From edfce2ead5bca3627a1f549f046ab4dbb927f3db Mon Sep 17 00:00:00 2001
From: discomrade
Date: Sat, 24 Jul 2021 10:47:56 -0200
Subject: [PATCH] Enforce maximum length of ban appeal
---
 inc/config.php | 10 +++++++++-
 post.php | 12 ++++++++----
 templates/banned.html | 2 +-
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/inc/config.php b/inc/config.php
index 1507abbb..ab13bc81 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -664,6 +664,9 @@
 // How many ban appeals can be made for a single ban?
 $config['ban_appeals_max'] = 1;
+ // Maximum character length of appeal.
+ $config['ban_appeal_max_chars'] = 120;
+
 // Show moderator name on ban page.
 $config['show_modname'] = false;
@@ -1154,8 +1157,13 @@
 $config['error']['nodelete'] = _('You didn\'t select anything to delete.');
 $config['error']['nodeletethread'] = _('You are not allowed to delete threads.');
 $config['error']['noreport'] = _('You didn\'t select anything to report.');
- $config['error']['toolongreport'] = _('The reason was too long.');
+ $config['error']['toolongreport'] = _('The reason was too long.');
 $config['error']['toomanyreports'] = _('You can\'t report that many posts at once.');
+ $config['error']['noban'] = _('That ban doesn\'t exist or is not for you.');
+ $config['error']['tooshortban'] = _('You cannot appeal a ban of this length.');
+ $config['error']['toolongappeal'] = _('The appeal was too long.');
+ $config['error']['toomanyappeals'] = _('You cannot appeal this ban again.');
+ $config['error']['pendingappeal'] = _('There is already a pending appeal for this ban.');
 $config['error']['invalidpassword'] = _('Wrong password…');
 $config['error']['invalidimg'] = _('Invalid image.');
 $config['error']['unknownext'] = _('Unknown file extension.');
diff --git a/post.php b/post.php
index 5a2fa32e..cdfb56fa 100644
--- a/post.php
+++ b/post.php
@@ -1487,23 +1487,27 @@ function handle_appeal(){
 }
 if (!isset($ban)) {
- error(_("That ban doesn't exist or is not for you."));
+ error($config['error']['noban']);
 }
 if ($ban['expires'] && $ban['expires'] - $ban['created'] <= $config['ban_appeals_min_length']) {
- error(_("You cannot appeal a ban of this length."));
+ error($config['error']['tooshortban']);
 }
 $query = query("SELECT `denied` FROM ``ban_appeals`` WHERE `ban_id` = $ban_id") or error(db_error());
 $ban_appeals = $query->fetchAll(PDO::FETCH_COLUMN);
 if (count($ban_appeals) >= $config['ban_appeals_max']) {
- error(_("You cannot appeal this ban again."));
+ error($config['error']['toomanyappeals']);
 }
 foreach ($ban_appeals as $is_denied) {
 if (!$is_denied)
- error(_("There is already a pending appeal for this ban."));
+ error($config['error']['pendingappeal']);
+ }
+
+ if (strlen($_POST['appeal']) > $config['ban_appeal_max_chars']) {
+ error($config['error']['toolongappeal']);
 }
 $query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
diff --git a/templates/banned.html b/templates/banned.html
index 65d66281..3d0b333f 100644
--- a/templates/banned.html
+++ b/templates/banned.html
@@ -136,7 +136,7 @@ {% endif %}
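Review bot: The new length guard in handle_appeal(), `strlen($_POST['appeal']) > $config['ban_appeal_max_chars']`, counts bytes, while the setting added in inc/config.php is documented as a maximum character length, so an appeal written in a multibyte script is rejected well below the configured 120 characters. The guard also assumes `$_POST['appeal']` is a string: if the field arrives as an array, `strlen()` throws a TypeError on PHP 8 and on older versions returns null with a warning, which lets the value through to the INSERT; whether an earlier `isset`/`is_string` test exists cannot be seen here, because handle_appeal() starts above the hunk. I would change the condition to `if (!is_string($_POST['appeal']) || mb_strlen($_POST['appeal']) > $config['ban_appeal_max_chars']) {`. The check could also move above the `ban_appeals` SELECT so that an oversized body is rejected before any query runs.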
- +
{% endif %}