php functions for escaping
authorcommunity.cacert.org <community.cacert.org@d4452222-2f33-11de-9270-010000000000>
Wed, 27 May 2009 07:14:23 +0000 (07:14 +0000)
committercommunity.cacert.org <community.cacert.org@d4452222-2f33-11de-9270-010000000000>
Wed, 27 May 2009 07:14:23 +0000 (07:14 +0000)
git-svn-id: http://svn.cacert.cl/Software/Voting/vote@42 d4452222-2f33-11de-9270-010000000000

motion.php
motions.php

index 4672cf7..71fe4b7 100644 (file)
        }
        $db->getStatement("stats")->execute();
        $stats = $db->getStatement("stats")->fetch();
-       function htmlesc($string) {
-               $string = preg_replace('/&/',"&amp;",$string);
-               $string = preg_replace('/</',"&lt;",$string);
-               $string = preg_replace('/>/',"&gt;",$string);
-               echo $string;
-       }
 ?>
 <html>
        <head>
@@ -179,11 +173,11 @@ BODY;
                                }
                        ?>
                <table>
-                       <tr><td>ID:</td><td><?php htmlesc($motion['tag']); ?></td></tr>
-                       <tr><td>Proponent:</td><td><?php htmlesc($motion['proposer']); ?><input type="hidden" name="proponent" value="<?php htmlesc($user['id']); ?>"></td></tr>
-                       <tr><td>Proposed:</td><td><?php htmlesc($motion['proposed']); ?> UTC</td></tr>
-                       <tr><td>Title:</td><td><input name="title" value="<?php htmlesc($motion['title'])?>"></td></tr>
-                       <tr><td>Text:</td><td><textarea name="content"><?php htmlesc($motion['content'])?></textarea></td></tr>
+                       <tr><td>ID:</td><td><?php echo htmlentities($motion['tag']); ?></td></tr>
+                       <tr><td>Proponent:</td><td><?php echo htmlentities($motion['proposer']); ?><input type="hidden" name="proponent" value="<?php echo htmlentities($user['id']); ?>"></td></tr>
+                       <tr><td>Proposed:</td><td><?php echo htmlentities($motion['proposed']); ?> UTC</td></tr>
+                       <tr><td>Title:</td><td><input name="title" value="<?php echo htmlentities($motion['title'])?>"></td></tr>
+                       <tr><td>Text:</td><td><textarea name="content"><?php echo htmlspecialchars($motion['content'])?></textarea></td></tr>
                        <tr><td>Quorum:</td><td><select name="quorum">
                                <option value="<?php echo(ceil($stats["voters"])); ?>" <?php if($motion['quorum'] == $stats["voters"]) { echo(" selected=\"selected\""); } ?>>100% Votes (<?php echo($stats["voters"]); ?>)</option>
                                <option value="<?php echo(ceil($stats["voters"] / 2)); ?>" <?php if($motion['quorum'] == ceil($stats["voters"] / 2)) { echo(" selected=\"selected\""); } ?>>50% Votes (<?php echo(ceil($stats["voters"] / 2)); ?>)</option>
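Review bot: The new `htmlentities()`/`htmlspecialchars()` calls on the ID, Proponent, Proposed, Title and Text lines rely on the default flags and charset, so what they emit depends on the PHP version: before 5.4 the default charset is ISO-8859-1, under which `htmlentities()` turns each byte of a multibyte UTF-8 character into a separate Latin-1 entity, and from 5.4 on an input with an invalid byte sequence comes back as an empty string. Passing both explicitly, e.g. `echo htmlspecialchars($motion['title'], ENT_QUOTES, 'UTF-8');`, makes the output the same on every version, also escapes single quotes (the default ENT_COMPAT leaves them alone), and since `htmlspecialchars()` suffices for every spot here the mix with `htmlentities()` can go. The same applies to the two replaced lines in motions.php. Separately, the hidden `proponent` field still carries `$user['id']` from the client; whether the handler re-derives the proposer from the session instead of trusting that field is not visible in this hunk.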
index a4df212..fe91f39 100644 (file)
@@ -40,8 +40,8 @@
                                                </td>
                                                <td>
                                                <i><a href="motions.php?id=<?php echo $row['tag'].'">'.$row['tag']; ?></a></i><br/>
-                                               <b><?php echo $row['title']; ?></b><br/>
-                                               <pre><?php echo $row['content']; ?></pre>
+                                               <b><?php echo htmlentities($row['title']); ?></b><br/>
+                                               <pre><?php echo htmlspecialchars($row['content']); ?></pre>
                                                <br/>
                                                <i>Due: <?php echo($row['due']); ?> UTC</i><br/>
                                                <i>Proposed: <?php echo($row['proposer']); ?> (<?php echo($row['proposed']); ?> UTC)</i><br/>
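Review bot: The escaping added for `title` and `content` stops short of the other row fields printed in the same hunk: `$row['tag']` on the link line is echoed raw into both the `href` query string and the link text, and `$row['proposer']`, `$row['due']` and `$row['proposed']` on the last two lines are echoed raw as well, so a proposer name or tag containing `"` or `<` still reaches the page unescaped. The link line also closes the attribute inside the PHP string (`'">'`), which blurs the two contexts; `<i><a href="motions.php?id=<?php echo rawurlencode($row['tag']); ?>"><?php echo htmlspecialchars($row['tag']); ?></a></i><br/>` keeps URL and HTML escaping separate, and the two trailing lines want the same `htmlspecialchars()` wrap as `title`. Whether `tag` is server-generated or user-supplied is not visible here; escaping it on output costs nothing either way.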