[geeklog-cvs] geeklog-1.3/public_html comment.php,1.38.4.3,1.38.4.4

dhaun at geeklog.net dhaun at geeklog.net
Fri Jan 23 16:29:01 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv20708

Modified Files:
      Tag: geeklog_1_3_7sr2_1
	comment.php 
Log Message:
Added parameter checking and rewrote comment encoding.


Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.38.4.3
retrieving revision 1.38.4.4
diff -C2 -d -r1.38.4.3 -r1.38.4.4
*** comment.php	19 Jan 2004 20:10:30 -0000	1.38.4.3
--- comment.php	23 Jan 2004 21:28:58 -0000	1.38.4.4
***************
*** 73,80 ****
      global $_TABLES, $HTTP_POST_VARS, $REMOTE_ADDR, $_CONF, $LANG03, $LANG12, $LANG_LOGIN, $_USER;
  
- 	if ($uid > 1) {
-         $sig = DB_getItem($_TABLES['users'], 'sig', "uid='$uid'");
-     }
- 
      if (empty($_USER['username']) &&
          (($_CONF['loginrequired'] == 1) || ($_CONF['commentsloginrequired'] == 1))) {
--- 73,76 ----
***************
*** 106,127 ****
                  . COM_endBlock();
          } else {
-             if ($postmode == 'html') {
-                 $commenttext = stripslashes($comment);
-                 $commenttext = str_replace('$','$',$commenttext);
  
!                 $comment = COM_checkHTML(COM_checkWords($comment));
!                 $title = COM_checkHTML(htmlspecialchars(COM_checkWords($title)));
              } else {
!                 $title = stripslashes(htmlspecialchars(COM_checkWords($title)));
!                 $comment = stripslashes(htmlspecialchars(COM_checkWords($comment)));
!                 $commenttext = str_replace('$','$',$comment);
!                 $title = str_replace('$','$',$title);
              }
!             // Replace { and } with special HTML equivalents
              $commenttext = str_replace('{','{',$commenttext);
              $commenttext = str_replace('}','}',$commenttext);
  
!             $title = strip_tags(COM_checkWords($title));
!             $HTTP_POST_VARS['title'] = $title;
              $newcomment = $comment;
              if (!empty ($sig)) {
--- 102,133 ----
                  . COM_endBlock();
          } else {
  
!             if (empty ($postmode)) {
!                 $postmode = $_CONF['postmode'];
!             }
! 
!             $sig = '';
!             if ($uid > 1) {
!                 $sig = DB_getItem ($_TABLES['users'], 'sig', "uid='$uid'");
!             }
! 
!             $commenttext = htmlspecialchars (COM_stripslashes ($comment));
! 
!             if ($postmode == 'html') {
!                 $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
              } else {
!                 $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
              }
!             // Replace $, {, and } with special HTML equivalents
!             $commenttext = str_replace('$','$',$commenttext);
              $commenttext = str_replace('{','{',$commenttext);
              $commenttext = str_replace('}','}',$commenttext);
  
!             $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
!             // $title = str_replace('$','$',$title); done in COM_getComment
!             $title = str_replace('{','{',$title);
!             $title = str_replace('}','}',$title);
! 
!             $HTTP_POST_VARS['title'] = addslashes ($title);
              $newcomment = $comment;
              if (!empty ($sig)) {
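Review bot: The html branch `$comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));` escapes the string before handing it to COM_checkHTML, while the text branch directly below applies no addslashes, and savecomment (the hunk adding the identical line after `// Clean 'em up a bit!`, and the later `$comment = addslashes ($comment);` before DB_save) slashes the html-mode value a second time. That is only correct if COM_checkHTML strips the slashes it receives, which nothing in this file shows; if it does not, html-mode comments are stored with doubled backslashes and the preview built from `$newcomment = $comment` shows escaped quotes that text-mode previews do not. Make the dependency visible on that line with `// NOTE: relies on COM_checkHTML() removing the slashes added here — confirm against its implementation`, or drop the inner addslashes if it does not. The branch also reverses the old order so the word filter now runs after the HTML check, meaning whatever COM_checkWords substitutes is no longer sanitised; presumably fine if the replacement text is trusted configuration, but worth a comment. commentform starts and ends outside the hunk.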
***************
*** 224,227 ****
--- 230,240 ----
      }
  
+     // Clean 'em up a bit!
+     if ($postmode == 'html') {
+         $comment = COM_checkWords (COM_checkHTML (addslashes (COM_stripslashes ($comment))));
+     } else {
+         $comment = htmlspecialchars (COM_checkWords (COM_stripslashes ($comment)));
+     }
+ 
      // Get signature
      $sig = '';
***************
*** 237,247 ****
      }
  
-     // Clean 'em up a bit!
-     if ($postmode == 'html') {
-         $comment = addslashes(COM_checkHTML(COM_checkWords($comment)));
-     } else {
-         $comment = addslashes(htmlspecialchars(COM_checkWords($comment)));
-     } 
- 
      // check again for non-int pid's
      // this should just create a top level comment that is a reply to the original item
--- 250,253 ----
***************
*** 250,256 ****
      }
  
!     $title = addslashes(strip_tags(COM_checkWords($title)));
  
      if (!empty($title) && !empty($comment)) {
          DB_save($_TABLES['commentspeedlimit'],'ipaddress, date',"'$REMOTE_ADDR',unix_timestamp()");
          DB_save($_TABLES['comments'],'sid,uid,comment,date,title,pid,type',"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
--- 256,264 ----
      }
  
!     $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
  
      if (!empty($title) && !empty($comment)) {
+         $title = addslashes ($title);
+         $comment = addslashes ($comment);
          DB_save($_TABLES['commentspeedlimit'],'ipaddress, date',"'$REMOTE_ADDR',unix_timestamp()");
          DB_save($_TABLES['comments'],'sid,uid,comment,date,title,pid,type',"'$sid',$uid,'$comment',now(),'$title',$pid,'$type'");
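Review bot: The new `$title = addslashes ($title);` and `$comment = addslashes ($comment);` escape only two of the six values interpolated into the DB_save call that follows; `$sid` and `$type` go in quoted but unescaped and `$uid` unquoted, and nothing in this hunk shows them being validated. Unless that happens before savecomment (outside the hunk), they need the same treatment next to the two new lines, `$sid = addslashes ($sid); $type = addslashes ($type);`, or better a check of `$type` against the handful of values the code expects and an integer cast of `$uid`. The `!empty($title) && !empty($comment)` guard also discards a comment consisting of the single character `0`; `$title !== '' && $comment !== ''` would be the precise test. savecomment starts and ends outside the hunk.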
***************
*** 389,392 ****
--- 397,403 ----
  switch ($mode) {
  case $LANG03[14]: //Preview
+     if (!is_numeric ($pid)) {
+         $pid = 0;
+     }
      $display .= COM_siteHeader()
          . commentform($uid,$save,$anon,$title,$comment,$sid,$pid,$type,$mode,$postmode)
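Review bot: The guard `if (!is_numeric ($pid)) { $pid = 0; }` accepts any numeric string, including ones with leading whitespace, a decimal point or an exponent, and then leaves `$pid` as that string, which savecomment interpolates unquoted into the INSERT and the rest of the file uses as an integer id. Normalising instead of only checking closes that in one line: `$pid = is_numeric ($pid) ? intval ($pid) : 0;`. The same three lines are repeated verbatim in the Submit Comment and display cases below; hoisting the normalisation above `switch ($mode)` would cover every mode, including any case the three guards do not reach. The switch continues outside the hunk.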
***************
*** 394,397 ****
--- 405,411 ----
      break;
  case $LANG03[11]: //Submit Comment
+     if (!is_numeric ($pid)) {
+         $pid = 0;
+     }
      $display .= savecomment($uid,$save,$anon,$title,$comment,$sid,$pid,$type,$postmode);
      break;
***************
*** 401,404 ****
--- 415,421 ----
  case 'display':
      if (!empty ($sid) && !empty ($type)) {
+         if (!is_numeric ($pid)) {
+             $pid = 0;
+         }
          $allowed = 1;
          if ($type == 'article') {




