
post.php: sanitize appeal message

pull/107/head
Zankaria 3 months ago
parent
commit
fd9baaea5f
  1. 32
      post.php

32
post.php

@ -64,6 +64,22 @@ function strip_markup($post_body)
}
}
/**
* Inserts a new ban appeal into the database.
*
* @param int $ban_id Ban id.
* @param string $appeal_message Appeal message.
* @return void
*/
function query_insert_ban_appeal($ban_id, $appeal_message)
{
$query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
$query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
$query->bindValue(':time', time(), PDO::PARAM_INT);
$query->bindValue(':message', $appeal_message);
$query->execute() or error(db_error($query));
}
/**
* Method handling functions
*/
@ -537,8 +553,9 @@ function handle_post()
$_POST['subject'] = '';
}
if (!isset($_POST['password']))
if (!isset($_POST['password'])) {
$_POST['password'] = '';
}
if (isset($_POST['thread'])) {
$post['op'] = false;
@ -549,7 +566,7 @@ function handle_post()
if (!$dropped_post) {
// Check for CAPTCHA right after opening the board so the "return" link is in there
// Check for CAPTCHA right after opening the board so the "return" link is in there.
if ($config['recaptcha']) {
if (!isset($_POST['g-recaptcha-response']))
error($config['error']['bot']);
@ -1549,8 +1566,9 @@ function handle_post()
function handle_appeal()
{
global $config;
if (!isset($_POST['ban_id']))
if (!isset($_POST['ban_id'])) {
error($config['error']['bot']);
}
$ban_id = (int) $_POST['ban_id'];
@ -1587,11 +1605,9 @@ function handle_appeal()
error($config['error']['toolongappeal']);
}
$query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
$query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
$query->bindValue(':time', time(), PDO::PARAM_INT);
$query->bindValue(':message', $_POST['appeal']);
$query->execute() or error(db_error($query));
// Sanitize away eventual Cross Site Scripting funkyness.
$appeal_msg = htmlspecialchars($_POST['appeal']);
query_insert_ban_appeal($ban_id, $appeal_msg);
displayBan($ban);
}
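Review bot: `htmlspecialchars($_POST['appeal'])` on the new side of the last hunk relies on the default flags, which only escape single quotes and substitute invalid byte sequences from PHP 8.1 onward; on earlier runtimes the stored string keeps `'` unencoded and an invalid UTF-8 input makes the call return an empty string silently. Passing the flags and charset explicitly, `$appeal_msg = htmlspecialchars($_POST['appeal'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, makes the stored value independent of the PHP version. Because the escaping now happens at storage time rather than at render time, the new `query_insert_ban_appeal` docblock in the first hunk should say so, e.g. `@param string $appeal_message Appeal message, already HTML-escaped for output.`, otherwise the next caller will pass raw text or the template will encode it a second time. The `toolongappeal` length check just above the hunk appears to run on the raw text, so the encoded string written to the column can be longer than the checked limit — worth confirming against the column width. handle_appeal starts in the previous hunk and its body between the two hunks is not shown.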
