badmanners/shimmie2
badmanners/shimmie2
Archived
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[forum] use microhtml, avoid double-escaping text, fixes #835

Browse source
This commit is contained in:
Shish 2024-01-04 16:08:53 +00:00
parent 889f595076
commit 53152bf9f0
2 changed files with 186 additions and 164 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
ext/forum/main.php
View file

@ -111,10 +111,10 @@ class Forum extends Extension
case "view": case "view":
$threadID = int_escape($event->get_arg(1)); $threadID = int_escape($event->get_arg(1));
// $pageNumber = int_escape($event->get_arg(2)); // $pageNumber = int_escape($event->get_arg(2));
list($errors) = $this->sanity_check_viewed_thread($threadID); $errors = $this->sanity_check_viewed_thread($threadID);
if ($errors != null) { if (count($errors) > 0) {
$this->theme->display_error(500, "Error", $errors); $this->theme->display_error(500, "Error", implode("<br>", $errors));
break; break;
} }
@ -133,10 +133,10 @@ class Forum extends Extension
case "create": case "create":
$redirectTo = "forum/index"; $redirectTo = "forum/index";
if (!$user->is_anonymous()) { if (!$user->is_anonymous()) {
list($errors) = $this->sanity_check_new_thread(); $errors = $this->sanity_check_new_thread();
if ($errors != null) { if (count($errors) > 0) {
$this->theme->display_error(500, "Error", $errors); $this->theme->display_error(500, "Error", implode("<br>", $errors));
break; break;
} }
@ -174,10 +174,10 @@ class Forum extends Extension
$threadID = int_escape($_POST["threadID"]); $threadID = int_escape($_POST["threadID"]);
$total_pages = $this->get_total_pages_for_thread($threadID); $total_pages = $this->get_total_pages_for_thread($threadID);
if (!$user->is_anonymous()) { if (!$user->is_anonymous()) {
list($errors) = $this->sanity_check_new_post(); $errors = $this->sanity_check_new_post();
if ($errors != null) { if (count($errors) > 0) {
$this->theme->display_error(500, "Error", $errors); $this->theme->display_error(500, "Error", implode("<br>", $errors));
break; break;
} }
$this->save_new_post($threadID, $user); $this->save_new_post($threadID, $user);
@ -197,63 +197,69 @@ class Forum extends Extension
private function get_total_pages_for_thread(int $threadID): int private function get_total_pages_for_thread(int $threadID): int
{ {
global $database, $config; global $database, $config;
$result = $database->get_row("SELECT COUNT(1) AS count FROM forum_posts WHERE thread_id = :thread_id", ['thread_id' => $threadID]); $result = $database->get_row("
SELECT COUNT(1) AS count
FROM forum_posts
WHERE thread_id = :thread_id
", ['thread_id' => $threadID]);
return (int)ceil($result["count"] / $config->get_int("forumPostsPerPage")); return (int)ceil($result["count"] / $config->get_int("forumPostsPerPage"));
} }
private function sanity_check_new_thread(): array private function sanity_check_new_thread(): array
{ {
$errors = null; $errors = [];
if (!array_key_exists("title", $_POST)) { if (!array_key_exists("title", $_POST)) {
$errors .= "<div id='error'>No title supplied.</div>"; $errors[] = "No title supplied.";
} elseif (strlen($_POST["title"]) == 0) { } elseif (strlen($_POST["title"]) == 0) {
$errors .= "<div id='error'>You cannot have an empty title.</div>"; $errors[] = "You cannot have an empty title.";
} elseif (strlen(html_escape($_POST["title"])) > 255) { } elseif (strlen($_POST["title"]) > 255) {
$errors .= "<div id='error'>Your title is too long.</div>"; $errors[] = "Your title is too long.";
} }
if (!array_key_exists("message", $_POST)) { if (!array_key_exists("message", $_POST)) {
$errors .= "<div id='error'>No message supplied.</div>"; $errors[] = "No message supplied.";
} elseif (strlen($_POST["message"]) == 0) { } elseif (strlen($_POST["message"]) == 0) {
$errors .= "<div id='error'>You cannot have an empty message.</div>"; $errors[] = "You cannot have an empty message.";
} }
return [$errors]; return $errors;
} }
private function sanity_check_new_post(): array private function sanity_check_new_post(): array
{ {
$errors = null; $errors = [];
if (!array_key_exists("threadID", $_POST)) { if (!array_key_exists("threadID", $_POST)) {
$errors = "<div id='error'>No thread ID supplied.</div>"; $errors[] = "No thread ID supplied.";
} elseif (strlen($_POST["threadID"]) == 0) { } elseif (strlen($_POST["threadID"]) == 0) {
$errors = "<div id='error'>No thread ID supplied.</div>"; $errors[] = "No thread ID supplied.";
} elseif (is_numeric($_POST["threadID"])) { } elseif (is_numeric($_POST["threadID"])) {
if (!array_key_exists("message", $_POST)) { if (!array_key_exists("message", $_POST)) {
$errors .= "<div id='error'>No message supplied.</div>"; $errors[] = "No message supplied.";
} elseif (strlen($_POST["message"]) == 0) { } elseif (strlen($_POST["message"]) == 0) {
$errors .= "<div id='error'>You cannot have an empty message.</div>"; $errors[] = "You cannot have an empty message.";
} }
} }
return [$errors]; return $errors;
} }
/**
* @return string[]
*/
private function sanity_check_viewed_thread(int $threadID): array private function sanity_check_viewed_thread(int $threadID): array
{ {
$errors = null; $errors = [];
if (!$this->threadExists($threadID)) { if (!$this->threadExists($threadID)) {
$errors = "<div id='error'>Inexistent thread.</div>"; $errors[] = "Inexistent thread.";
} }
return [$errors]; return $errors;
} }
private function get_thread_title(int $threadID): string private function get_thread_title(int $threadID): string
{ {
global $database; global $database;
$result = $database->get_row("SELECT t.title FROM forum_threads AS t WHERE t.id = :id ", ['id' => $threadID]); return $database->get_one("SELECT t.title FROM forum_threads AS t WHERE t.id = :id ", ['id' => $threadID]);
return $result["title"];
} }
private function show_last_threads(Page $page, PageRequestEvent $event, bool $showAdminOptions = false): void private function show_last_threads(Page $page, PageRequestEvent $event, bool $showAdminOptions = false): void
@ -312,7 +318,7 @@ class Forum extends Extension
private function save_new_thread(User $user): int private function save_new_thread(User $user): int
{ {
$title = html_escape($_POST["title"]); $title = $_POST["title"];
$sticky = !empty($_POST["sticky"]); $sticky = !empty($_POST["sticky"]);
global $database; global $database;
@ -336,7 +342,7 @@ class Forum extends Extension
{ {
global $config; global $config;
$userID = $user->id; $userID = $user->id;
$message = html_escape($_POST["message"]); $message = $_POST["message"];
$max_characters = $config->get_int('forumMaxCharsPerPost'); $max_characters = $config->get_int('forumMaxCharsPerPost');
$message = substr($message, 0, $max_characters); $message = substr($message, 0, $max_characters);

286
ext/forum/theme.php
View file

@ -4,6 +4,10 @@ declare(strict_types=1);
namespace Shimmie2; namespace Shimmie2;
use MicroHTML\HTMLElement;
use function MicroHTML\{INPUT, LABEL, SMALL, TEXTAREA, TR, TD, TABLE, TH, TBODY, THEAD, DIV, A, BR, emptyHTML, SUP, rawHTML};
class ForumTheme extends Themelet class ForumTheme extends Themelet
{ {
public function display_thread_list(Page $page, $threads, $showAdminOptions, $pageNumber, $totalPages) public function display_thread_list(Page $page, $threads, $showAdminOptions, $pageNumber, $totalPages)
@ -27,29 +31,41 @@ class ForumTheme extends Themelet
{ {
global $config, $user; global $config, $user;
$max_characters = $config->get_int('forumMaxCharsPerPost'); $max_characters = $config->get_int('forumMaxCharsPerPost');
$html = make_form(make_link("forum/create"));
$html = SHM_SIMPLE_FORM(
if (!is_null($threadTitle)) { "forum/create",
$threadTitle = html_escape($threadTitle); TABLE(
} ["style" => "width: 500px;"],
TR(
if (!is_null($threadText)) { TD("Title:"),
$threadText = html_escape($threadText); TD(INPUT(["type" => "text", "name" => "title", "value" => $threadTitle]))
} ),
TR(
$html .= " TD("Message:"),
<table style='width: 500px;'> TD(TEXTAREA(
<tr><td>Title:</td><td><input type='text' name='title' value='$threadTitle'></td></tr> ["id" => "message", "name" => "message"],
<tr><td>Message:</td><td><textarea id='message' name='message' >$threadText</textarea></td></tr> $threadText
<tr><td></td><td><small>Max characters alowed: $max_characters.</small></td></tr>"; ))
if ($user->can(Permissions::FORUM_ADMIN)) { ),
$html .= "<tr><td colspan='2'><label for='sticky'>Sticky:</label><input name='sticky' id='sticky' type='checkbox' value='Y' /></td></tr>"; TR(
} TD(),
$html .= "<tr><td colspan='2'><input type='submit' value='Submit' /></td></tr> TD(SMALL("Max characters allowed: $max_characters."))
</table> ),
</form> $user->can(Permissions::FORUM_ADMIN) ? TR(
"; TD(),
TD(
LABEL(["for" => "sticky"], "Sticky:"),
INPUT(["name" => "sticky", "id" => "sticky", "type" => "checkbox", "value" => "Y"])
)
) : null,
TR(
TD(
["colspan" => 2],
INPUT(["type" => "submit", "value" => "Submit"])
)
)
)
);
$blockTitle = "Write a new thread"; $blockTitle = "Write a new thread";
$page->set_title(html_escape($blockTitle)); $page->set_title(html_escape($blockTitle));
@ -65,20 +81,27 @@ class ForumTheme extends Themelet
$max_characters = $config->get_int('forumMaxCharsPerPost'); $max_characters = $config->get_int('forumMaxCharsPerPost');
$html = make_form(make_link("forum/answer")); $html = SHM_SIMPLE_FORM(
"forum/answer",
$html .= '<input type="hidden" name="threadID" value="'.$threadID.'" />'; INPUT(["type" => "hidden", "name" => "threadID", "value" => $threadID]),
TABLE(
$html .= " ["style" => "width: 500px;"],
<table style='width: 500px;'> TR(
<tr><td>Message:</td><td><textarea id='message' name='message' ></textarea> TD("Message:"),
<tr><td></td><td><small>Max characters alowed: $max_characters.</small></td></tr> TD(TEXTAREA(["id" => "message", "name" => "message"]))
</td></tr>"; ),
TR(
$html .= "<tr><td colspan='2'><input type='submit' value='Submit' /></td></tr> TD(),
</table> TD(SMALL("Max characters allowed: $max_characters."))
</form> ),
"; TR(
TD(
["colspan" => 2],
INPUT(["type" => "submit", "value" => "Submit"])
)
)
)
);
$blockTitle = "Answer to this thread"; $blockTitle = "Answer to this thread";
$page->add_block(new Block($blockTitle, $html, "main", 130)); $page->add_block(new Block($blockTitle, $html, "main", 130));
@ -94,68 +117,70 @@ class ForumTheme extends Themelet
$current_post = 0; $current_post = 0;
$html = $tbody = TBODY();
"<div id=returnLink>[<a href=".make_link("forum/index/").">Return</a>]</div><br><br>".
"<table id='threadPosts' class='zebra'>".
"<thead><tr>".
"<th id=threadHeadUser>User</th>".
"<th>Message</th>".
"</tr></thead>";
foreach ($posts as $post) { foreach ($posts as $post) {
$current_post++; $current_post++;
$message = $post["message"];
$message = send_event(new TextFormattingEvent($message))->formatted;
$message = str_replace('\n\r', '<br>', $message);
$message = str_replace('\r\n', '<br>', $message);
$message = str_replace('\n', '<br>', $message);
$message = str_replace('\r', '<br>', $message);
$message = stripslashes($message);
$userLink = "<a href='".make_link("user/".$post["user_name"]."")."'>".$post["user_name"]."</a>";
$poster = User::by_name($post["user_name"]);
$gravatar = $poster->get_avatar_html();
$rank = "<sup class='user_rank'>{$post["user_class"]}</sup>";
$postID = $post['id'];
//if($user->can(Permissions::FORUM_ADMIN)){
//$delete_link = "<a href=".make_link("forum/delete/".$threadID."/".$postID).">Delete</a>";
//} else {
//$delete_link = "";
//}
if ($showAdminOptions) {
$delete_link = "<a href=".make_link("forum/delete/".$threadID."/".$postID).">Delete</a>";
} else {
$delete_link = "";
}
$post_number = (($pageNumber - 1) * $posts_per_page) + $current_post; $post_number = (($pageNumber - 1) * $posts_per_page) + $current_post;
$html .= "<tr > $tbody->appendChild(
<tr class='postHead'> emptyHTML(
<td class='forumSupuser'></td> TR(
<td class='forumSupmessage'><div class=deleteLink>".$delete_link."</div></td> ["class" => "postHead"],
</tr> TD(["class" => "forumSupuser"]),
<tr class='posBody'> TD(
<td class='forumUser'>".$userLink."<br>".$rank."<br>".$gravatar."<br></td> ["class" => "forumSupmessage"],
<td class='forumMessage'> DIV(
<div class=postDate><small>".autodate($post['date'])."</small></div> ["class" => "deleteLink"],
<div class=postNumber> #".$post_number."</div> $showAdminOptions ? A(["href" => make_link("forum/delete/".$threadID."/".$post['id'])], "Delete") : null
<br> )
<div class=postMessage>".$message."</td> )
</tr> ),
<tr class='postFoot'> TR(
<td class='forumSubuser'></td> ["class" => "posBody"],
<td class='forumSubmessage'></td> TD(
</tr>"; ["class" => "forumUser"],
A(["href" => make_link("user/".$post["user_name"])], $post["user_name"]),
BR(),
SUP(["class" => "user_rank"], $post["user_class"]),
BR(),
rawHTML(User::by_name($post["user_name"])->get_avatar_html()),
BR()
),
TD(
["class" => "forumMessage"],
DIV(["class" => "postDate"], SMALL(rawHTML(autodate($post['date'])))),
DIV(["class" => "postNumber"], " #".$post_number),
BR(),
DIV(["class" => "postMessage"], rawHTML(send_event(new TextFormattingEvent($post["message"]))->formatted))
)
),
TR(
["class" => "postFoot"],
TD(["class" => "forumSubuser"]),
TD(["class" => "forumSubmessage"])
)
)
);
} }
$html .= "</tbody></table>"; $html = emptyHTML(
DIV(
["id" => "returnLink"],
A(["href" => make_link("forum/index/")], "Return")
),
BR(),
BR(),
TABLE(
["id" => "threadPosts", "class" => "zebra"],
THEAD(
TR(
TH(["id" => "threadHeadUser"], "User"),
TH("Message")
)
),
$tbody
)
);
$this->display_paginator($page, "forum/view/".$threadID, null, $pageNumber, $totalPages); $this->display_paginator($page, "forum/view/".$threadID, null, $pageNumber, $totalPages);
@ -164,37 +189,32 @@ class ForumTheme extends Themelet
$page->add_block(new Block($threadTitle, $html, "main", 20)); $page->add_block(new Block($threadTitle, $html, "main", 20));
} }
public function add_actions_block(Page $page, $threadID) public function add_actions_block(Page $page, $threadID)
{ {
$html = '<a href="'.make_link("forum/nuke/".$threadID).'">Delete this thread and its posts.</a>'; $html = A(["href" => make_link("forum/nuke/".$threadID)], "Delete this thread and its posts.");
$page->add_block(new Block("Admin Actions", $html, "main", 140)); $page->add_block(new Block("Admin Actions", $html, "main", 140));
} }
private function make_thread_list($threads, $showAdminOptions): HTMLElement
private function make_thread_list($threads, $showAdminOptions): string
{ {
$html = "<table id='threadList' class='zebra'>".
"<thead><tr>".
"<th>Title</th>".
"<th>Author</th>".
"<th>Updated</th>".
"<th>Responses</th>";
if ($showAdminOptions) {
$html .= "<th>Actions</th>";
}
$html .= "</tr></thead><tbody>";
$current_post = 0;
foreach ($threads as $thread) {
$oe = ($current_post++ % 2 == 0) ? "even" : "odd";
global $config; global $config;
$tbody = TBODY();
$html = TABLE(
["id" => "threadList", "class" => "zebra"],
THEAD(
TR(
TH("Title"),
TH("Author"),
TH("Updated"),
TH("Responses"),
$showAdminOptions ? TH("Actions") : null
)
),
$tbody
);
foreach ($threads as $thread) {
$titleSubString = $config->get_int('forumTitleSubString'); $titleSubString = $config->get_int('forumTitleSubString');
if ($titleSubString < strlen($thread["title"])) { if ($titleSubString < strlen($thread["title"])) {
@ -204,27 +224,23 @@ class ForumTheme extends Themelet
$title = $thread["title"]; $title = $thread["title"];
} }
if (bool_escape($thread["sticky"])) { $tbody->appendChild(
$sticky = "Sticky: "; TR(
} else { TD(
$sticky = ""; ["class" => "left"],
bool_escape($thread["sticky"]) ? "Sticky: " : "",
A(["href" => make_link("forum/view/".$thread["id"])], $title)
),
TD(
A(["href" => make_link("user/".$thread["user_name"])], $thread["user_name"])
),
TD(rawHTML(autodate($thread["uptodate"]))),
TD($thread["response_count"]),
$showAdminOptions ? TD(A(["href" => make_link("forum/nuke/".$thread["id"])], "Delete")) : null
)
);
} }
$html .= "<tr class='$oe'>".
'<td class="left">'.$sticky.'<a href="'.make_link("forum/view/".$thread["id"]).'">'.$title."</a></td>".
'<td><a href="'.make_link("user/".$thread["user_name"]).'">'.$thread["user_name"]."</a></td>".
"<td>".autodate($thread["uptodate"])."</td>".
"<td>".$thread["response_count"]."</td>";
if ($showAdminOptions) {
$html .= '<td><a href="'.make_link("forum/nuke/".$thread["id"]).'" title="Delete '.$title.'">Delete</a></td>';
}
$html .= "</tr>";
}
$html .= "</tbody></table>";
return $html; return $html;
} }
} }