[geeklog-cvs] geeklog-1.3/public_html comment.php,1.44.2.3,1.44.2.4
dhaun at geeklog.net
dhaun at geeklog.net
Fri Jan 23 11:55:26 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv11536
Modified Files:
Tag: geeklog_1_3_8_1_1
comment.php
Log Message:
Added parameter checking and rewrote comment encoding.
Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.44.2.3
retrieving revision 1.44.2.4
diff -C2 -d -r1.44.2.3 -r1.44.2.4
*** comment.php 18 Jan 2004 19:59:09 -0000 1.44.2.3
--- comment.php 23 Jan 2004 16:55:24 -0000 1.44.2.4
***************
*** 9,13 ****
// | Let user comment on a story. |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2000-2003 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony at tonybibbs.com |
--- 9,13 ----
// | Let user comment on a story. |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2000-2004 by the following authors: |
// | |
// | Authors: Tony Bibbs - tony at tonybibbs.com |
***************
*** 74,86 ****
$retval = '';
- if (empty ($postmode)) {
- $postmode = $_CONF['postmode'];
- }
-
- $sig = '';
- if ($uid > 1) {
- $sig = DB_getItem ($_TABLES['users'], 'sig', "uid = '$uid'");
- }
-
if (empty($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['commentsloginrequired'] == 1))) {
--- 74,77 ----
***************
*** 110,131 ****
. COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
} else {
- if ($postmode == 'html') {
- $commenttext = stripslashes($comment);
- $commenttext = str_replace('$','$',$commenttext);
! $comment = COM_checkHTML(COM_checkWords($comment));
! $title = COM_checkHTML(htmlspecialchars(COM_checkWords($title)));
} else {
! $title = stripslashes(htmlspecialchars(COM_checkWords($title)));
! $comment = stripslashes(htmlspecialchars(COM_checkWords($comment)));
! $commenttext = str_replace('$','$',$comment);
! $title = str_replace('$','$',$title);
}
! // Replace { and } with special HTML equivalents
$commenttext = str_replace('{','{',$commenttext);
$commenttext = str_replace('}','}',$commenttext);
! $title = strip_tags(COM_checkWords($title));
! $HTTP_POST_VARS['title'] = $title;
$newcomment = $comment;
if (!empty ($sig)) {
--- 101,132 ----
. COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
} else {
! if (empty ($postmode)) {
! $postmode = $_CONF['postmode'];
! }
!
! $sig = '';
! if ($uid > 1) {
! $sig = DB_getItem ($_TABLES['users'], 'sig', "uid = '$uid'");
! }
!
! $commenttext = htmlspecialchars (COM_stripslashes ($comment));
!
! if ($postmode == 'html') {
! $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
} else {
! $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
}
! // Replace $, {, and } with special HTML equivalents
! $commenttext = str_replace('$','$',$commenttext);
$commenttext = str_replace('{','{',$commenttext);
$commenttext = str_replace('}','}',$commenttext);
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
! // $title = str_replace('$','$',$title); done in COM_getComment
! $title = str_replace('{','{',$title);
! $title = str_replace('}','}',$title);
!
! $HTTP_POST_VARS['title'] = addslashes ($title);
$newcomment = $comment;
if (!empty ($sig)) {
***************
*** 236,239 ****
--- 237,247 ----
}
+ // Clean 'em up a bit!
+ if ($postmode == 'html') {
+ $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
+ } else {
+ $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
+ }
+
// Get signature
$sig = '';
***************
*** 249,259 ****
}
- // Clean 'em up a bit!
- if ($postmode == 'html') {
- $comment = addslashes(COM_checkHTML(COM_checkWords($comment)));
- } else {
- $comment = addslashes(htmlspecialchars(COM_checkWords($comment)));
- }
-
// check again for non-int pid's
// this should just create a top level comment that is a reply to the original item
--- 257,260 ----
***************
*** 262,269 ****
}
! $title = addslashes(strip_tags(COM_checkWords($title)));
if (!empty ($title) && !empty ($comment)) {
COM_updateSpeedlimit ('comment');
DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,type',
"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
--- 263,272 ----
}
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
if (!empty ($title) && !empty ($comment)) {
COM_updateSpeedlimit ('comment');
+ $title = addslashes ($title);
+ $comment = addslashes ($comment);
DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,type',
"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
***************
*** 364,367 ****
--- 367,373 ----
switch ($mode) {
case $LANG03[14]: //Preview
+ if (!is_numeric ($pid)) {
+ $pid = 0;
+ }
$display .= COM_siteHeader()
. commentform($uid,$title,$comment,$sid,$pid,$type,$mode,$postmode)
***************
*** 369,372 ****
--- 375,381 ----
break;
case $LANG03[11]: //Submit Comment
+ if (!is_numeric ($pid)) {
+ $pid = 0;
+ }
$display .= savecomment($uid,$title,$comment,$sid,$pid,$type,$postmode);
break;
***************
*** 376,379 ****
--- 385,391 ----
case 'display':
if (!empty ($sid) && !empty ($type)) {
+ if (!is_numeric ($pid)) {
+ $pid = 0;
+ }
$allowed = 1;
if ($type == 'article') {
More information about the geeklog-cvs
mailing list