From 321c742124d0b338f8d2497b3151f0d96dc9c854 Mon Sep 17 00:00:00 2001
From: discomrade
Date: Fri, 28 Jan 2022 00:59:08 -0100
Subject: [PATCH] Prevent raw HTML editing a post with tinyboard modifiers (e.g. user flags) from inserting them into the visible post body
---
 inc/mod/pages.php | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 02cc564b..fe1def9b 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -2066,12 +2066,6 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
 // Remove any modifiers they may have put in
 $_POST['body'] = remove_modifiers($_POST['body']);
- // Add back modifiers in the original post
- $modifiers = extract_modifiers($post['body_nomarkup']);
- foreach ($modifiers as $key => $value) {
- $_POST['body'] .= "$value";
- }
-
 if ($edit_raw_html)
 $query = prepare(sprintf('UPDATE ``posts_%s`` SET `name` = :name, `email` = :email, `subject` = :subject, `body` = :body, `body_nomarkup` = :body_nomarkup WHERE `id` = :id', $board));
 else
@@ -2080,11 +2074,22 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
 $query->bindValue(':name', $_POST['name']);
 $query->bindValue(':email', $_POST['email']);
 $query->bindValue(':subject', $_POST['subject']);
- $query->bindValue(':body', $_POST['body']);
 if ($edit_raw_html) {
 $body_nomarkup = $_POST['body'] . "\n1";
+ // Add back modifiers in the original post
+ $modifiers = extract_modifiers($post['body_nomarkup']);
+ foreach ($modifiers as $key => $value) {
+ $body_nomarkup .= "$value";
+ }
 $query->bindValue(':body_nomarkup', $body_nomarkup);
+ } else {
+ // Add back modifiers in the original post
+ $modifiers = extract_modifiers($post['body_nomarkup']);
+ foreach ($modifiers as $key => $value) {
+ $_POST['body'] .= "$value";
+ }
 }
+ $query->bindValue(':body', $_POST['body']);
 $query->execute() or error(db_error($query));
 if ($edit_raw_html) {
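Review bot: The modifier re-append loop is now written twice in the second hunk, once in each arm of `if ($edit_raw_html)`, and the two copies differ only in their target (`$body_nomarkup` versus `$_POST['body']`). Since the bug being fixed is modifiers landing in the wrong field, I would build the modifier string once before the branch and append it in each arm, so a later edit cannot change one copy and miss the other. The raw-HTML arm also deserves a comment stating the invariant, e.g. `// Raw HTML: :body is bound as submitted, so preserved modifiers go only into body_nomarkup, never the visible body`. The move of `$query->bindValue(':body', $_POST['body']);` below the branch matters because the else arm still mutates `$_POST['body']`, which is worth a one-line note as well. mod_edit_post starts and ends outside the hunk, so how `body` is rebuilt or rendered afterwards cannot be checked from here.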