author | Steven Wittens <steven@10.no-reply.drupal.org> | 2005-03-31 09:25:33 +0000 |
---|---|---|
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2005-03-31 09:25:33 +0000 |
commit | be14203534c5f09d0c70c2bf59b81b80f2a90b32 (patch) | |
tree | a489b0bdda01f9de5deba514bcffd3dce16b59ed /modules/comment.module | |
parent | 99233a9c991635e801aebc276e4e2975b6ba9e20 (diff) | |
download | brdo-be14203534c5f09d0c70c2bf59b81b80f2a90b32.tar.gz brdo-be14203534c5f09d0c70c2bf59b81b80f2a90b32.tar.bz2 |
- #18817: Clean up plain-text checking (see drupal-devel!)
Diffstat (limited to 'modules/comment.module')
-rw-r--r-- | modules/comment.module | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/modules/comment.module b/modules/comment.module
index a22da2242..876e89bff 100644
--- a/modules/comment.module
+++ b/modules/comment.module
@@ -274,7 +274,7 @@ function comment_nodeapi(&$node, $op, $arg = 0) {
 $text = '';
 $comments = db_query('SELECT subject, comment, format FROM {comments} WHERE nid = %d AND status = 0', $node->nid);
 while ($comment = db_fetch_object($comments)) {
- $text .= '<h2>'. $comment->subject .'</h2>'. check_output($comment->comment, $comment->format);
+ $text .= '<h2>'. check_plain($comment->subject) .'</h2>'. check_output($comment->comment, $comment->format);
 }
 return $text;
@@ -431,9 +431,12 @@ function comment_validate_form($edit) {
 // Validate the comment's subject. If not specified, extract
 // one from the comment's body.
- $edit['subject'] = strip_tags($edit['subject']);
- if ($edit['subject'] == '') {
- $edit['subject'] = truncate_utf8(strip_tags($edit['comment']), 29, TRUE);
+ if (trim($edit['subject']) == '') {
+ // The body may be in any format, so we:
+ // 1) Filter it into HTML
+ // 2) Strip out all HTML tags
+ // 3) Convert entities back to plain-text.
+ $edit['subject'] = truncate_utf8(decode_entities(strip_tags(check_output($edit['comment'], $edit['format']))), 29, TRUE);
 }
 // Validate the comment's body.
@@ -450,7 +453,7 @@ function comment_validate_form($edit) {
 if (!$user->uid) {
 if (variable_get('comment_anonymous', 0) > 0) {
 if ($edit['name']) {
- $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", strip_tags($edit['name'])), 0);
+ $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']), 0);
 if ($taken != 0) {
 form_set_error('name', t('The name you used belongs to a registered user.'));
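Review bot: The comment_validate_form hunk moves the subject from input sanitising (the removed `strip_tags()`) to output-time escaping, but nothing in the block records that contract, and the derived-subject path deliberately produces raw plain text via `decode_entities()`, so a later reader could easily assume the stored subject is tag-free. A user-typed subject is now stored exactly as submitted (not even trimmed, since `trim()` is only applied in the test), and it is rendered in several places elsewhere in this commit. A one-line comment at the top of the block would prevent regressions, e.g. `// The subject is stored as plain text and is NOT sanitised here; every output site must escape it with check_plain().`. comment_validate_form continues outside the hunk.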
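Review bot: On the new `$taken` line the query compares `LOWER(name)` against `$edit['name']` exactly as typed, so on a case-sensitive collation (PostgreSQL, or a binary MySQL column) a name that differs from a registered account only in case is not reported as taken, which weakens the impersonation check this branch exists for. Lowercasing both sides keeps the intent, `$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = LOWER('%s')", $edit['name']), 0);`. This predates the commit, but the line is being rewritten anyway; the surrounding `if (!$user->uid)` block continues past the hunk.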
@@ -494,7 +497,7 @@ function comment_preview($edit) {
 // Attach the user and time information.
 $comment->uid = $user->uid;
 $comment->timestamp = time();
- $comment->name = $user->name ? $user->name : $comment->name;
+ $comment->name = check_plain($user->name ? $user->name : $comment->name);
 // Preview the comment.
 $output .= theme('comment_view', $comment, theme('links', module_invoke_all('link', 'comment', $comment, 1)));
@@ -523,7 +526,7 @@ function comment_post($edit) {
 // validated/filtered data to perform such check.
 $duplicate = db_result(db_query("SELECT COUNT(cid) FROM {comments} WHERE pid = %d AND nid = %d AND subject = '%s' AND comment = '%s'", $edit['pid'], $edit['nid'], $edit['subject'], $edit['comment']), 0);
 if ($duplicate != 0) {
- watchdog('content', t('Comment: duplicate %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING);
+ watchdog('content', t('Comment: duplicate %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
 }
 if ($edit['cid']) {
@@ -538,7 +541,7 @@ function comment_post($edit) {
 module_invoke_all('comment', 'update', $edit);
 // Add an entry to the watchdog log.
- watchdog('content', t('Comment: updated %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
+ watchdog('content', t('Comment: updated %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
 }
 else {
 // Add the comment to database.
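Review bot: In the comment_preview hunk the author name is escaped with `check_plain()` while the object is being assembled, whereas the rest of this commit escapes at the output site (`check_plain()` in comment_nodeapi, `theme('placeholder', ...)` in the log calls), so the preview object now carries a pre-escaped `name` that the theme layer cannot distinguish from a raw one. If `theme('comment_view')` or `format_name()` escapes the name as well, a `<` in a name previews as a double-encoded `&amp;lt;`; if they do not, the non-preview path that renders stored names gets no protection from this change. Whichever layer is chosen, record it next to the assignment, e.g. `// Name is escaped here; theme_comment_view must render it as-is.`, so the two paths stay consistent. What the theme does with the name is not visible in this hunk.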
@@ -641,7 +644,7 @@ function comment_post($edit) {
 module_invoke_all('comment', 'insert', $edit);
 // Add an entry to the watchdog log.
- watchdog('content', t('Comment: added %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
+ watchdog('content', t('Comment: added %subject.', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_NOTICE, l(t('view'), 'node/'. $edit['nid'], NULL, NULL, 'comment-'. $edit['cid']));
 }
 // Clear the cache so an anonymous user can see his comment being added.
@@ -662,7 +665,7 @@ function comment_post($edit) {
 }
 }
 else {
- watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')), WATCHDOG_WARNING);
+ watchdog('content', t('Comment: unauthorized comment submitted or comment submitted to a closed node (%subject).', array('%subject' => theme('placeholder', $edit['subject']))), WATCHDOG_WARNING);
 }
 }
@@ -974,7 +977,7 @@ function comment_delete($cid) {
 }
 else if ($comment->cid) {
 $output = theme('confirm',
- t('Are you sure you want to delete the comment %title?', array('%title' => '<em>'. $comment->subject .'</em>')),
+ t('Are you sure you want to delete the comment %title?', array('%title' => theme('placeholder', $comment->subject))),
 'node/'. $comment->nid,
 t('Any replies to this comment will be lost. This action cannot be undone.'),
 t('Delete'));
@@ -992,7 +995,7 @@ function comment_delete($cid) {
 function comment_save($id, $edit) {
 db_query("UPDATE {comments} SET subject = '%s', comment = '%s', status = %d, format = '%s', name = '%s', mail = '%s', homepage = '%s' WHERE cid = %d", $edit['subject'], $edit['comment'], $edit['status'], $edit['format'], $edit['name'], $edit['mail'], $edit['homepage'], $id);
- watchdog('content', t('Comment: modified %subject.', array('%subject' => '<em>'. $edit['subject'] .'</em>')));
+ watchdog('content', t('Comment: modified %subject.', array('%subject' => theme('placeholder', $edit['subject']))));
 drupal_set_message(t('The comment has been saved.'));
 _comment_update_node_statistics($edit['nid']);
@@ -1023,7 +1026,7 @@ function comment_admin_overview($type = 'new') {
 while ($comment = db_fetch_object($result)) {
 $comment->name = $comment->uid ? $comment->registered_name : $comment->name;
 $rows[] = array(
- l($comment->subject, "node/$comment->nid", array('title' => htmlspecialchars(truncate_utf8($comment->comment, 128))), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)),
+ l($comment->subject, "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid") ." ". theme('mark', node_mark($comment->nid, $comment->timestamp)),
 format_name($comment),
 ($comment->status == 0 ? t('Published') : t('Not published')),
 format_date($comment->timestamp, 'small'),
@@ -1624,7 +1627,7 @@ function theme_comment_post_forbidden() {
 function _comment_delete_thread($comment) {
 // Delete the comment:
 db_query('DELETE FROM {comments} WHERE cid = %d', $comment->cid);
- watchdog('content', t('Comment: deleted %subject.', array('%subject' => "<em>$comment->subject</em>")));
+ watchdog('content', t('Comment: deleted %subject.', array('%subject' => theme('placeholder', $comment->subject))));
 module_invoke_all('comment', 'delete', $comment); |
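Review bot: In the comment_admin_overview hunk `$comment->subject` is still handed to `l()` as link text with no `check_plain()`, while this same commit stops stripping tags from the subject on input and escapes it at every other output site; unless `l()` escapes its text argument (not visible here), this admin row is now an unescaped sink for a stored subject. Dropping `htmlspecialchars()` from the `title` attribute is only safe on the same condition for `drupal_attributes()`, so both should be confirmed in one pass. If `l()` does not escape, the change is `l(check_plain($comment->subject), "node/$comment->nid", array('title' => truncate_utf8($comment->comment, 128)), NULL, "comment-$comment->cid")`. comment_admin_overview continues outside the hunk.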