[geeklog-cvs] geeklog-1.3/public_html comment.php,1.38.4.3,1.38.4.4
dhaun at geeklog.net
dhaun at geeklog.net
Fri Jan 23 16:29:01 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv20708
Modified Files:
Tag: geeklog_1_3_7sr2_1
comment.php
Log Message:
Added parameter checking and rewrote comment encoding.
Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.38.4.3
retrieving revision 1.38.4.4
diff -C2 -d -r1.38.4.3 -r1.38.4.4
*** comment.php 19 Jan 2004 20:10:30 -0000 1.38.4.3
--- comment.php 23 Jan 2004 21:28:58 -0000 1.38.4.4
***************
*** 73,80 ****
global $_TABLES, $HTTP_POST_VARS, $REMOTE_ADDR, $_CONF, $LANG03, $LANG12, $LANG_LOGIN, $_USER;
- if ($uid > 1) {
- $sig = DB_getItem($_TABLES['users'], 'sig', "uid='$uid'");
- }
-
if (empty($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['commentsloginrequired'] == 1))) {
--- 73,76 ----
***************
*** 106,127 ****
. COM_endBlock();
} else {
- if ($postmode == 'html') {
- $commenttext = stripslashes($comment);
- $commenttext = str_replace('$','$',$commenttext);
! $comment = COM_checkHTML(COM_checkWords($comment));
! $title = COM_checkHTML(htmlspecialchars(COM_checkWords($title)));
} else {
! $title = stripslashes(htmlspecialchars(COM_checkWords($title)));
! $comment = stripslashes(htmlspecialchars(COM_checkWords($comment)));
! $commenttext = str_replace('$','$',$comment);
! $title = str_replace('$','$',$title);
}
! // Replace { and } with special HTML equivalents
$commenttext = str_replace('{','{',$commenttext);
$commenttext = str_replace('}','}',$commenttext);
! $title = strip_tags(COM_checkWords($title));
! $HTTP_POST_VARS['title'] = $title;
$newcomment = $comment;
if (!empty ($sig)) {
--- 102,133 ----
. COM_endBlock();
} else {
! if (empty ($postmode)) {
! $postmode = $_CONF['postmode'];
! }
!
! $sig = '';
! if ($uid > 1) {
! $sig = DB_getItem ($_TABLES['users'], 'sig', "uid='$uid'");
! }
!
! $commenttext = htmlspecialchars (COM_stripslashes ($comment));
!
! if ($postmode == 'html') {
! $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
} else {
! $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
}
! // Replace $, {, and } with special HTML equivalents
! $commenttext = str_replace('$','$',$commenttext);
$commenttext = str_replace('{','{',$commenttext);
$commenttext = str_replace('}','}',$commenttext);
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
! // $title = str_replace('$','$',$title); done in COM_getComment
! $title = str_replace('{','{',$title);
! $title = str_replace('}','}',$title);
!
! $HTTP_POST_VARS['title'] = addslashes ($title);
$newcomment = $comment;
if (!empty ($sig)) {
***************
*** 224,227 ****
--- 230,240 ----
}
+ // Clean 'em up a bit!
+ if ($postmode == 'html') {
+ $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
+ } else {
+ $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
+ }
+
// Get signature
$sig = '';
***************
*** 237,247 ****
}
- // Clean 'em up a bit!
- if ($postmode == 'html') {
- $comment = addslashes(COM_checkHTML(COM_checkWords($comment)));
- } else {
- $comment = addslashes(htmlspecialchars(COM_checkWords($comment)));
- }
-
// check again for non-int pid's
// this should just create a top level comment that is a reply to the original item
--- 250,253 ----
***************
*** 250,256 ****
}
! $title = addslashes(strip_tags(COM_checkWords($title)));
if (!empty($title) && !empty($comment)) {
DB_save($_TABLES['commentspeedlimit'],'ipaddress, date',"'$REMOTE_ADDR',unix_timestamp()");
DB_save($_TABLES['comments'],'sid,uid,comment,date,title,pid,type',"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
--- 256,264 ----
}
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
if (!empty($title) && !empty($comment)) {
+ $title = addslashes ($title);
+ $comment = addslashes ($comment);
DB_save($_TABLES['commentspeedlimit'],'ipaddress, date',"'$REMOTE_ADDR',unix_timestamp()");
DB_save($_TABLES['comments'],'sid,uid,comment,date,title,pid,type',"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
***************
*** 389,392 ****
--- 397,403 ----
switch ($mode) {
case $LANG03[14]: //Preview
+ if (!is_numeric ($pid)) {
+ $pid = 0;
+ }
$display .= COM_siteHeader()
. commentform($uid,$save,$anon,$title,$comment,$sid,$pid,$type,$mode,$postmode)
***************
*** 394,397 ****
--- 405,411 ----
break;
case $LANG03[11]: //Submit Comment
+ if (!is_numeric ($pid)) {
+ $pid = 0;
+ }
$display .= savecomment($uid,$save,$anon,$title,$comment,$sid,$pid,$type,$postmode);
break;
***************
*** 401,404 ****
--- 415,421 ----
case 'display':
if (!empty ($sid) && !empty ($type)) {
+ if (!is_numeric ($pid)) {
+ $pid = 0;
+ }
$allowed = 1;
if ($type == 'article') {
More information about the geeklog-cvs
mailing list