post.php: sanitize appeal message
parent
854cc6cd23
commit
fd9baaea5f
32
post.php
32
post.php
|
@ -64,6 +64,22 @@ function strip_markup($post_body)
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Inserts a new ban appeal into the database.
|
||||
*
|
||||
* @param int $ban_id Ban id.
|
||||
* @param string $appeal_message Appeal message.
|
||||
* @return void
|
||||
*/
|
||||
function query_insert_ban_appeal($ban_id, $appeal_message)
|
||||
{
|
||||
$query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
|
||||
$query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
|
||||
$query->bindValue(':time', time(), PDO::PARAM_INT);
|
||||
$query->bindValue(':message', $appeal_message);
|
||||
$query->execute() or error(db_error($query));
|
||||
}
|
||||
|
||||
/**
|
||||
* Method handling functions
|
||||
*/
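Review bot: query_insert_ban_appeal documents `@param int $ban_id` and `@param string $appeal_message` only in the docblock, so nothing enforces them, and the docblock does not say that the message is written to the row exactly as given, which is what the caller in handle_appeal now relies on when it escapes before calling. Declare the types natively, `function query_insert_ban_appeal(int $ban_id, string $appeal_message): void`, and state the contract, e.g. `@param string $appeal_message Appeal message; stored verbatim, so the caller escapes it for the intended output context first.` The `@return void` line can then go, since the native return type says the same.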
|
||||
|
@ -537,8 +553,9 @@ function handle_post()
|
|||
$_POST['subject'] = '';
|
||||
}
|
||||
|
||||
if (!isset($_POST['password']))
|
||||
if (!isset($_POST['password'])) {
|
||||
$_POST['password'] = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['thread'])) {
|
||||
$post['op'] = false;
|
||||
|
@ -549,7 +566,7 @@ function handle_post()
|
|||
|
||||
|
||||
if (!$dropped_post) {
|
||||
// Check for CAPTCHA right after opening the board so the "return" link is in there
|
||||
// Check for CAPTCHA right after opening the board so the "return" link is in there.
|
||||
if ($config['recaptcha']) {
|
||||
if (!isset($_POST['g-recaptcha-response']))
|
||||
error($config['error']['bot']);
|
||||
|
@ -1549,8 +1566,9 @@ function handle_post()
|
|||
function handle_appeal()
|
||||
{
|
||||
global $config;
|
||||
if (!isset($_POST['ban_id']))
|
||||
if (!isset($_POST['ban_id'])) {
|
||||
error($config['error']['bot']);
|
||||
}
|
||||
|
||||
$ban_id = (int) $_POST['ban_id'];
|
||||
|
||||
|
@ -1587,11 +1605,9 @@ function handle_appeal()
|
|||
error($config['error']['toolongappeal']);
|
||||
}
|
||||
|
||||
$query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
|
||||
$query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
|
||||
$query->bindValue(':time', time(), PDO::PARAM_INT);
|
||||
$query->bindValue(':message', $_POST['appeal']);
|
||||
$query->execute() or error(db_error($query));
|
||||
// Sanitize away eventual Cross Site Scripting funkyness.
|
||||
$appeal_msg = htmlspecialchars($_POST['appeal']);
|
||||
query_insert_ban_appeal($ban_id, $appeal_msg);
|
||||
|
||||
displayBan($ban);
|
||||
}
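Review bot: `htmlspecialchars($_POST['appeal'])` relies on the default flags, so what gets stored depends on the PHP version: before 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped, and an appeal containing an invalid UTF-8 sequence is turned into an empty string rather than substituted or rejected. Pass the flags explicitly, `$appeal_msg = htmlspecialchars($_POST['appeal'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Escaping at storage time also ties the stored text to HTML output, so whatever renders ban appeals must not escape it a second time, and the toolongappeal check just above appears to run on the raw text, so the escaped value can exceed that limit — worth confirming against the column size. handle_appeal begins outside the hunk.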
|
||||
|