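// Editor image upload endpoint.
//
// Accepts a single multipart file upload from the rich-text editor, stores it
// under EDITOR_IMAGES_DIR with a random name, and answers with a JSON object
// {"location": <public URL>} that the editor inserts into the document.
//
// Requires an authenticated admin session (checkLogin()/admin() are defined
// elsewhere in the project). Non-2xx HTTP status lines tell the editor why the
// upload was rejected.
checkLogin();
if (!admin()) {
    die('Access denied.');
}

// Don't attempt to process the upload on an OPTIONS request (CORS preflight).
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    return;
}

$imageFolder = BASE . EDITOR_IMAGES_DIR;

// Only the first uploaded file is processed. reset() returns false when
// $_FILES is empty, which is reported as a failed upload below rather than
// dereferencing a non-array.
$upload = reset($_FILES);

if (is_array($upload) && isset($upload['tmp_name']) && is_uploaded_file($upload['tmp_name'])) {
    header('Access-Control-Allow-Credentials: true');
    header('P3P: CP="There is no P3P policy."');

    // Sanitize input: reject names containing characters outside the allowed set
    // or a run of two or more dots. The client-supplied name is only used for the
    // extension; the stored file gets a random name.
    if (preg_match("/([^\w\s\d\-_~,;:\[\]\(\).])|([\.]{2,})/", $upload['name'])) {
        header('HTTP/1.1 400 Invalid file name.');
        return;
    }

    // Verify extension. Strict comparison so only these exact lowercase strings pass.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    $allowedTypes = [
        'gif' => IMAGETYPE_GIF,
        'jpg' => IMAGETYPE_JPEG,
        'png' => IMAGETYPE_PNG,
    ];
    if (!array_key_exists($ext, $allowedTypes)) {
        header('HTTP/1.1 400 Invalid extension.');
        return;
    }

    // Verify content: the extension alone says nothing about what is in the
    // file, and the result is written under the web root. The image header
    // must parse and must match the claimed extension.
    $imageInfo = @getimagesize($upload['tmp_name']);
    if ($imageInfo === false || $imageInfo[2] !== $allowedTypes[$ext]) {
        header('HTTP/1.1 400 Invalid image.');
        return;
    }

    // Pick a random name that does not collide with an existing file.
    do {
        $randomName = generateRandomString(8) . ".$ext";
        $fileToWrite = $imageFolder . $randomName;
    } while (file_exists($fileToWrite));

    // move_uploaded_file() returns false on failure (permissions, disk full);
    // report that instead of handing the editor a URL that will 404.
    if (!move_uploaded_file($upload['tmp_name'], $fileToWrite)) {
        header('HTTP/1.1 500 Server Error');
        return;
    }

    $returnPathToImage = BASE_URL . EDITOR_IMAGES_DIR . $randomName;
    echo json_encode(['location' => $returnPathToImage]);
} else {
    // Notify editor that the upload failed
    header('HTTP/1.1 500 Server Error');
}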