diff options
| author | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
|---|---|---|
| committer | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
| commit | 9dfba1e70866fb2bb551678f6e04b8ddfd5467e1 (patch) | |
| tree | 81f4731ae7b2fa902226f084480e26411ac3ad71 | |
| parent | 00586f1e8ada8f5baa6e3013525862dccac77b4a (diff) | |
| download | fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.tar.gz fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.tar.bz2 fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.zip | |
Fixed HTML Entites problem
When the poll escaping problem was fixed, a whole ton of other similar bugs were found which were also fixed here. Fixes #115
| -rw-r--r-- | admin/drafts.php | 2 | ||||
| -rw-r--r-- | admin/editLink.php | 4 | ||||
| -rw-r--r-- | admin/editPoll.php | 30 | ||||
| -rw-r--r-- | admin/editPost.php | 4 | ||||
| -rw-r--r-- | admin/links.php | 2 | ||||
| -rw-r--r-- | admin/newLink.php | 2 | ||||
| -rw-r--r-- | admin/newPoll.php | 19 | ||||
| -rw-r--r-- | admin/newPost.php | 2 | ||||
| -rw-r--r-- | admin/pending.php | 2 | ||||
| -rw-r--r-- | admin/polls.php | 2 | ||||
| -rw-r--r-- | admin/posts.php | 2 | ||||
| -rwxr-xr-x | includes/footer.php | 8 | ||||
| -rwxr-xr-x | includes/functions.php | 12 | ||||
| -rwxr-xr-x | includes/header.php | 4 | ||||
| -rwxr-xr-x | pages/blog.php | 10 | ||||
| -rwxr-xr-x | pages/poll.php | 4 | ||||
| -rwxr-xr-x | pages/welcome.php | 2 |
17 files changed, 59 insertions, 52 deletions
| diff --git a/admin/drafts.php b/admin/drafts.php index 22d8a09..5f7be1a 100644 --- a/admin/drafts.php +++ b/admin/drafts.php | |||
| @@ -82,7 +82,7 @@ foreach ($pager->getPageData() as $post) | |||
| 82 | { | 82 | { |
| 83 | if (!empty($post)) | 83 | if (!empty($post)) |
| 84 | { | 84 | { |
| 85 | $template->adds_block('POST', array( 'TITLE' => $post['title'], | 85 | $template->adds_block('POST', array( 'TITLE' => htmlentities($post['title']), |
| 86 | 'AUTHOR' => $post['author'], | 86 | 'AUTHOR' => $post['author'], |
| 87 | 'ID' => $post['id'], | 87 | 'ID' => $post['id'], |
| 88 | 'CODED' => $post['slug'], | 88 | 'CODED' => $post['slug'], |
| diff --git a/admin/editLink.php b/admin/editLink.php index fe4fb66..f3ba9cc 100644 --- a/admin/editLink.php +++ b/admin/editLink.php | |||
| @@ -74,10 +74,10 @@ if (isset($_GET['submit'])) | |||
| 74 | $template->adds_block('FLASH', array('TEXT' => 'Your link has been sucessfully edited.')); | 74 | $template->adds_block('FLASH', array('TEXT' => 'Your link has been sucessfully edited.')); |
| 75 | } | 75 | } |
| 76 | 76 | ||
| 77 | $template->add('TITLEVALUE', $_POST['title']); | 77 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 78 | $template->add('URLVALUE', $_POST['url']); | 78 | $template->add('URLVALUE', $_POST['url']); |
| 79 | } else { | 79 | } else { |
| 80 | $template->add('TITLEVALUE', $getlink3['title']); | 80 | $template->add('TITLEVALUE', htmlentities($getlink3['title'])); |
| 81 | $template->add('URLVALUE', $getlink3['url']); | 81 | $template->add('URLVALUE', $getlink3['url']); |
| 82 | } | 82 | } |
| 83 | 83 | ||
| diff --git a/admin/editPoll.php b/admin/editPoll.php index 3a154a3..425f33c 100644 --- a/admin/editPoll.php +++ b/admin/editPoll.php | |||
| @@ -81,21 +81,21 @@ if (isset($_GET['submit'])) | |||
| 81 | $getpoll2 = mysql_query($getpoll); | 81 | $getpoll2 = mysql_query($getpoll); |
| 82 | $getpoll3 = mysql_fetch_array($getpoll2); | 82 | $getpoll3 = mysql_fetch_array($getpoll2); |
| 83 | 83 | ||
| 84 | $template->add('QUESTIONVALUE', $_POST['question']); | 84 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); |
| 85 | $template->add('OPTION1VALUE', $_POST['option1']); | 85 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); |
| 86 | $template->add('OPTION2VALUE', $_POST['option2']); | 86 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); |
| 87 | $template->add('OPTION3VALUE', $_POST['option3']); | 87 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); |
| 88 | $template->add('OPTION4VALUE', $_POST['option4']); | 88 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); |
| 89 | $template->add('TEXTVALUE', $_POST['text']); | 89 | $template->add('TEXTVALUE', $_POST['text']); |
| 90 | } else { | 90 | } else { |
| 91 | $inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id']; | 91 | $inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id']; |
| 92 | $inspoll2 = mysql_query($inspoll); | 92 | $inspoll2 = mysql_query($inspoll); |
| 93 | 93 | ||
| 94 | $template->add('QUESTIONVALUE', $_POST['question']); | 94 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); |
| 95 | $template->add('OPTION1VALUE', $_POST['option1']); | 95 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); |
| 96 | $template->add('OPTION2VALUE', $_POST['option2']); | 96 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); |
| 97 | $template->add('OPTION3VALUE', $_POST['option3']); | 97 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); |
| 98 | $template->add('OPTION4VALUE', $_POST['option4']); | 98 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); |
| 99 | $template->add('TEXTVALUE', $_POST['text']); | 99 | $template->add('TEXTVALUE', $_POST['text']); |
| 100 | 100 | ||
| 101 | $template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.')); | 101 | $template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.')); |
| @@ -105,11 +105,11 @@ if (isset($_GET['submit'])) | |||
| 105 | $getpoll2 = mysql_query($getpoll); | 105 | $getpoll2 = mysql_query($getpoll); |
| 106 | $getpoll3 = mysql_fetch_array($getpoll2); | 106 | $getpoll3 = mysql_fetch_array($getpoll2); |
| 107 | 107 | ||
| 108 | $template->add('QUESTIONVALUE', $getpoll3['question']); | 108 | $template->add('QUESTIONVALUE', htmlentities($getpoll3['question'])); |
| 109 | $template->add('OPTION1VALUE', $getpoll3['option1']); | 109 | $template->add('OPTION1VALUE', htmlentities($getpoll3['option1'])); |
| 110 | $template->add('OPTION2VALUE', $getpoll3['option2']); | 110 | $template->add('OPTION2VALUE', htmlentities($getpoll3['option2'])); |
| 111 | $template->add('OPTION3VALUE', $getpoll3['option3']); | 111 | $template->add('OPTION3VALUE', htmlentities($getpoll3['option3'])); |
| 112 | $template->add('OPTION4VALUE', $getpoll3['option4']); | 112 | $template->add('OPTION4VALUE', htmlentities($getpoll3['option4'])); |
| 113 | $template->add('TEXTVALUE', $getpoll3['text']); | 113 | $template->add('TEXTVALUE', $getpoll3['text']); |
| 114 | } | 114 | } |
| 115 | 115 | ||
| diff --git a/admin/editPost.php b/admin/editPost.php index b01d1e2..b87f895 100644 --- a/admin/editPost.php +++ b/admin/editPost.php | |||
| @@ -201,13 +201,13 @@ if (!isset($_GET['type']) || !isset($_GET['id']) || !is_numeric($_GET['id'])) | |||
| 201 | $template->add('ACTION', '/admin/editPost.php?type=' . $type . '&id=' . $id . '&submit='); | 201 | $template->add('ACTION', '/admin/editPost.php?type=' . $type . '&id=' . $id . '&submit='); |
| 202 | } | 202 | } |
| 203 | 203 | ||
| 204 | $template->add('TITLEVALUE', $_POST['title']); | 204 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 205 | $template->add('TEXTVALUE', $_POST['text']); | 205 | $template->add('TEXTVALUE', $_POST['text']); |
| 206 | $template->add('TAGSVALUE', $_POST['tags']); | 206 | $template->add('TAGSVALUE', $_POST['tags']); |
| 207 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); | 207 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); |
| 208 | if ($_POST['type'] != 'draft') $template->add('TAGSDISABLED', ' readonly="readonly"'); | 208 | if ($_POST['type'] != 'draft') $template->add('TAGSDISABLED', ' readonly="readonly"'); |
| 209 | } else { | 209 | } else { |
| 210 | $template->add('TITLEVALUE', $getpost3['title']); | 210 | $template->add('TITLEVALUE', htmlentities($getpost3['title'])); |
| 211 | $template->add('TEXTVALUE', $getpost3['text']); | 211 | $template->add('TEXTVALUE', $getpost3['text']); |
| 212 | $template->add('TAGSVALUE', implode(',', getTags($_GET['id'], $tableToTags[$_GET['type']]))); | 212 | $template->add('TAGSVALUE', implode(',', getTags($_GET['id'], $tableToTags[$_GET['type']]))); |
| 213 | $template->add(strtoupper($tableToForm[$_GET['type']]) . 'SELECTED', ' checked="checked"'); | 213 | $template->add(strtoupper($tableToForm[$_GET['type']]) . 'SELECTED', ' checked="checked"'); |
| diff --git a/admin/links.php b/admin/links.php index d1ab878..fc1c813 100644 --- a/admin/links.php +++ b/admin/links.php | |||
| @@ -97,7 +97,7 @@ foreach ($pager->getPageData() as $link) | |||
| 97 | { | 97 | { |
| 98 | if (!empty($link)) | 98 | if (!empty($link)) |
| 99 | { | 99 | { |
| 100 | $template->adds_block('LINK', array( 'TITLE' => $link['title'], | 100 | $template->adds_block('LINK', array( 'TITLE' => htmlentities($link['title']), |
| 101 | 'URL' => $link['url'], | 101 | 'URL' => $link['url'], |
| 102 | 'ID' => $link['id'], | 102 | 'ID' => $link['id'], |
| 103 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); | 103 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); |
| diff --git a/admin/newLink.php b/admin/newLink.php index 3f6b42c..90313bd 100644 --- a/admin/newLink.php +++ b/admin/newLink.php | |||
| @@ -80,7 +80,7 @@ if (isset($_GET['submit'])) | |||
| 80 | $template->add('TYPEDISABLED', ' readonly="readonly"'); | 80 | $template->add('TYPEDISABLED', ' readonly="readonly"'); |
| 81 | } | 81 | } |
| 82 | 82 | ||
| 83 | $template->add('TITLEVALUE', $_POST['title']); | 83 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 84 | $template->add('URLVALUE', $_POST['url']); | 84 | $template->add('URLVALUE', $_POST['url']); |
| 85 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); | 85 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); |
| 86 | } else { | 86 | } else { |
| diff --git a/admin/newPoll.php b/admin/newPoll.php index c924cd9..d105f45 100644 --- a/admin/newPoll.php +++ b/admin/newPoll.php | |||
| @@ -77,6 +77,13 @@ if (isset($_GET['submit'])) | |||
| 77 | 77 | ||
| 78 | $template->add('TITLE', 'New Poll'); | 78 | $template->add('TITLE', 'New Poll'); |
| 79 | $template->add('ACTION', '/admin/newPoll.php?submit='); | 79 | $template->add('ACTION', '/admin/newPoll.php?submit='); |
| 80 | |||
| 81 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); | ||
| 82 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); | ||
| 83 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); | ||
| 84 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); | ||
| 85 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); | ||
| 86 | $template->add('TEXTVALUE', htmlentities($_POST['text'])); | ||
| 80 | } else { | 87 | } else { |
| 81 | $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4,text) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . mysql_real_escape_string($_POST['option1']) . "\",\"" . mysql_real_escape_string($_POST['option2']) . "\",\"" . mysql_real_escape_string($_POST['option3']) . "\",\"" . mysql_real_escape_string($_POST['option4']) . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")"; | 88 | $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4,text) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . mysql_real_escape_string($_POST['option1']) . "\",\"" . mysql_real_escape_string($_POST['option2']) . "\",\"" . mysql_real_escape_string($_POST['option3']) . "\",\"" . mysql_real_escape_string($_POST['option4']) . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")"; |
| 82 | $inspoll2 = mysql_query($inspoll); | 89 | $inspoll2 = mysql_query($inspoll); |
| @@ -86,12 +93,12 @@ if (isset($_GET['submit'])) | |||
| 86 | $cleardid = "TRUNCATE TABLE didpollalready"; | 93 | $cleardid = "TRUNCATE TABLE didpollalready"; |
| 87 | $cleardid2 = mysql_query($cleardid); | 94 | $cleardid2 = mysql_query($cleardid); |
| 88 | 95 | ||
| 89 | $template->add('QUESTIONVALUE', $_POST['question']); | 96 | $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); |
| 90 | $template->add('OPTION1VALUE', $_POST['option1']); | 97 | $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); |
| 91 | $template->add('OPTION2VALUE', $_POST['option2']); | 98 | $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); |
| 92 | $template->add('OPTION3VALUE', $_POST['option3']); | 99 | $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); |
| 93 | $template->add('OPTION4VALUE', $_POST['option4']); | 100 | $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); |
| 94 | $template->add('TEXTVALUE', $_POST['text']); | 101 | $template->add('TEXTVALUE', htmlentities($_POST['text'])); |
| 95 | 102 | ||
| 96 | $template->add('TITLE', 'Edit Poll'); | 103 | $template->add('TITLE', 'Edit Poll'); |
| 97 | $template->add('ACTION', '/admin/editPoll.php?id=' . $id . '&submit='); | 104 | $template->add('ACTION', '/admin/editPoll.php?id=' . $id . '&submit='); |
| diff --git a/admin/newPost.php b/admin/newPost.php index eb6b4e0..32e7aa2 100644 --- a/admin/newPost.php +++ b/admin/newPost.php | |||
| @@ -145,7 +145,7 @@ if (isset($_GET['submit'])) | |||
| 145 | if ($type != 'drafts') $template->add('TAGSDISABLED', ' readonly="readonly"'); | 145 | if ($type != 'drafts') $template->add('TAGSDISABLED', ' readonly="readonly"'); |
| 146 | } | 146 | } |
| 147 | 147 | ||
| 148 | $template->add('TITLEVALUE', $_POST['title']); | 148 | $template->add('TITLEVALUE', htmlentities($_POST['title'])); |
| 149 | $template->add('TEXTVALUE', $_POST['text']); | 149 | $template->add('TEXTVALUE', $_POST['text']); |
| 150 | $template->add('TAGSVALUE', $_POST['tags']); | 150 | $template->add('TAGSVALUE', $_POST['tags']); |
| 151 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); | 151 | $template->add(strtoupper($_POST['type']) . 'SELECTED', ' checked="checked"'); |
| diff --git a/admin/pending.php b/admin/pending.php index 407cd35..6f1cfaf 100644 --- a/admin/pending.php +++ b/admin/pending.php | |||
| @@ -148,7 +148,7 @@ foreach ($pager->getPageData() as $post) | |||
| 148 | { | 148 | { |
| 149 | if (!empty($post)) | 149 | if (!empty($post)) |
| 150 | { | 150 | { |
| 151 | $template->add_ref($j, 'POST', array( 'TITLE' => $post['title'], | 151 | $template->add_ref($j, 'POST', array( 'TITLE' => htmlentities($post['title']), |
| 152 | 'AUTHOR' => $post['author'], | 152 | 'AUTHOR' => $post['author'], |
| 153 | 'ID' => $post['id'], | 153 | 'ID' => $post['id'], |
| 154 | 'CODED' => $post['slug'], | 154 | 'CODED' => $post['slug'], |
| diff --git a/admin/polls.php b/admin/polls.php index 8e1465c..e4239fa 100644 --- a/admin/polls.php +++ b/admin/polls.php | |||
| @@ -82,7 +82,7 @@ foreach ($pager->getPageData() as $post) | |||
| 82 | { | 82 | { |
| 83 | if (!empty($post)) | 83 | if (!empty($post)) |
| 84 | { | 84 | { |
| 85 | $template->adds_block('POST', array( 'TITLE' => $post['question'], | 85 | $template->adds_block('POST', array( 'TITLE' => htmlentities($post['question']), |
| 86 | 'ID' => $post['id'], | 86 | 'ID' => $post['id'], |
| 87 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); | 87 | 'ODD' => ($j % 2 ? '' : ' class="odd"'))); |
| 88 | } | 88 | } |
| diff --git a/admin/posts.php b/admin/posts.php index 605db30..d2e34c5 100644 --- a/admin/posts.php +++ b/admin/posts.php | |||
| @@ -82,7 +82,7 @@ foreach ($pager->getPageData() as $post) | |||
| 82 | { | 82 | { |
| 83 | if (!empty($post)) | 83 | if (!empty($post)) |
| 84 | { | 84 | { |
| 85 | $template->adds_block('POST', array( 'TITLE' => $post['title'], | 85 | $template->adds_block('POST', array( 'TITLE' => htmlentities($post['title']), |
| 86 | 'AUTHOR' => $post['author'], | 86 | 'AUTHOR' => $post['author'], |
| 87 | 'ID' => $post['id'], | 87 | 'ID' => $post['id'], |
| 88 | 'CODED' => $post['slug'], | 88 | 'CODED' => $post['slug'], |
| diff --git a/includes/footer.php b/includes/footer.php index 19cc341..d1f9668 100755 --- a/includes/footer.php +++ b/includes/footer.php | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | <?php | 1 | <?php |
| 2 | /* | 2 | /* |
| 3 | 444444444 | 3 | 444444444 |
| 4 | 4::::::::4 | 4 | 4::::::::4 |
| @@ -65,7 +65,7 @@ while ($getcomments3[$i] = mysql_fetch_array($getcomments2)) | |||
| 65 | 'AREA' => 'blog', | 65 | 'AREA' => 'blog', |
| 66 | 'CODED' => $getpost3['slug'], | 66 | 'CODED' => $getpost3['slug'], |
| 67 | 'ENDING' => '/', | 67 | 'ENDING' => '/', |
| 68 | 'TITLE' => stripslashes($getpost3['title']), | 68 | 'TITLE' => stripslashes(htmlentities($getpost3['title'])), |
| 69 | 'AUTHOR' => (($website != '') ? '<a href="' . $website . '">' . $username . '</a>' : $username))); | 69 | 'AUTHOR' => (($website != '') ? '<a href="' . $website . '">' . $username . '</a>' : $username))); |
| 70 | $i++; | 70 | $i++; |
| 71 | } else if (strpos($getcomments3[$i]['page_id'], 'quote') !== FALSE) | 71 | } else if (strpos($getcomments3[$i]['page_id'], 'quote') !== FALSE) |
| @@ -89,7 +89,7 @@ while ($getcomments3[$i] = mysql_fetch_array($getcomments2)) | |||
| 89 | 'AREA' => 'poll', | 89 | 'AREA' => 'poll', |
| 90 | 'CODED' => $getpotw3['id'], | 90 | 'CODED' => $getpotw3['id'], |
| 91 | 'ENDING' => '.php', | 91 | 'ENDING' => '.php', |
| 92 | 'TITLE' => 'Poll "' . $getpotw3['question'] . '"', | 92 | 'TITLE' => 'Poll "' . htmlentities($getpotw3['question']) . '"', |
| 93 | 'AUTHOR' => (($website != '') ? '<a href="' . $website . '">' . $username . '</a>' : $username))); | 93 | 'AUTHOR' => (($website != '') ? '<a href="' . $website . '">' . $username . '</a>' : $username))); |
| 94 | $i++; | 94 | $i++; |
| 95 | } | 95 | } |
| @@ -169,7 +169,7 @@ $i=0; | |||
| 169 | while ($getpopular3[$i] = mysql_fetch_array($getpopular2)) | 169 | while ($getpopular3[$i] = mysql_fetch_array($getpopular2)) |
| 170 | { | 170 | { |
| 171 | $template->adds_block('POPULAR', array( 'CODED' => $getpopular3[$i]['slug'], | 171 | $template->adds_block('POPULAR', array( 'CODED' => $getpopular3[$i]['slug'], |
| 172 | 'TITLE' => stripslashes($getpopular3[$i]['title']))); | 172 | 'TITLE' => stripslashes(htmlentities($getpopular3[$i]['title'])))); |
| 173 | $i++; | 173 | $i++; |
| 174 | } | 174 | } |
| 175 | 175 | ||
| diff --git a/includes/functions.php b/includes/functions.php index ce7a03e..1ff5c41 100755 --- a/includes/functions.php +++ b/includes/functions.php | |||
| @@ -276,7 +276,7 @@ function displayRelated($title, $avoid = 0) | |||
| 276 | $template = new FITemplate('related'); | 276 | $template = new FITemplate('related'); |
| 277 | } | 277 | } |
| 278 | 278 | ||
| 279 | $template->adds_block('POST', array( 'TITLE' => $getrelated3[$i]['title'], | 279 | $template->adds_block('POST', array( 'TITLE' => htmlentities($getrelated3[$i]['title']), |
| 280 | 'CODED' => $getrelated3[$i]['slug'], | 280 | 'CODED' => $getrelated3[$i]['slug'], |
| 281 | 'AUTHOR' => $getrelated3[$i]['author'], | 281 | 'AUTHOR' => $getrelated3[$i]['author'], |
| 282 | 'DATE' => date('F jS Y',strtotime($getrelated3[$i]['pubDate'])))); | 282 | 'DATE' => date('F jS Y',strtotime($getrelated3[$i]['pubDate'])))); |
| @@ -326,11 +326,11 @@ function getPollOfTheWeek($id = -1) | |||
| 326 | $getpoll2 = mysql_query($getpoll); | 326 | $getpoll2 = mysql_query($getpoll); |
| 327 | $getpoll3 = mysql_fetch_array($getpoll2); | 327 | $getpoll3 = mysql_fetch_array($getpoll2); |
| 328 | 328 | ||
| 329 | $potw->add('QUESTION', $getpoll3['question']); | 329 | $potw->add('QUESTION', stripslashes(htmlentities($getpoll3['question']))); |
| 330 | $potw->add('OPTION1', $getpoll3['option1']); | 330 | $potw->add('OPTION1', stripslashes(htmlentities($getpoll3['option1']))); |
| 331 | $potw->add('OPTION2', $getpoll3['option2']); | 331 | $potw->add('OPTION2', stripslashes(htmlentities($getpoll3['option2']))); |
| 332 | $potw->add('OPTION3', $getpoll3['option3']); | 332 | $potw->add('OPTION3', stripslashes(htmlentities($getpoll3['option3']))); |
| 333 | $potw->add('OPTION4', $getpoll3['option4']); | 333 | $potw->add('OPTION4', stripslashes(htmlentities($getpoll3['option4']))); |
| 334 | 334 | ||
| 335 | $getip = "SELECT * FROM didpollalready WHERE ip = \"" . $_SERVER['REMOTE_ADDR'] . "\""; | 335 | $getip = "SELECT * FROM didpollalready WHERE ip = \"" . $_SERVER['REMOTE_ADDR'] . "\""; |
| 336 | $getip2 = mysql_query($getip); | 336 | $getip2 = mysql_query($getip); |
| diff --git a/includes/header.php b/includes/header.php index 3a8edff..003e002 100755 --- a/includes/header.php +++ b/includes/header.php | |||
| @@ -77,7 +77,7 @@ $i=0; | |||
| 77 | while ($getaffs3 = mysql_fetch_array($getaffs2)) | 77 | while ($getaffs3 = mysql_fetch_array($getaffs2)) |
| 78 | { | 78 | { |
| 79 | $headerTemp->adds_block('AFFILIATES', array( 'COLOR' => getTagColor($i++), | 79 | $headerTemp->adds_block('AFFILIATES', array( 'COLOR' => getTagColor($i++), |
| 80 | 'TITLE' => $getaffs3['title'], | 80 | 'TITLE' => htmlentities($getaffs3['title']), |
| 81 | 'URL' => $getaffs3['url'])); | 81 | 'URL' => $getaffs3['url'])); |
| 82 | } | 82 | } |
| 83 | 83 | ||
| @@ -87,7 +87,7 @@ $i=0; | |||
| 87 | while ($getwebps3 = mysql_fetch_array($getwebps2)) | 87 | while ($getwebps3 = mysql_fetch_array($getwebps2)) |
| 88 | { | 88 | { |
| 89 | $headerTemp->adds_block('WEBPROJS', array( 'COLOR' => getTagColor($i++), | 89 | $headerTemp->adds_block('WEBPROJS', array( 'COLOR' => getTagColor($i++), |
| 90 | 'TITLE' => $getwebps3['title'], | 90 | 'TITLE' => htmlentities($getwebps3['title']), |
| 91 | 'URL' => $getwebps3['url'])); | 91 | 'URL' => $getwebps3['url'])); |
| 92 | } | 92 | } |
| 93 | 93 | ||
| diff --git a/pages/blog.php b/pages/blog.php index c9781ee..550b027 100755 --- a/pages/blog.php +++ b/pages/blog.php | |||
| @@ -43,7 +43,7 @@ if (isset($_GET['post'])) | |||
| 43 | { | 43 | { |
| 44 | updatePop($getpost3['id'],'views'); | 44 | updatePop($getpost3['id'],'views'); |
| 45 | 45 | ||
| 46 | $title = stripslashes($getpost3['title']) . ' - Blog Archive'; | 46 | $title = stripslashes(htmlentities($getpost3['title'])) . ' - Blog Archive'; |
| 47 | 47 | ||
| 48 | $getback = "SELECT * FROM updates WHERE id < " . $getpost3['id'] . " ORDER BY id DESC LIMIT 0,1"; | 48 | $getback = "SELECT * FROM updates WHERE id < " . $getpost3['id'] . " ORDER BY id DESC LIMIT 0,1"; |
| 49 | $getback2 = mysql_query($getback); | 49 | $getback2 = mysql_query($getback); |
| @@ -51,7 +51,7 @@ if (isset($_GET['post'])) | |||
| 51 | if (isset($getback3['title'])) | 51 | if (isset($getback3['title'])) |
| 52 | { | 52 | { |
| 53 | $template->adds_block('BACK', array( 'CODED' => $getback3['slug'], | 53 | $template->adds_block('BACK', array( 'CODED' => $getback3['slug'], |
| 54 | 'TITLE' => $getback3['title'])); | 54 | 'TITLE' => htmlentities($getback3['title']))); |
| 55 | } | 55 | } |
| 56 | 56 | ||
| 57 | $getnext = "SELECT * FROM updates WHERE id > " . $getpost3['id'] . " ORDER BY id ASC LIMIT 0,1"; | 57 | $getnext = "SELECT * FROM updates WHERE id > " . $getpost3['id'] . " ORDER BY id ASC LIMIT 0,1"; |
| @@ -60,7 +60,7 @@ if (isset($_GET['post'])) | |||
| 60 | if (isset($getnext3['title'])) | 60 | if (isset($getnext3['title'])) |
| 61 | { | 61 | { |
| 62 | $template->adds_block('NEXT', array( 'CODED' => $getnext3['slug'], | 62 | $template->adds_block('NEXT', array( 'CODED' => $getnext3['slug'], |
| 63 | 'TITLE' => $getnext3['title'])); | 63 | 'TITLE' => htmlentities($getnext3['title']))); |
| 64 | } | 64 | } |
| 65 | 65 | ||
| 66 | $template->add_ref(0, 'POST', array( 'ID' => $getpost3['id'], | 66 | $template->add_ref(0, 'POST', array( 'ID' => $getpost3['id'], |
| @@ -69,7 +69,7 @@ if (isset($_GET['post'])) | |||
| 69 | 'MONTH' => date('M',strtotime($getpost3['pubDate'])), | 69 | 'MONTH' => date('M',strtotime($getpost3['pubDate'])), |
| 70 | 'DAY' => date('d',strtotime($getpost3['pubDate'])), | 70 | 'DAY' => date('d',strtotime($getpost3['pubDate'])), |
| 71 | 'CODED' => $getpost3['slug'], | 71 | 'CODED' => $getpost3['slug'], |
| 72 | 'TITLE' => $getpost3['title'], | 72 | 'TITLE' => htmlentities($getpost3['title']), |
| 73 | 'AUTHOR' => $getpost3['author'], | 73 | 'AUTHOR' => $getpost3['author'], |
| 74 | 'RATING' => $getpost3['rating'], | 74 | 'RATING' => $getpost3['rating'], |
| 75 | 'TEXT' => parseText($getpost3['text']))); | 75 | 'TEXT' => parseText($getpost3['text']))); |
| @@ -189,7 +189,7 @@ if (isset($_GET['post'])) | |||
| 189 | 189 | ||
| 190 | $template->adds_ref_sub($curID, 'SMALL',array( 'DATE' => date('m-d-Y',strtotime($getposts3[$i]['pubDate'])), | 190 | $template->adds_ref_sub($curID, 'SMALL',array( 'DATE' => date('m-d-Y',strtotime($getposts3[$i]['pubDate'])), |
| 191 | 'CODED' => $getposts3[$i]['slug'], | 191 | 'CODED' => $getposts3[$i]['slug'], |
| 192 | 'TITLE' => $getposts3[$i]['title'])); | 192 | 'TITLE' => htmlentities($getposts3[$i]['title']))); |
| 193 | $i++; | 193 | $i++; |
| 194 | } | 194 | } |
| 195 | if ($i==0) | 195 | if ($i==0) |
| diff --git a/pages/poll.php b/pages/poll.php index 6a87207..a9ab19f 100755 --- a/pages/poll.php +++ b/pages/poll.php | |||
| @@ -53,7 +53,7 @@ if (!isset($_GET['id'])) | |||
| 53 | $question .= '....'; | 53 | $question .= '....'; |
| 54 | } | 54 | } |
| 55 | $template->adds_block('POLL', array( 'ID' => $getpolls3[$i]['id'], | 55 | $template->adds_block('POLL', array( 'ID' => $getpolls3[$i]['id'], |
| 56 | 'QUESTION' => $question, | 56 | 'QUESTION' => htmlentities($question), |
| 57 | 'WEEK' => date('F jS Y', strtotime($getpolls3[$i]['week'])), | 57 | 'WEEK' => date('F jS Y', strtotime($getpolls3[$i]['week'])), |
| 58 | 'EVEN' => (($i % 2 == 1) ? ' class="even"' : ''))); | 58 | 'EVEN' => (($i % 2 == 1) ? ' class="even"' : ''))); |
| 59 | $i++; | 59 | $i++; |
| @@ -90,7 +90,7 @@ if (!isset($_GET['id'])) | |||
| 90 | 90 | ||
| 91 | if ($getpoll3['id'] == $_GET['id']) | 91 | if ($getpoll3['id'] == $_GET['id']) |
| 92 | { | 92 | { |
| 93 | $template->add('QUESTION', $getpoll3['question']); | 93 | $template->add('QUESTION', htmlentities($getpoll3['question'])); |
| 94 | 94 | ||
| 95 | if ($getpoll3['text'] != '') | 95 | if ($getpoll3['text'] != '') |
| 96 | { | 96 | { |
| diff --git a/pages/welcome.php b/pages/welcome.php index 26f9938..5bd710c 100755 --- a/pages/welcome.php +++ b/pages/welcome.php | |||
| @@ -74,7 +74,7 @@ while ($getpost3 = mysql_fetch_array($getpost2)) | |||
| 74 | 'MONTH' => date('M',strtotime($getpost3['pubDate'])), | 74 | 'MONTH' => date('M',strtotime($getpost3['pubDate'])), |
| 75 | 'DAY' => date('d',strtotime($getpost3['pubDate'])), | 75 | 'DAY' => date('d',strtotime($getpost3['pubDate'])), |
| 76 | 'CODED' => $getpost3['slug'], | 76 | 'CODED' => $getpost3['slug'], |
| 77 | 'TITLE' => $getpost3['title'], | 77 | 'TITLE' => htmlentities($getpost3['title']), |
| 78 | 'AUTHOR' => $getpost3['author'], | 78 | 'AUTHOR' => $getpost3['author'], |
| 79 | 'PLURALCOMMENT' => (isset($plural) ? $plural : ''), | 79 | 'PLURALCOMMENT' => (isset($plural) ? $plural : ''), |
| 80 | 'COMMENTS' => $comText, | 80 | 'COMMENTS' => $comText, |