Changeset 105
- Timestamp:
- 2007-12-19 20:17:32 (1 year ago)
- Files:
-
- trunk/classes/misc/Post.php (modified) (3 diffs)
- trunk/redirectors/preview.php (modified) (1 diff)
trunk/classes/misc/Post.php
r90 r105 92 92 } 93 93 // add this post 94 $table->addRow(Array('<td valign="top" width="' . ($SETTINGS['maxavatarsize'] + 10) . '">' . $_member->getPostside() . '</td>', '<td valign="top">' . $_post. '</td>'), FALSE, TRUE);94 $table->addRow(Array('<td valign="top" width="' . ($SETTINGS['maxavatarsize'] + 10) . '">' . $_member->getPostside() . '</td>', '<td valign="top">' . str_replace('&', '&amp;', $_post) . '</td>'), FALSE, TRUE); 95 95 // post footer 96 96 $table->addRow(Array(''), Array('colspan'=>'2', 'class'=>'postfooter')); … … 106 106 **/ 107 107 public function save($show_orig) { 108 global $C, $ SETTINGS, $LANG;108 global $C, $F, $SETTINGS, $LANG; 109 109 // post data 110 110 global $reply, $subject, $forum, $pollchoices, $user, $post, $password, $email, $subscribe; … … 380 380 $q = $C->prepare('INSERT INTO ' . $SETTINGS['dbtableprefix'] . 'posts (topic, post, poster, posteremail, posttime, ip, attachment, postedbymember) VALUES (:reply, :post, :user, :email, :ts, :ip, :attachment, :member)'); 381 381 $q->bindParam(':reply', $reply, PDO::PARAM_INT, 12); 382 $q->bindParam(':post', $ post, PDO::PARAM_STR);383 $q->bindParam(':user', $ user, PDO::PARAM_STR);382 $q->bindParam(':post', $F->htmlentities($post, TRUE), PDO::PARAM_STR); 383 $q->bindParam(':user', $F->htmlentities($user, TRUE), PDO::PARAM_STR); 384 384 $q->bindParam(':email', $email, PDO::PARAM_STR); 385 385 // current time in UTC trunk/redirectors/preview.php
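Review bot: `bindParam()` takes its value argument by reference, so passing the result of `$F->htmlentities(...)` on new lines 382–383 binds a temporary rather than a variable; PHP reports "Only variables should be passed by reference" and the escaped value may not be what is sent at execute time. Use `bindValue` for computed values — `$q->bindValue(':post', $F->htmlentities($post, TRUE), PDO::PARAM_STR);` and `$q->bindValue(':user', $F->htmlentities($user, TRUE), PDO::PARAM_STR);` — or assign the escaped strings to locals first. Separately, the same changeset escapes the post at save time (line 382) and again at render time (line 94, `str_replace('&', '&amp;', $_post)`); if `$F->htmlentities` encodes `&`, a stored `&lt;` is displayed as the literal text `&lt;`, so escaping once, at output, would avoid the double encoding and keep the stored text reusable in other contexts. save() continues outside the hunk, and what `$F->htmlentities($x, TRUE)` does is not visible here.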
r39 r105 82 82 } 83 83 // decode post 84 $row->post = base64_decode(strtr($post, '-_', '+/'));84 $row->post = $F->htmlentities(base64_decode(strtr($post, '-_', '+/')), TRUE); 85 85 $row->postid = 0; 86 86 // construct and format timestamp
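Review bot: `base64_decode` on line 84 is called without `strict`, so malformed input in `$post` is accepted with invalid characters silently dropped instead of being rejected; `base64_decode(strtr($post, '-_', '+/'), true)` returns `false` for such input, and that result should be checked before it is escaped and assigned to `$row->post`. This preview path also escapes the decoded text with `$F->htmlentities(..., TRUE)` while the display path in Post.php in this same changeset only replaces `&`, so a preview may not render identically to the saved post — worth confirming, since `$F->htmlentities` is not visible here. The enclosing code starts outside the hunk.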
