onokazu
onoka****@users*****
2005年 6月 30日 (木) 14:07:51 JST
Index: xoops2jp/html/include/comment_form.php
diff -u xoops2jp/html/include/comment_form.php:1.3 xoops2jp/html/include/comment_form.php:1.4
--- xoops2jp/html/include/comment_form.php:1.3 Sat Jun 11 11:32:40 2005
+++ xoops2jp/html/include/comment_form.php Thu Jun 30 14:07:51 2005
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment_form.php,v 1.3 2005/06/11 02:32:40 onokazu Exp $
+// $Id: comment_form.php,v 1.4 2005/06/30 05:07:51 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -75,11 +75,11 @@
 $status_select = new XoopsFormSelect(_CM_STATUS, 'com_status', $com_status);
 $status_select->addOptionArray(array(XOOPS_COMMENT_PENDING => _CM_PENDING, XOOPS_COMMENT_ACTIVE => _CM_ACTIVE, XOOPS_COMMENT_HIDDEN => _CM_HIDDEN));
 $cform->addElement($status_select);
+ $button_tray->addElement(new XoopsFormButton('', 'com_dodelete', _DELETE, 'submit'));
 }
 $html_checkbox = new XoopsFormCheckBox('', 'dohtml', $dohtml);
 $html_checkbox->addOption(1, _CM_DOHTML);
 $option_tray->addElement($html_checkbox);
- $button_tray->addElement(new XoopsFormButton('', 'com_dodelete', _DELETE, 'submit'));
 }
 }
 $smiley_checkbox = new XoopsFormCheckBox('', 'dosmiley', $dosmiley);
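Review bot: Relocating the `com_dodelete` button into the branch that also renders the status select changes only what the form shows; the server side must still refuse `com_dodelete` unless the same condition holds, because a POST can carry that field whether or not the button was rendered. The `if` that encloses the status select opens before this hunk, so the condition it expresses is not visible here, and the handler lives in comment_post.php, outside this hunk as well. A comment on the moved line would keep the two sides in step, e.g. `// delete is offered only where the status select is; comment_post.php must re-check the same condition before honouring com_dodelete`.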
@@ -105,16 +105,17 @@
 if ('system' != $xoopsModule->getVar('dirname')) {
 $comment_config = $xoopsModule->getInfo('comments');
 if (isset($comment_config['extraParams']) && is_array($comment_config['extraParams'])) {
+ $myts =& MyTextSanitizer::getInstance();
 foreach ($comment_config['extraParams'] as $extra_param) {
 // This routine is included from forms accessed via both GET and POST
 if (isset($_POST[$extra_param])) {
- $hidden_value = $_POST[$extra_param];
+ $hidden_value = $myts->stripSlashesGPC($_POST[$extra_param]);
 } elseif (isset($_GET[$extra_param])) {
- $hidden_value = $_GET[$extra_param];
+ $hidden_value = $myts->stripSlashesGPC($_GET[$extra_param]);
 } else {
 $hidden_value = '';
 }
- $cform->addElement(new XoopsFormHidden($extra_param, $hidden_value));
+ $cform->addElement(new XoopsFormHidden($extra_param, htmlspecialchars($hidden_value, ENT_QUOTES)));
 }
 }
 }
Index: xoops2jp/html/include/comment_post.php
diff -u xoops2jp/html/include/comment_post.php:1.3 xoops2jp/html/include/comment_post.php:1.4
--- xoops2jp/html/include/comment_post.php:1.3 Sat Jun 11 11:32:40 2005
+++ xoops2jp/html/include/comment_post.php Thu Jun 30 14:07:51 2005
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment_post.php,v 1.3 2005/06/11 02:32:40 onokazu Exp $
+// $Id: comment_post.php,v 1.4 2005/06/30 05:07:51 onokazu Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -35,6 +35,7 @@
 include_once XOOPS_ROOT_PATH.'/language/'.$xoopsConfig['language'].'/comment.php';
 include_once XOOPS_ROOT_PATH.'/include/comment_constants.php';
 $com_id = isset($_POST['com_id']) ? intval($_POST['com_id']) : 0;
+$extra_params = '';
 if ('system' == $xoopsModule->getVar('dirname')) {
 if (empty($com_id)) {
 exit();
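Review bot: `htmlspecialchars($hidden_value, ENT_QUOTES)` on the last added line of the comment_form.php hunk passes no charset, so the conversion runs under PHP's default encoding rather than the site's configured one; since this appears to be the Japanese XOOPS tree, multi-byte input is safer with the charset stated explicitly, e.g. `htmlspecialchars($hidden_value, ENT_QUOTES, _CHARSET)` if that constant is defined by the time this file is included. The escaping is also done at the call site rather than by XoopsFormHidden, whose render code is not in this diff; if the element escapes its value again on output the hidden field is double-encoded, so a comment recording the assumption, such as `// value is escaped here; XoopsFormHidden must emit it unchanged`, would make the contract visible to the next reader. The `$_GET` branch means these values can be seeded from a link as well as a form, which is why both branches need identical treatment, as the hunk now gives them.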
@@ -56,9 +57,9 @@
 $com_modid = $xoopsModule->getVar('mid');
 $redirect_page = $comment_config['pageName'].'?';
 if (isset($comment_config['extraParams']) && is_array($comment_config['extraParams'])) {
- $extra_params = '';
+ $myts =& MyTextSanitizer::getInstance();
 foreach ($comment_config['extraParams'] as $extra_param) {
- $extra_params .= isset($_POST[$extra_param]) ? $extra_param.'='.$_POST[$extra_param].'&' : $extra_param.'=&';
+ $extra_params .= isset($_POST[$extra_param]) ? $extra_param.'='.$myts->stripSlashesGPC($_POST[$extra_param]).'&' : $extra_param.'=&';
 }
 $redirect_page .= $extra_params;
 }
@@ -266,8 +267,8 @@
 $comment->setVar('com_icon', $com_icon);
 $comment->setVar('com_modified', time());
 $comment->setVar('com_modid', $com_modid);
- if (isset($extra_params)) {
- $comment->setVar('com_exparams', $extra_params);
+ if (!empty($extra_params)) {
+ $comment->setVar('com_exparams', str_replace('&', '&', $extra_params));
 }
 if (false != $comment_handler->insert($comment)) {
 $newcid = $comment->getVar('com_id');
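Review bot: In the `@@ -56,9` hunk the posted value is concatenated into `$extra_params` as a raw query-string component, so a value containing `&`, `=`, `#` or `%` changes the meaning of `$redirect_page` and of the string later stored as `com_exparams`; stripping slashes does not address that. Encoding after the strip keeps each value inside its own parameter: `$extra_params .= $extra_param.'='.(isset($_POST[$extra_param]) ? rawurlencode($myts->stripSlashesGPC($_POST[$extra_param])) : '').'&';`. The parameter name `$extra_param` comes from the module's config array and is appended unencoded too, which only holds up while module authors keep those names to plain identifiers. The block enclosing this hunk opens before it, and `$redirect_page` is consumed after it, so how the redirect is emitted cannot be checked here.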
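Review bot: As shown in the `@@ -266,8` hunk, `str_replace('&', '&', $extra_params)` replaces an ampersand with itself and is a no-op; if the intended replacement was the HTML entity for `&` and the mailing-list rendering decoded it, then `com_exparams` is persisted as an HTML-escaped query string, which ties the stored value to one output context. Storing the plain query string and escaping wherever `com_exparams` is rendered is the more robust split, and the loop in the earlier hunk also leaves a trailing `&` on `$extra_params`, which `!empty()` accepts and which is then persisted with the comment. If the entity encoding is deliberate, a comment stating the reason, e.g. `// stored HTML-escaped because com_exparams is echoed into links without further escaping`, should accompany it, provided that claim is verified against the readers of that column, which are outside this diff.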