)
@@ -426,7 +426,7 @@ class AdminCustomerThreadsControllerCore extends AdminController

 	public function initContent()
 	{
-		if (isset($_GET['filename']) && file_exists(_PS_UPLOAD_DIR_.$_GET['filename']))
+		if (isset($_GET['filename']) && file_exists(_PS_UPLOAD_DIR_.$_GET['filename']) && Validate::isFileName($_GET['filename']))
 			AdminCustomerThreadsController::openUploadedFile();

 		return parent::initContent();
@@ -449,7 +449,7 @@ class AdminCustomerThreadsControllerCore extends AdminController
 			'.jpg' => 'image/jpeg',
 		);

-		$extension = '';
+		$extension = false;
 		foreach ($extensions as $key => $val)
 			if (substr($filename, -4) == $key || substr($filename, -5) == $key)
 			{
@@ -457,6 +457,9 @@ class AdminCustomerThreadsControllerCore extends AdminController
 				break;
 			}

+		if (!$extension || !Validate::isFileName($filename))
+			die(Tools::displayError());
+			
 		ob_end_clean();
 		header('Content-Type: '.$extension);
 		header('Content-Disposition:attachment;filename="'.$filename.'"');
@@ -144,29 +144,33 @@ class AdminLocalizationControllerCore extends AdminController
 	{
 		if (Tools::isSubmit('submitLocalizationPack'))
 		{
-            $version = str_replace('.', '', _PS_VERSION_);
-            $version = substr($version, 0, 2);
+			$version = str_replace('.', '', _PS_VERSION_);
+			$version = substr($version, 0, 2);

-			$pack = @Tools::file_get_contents('http://api.prestashop.com/localization/'.$version.'/'.Tools::getValue('iso_localization_pack').'.xml');
-
-			if (!$pack && !($pack = @Tools::file_get_contents(dirname(__FILE__).'/../../localization/'.Tools::getValue('iso_localization_pack').'.xml')))
-				$this->errors[] = Tools::displayError('Cannot load localization pack (from prestashop.com and from your local folder "localization")');
-
-			if (!$selection = Tools::getValue('selection'))
-				$this->errors[] = Tools::displayError('Please select at least one item to import.');
-			else
+			if (Validate::isFileName(Tools::getValue('iso_localization_pack')))
 			{
-				foreach ($selection as $selected)
-					if (!Validate::isLocalizationPackSelection($selected))
-					{
-						$this->errors[] = Tools::displayError('Invalid selection');
-						return;
-					}
-				$localization_pack = new LocalizationPack();
-				if (!$localization_pack->loadLocalisationPack($pack, $selection))
-					$this->errors = array_merge($this->errors, $localization_pack->getErrors());
+			
+				$pack = @Tools::file_get_contents('http://api.prestashop.com/localization/'.$version.'/'.Tools::getValue('iso_localization_pack').'.xml');
+
+				if (!$pack && !($pack = @Tools::file_get_contents(dirname(__FILE__).'/../../localization/'.Tools::getValue('iso_localization_pack').'.xml')))
+					$this->errors[] = Tools::displayError('Cannot load localization pack (from prestashop.com and from your local folder "localization")');
+
+				if (!$selection = Tools::getValue('selection'))
+					$this->errors[] = Tools::displayError('Please select at least one item to import.');
 				else
-					Tools::redirectAdmin(self::$currentIndex.'&conf=23&token='.$this->token);
+				{
+					foreach ($selection as $selected)
+						if (!Validate::isLocalizationPackSelection($selected))
+						{
+							$this->errors[] = Tools::displayError('Invalid selection');
+							return;
+						}
+					$localization_pack = new LocalizationPack();
+					if (!$localization_pack->loadLocalisationPack($pack, $selection))
+						$this->errors = array_merge($this->errors, $localization_pack->getErrors());
+					else
+						Tools::redirectAdmin(self::$currentIndex.'&conf=23&token='.$this->token);
+				}
 			}
 		}

@@ -805,7 +805,7 @@ class AdminOrdersControllerCore extends AdminController
 		}
 		elseif (Tools::isSubmit('submitAddOrder') && ($id_cart = Tools::getValue('id_cart')) &&
 			($module_name = Tools::getValue('payment_module_name')) &&
-			($id_order_state = Tools::getValue('id_order_state')))
+			($id_order_state = Tools::getValue('id_order_state')) && Validate::isModuleName($module_name))
 		{
 			if ($this->tabAccess['edit'] === '1')
 			{
@@ -285,7 +285,8 @@ class AdminRequestSqlControllerCore extends AdminController
 	public function generateExport()
 	{
 		$id = Tools::getValue($this->identifier);
-
+		if (!Validate::isFileName($id))
+			die(Tools::displayError());
 		$file = 'request_sql_'.$id.'.csv';
 		if ($csv = fopen(_PS_ADMIN_DIR_.'/export/'.$file, 'w'))
 		{
@@ -154,7 +154,7 @@ abstract class AdminStatsTabControllerCore extends AdminPreferencesControllerCor
 	{
 		$tpl = $this->createTemplate('stats.tpl');

-		if (!($module_name = Tools::getValue('module')) && ($module_instance = Module::getInstanceByName('statsforecast')) && $module_instance->active)
+		if ((!($module_name = Tools::getValue('module')) || !Validate::isModuleName($module_name)) && ($module_instance = Module::getInstanceByName('statsforecast')) && $module_instance->active)
 			$module_name = 'statsforecast';

 		if ($module_name)
@@ -163,7 +163,7 @@ abstract class AdminStatsTabControllerCore extends AdminPreferencesControllerCor

 			if (!isset($module_instance))
 				$module_instance = Module::getInstanceByName($module_name);
-
+				
 			if ($module_instance && $module_instance->active)
 				$hook = Hook::exec('displayAdminStatsModules', null, $module_instance->id);
 		}
@@ -246,4 +246,4 @@ abstract class AdminStatsTabControllerCore extends AdminPreferencesControllerCor
 		$day = isset($this->context->cookie->stats_day) ? sprintf('%02d', $this->context->cookie->stats_day) : '%';
 		return $year.'-'.$month.'-'.$day;
 	}
-}
+}
@@ -303,7 +303,7 @@ class AdminStoresControllerCore extends AdminController

 		$hours = $this->getFieldValue($obj, 'hours');
 		if (!empty($hours))
-			$hours_unserialized = unserialize($hours);
+			$hours_unserialized = Tools::unSerialize($hours);

 		$this->fields_value = array(
 			'latitude' => $this->getFieldValue($obj, 'latitude') ? $this->getFieldValue($obj, 'latitude') : Configuration::get('PS_STORES_CENTER_LAT'),
@@ -61,7 +61,8 @@ function verifyMail(testMsg, testSubject)
 				"smtpPort"		: $("input[name=PS_MAIL_SMTP_PORT]").val(),
 				"smtpEnc"		: $("select[name=PS_MAIL_SMTP_ENCRYPTION]").val(),
 				"testMsg"		: textMsg,
-				"testSubject"	: textSubject
+				"testSubject"	: textSubject,
+				"token"			: token_mail
 			},
 		   success: function(ret)
 		   {
@@ -1362,7 +1362,7 @@ class BlockLayered extends Module
 		$layered_filter_list = Db::getInstance(_PS_USE_SQL_SLAVE_)->getRow('SELECT * FROM '._DB_PREFIX_.'layered_filter');
 		foreach ($layered_filter_list as $layered_filter)
 		{
-			$data = unserialize($layered_filter_list['filters']);
+			$data = Tools::unSerialize($layered_filter_list['filters']);
 			if (in_array((int)$params['category']->id, $data['categories']))
 			{
 				unset($data['categories'][array_search((int)$params['category']->id, $data['categories'])]);
@@ -2224,7 +2224,7 @@ class BlockLayered extends Module
 						{
 							$data = Db::getInstance()->getValue('SELECT data FROM `'._DB_PREFIX_.'layered_friendly_url` WHERE `url_key` = \''.md5('/'.$attribute_name.'-'.$url_parameter).'\'');
 							if ($data)
-								foreach (unserialize($data) as $key_params => $params)
+								foreach (Tools::unSerialize($data) as $key_params => $params)
 								{
 									if (!isset($selected_filters[$key_params]))
 										$selected_filters[$key_params] = array();
@@ -3457,7 +3457,7 @@ class BlockLayered extends Module
 		{
 			$layered_filter = Db::getInstance(_PS_USE_SQL_SLAVE_)->getRow('SELECT * FROM '._DB_PREFIX_.'layered_filter WHERE id_layered_filter = '.(int)$id_layered_filter);
 			if ($layered_filter && isset($layered_filter['filters']) && !empty($layered_filter['filters']))
-				$layered_values = unserialize($layered_filter['filters']);
+				$layered_values = Tools::unSerialize($layered_filter['filters']);
 			if (isset($layered_values['categories']) && count($layered_values['categories']))
 				foreach ($layered_values['categories'] as $id_category)
 					$category_box[] = (int)$id_category;
@@ -4122,7 +4122,7 @@ class BlockLayered extends Module
 		$values = false;
 		foreach ($res as $filter_template)
 		{
-			$data = unserialize($filter_template['filters']);
+			$data = Tools::unSerialize($filter_template['filters']);
 			foreach ($data['categories'] as  $id_category)
 			{
 				$n = 0;
@@ -327,7 +327,7 @@ class BlockLink extends Module
 					<div class="clear"></div>
 				</div>
 				<label>'.$this->l('URL:').'</label>
-				<div class="margin-form"><input type="text" name="url" id="url" value="'.(isset($links) && isset($links['url']) ? $links['url'] : '').'" /><sup> *</sup></div>
+				<div class="margin-form"><input type="text" name="url" id="url" value="'.(isset($links) && isset($links['url']) ? Tools::safeOutput($links['url']) : '').'" /><sup> *</sup></div>
 				<label>'.$this->l('Open in a new window:').'</label>
 				<div class="margin-form"><input type="checkbox" name="newWindow" id="newWindow" '.((isset($links) && $links['new_window']) ? 'checked="checked"' : '').' /></div>';
 				$shops = Shop::getShops(true, null, true);
@@ -39,7 +39,7 @@
 	</ul>
 	{/if}
 	{if $form_list}
-		<form action="{$smarty.server.SCRIPT_NAME}" method="get">
+		<form action="{$smarty.server.SCRIPT_NAME|escape:'htmlall':'UTF-8'}" method="get">
 			<p>
 				<select id="manufacturer_list" onchange="autoUrl('manufacturer_list', '');">
 					<option value="0">{l s='All manufacturers' mod='blockmanufacturer'}</option>
@@ -34,7 +34,7 @@ class BlockPaymentLogo extends Module
 	{
 		$this->name = 'blockpaymentlogo';
 		$this->tab = 'front_office_features';
-		$this->version = 0.2;
+		$this->version = '0.2';
 		$this->author = 'PrestaShop';
 		$this->need_instance = 0;

@@ -41,7 +41,7 @@
 	</ul>
 	{/if}
 	{if $form_list}
-		<form action="{$smarty.server.SCRIPT_NAME}" method="get">
+		<form action="{$smarty.server.SCRIPT_NAME|escape:'htmlall':'UTF-8'}" method="get">
 			<p>
 				<select id="supplier_list" onchange="autoUrl('supplier_list', '');">
 					<option value="0">{l s='All suppliers' mod='blocksupplier'}</option>
@@ -10,7 +10,7 @@
 					<form id="searchbox" action="search.php" method="get">
 						<input type="hidden" value="position" name="orderby"/>
 						<input type="hidden" value="desc" name="orderway"/>
-						<input type="text" name="search_query" value="{if isset($smarty.get.search_query)}{$smarty.get.search_query}{/if}" />
+						<input type="text" name="search_query" value="{if isset($smarty.get.search_query)}{$smarty.get.search_query|escape:'htmlall':'UTF-8'}{/if}" />
 					</form>
 				</li>
 			{/if}
@@ -164,7 +164,7 @@
 				<td class="history_date">{dateFormat date=$discount->date_to}</td>
 				<td class="history_method bold">{if $discount->quantity > 0}{l s='To use' mod='loyalty'}{else}{l s='Used' mod='loyalty'}{/if}</td>
 				<td class="history_method">
-					<a href="{$smarty.server.SCRIPT_NAME}" onclick="return false" class="tips" title="
+					<a href="{$smarty.server.SCRIPT_NAME|escape:'htmlall':'UTF-8'}" onclick="return false" class="tips" title="
 					{l s='Generated by these following orders' mod='loyalty'}|{foreach from=$discount->orders item=myorder name=myLoop}
 					{l s='Order #%d' sprintf=$myorder.id_order mod='loyalty'}
 					({displayPrice price=$myorder.total_paid currency=$myorder.id_currency}) :
@@ -110,9 +110,9 @@
 					{section name=friends start=0 loop=$nbFriends step=1}
 					<tr class="{if $smarty.section.friends.index % 2}item{else}alternate_item{/if}">
 						<td class="align_right">{$smarty.section.friends.iteration}</td>
-						<td><input type="text" class="text" name="friendsLastName[{$smarty.section.friends.index}]" size="14" value="{if isset($smarty.post.friendsLastName[$smarty.section.friends.index])}{$smarty.post.friendsLastName[$smarty.section.friends.index]}{/if}" /></td>
-						<td><input type="text" class="text" name="friendsFirstName[{$smarty.section.friends.index}]" size="14" value="{if isset($smarty.post.friendsFirstName[$smarty.section.friends.index])}{$smarty.post.friendsFirstName[$smarty.section.friends.index]}{/if}" /></td>
-						<td><input type="text" class="text" name="friendsEmail[{$smarty.section.friends.index}]" size="20" value="{if isset($smarty.post.friendsEmail[$smarty.section.friends.index])}{$smarty.post.friendsEmail[$smarty.section.friends.index]}{/if}" /></td>
+						<td><input type="text" class="text" name="friendsLastName[{$smarty.section.friends.index}]" size="14" value="{if isset($smarty.post.friendsLastName[$smarty.section.friends.index])}{$smarty.post.friendsLastName[$smarty.section.friends.index]|escape:'htmlall':'UTF-8'}{/if}" /></td>
+						<td><input type="text" class="text" name="friendsFirstName[{$smarty.section.friends.index}]" size="14" value="{if isset($smarty.post.friendsFirstName[$smarty.section.friends.index])}{$smarty.post.friendsFirstName[$smarty.section.friends.index]|escape:'htmlall':'UTF-8'}{/if}" /></td>
+						<td><input type="text" class="text" name="friendsEmail[{$smarty.section.friends.index}]" size="20" value="{if isset($smarty.post.friendsEmail[$smarty.section.friends.index])}{$smarty.post.friendsEmail[$smarty.section.friends.index]|escape:'htmlall':'UTF-8'}{/if}" /></td>
 					</tr>
 					{/section}
 				</tbody>
@@ -435,7 +435,7 @@ class shopimporter extends ImportModule
 		if ((sizeof($rules['requiredLang']) || sizeof($rules['sizeLang']) || sizeof($rules['validateLang']) || Tools::isSubmit('syncLang') ||  Tools::isSubmit('syncCurrency')))
 		{
 			$moduleName = Tools::getValue('moduleName');
-			if (file_exists('../../modules/'.$moduleName.'/'.$moduleName.'.php'))
+			if (Validate::isModuleName($moduleName) && Validate::file_exists('../../modules/'.$moduleName.'/'.$moduleName.'.php'))
 			{
 				require_once('../../modules/'.$moduleName.'/'.$moduleName.'.php');
 				$importModule = new $moduleName();
@@ -558,7 +558,7 @@ class shopimporter extends ImportModule
 		if ((sizeof($rules['requiredLang']) || sizeof($rules['sizeLang']) || sizeof($rules['validateLang']) || Tools::isSubmit('syncLangWS') ||  Tools::isSubmit('syncCurrency')))
 		{
 			$moduleName = Tools::getValue('moduleName');
-			if (file_exists('../../modules/'.$moduleName.'/'.$moduleName.'.php'))
+			if (Validate::isModuleName($moduleName) && file_exists('../../modules/'.$moduleName.'/'.$moduleName.'.php'))
 			{

 				require_once('../../modules/'.$moduleName.'/'.$moduleName.'.php');
@@ -256,7 +256,7 @@ abstract class Controller extends ControllerCore
 	private function sizeofvar($var)
 	{
 		$start_memory = memory_get_usage();
-		$tmp = unserialize(serialize($var));
+		$tmp = Tools::unSerialize(serialize($var));
 		$size = memory_get_usage() - $start_memory;
 		return $size;
 	}