[geeklog-cvs] geeklog-1.3/public_html comment.php,1.50,1.51
dhaun at geeklog.net
dhaun at geeklog.net
Wed Jan 21 15:23:35 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv25821
Modified Files:
comment.php
Log Message:
An attempt to properly encode HTML within the <textarea> when submitting a comment. Consider this experimental ...
Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.50
retrieving revision 1.51
diff -C2 -d -r1.50 -r1.51
*** comment.php 18 Jan 2004 14:46:17 -0000 1.50
--- comment.php 21 Jan 2004 20:23:33 -0000 1.51
***************
*** 7,13 ****
// | comment.php |
// | |
! // | Let user comment on a story. |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2000-2003 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony at tonybibbs.com |
--- 7,13 ----
// | comment.php |
// | |
! // | Let user comment on a story, poll, or plugin. |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2000-2004 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony at tonybibbs.com |
***************
*** 111,132 ****
}
! if ($postmode == 'html') {
! $commenttext = stripslashes($comment);
! $commenttext = str_replace('$','$',$commenttext);
! $comment = COM_checkHTML(COM_checkWords($comment));
! $title = COM_checkHTML(htmlspecialchars(COM_checkWords($title)));
} else {
! $title = stripslashes(htmlspecialchars(COM_checkWords($title)));
! $comment = stripslashes(htmlspecialchars(COM_checkWords($comment)));
! $commenttext = str_replace('$','$',$comment);
! $title = str_replace('$','$',$title);
}
! // Replace { and } with special HTML equivalents
$commenttext = str_replace('{','{',$commenttext);
$commenttext = str_replace('}','}',$commenttext);
! $title = strip_tags(COM_checkWords($title));
! $HTTP_POST_VARS['title'] = $title;
$newcomment = $comment;
if (!empty ($sig)) {
--- 111,138 ----
}
! // Note:
! // $comment / $newcomment is what goes into the preview / is
! // actually stored in the database -> strip HTML
! // $commenttext is what the user entered and goes back into the
! // <textarea> -> don't strip HTML
! $commenttext = htmlspecialchars (COM_stripslashes ($comment));
!
! if ($postmode == 'html') {
! $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
} else {
! $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
}
! // Replace $, {, and } with special HTML equivalents
! $commenttext = str_replace('$','$',$commenttext);
$commenttext = str_replace('{','{',$commenttext);
$commenttext = str_replace('}','}',$commenttext);
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
! // $title = str_replace('$','$',$title); done in COM_getComment
! $title = str_replace('{','{',$title);
! $title = str_replace('}','}',$title);
!
! $HTTP_POST_VARS['title'] = addslashes ($title);
$newcomment = $comment;
if (!empty ($sig)) {
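Review bot: The filter order on the new html-mode line, `$comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));`, runs the word filter after the HTML check, so whatever COM_checkWords substitutes is never seen by COM_checkHTML, and COM_checkHTML itself is handed text that already has backslashes added. Keeping the HTML check last and the slash escaping out of the sanitising chain would read `$comment = COM_checkHTML (COM_checkWords (COM_stripslashes ($comment)));`. The same ordering is used in the save path in the hunk at 251,261. The `str_replace('$','$', …)` lines as rendered here replace a character with itself; presumably the archive dropped the HTML entity in the second argument, but it is worth confirming the committed source maps `$`, `{` and `}` to entities as the comment above them says.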
***************
*** 245,248 ****
--- 251,261 ----
}
+ // Clean 'em up a bit!
+ if ($postmode == 'html') {
+ $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
+ } else {
+ $comment = $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
+ }
+
// Get signature
$sig = '';
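Review bot: `$comment = $comment = htmlspecialchars (...)` in the else branch is a doubled assignment, presumably a typo; it should read `$comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));`. The html branch also applies addslashes() here, and the save path applies addslashes() to $comment again just before DB_save (hunk at 277,285), so in html mode the stored text is slash-escaped twice unless COM_checkHTML strips the first set, while the text branch is escaped once. Dropping addslashes() from this branch and relying on the single call before DB_save makes both modes consistent: `$comment = COM_checkWords (COM_checkHTML (COM_stripslashes ($comment)));`.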
***************
*** 258,268 ****
}
- // Clean 'em up a bit!
- if ($postmode == 'html') {
- $comment = addslashes(COM_checkHTML(COM_checkWords($comment)));
- } else {
- $comment = addslashes(htmlspecialchars(COM_checkWords($comment)));
- }
-
// check again for non-int pid's
// this should just create a top level comment that is a reply to the original item
--- 271,274 ----
***************
*** 271,278 ****
}
! $title = addslashes(strip_tags(COM_checkWords($title)));
if (!empty ($title) && !empty ($comment)) {
COM_updateSpeedlimit ('comment');
DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,type',
"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
--- 277,285 ----
}
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
if (!empty ($title) && !empty ($comment)) {
COM_updateSpeedlimit ('comment');
+ $comment = addslashes ($comment);
DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,type',
"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
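Review bot: $title is interpolated into the DB_save query without slash escaping: the removed line wrapped it in addslashes(), the new one applies only htmlspecialchars(), which without ENT_QUOTES leaves single quotes intact, and the added `$comment = addslashes ($comment);` covers only the comment. Add `$title = addslashes ($title);` next to that line so the title is escaped the same way as the comment before it reaches the query. Separately, the preview hunk stores an htmlspecialchars()'d title back into $HTTP_POST_VARS['title']; if the preview form re-posts that value, this line encodes it a second time on submit, which is worth checking with a title containing `&`.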
***************
*** 439,458 ****
$sid = COM_applyFilter ($HTTP_POST_VARS['sid']);
$type = COM_applyFilter ($HTTP_POST_VARS['type']);
} else {
$sid = COM_applyFilter ($HTTP_GET_VARS['sid']);
$type = COM_applyFilter ($HTTP_GET_VARS['type']);
}
if (!empty ($sid)) {
- if (isset ($HTTP_POST_VARS['title'])) {
- $title = COM_applyFilter ($HTTP_POST_VARS['title']);
- $pid = COM_applyFilter ($HTTP_POST_VARS['pid'], true);
- $mode = COM_applyFilter ($HTTP_POST_VARS['mode']);
- $postmode = COM_applyFilter ($HTTP_POST_VARS['postmode']);
- } else {
- $title = COM_applyFilter ($HTTP_GET_VARS['title']);
- $pid = COM_applyFilter ($HTTP_GET_VARS['pid'], true);
- $mode = COM_applyFilter ($HTTP_GET_VARS['mode']);
- $postmode = COM_applyFilter ($HTTP_GET_VARS['postmode']);
- }
if (empty ($title)) {
if ($type == 'article') {
--- 446,462 ----
$sid = COM_applyFilter ($HTTP_POST_VARS['sid']);
$type = COM_applyFilter ($HTTP_POST_VARS['type']);
+ $title = COM_applyFilter ($HTTP_POST_VARS['title']);
+ $pid = COM_applyFilter ($HTTP_POST_VARS['pid'], true);
+ $mode = COM_applyFilter ($HTTP_POST_VARS['mode']);
+ $postmode = COM_applyFilter ($HTTP_POST_VARS['postmode']);
} else {
$sid = COM_applyFilter ($HTTP_GET_VARS['sid']);
$type = COM_applyFilter ($HTTP_GET_VARS['type']);
+ $title = COM_applyFilter ($HTTP_GET_VARS['title']);
+ $pid = COM_applyFilter ($HTTP_GET_VARS['pid'], true);
+ $mode = COM_applyFilter ($HTTP_GET_VARS['mode']);
+ $postmode = COM_applyFilter ($HTTP_GET_VARS['postmode']);
}
if (!empty ($sid)) {
if (empty ($title)) {
if ($type == 'article') {
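Review bot: The POST branch now reads $HTTP_POST_VARS['title'], 'pid', 'mode' and 'postmode' unconditionally, where the removed code first checked `isset ($HTTP_POST_VARS['title'])`; a POST carrying only sid and type now raises undefined-index notices and passes null into COM_applyFilter. Guarding each read, e.g. `$title = isset ($HTTP_POST_VARS['title']) ? COM_applyFilter ($HTTP_POST_VARS['title']) : '';`, keeps the old behaviour, and the GET branch has the same exposure. The `if` that selects the POST branch begins above this hunk and the `if (!empty ($sid))` block continues past it.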