[geeklog-cvs] geeklog-1.3/system lib-comment.php,1.9,1.10
vinny at iowaoutdoors.org
vinny at iowaoutdoors.org
Sun Feb 27 18:15:16 EST 2005
Update of /var/cvs/geeklog-1.3/system
In directory www:/tmp/cvs-serv10833/system
Modified Files:
lib-comment.php
Log Message:
Fixed special characters and slashes in comment titles
Index: lib-comment.php
===================================================================
RCS file: /var/cvs/geeklog-1.3/system/lib-comment.php,v
retrieving revision 1.9
retrieving revision 1.10
diff -C2 -d -r1.9 -r1.10
*** lib-comment.php 18 Feb 2005 20:04:22 -0000 1.9
--- lib-comment.php 27 Feb 2005 23:15:14 -0000 1.10
***************
*** 299,308 ****
if ($P['pid'] != 0) {
$plink = $_CONF['site_url'] . '/comment.php?mode=display&sid='
! . $A['sid'] . '&title=' . rawurlencode( $P['title'] )
. '&type=' . $type . '&order=' . $order . '&pid='
! . $P['pid'];
} else {
$plink = $_CONF['site_url'] . '/comment.php?mode=view&sid='
! . $A['sid'] . '&title=' . rawurlencode( $P['title'] )
. '&type=' . $type . '&order=' . $order . '&cid='
. $A['pid'] . '&format=threaded';
--- 299,308 ----
if ($P['pid'] != 0) {
$plink = $_CONF['site_url'] . '/comment.php?mode=display&sid='
! . $A['sid'] . '&title=' . urlencode( htmlspecialchars( $P['title'] ))
. '&type=' . $type . '&order=' . $order . '&pid='
! . $P['pid'] . '&format=threaded';;
} else {
$plink = $_CONF['site_url'] . '/comment.php?mode=view&sid='
! . $A['sid'] . '&title=' . urlencode( htmlspecialchars( $P['title'] ))
. '&type=' . $type . '&order=' . $order . '&cid='
. $A['pid'] . '&format=threaded';
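Review bot: The title is HTML-escaped before it is URL-encoded here (`urlencode( htmlspecialchars( $P['title'] ))`), while the reply link added later in this same commit URL-encodes the raw title and escapes for HTML only at output; comment.php therefore receives one `title` parameter that is already entity-encoded and another that is not, and whichever display path it uses will double-encode one of them (e.g. `&` rendered as `&amp;amp;`). I would use `urlencode( $P['title'] )` in both branches to match reply_link and leave HTML escaping to the output side. The stray double semicolon on `. $P['pid'] . '&format=threaded';;` should be a single `;`. `$type` and `$order` are also concatenated into the query string unencoded, so they belong in `urlencode()` too unless they are guaranteed to be plain identifiers. The enclosing function starts before this hunk.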
***************
*** 344,353 ****
}
- $A['title'] = stripslashes( $A['title'] );
- $A['title'] = htmlspecialchars( $A['title'] );
- $A['title'] = str_replace( '$', '$', $A['title'] );
-
// and finally: format the actual text of the comment
- $A['comment'] = stripslashes( $A['comment'] );
if( preg_match( '/<.*>/', $A['comment'] ) == 0 ) {
$A['comment'] = nl2br( $A['comment'] );
--- 344,348 ----
***************
*** 366,369 ****
--- 361,373 ----
$A['comment'] = PLG_replaceTags( $A['comment'] );
+ // create a reply to link
+ $reply_link = "{$_CONF['site_url']}/comment.php?sid={$A['sid']}&pid={$A['cid']}"
+ . "&title=" . urlencode($A['title']) . "&type={$A['type']}";
+ $template->set_var( 'reply_link', $reply_link);
+
+ // format title for display, must happen after reply_link is created
+ $A['title'] = htmlspecialchars( $A['title'] );
+ $A['title'] = str_replace( '$', '$', $A['title'] );
+
$template->set_var( 'title', $A['title'] );
$template->set_var( 'comments', $A['comment'] );
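Review bot: `$reply_link` is handed to `set_var` unescaped and only its title component is URL-encoded: `$A['sid']`, `$A['cid']` and `$A['type']` are interpolated raw and the `&` separators are not `&amp;`, which matters if the template places the value in an href attribute (whether set_var escapes, or where the value lands, is not visible in this commit). I would build it as `. '&pid=' . (int) $A['cid']` with `urlencode()` around sid and type, and then `$template->set_var( 'reply_link', htmlspecialchars( $reply_link ));`. The `htmlspecialchars( $A['title'] )` below uses the default ENT_COMPAT, which leaves single quotes alone; `htmlspecialchars( $A['title'], ENT_QUOTES )` is safer if the title is ever placed in a single-quoted attribute. The enclosing function starts before this hunk.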
***************
*** 641,648 ****
$commenttext = str_replace('}','}',$commenttext);
! $title = htmlspecialchars (COM_checkWords (strip_tags (COM_stripslashes ($title))));
// $title = str_replace('$','$',$title); done in CMT_getComment
- $title = str_replace('{','{',$title);
- $title = str_replace('}','}',$title);
$_POST['title'] = addslashes ($title);
--- 645,650 ----
$commenttext = str_replace('}','}',$commenttext);
! $title = COM_checkWords (strip_tags (COM_stripslashes ($title)));
// $title = str_replace('$','$',$title); done in CMT_getComment
$_POST['title'] = addslashes ($title);
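Review bot: The removed `str_replace` calls that entity-escaped `{` and `}` in the title are not restored anywhere visible in this commit: the comment text on the context line above still has `}` escaped, but the title now reaches storage with raw braces, and the display-side code added in the CMT_getComment hunk only converts `$`. If the template engine re-parses substituted values (presumably the reason the comment body is escaped), a title such as `{site_url}` would be expanded when rendered. Either re-add the two replacements where the title is formatted for display, or add a comment explaining why the title is safe without them. The enclosing function starts and ends outside this hunk.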
***************
*** 708,712 ****
$comment_template->set_var('lang_title', $LANG03[16]);
! $comment_template->set_var('title', stripslashes($title));
$comment_template->set_var('lang_comment', $LANG03[9]);
$comment_template->set_var('comment', $commenttext);
--- 710,714 ----
$comment_template->set_var('lang_title', $LANG03[16]);
! $comment_template->set_var('title', htmlspecialchars($title));
$comment_template->set_var('lang_comment', $LANG03[9]);
$comment_template->set_var('comment', $commenttext);
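Review bot: `htmlspecialchars($title)` uses the default ENT_COMPAT, so a single quote in a user-supplied title survives; if the comment-form template writes `{title}` into a single-quoted `value='...'` attribute that is an attribute breakout. Use `htmlspecialchars($title, ENT_QUOTES)` here (and pass the site charset as the third argument where the PHP version allows it). Which attribute quoting the template uses is not visible in this commit, so this is a defensive change rather than a confirmed hole. The enclosing function starts before this hunk.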
***************
*** 771,775 ****
|| ($_CONF['commentsloginrequired'] == 1))) {
COM_errorLog("CMT_saveComment: IP address {$_SERVER['REMOTE_ADDR']} "
! . 'attempted to save acomment with comments diabled for site.');
return $ret = 2;
}
--- 773,777 ----
|| ($_CONF['commentsloginrequired'] == 1))) {
COM_errorLog("CMT_saveComment: IP address {$_SERVER['REMOTE_ADDR']} "
! . 'attempted to save a comment with anonymous comments disabled for site.');
return $ret = 2;
}
***************
*** 838,851 ****
DB_query("LOCK TABLES {$_TABLES['comments']} WRITE");
if ($pid > 0) {
! $result = DB_query("SELECT rht, indent FROM {$_TABLES['comments']} WHERE cid = $pid");
list($rht, $indent) = DB_fetchArray($result);
! DB_query("UPDATE {$_TABLES['comments']} SET lft = lft + 2 "
! . "WHERE sid = '$sid' AND type = '$type' AND lft >= $rht");
! DB_query("UPDATE {$_TABLES['comments']} SET rht = rht + 2 "
! . "WHERE sid = '$sid' AND type = '$type' AND rht >= $rht");
! DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,lft,rht,indent,type,ipaddress',
! "'$sid',$uid,'$comment',now(),'$title',$pid,$rht,$rht+1,$indent+1,'$type','{$_SERVER['REMOTE_ADDR']}'");
} else {
! $rht = DB_getItem($_TABLES['comments'], 'MAX(rht)');
DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,lft,rht,indent,type,ipaddress',
"'$sid',$uid,'$comment',now(),'$title',$pid,$rht+1,$rht+2,0,'$type','{$_SERVER['REMOTE_ADDR']}'");
--- 840,863 ----
DB_query("LOCK TABLES {$_TABLES['comments']} WRITE");
if ($pid > 0) {
! $result = DB_query("SELECT rht, indent FROM {$_TABLES['comments']} WHERE cid = $pid "
! . "AND sid = '$sid'");
list($rht, $indent) = DB_fetchArray($result);
! if ( !DB_error() ) {
! DB_query("UPDATE {$_TABLES['comments']} SET lft = lft + 2 "
! . "WHERE sid = '$sid' AND type = '$type' AND lft >= $rht");
! DB_query("UPDATE {$_TABLES['comments']} SET rht = rht + 2 "
! . "WHERE sid = '$sid' AND type = '$type' AND rht >= $rht");
! DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,lft,rht,indent,type,ipaddress',
! "'$sid',$uid,'$comment',now(),'$title',$pid,$rht,$rht+1,$indent+1,'$type','{$_SERVER['REMOTE_ADDR']}'");
! } else { //replying to non-existent comment or comment in wrong article
! COM_errorLog("CMT_saveComment: $uid from {$_SERVER['REMOTE_ADDR']} tried "
! . 'to reply to a non-existent comment or the pid/sid did not match');
! $ret = 4; // Cannot return here, tables locked!
! }
} else {
! $rht = DB_getItem($_TABLES['comments'], 'MAX(rht)', "sid = '$sid'");
! if ( DB_error() ) {
! $rht = 0;
! }
DB_save ($_TABLES['comments'], 'sid,uid,comment,date,title,pid,lft,rht,indent,type,ipaddress',
"'$sid',$uid,'$comment',now(),'$title',$pid,$rht+1,$rht+2,0,'$type','{$_SERVER['REMOTE_ADDR']}'");
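Review bot: The new `if ( !DB_error() )` check does not catch the case it is commented as handling: a SELECT for a non-existent cid (or a cid under a different sid) succeeds with zero rows, so `DB_error()` stays false, `DB_fetchArray` yields nothing, and `$rht`/`$indent` are null — the subsequent UPDATEs become `lft >= ` and the INSERT gets `,,+1,+1`, i.e. SQL syntax errors while the table is locked. I would test the fetched row rather than the driver error: `$row = DB_fetchArray($result);`, `if ( !DB_error() && ($row !== false) ) {`, `list($rht, $indent) = $row;`. The SELECT also constrains `sid` but not `type`, whereas both UPDATEs filter on `sid AND type`, so adding `AND type = '$type'` to the SELECT makes the ownership check match the rows it will shift. `$pid` is interpolated unquoted into the WHERE clause; its validation happens before this hunk, so confirm it is cast to int. The enclosing function starts before and ends after this hunk.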
***************
*** 854,858 ****
DB_query('UNLOCK TABLES');
! if (isset ($_CONF['notification']) &&
in_array ('comment', $_CONF['notification'])) {
CMT_sendNotification ($title, $comment, $uid, $_SERVER['REMOTE_ADDR'],
--- 866,871 ----
DB_query('UNLOCK TABLES');
! // Send notification of comment if no errors and notications enabled for comments
! if (($ret == 0) && isset ($_CONF['notification']) &&
in_array ('comment', $_CONF['notification'])) {
CMT_sendNotification ($title, $comment, $uid, $_SERVER['REMOTE_ADDR'],
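Review bot: The added `($ret == 0)` gate relies on `$ret` being initialised to 0 before the LOCK TABLES block, but the locked branch only assigns it on the failure path and the initialisation is outside this hunk; if `$ret` is unset, `null == 0` is true under loose comparison and the notification still fires, which is the intended outcome only by accident. Initialise `$ret = 0;` at the top of CMT_saveComment (or compare with `0 === $ret`) so the intent is explicit. The new comment misspells "notifications" (`notications`).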
***************
*** 862,866 ****
COM_errorLog("CMT_saveComment: $uid from {$_SERVER['REMOTE_ADDR']} tried "
. 'to submit a comment with invalid $title and/or $comment.');
! return $ret = 4;
}
--- 875,879 ----
COM_errorLog("CMT_saveComment: $uid from {$_SERVER['REMOTE_ADDR']} tried "
. 'to submit a comment with invalid $title and/or $comment.');
! return $ret = 5;
}
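Review bot: Renumbering this return code from 4 to 5 changes CMT_saveComment's contract: 4 now means "bad pid/sid" and 5 means "invalid title or comment", and the caller that maps these codes to messages (comment.php, not in this commit) must be updated or it will report the wrong error. Naming the codes as constants with a short comment above the function listing each value would prevent the next renumbering from silently breaking callers. The enclosing function starts before this hunk.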