[forum] use microhtml, avoid double-escaping text, fixes #835

This commit is contained in:
Shish 2024-01-04 16:08:53 +00:00
parent 889f595076
commit 53152bf9f0
2 changed files with 186 additions and 164 deletions

View file

@ -111,10 +111,10 @@ class Forum extends Extension
case "view":
$threadID = int_escape($event->get_arg(1));
// $pageNumber = int_escape($event->get_arg(2));
list($errors) = $this->sanity_check_viewed_thread($threadID);
$errors = $this->sanity_check_viewed_thread($threadID);
if ($errors != null) {
$this->theme->display_error(500, "Error", $errors);
if (count($errors) > 0) {
$this->theme->display_error(500, "Error", implode("<br>", $errors));
break;
}
@ -133,10 +133,10 @@ class Forum extends Extension
case "create":
$redirectTo = "forum/index";
if (!$user->is_anonymous()) {
list($errors) = $this->sanity_check_new_thread();
$errors = $this->sanity_check_new_thread();
if ($errors != null) {
$this->theme->display_error(500, "Error", $errors);
if (count($errors) > 0) {
$this->theme->display_error(500, "Error", implode("<br>", $errors));
break;
}
@ -174,10 +174,10 @@ class Forum extends Extension
$threadID = int_escape($_POST["threadID"]);
$total_pages = $this->get_total_pages_for_thread($threadID);
if (!$user->is_anonymous()) {
list($errors) = $this->sanity_check_new_post();
$errors = $this->sanity_check_new_post();
if ($errors != null) {
$this->theme->display_error(500, "Error", $errors);
if (count($errors) > 0) {
$this->theme->display_error(500, "Error", implode("<br>", $errors));
break;
}
$this->save_new_post($threadID, $user);
@ -197,63 +197,69 @@ class Forum extends Extension
private function get_total_pages_for_thread(int $threadID): int
{
global $database, $config;
$result = $database->get_row("SELECT COUNT(1) AS count FROM forum_posts WHERE thread_id = :thread_id", ['thread_id' => $threadID]);
$result = $database->get_row("
SELECT COUNT(1) AS count
FROM forum_posts
WHERE thread_id = :thread_id
", ['thread_id' => $threadID]);
return (int)ceil($result["count"] / $config->get_int("forumPostsPerPage"));
}
private function sanity_check_new_thread(): array
{
$errors = null;
$errors = [];
if (!array_key_exists("title", $_POST)) {
$errors .= "<div id='error'>No title supplied.</div>";
$errors[] = "No title supplied.";
} elseif (strlen($_POST["title"]) == 0) {
$errors .= "<div id='error'>You cannot have an empty title.</div>";
} elseif (strlen(html_escape($_POST["title"])) > 255) {
$errors .= "<div id='error'>Your title is too long.</div>";
$errors[] = "You cannot have an empty title.";
} elseif (strlen($_POST["title"]) > 255) {
$errors[] = "Your title is too long.";
}
if (!array_key_exists("message", $_POST)) {
$errors .= "<div id='error'>No message supplied.</div>";
$errors[] = "No message supplied.";
} elseif (strlen($_POST["message"]) == 0) {
$errors .= "<div id='error'>You cannot have an empty message.</div>";
$errors[] = "You cannot have an empty message.";
}
return [$errors];
return $errors;
}
private function sanity_check_new_post(): array
{
$errors = null;
$errors = [];
if (!array_key_exists("threadID", $_POST)) {
$errors = "<div id='error'>No thread ID supplied.</div>";
$errors[] = "No thread ID supplied.";
} elseif (strlen($_POST["threadID"]) == 0) {
$errors = "<div id='error'>No thread ID supplied.</div>";
$errors[] = "No thread ID supplied.";
} elseif (is_numeric($_POST["threadID"])) {
if (!array_key_exists("message", $_POST)) {
$errors .= "<div id='error'>No message supplied.</div>";
$errors[] = "No message supplied.";
} elseif (strlen($_POST["message"]) == 0) {
$errors .= "<div id='error'>You cannot have an empty message.</div>";
$errors[] = "You cannot have an empty message.";
}
}
return [$errors];
return $errors;
}
/**
* @return string[]
*/
private function sanity_check_viewed_thread(int $threadID): array
{
$errors = null;
$errors = [];
if (!$this->threadExists($threadID)) {
$errors = "<div id='error'>Inexistent thread.</div>";
$errors[] = "Inexistent thread.";
}
return [$errors];
return $errors;
}
private function get_thread_title(int $threadID): string
{
global $database;
$result = $database->get_row("SELECT t.title FROM forum_threads AS t WHERE t.id = :id ", ['id' => $threadID]);
return $result["title"];
return $database->get_one("SELECT t.title FROM forum_threads AS t WHERE t.id = :id ", ['id' => $threadID]);
}
private function show_last_threads(Page $page, PageRequestEvent $event, bool $showAdminOptions = false): void
@ -312,7 +318,7 @@ class Forum extends Extension
private function save_new_thread(User $user): int
{
$title = html_escape($_POST["title"]);
$title = $_POST["title"];
$sticky = !empty($_POST["sticky"]);
global $database;
@ -336,7 +342,7 @@ class Forum extends Extension
{
global $config;
$userID = $user->id;
$message = html_escape($_POST["message"]);
$message = $_POST["message"];
$max_characters = $config->get_int('forumMaxCharsPerPost');
$message = substr($message, 0, $max_characters);

View file

@ -4,6 +4,10 @@ declare(strict_types=1);
namespace Shimmie2;
use MicroHTML\HTMLElement;
use function MicroHTML\{INPUT, LABEL, SMALL, TEXTAREA, TR, TD, TABLE, TH, TBODY, THEAD, DIV, A, BR, emptyHTML, SUP, rawHTML};
class ForumTheme extends Themelet
{
public function display_thread_list(Page $page, $threads, $showAdminOptions, $pageNumber, $totalPages)
@ -27,29 +31,41 @@ class ForumTheme extends Themelet
{
global $config, $user;
$max_characters = $config->get_int('forumMaxCharsPerPost');
$html = make_form(make_link("forum/create"));
if (!is_null($threadTitle)) {
$threadTitle = html_escape($threadTitle);
}
if (!is_null($threadText)) {
$threadText = html_escape($threadText);
}
$html .= "
<table style='width: 500px;'>
<tr><td>Title:</td><td><input type='text' name='title' value='$threadTitle'></td></tr>
<tr><td>Message:</td><td><textarea id='message' name='message' >$threadText</textarea></td></tr>
<tr><td></td><td><small>Max characters alowed: $max_characters.</small></td></tr>";
if ($user->can(Permissions::FORUM_ADMIN)) {
$html .= "<tr><td colspan='2'><label for='sticky'>Sticky:</label><input name='sticky' id='sticky' type='checkbox' value='Y' /></td></tr>";
}
$html .= "<tr><td colspan='2'><input type='submit' value='Submit' /></td></tr>
</table>
</form>
";
$html = SHM_SIMPLE_FORM(
"forum/create",
TABLE(
["style" => "width: 500px;"],
TR(
TD("Title:"),
TD(INPUT(["type" => "text", "name" => "title", "value" => $threadTitle]))
),
TR(
TD("Message:"),
TD(TEXTAREA(
["id" => "message", "name" => "message"],
$threadText
))
),
TR(
TD(),
TD(SMALL("Max characters allowed: $max_characters."))
),
$user->can(Permissions::FORUM_ADMIN) ? TR(
TD(),
TD(
LABEL(["for" => "sticky"], "Sticky:"),
INPUT(["name" => "sticky", "id" => "sticky", "type" => "checkbox", "value" => "Y"])
)
) : null,
TR(
TD(
["colspan" => 2],
INPUT(["type" => "submit", "value" => "Submit"])
)
)
)
);
$blockTitle = "Write a new thread";
$page->set_title(html_escape($blockTitle));
@ -65,20 +81,27 @@ class ForumTheme extends Themelet
$max_characters = $config->get_int('forumMaxCharsPerPost');
$html = make_form(make_link("forum/answer"));
$html .= '<input type="hidden" name="threadID" value="'.$threadID.'" />';
$html .= "
<table style='width: 500px;'>
<tr><td>Message:</td><td><textarea id='message' name='message' ></textarea>
<tr><td></td><td><small>Max characters alowed: $max_characters.</small></td></tr>
</td></tr>";
$html .= "<tr><td colspan='2'><input type='submit' value='Submit' /></td></tr>
</table>
</form>
";
$html = SHM_SIMPLE_FORM(
"forum/answer",
INPUT(["type" => "hidden", "name" => "threadID", "value" => $threadID]),
TABLE(
["style" => "width: 500px;"],
TR(
TD("Message:"),
TD(TEXTAREA(["id" => "message", "name" => "message"]))
),
TR(
TD(),
TD(SMALL("Max characters allowed: $max_characters."))
),
TR(
TD(
["colspan" => 2],
INPUT(["type" => "submit", "value" => "Submit"])
)
)
)
);
$blockTitle = "Answer to this thread";
$page->add_block(new Block($blockTitle, $html, "main", 130));
@ -94,68 +117,70 @@ class ForumTheme extends Themelet
$current_post = 0;
$html =
"<div id=returnLink>[<a href=".make_link("forum/index/").">Return</a>]</div><br><br>".
"<table id='threadPosts' class='zebra'>".
"<thead><tr>".
"<th id=threadHeadUser>User</th>".
"<th>Message</th>".
"</tr></thead>";
$tbody = TBODY();
foreach ($posts as $post) {
$current_post++;
$message = $post["message"];
$message = send_event(new TextFormattingEvent($message))->formatted;
$message = str_replace('\n\r', '<br>', $message);
$message = str_replace('\r\n', '<br>', $message);
$message = str_replace('\n', '<br>', $message);
$message = str_replace('\r', '<br>', $message);
$message = stripslashes($message);
$userLink = "<a href='".make_link("user/".$post["user_name"]."")."'>".$post["user_name"]."</a>";
$poster = User::by_name($post["user_name"]);
$gravatar = $poster->get_avatar_html();
$rank = "<sup class='user_rank'>{$post["user_class"]}</sup>";
$postID = $post['id'];
//if($user->can(Permissions::FORUM_ADMIN)){
//$delete_link = "<a href=".make_link("forum/delete/".$threadID."/".$postID).">Delete</a>";
//} else {
//$delete_link = "";
//}
if ($showAdminOptions) {
$delete_link = "<a href=".make_link("forum/delete/".$threadID."/".$postID).">Delete</a>";
} else {
$delete_link = "";
}
$post_number = (($pageNumber - 1) * $posts_per_page) + $current_post;
$html .= "<tr >
<tr class='postHead'>
<td class='forumSupuser'></td>
<td class='forumSupmessage'><div class=deleteLink>".$delete_link."</div></td>
</tr>
<tr class='posBody'>
<td class='forumUser'>".$userLink."<br>".$rank."<br>".$gravatar."<br></td>
<td class='forumMessage'>
<div class=postDate><small>".autodate($post['date'])."</small></div>
<div class=postNumber> #".$post_number."</div>
<br>
<div class=postMessage>".$message."</td>
</tr>
<tr class='postFoot'>
<td class='forumSubuser'></td>
<td class='forumSubmessage'></td>
</tr>";
$tbody->appendChild(
emptyHTML(
TR(
["class" => "postHead"],
TD(["class" => "forumSupuser"]),
TD(
["class" => "forumSupmessage"],
DIV(
["class" => "deleteLink"],
$showAdminOptions ? A(["href" => make_link("forum/delete/".$threadID."/".$post['id'])], "Delete") : null
)
)
),
TR(
["class" => "posBody"],
TD(
["class" => "forumUser"],
A(["href" => make_link("user/".$post["user_name"])], $post["user_name"]),
BR(),
SUP(["class" => "user_rank"], $post["user_class"]),
BR(),
rawHTML(User::by_name($post["user_name"])->get_avatar_html()),
BR()
),
TD(
["class" => "forumMessage"],
DIV(["class" => "postDate"], SMALL(rawHTML(autodate($post['date'])))),
DIV(["class" => "postNumber"], " #".$post_number),
BR(),
DIV(["class" => "postMessage"], rawHTML(send_event(new TextFormattingEvent($post["message"]))->formatted))
)
),
TR(
["class" => "postFoot"],
TD(["class" => "forumSubuser"]),
TD(["class" => "forumSubmessage"])
)
)
);
}
$html .= "</tbody></table>";
$html = emptyHTML(
DIV(
["id" => "returnLink"],
A(["href" => make_link("forum/index/")], "Return")
),
BR(),
BR(),
TABLE(
["id" => "threadPosts", "class" => "zebra"],
THEAD(
TR(
TH(["id" => "threadHeadUser"], "User"),
TH("Message")
)
),
$tbody
)
);
$this->display_paginator($page, "forum/view/".$threadID, null, $pageNumber, $totalPages);
@ -164,37 +189,32 @@ class ForumTheme extends Themelet
$page->add_block(new Block($threadTitle, $html, "main", 20));
}
public function add_actions_block(Page $page, $threadID)
{
$html = '<a href="'.make_link("forum/nuke/".$threadID).'">Delete this thread and its posts.</a>';
$html = A(["href" => make_link("forum/nuke/".$threadID)], "Delete this thread and its posts.");
$page->add_block(new Block("Admin Actions", $html, "main", 140));
}
private function make_thread_list($threads, $showAdminOptions): string
private function make_thread_list($threads, $showAdminOptions): HTMLElement
{
$html = "<table id='threadList' class='zebra'>".
"<thead><tr>".
"<th>Title</th>".
"<th>Author</th>".
"<th>Updated</th>".
"<th>Responses</th>";
if ($showAdminOptions) {
$html .= "<th>Actions</th>";
}
$html .= "</tr></thead><tbody>";
$current_post = 0;
foreach ($threads as $thread) {
$oe = ($current_post++ % 2 == 0) ? "even" : "odd";
global $config;
$tbody = TBODY();
$html = TABLE(
["id" => "threadList", "class" => "zebra"],
THEAD(
TR(
TH("Title"),
TH("Author"),
TH("Updated"),
TH("Responses"),
$showAdminOptions ? TH("Actions") : null
)
),
$tbody
);
foreach ($threads as $thread) {
$titleSubString = $config->get_int('forumTitleSubString');
if ($titleSubString < strlen($thread["title"])) {
@ -204,27 +224,23 @@ class ForumTheme extends Themelet
$title = $thread["title"];
}
if (bool_escape($thread["sticky"])) {
$sticky = "Sticky: ";
} else {
$sticky = "";
$tbody->appendChild(
TR(
TD(
["class" => "left"],
bool_escape($thread["sticky"]) ? "Sticky: " : "",
A(["href" => make_link("forum/view/".$thread["id"])], $title)
),
TD(
A(["href" => make_link("user/".$thread["user_name"])], $thread["user_name"])
),
TD(rawHTML(autodate($thread["uptodate"]))),
TD($thread["response_count"]),
$showAdminOptions ? TD(A(["href" => make_link("forum/nuke/".$thread["id"])], "Delete")) : null
)
);
}
$html .= "<tr class='$oe'>".
'<td class="left">'.$sticky.'<a href="'.make_link("forum/view/".$thread["id"]).'">'.$title."</a></td>".
'<td><a href="'.make_link("user/".$thread["user_name"]).'">'.$thread["user_name"]."</a></td>".
"<td>".autodate($thread["uptodate"])."</td>".
"<td>".$thread["response_count"]."</td>";
if ($showAdminOptions) {
$html .= '<td><a href="'.make_link("forum/nuke/".$thread["id"]).'" title="Delete '.$title.'">Delete</a></td>';
}
$html .= "</tr>";
}
$html .= "</tbody></table>";
return $html;
}
}