perdedora/leftypol
1
0
Fork 0
forked from leftypol/leftypol
Code Pull requests Activity

post.php: sanitize appeal message

Browse source
This commit is contained in:
Zankaria 2024-01-16 18:01:13 +00:00
parent 854cc6cd23
commit fd9baaea5f
1 changed files with 24 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

32
post.php
View file

@ -64,6 +64,22 @@ function strip_markup($post_body)
} }
} }
/**
* Inserts a new ban appeal into the database.
*
* @param int $ban_id Ban id.
* @param string $appeal_message Appeal message.
* @return void
*/
function query_insert_ban_appeal($ban_id, $appeal_message)
{
$query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)");
$query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT);
$query->bindValue(':time', time(), PDO::PARAM_INT);
$query->bindValue(':message', $appeal_message);
$query->execute() or error(db_error($query));
}
/** /**
* Method handling functions * Method handling functions
*/ */
@ -537,8 +553,9 @@ function handle_post()
$_POST['subject'] = ''; $_POST['subject'] = '';
} }
if (!isset($_POST['password'])) if (!isset($_POST['password'])) {
$_POST['password'] = ''; $_POST['password'] = '';
}
if (isset($_POST['thread'])) { if (isset($_POST['thread'])) {
$post['op'] = false; $post['op'] = false;
@ -549,7 +566,7 @@ function handle_post()
if (!$dropped_post) { if (!$dropped_post) {
// Check for CAPTCHA right after opening the board so the "return" link is in there // Check for CAPTCHA right after opening the board so the "return" link is in there.
if ($config['recaptcha']) { if ($config['recaptcha']) {
if (!isset($_POST['g-recaptcha-response'])) if (!isset($_POST['g-recaptcha-response']))
error($config['error']['bot']); error($config['error']['bot']);
@ -1549,8 +1566,9 @@ function handle_post()
function handle_appeal() function handle_appeal()
{ {
global $config; global $config;
if (!isset($_POST['ban_id'])) if (!isset($_POST['ban_id'])) {
error($config['error']['bot']); error($config['error']['bot']);
}
$ban_id = (int) $_POST['ban_id']; $ban_id = (int) $_POST['ban_id'];
@ -1587,11 +1605,9 @@ function handle_appeal()
error($config['error']['toolongappeal']); error($config['error']['toolongappeal']);
} }
$query = prepare("INSERT INTO ``ban_appeals`` VALUES (NULL, :ban_id, :time, :message, 0)"); // Sanitize away eventual Cross Site Scripting funkyness.
$query->bindValue(':ban_id', $ban_id, PDO::PARAM_INT); $appeal_msg = htmlspecialchars($_POST['appeal']);
$query->bindValue(':time', time(), PDO::PARAM_INT); query_insert_ban_appeal($ban_id, $appeal_msg);
$query->bindValue(':message', $_POST['appeal']);
$query->execute() or error(db_error($query));
displayBan($ban); displayBan($ban);
} }