
Commit 7ba83c4

Fix commenting on news so that html is stripped
1 parent 432294b commit 7ba83c4


2 files changed

+7
-6
lines changed

2 files changed

+7
-6
lines changed

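--- a/src/libraries/Comment.php
+++ b/src/libraries/Comment.php
@@ -153,7 +153,7 @@ public function getContent($prepare) {
 return $this->content;
 }
 $md = new Markdown();
-return $md->text($this->content);
+return $md->text(filter_var($this->content, FILTER_SANITIZE_FULL_SPECIAL_CHARS));
 }
 
 public function getCreatedDateTime() {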
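Review bot: FILTER_SANITIZE_FULL_SPECIAL_CHARS on the added line HTML-encodes `>`, `&` and both quote characters before Markdown ever sees the text, so a blockquote, a literal ampersand or a quoted link title in a comment will reach the renderer as `&gt;`/`&amp;`/`&quot;` and its markup is lost; the Markdown class is what decides which HTML it emits, so escaping its input is not the same as making its output safe. If the Markdown class has a safe/escaping mode, enabling that is the right fix; otherwise use `htmlspecialchars($this->content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so invalid UTF-8 is substituted rather than (as htmlspecialchars does by default) the whole string being dropped. The early return two lines above, which appears to be the `!$prepare` branch, still hands back the raw stored content, so every caller passing false must escape for its own context; a comment such as `// Unprepared content is raw user input: caller must escape for its output context` would make that explicit. getContent begins before this hunk.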

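--- a/src/templates/News/View.phtml
+++ b/src/templates/News/View.phtml
@@ -76,7 +76,7 @@ require("./header.inc.phtml");
 <?php } ?>
 <section class="news"><img class="category" alt="<?php echo $object->getCategory()->getLabel(); ?>" title="<?php echo $object->getCategory()->getLabel(); ?>" src="<?php echo Common::relativeUrlToAbsolute("/a/news_categories/" . $object->getCategory()->getFilename()); ?>"/><?php echo $object->getContent(true); ?></section>
 <footer>
-<span class="float-left"><a href="<?php echo $user_url; ?>"><img class="avatar" src="<?php echo $user_avatar; ?>"/> <?php echo htmlspecialchars($user_name, ENT_HTML5, "UTF-8"); ?></a></span>
+<span class="float-left"><a href="<?php echo $user_url; ?>"><img class="avatar" src="<?php echo $user_avatar; ?>"/> <?php echo filter_var($user_name, FILTER_SANITIZE_STRING); ?></a></span>
 <?php if ($object->getEditedDateTime() !== null) { ?>
 <span class="float-right"><?php echo $object->getCreatedDateTime()->format("l, F j, Y"); ?> | Edited: <?php echo $object->getEditedDateTime()->format("l, F j, Y"); ?></span>
 <?php } else { ?>
@@ -98,25 +98,26 @@ require("./header.inc.phtml");
 $c_user_url = $c_user->getURI();
 $c_user_avatar = $c_user->getAvatarURI(22);
 ?>
-<tr><td><a href="<?php echo $c_user_url; ?>"><img class="avatar" src="<?php echo $c_user_avatar; ?>"/> <?php echo htmlspecialchars($c_user_name, ENT_HTML5, "UTF-8"); ?></a><br/><time class="comment_timestamp" datetime="<?php echo $c->getCreatedDateTime()->format("c"); ?>"><?php echo $c->getCreatedDateTime()->format("D M j, Y g:ia T"); ?></time></td><td><?php echo $c->getContent(true); ?></td></tr>
+<tr><td><a href="<?php echo $c_user_url; ?>"><img class="avatar" src="<?php echo $c_user_avatar; ?>"/> <?php echo filter_var($c_user_name, FILTER_SANITIZE_STRING); ?></a><br/><time class="comment_timestamp" datetime="<?php echo $c->getCreatedDateTime()->format("c"); ?>"><?php echo $c->getCreatedDateTime()->format("D M j, Y g:ia T"); ?></time></td><td><?php echo $c->getContent(true); ?></td></tr>
 <?php } ?>
 </tbody></table>
 <?php } ?>
 </section>
 <?php if ($logged_in) { ?>
 <section>
+<hr/>
 <form method="POST" action="<?php echo Common::relativeUrlToAbsolute("/comment/create"); ?>">
 <input type="hidden" name="parent_type" value="<?php echo Comment::PARENT_TYPE_NEWS_POST; ?>"/>
-<input type="hidden" name="parent_id" value="<?php echo htmlspecialchars($object_id, ENT_HTML5, "UTF-8"); ?>"/>
+<input type="hidden" name="parent_id" value="<?php echo $object_id; ?>"/>
 <p class="center"><label for="comment-content">Comment on this post:</label></p>
 <p class="center"><textarea id="comment-content" name="content" cols="80" rows="5"></textarea></p>
 <p class="center"><input type="submit" value="Comment"/></p>
 </form>
 </section>
 <?php } ?>
 <?php } else { ?>
-<header class="red"><?php echo htmlspecialchars($title, ENT_HTML5, "UTF-8"); ?></header>
-<section class="red"><?php echo htmlspecialchars($description, ENT_HTML5, "UTF-8"); ?></section>
+<header class="red"><?php echo filter_var($title, FILTER_SANITIZE_STRING); ?></header>
+<section class="red"><?php echo filter_var($description, FILTER_SANITIZE_STRING); ?></section>
 <?php } ?>
 </article>
 <?php require("./footer.inc.phtml"); ?>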
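Review bot: The new `parent_id` hidden input drops escaping altogether and echoes `$object_id` straight into an attribute; if `$object_id` is taken from the route or request, a value containing `"` can close the attribute, so keep `value="<?php echo htmlspecialchars($object_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"`. Replacing htmlspecialchars with `filter_var(..., FILTER_SANITIZE_STRING)` on the user names, title and description is also a regression: that filter is deprecated as of PHP 8.1, truncates a display name at the first literal `<` instead of escaping it, and leaves `&` unencoded, whereas `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` encodes every character that matters in HTML text and attribute context. The unescaped `$user_url`, `$user_avatar`, `$c_user_url` and `$c_user_avatar` attribute values predate this commit but sit on the same rewritten lines and warrant the same escaping unless the getURI/getAvatarURI helpers are known to return attribute-safe strings. The html stripping the commit title describes belongs in Comment::getContent, not in the template's escaping, which should stay context-correct.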
