Minahito
minah****@users*****
2006年 2月 21日 (火) 20:37:49 JST
Index: xoops2jp/html/include/comment_view.php
diff -u xoops2jp/html/include/comment_view.php:1.2.8.2 xoops2jp/html/include/comment_view.php:1.2.8.3
--- xoops2jp/html/include/comment_view.php:1.2.8.2 Mon Feb 20 17:45:23 2006
+++ xoops2jp/html/include/comment_view.php Tue Feb 21 20:37:49 2006
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment_view.php,v 1.2.8.2 2006/02/20 08:45:23 minahito Exp $
+// $Id: comment_view.php,v 1.2.8.3 2006/02/21 11:37:49 minahito Exp $
 // ------------------------------------------------------------------------ //
 // XOOPS - PHP Content Management System //
 // Copyright (c) 2000 XOOPS.org //
@@ -94,23 +94,24 @@
 } elseif ($com_mode == 'thread') {
 // RMV-FIX... added extraParam stuff here
 $comment_url = $comment_config['pageName'] . '?';
+
+ //
+ // Parse extra parameters from the request.
+ //
 if (isset($comment_config['extraParams']) && is_array($comment_config['extraParams'])) {
- $extra_params = '';
- foreach ($comment_config['extraParams'] as $extra_param) {
+ foreach ($comment_config['extraParams'] as $extra_key) {
 // This page is included in the module hosting page -- param could be from anywhere
- if (isset(${$extra_param})) {
- $extra_params .= $extra_param .'='.${$extra_param}.'&';
- } elseif (isset($_POST[$extra_param])) {
- $extra_params .= $extra_param .'='.$_POST[$extra_param].'&';
- } elseif (isset($_GET[$extra_param])) {
- $extra_params .= $extra_param .'='.$_GET[$extra_param].'&';
- } else {
- $extra_params .= $extra_param .'=&';
+ if (isset($GLOBALS[$extra_key])) {
+ $comment_url .= $extra_key .'='. htmlspecialchars($GLOBALS[$extra_key], ENT_NOQUOTES).'&';
+ } elseif (isset($_REQUEST[$extra_key])) {
+ $comment_url .= $extra_key .'='. htmlspecialchars($_REQUEST[$extra_key], ENT_NOQUOTES).'&';
+ }
+ else {
+ $comment_url .= $extra_key .'=&';
 }
- //$extra_params .= isset(${$extra_param}) ? $extra_param .'='.${$extra_param}.'&' : $extra_param .'=&';
 }
- $comment_url .= $extra_params;
 }
+
 $xoopsTpl->assign('comment_url', $comment_url.$comment_config['itemName'].'='.$com_itemid.'&com_mode=thread&com_order='.$com_order);
 if (!empty($com_id) && !empty($com_rootid) && ($com_id != $com_rootid)) {
 // Show specific thread tree
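Review bot: The added `htmlspecialchars(..., ENT_NOQUOTES)` calls in this hunk escape for an HTML text context, but the value is being appended to a query string in `$comment_url`, so `&`, `=`, `?`, `#` and both quote characters in the request value pass through unencoded — a `"` can still break out of an attribute if the template emits `comment_url` inside `href="…"`, and an `&` in the value can split into an extra parameter when the link is followed. A query component should be URL-encoded here, `$comment_url .= $extra_key . '=' . urlencode($GLOBALS[$extra_key]) . '&';` and `$comment_url .= $extra_key . '=' . urlencode($_REQUEST[$extra_key]) . '&';`, with HTML escaping left to the template at output time. An array-valued request parameter would also reach the escaping call as-is; casting to `(string)` or skipping non-scalar values is worth a guard, though whether arrays can arrive depends on the module's `extraParams` configuration, which is outside this hunk. The `elseif ($com_mode == 'thread')` branch this code sits in continues past the end of the hunk.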
@@ -174,17 +175,22 @@
 $postcomment_link = 'comment_new.php?com_itemid=' . $com_itemid . '&com_order=' . $com_order . '&com_mode=' . $com_mode;
 }
+ //
+ // Parse extra parameters from the request.
+ // TODO The following lines are *CODE CLONE*
+ // $link_extra is raw data and not sanitized.
+ //
 $link_extra = '';
 $fetchParams = array();
 if (isset($comment_config['extraParams']) && is_array($comment_config['extraParams'])) {
- foreach ($comment_config['extraParams'] as $extra_param) {
+ foreach ($comment_config['extraParams'] as $extra_key) {
 //
 // We deprecate that a developer depends on the following line.
 //
- if (isset($GLOBALS[$extra_param])) {
- $fetchParams[$extra_param] = $GLOBALS[$extra_param];
- } elseif (isset($_REQUEST[$extra_param])) {
- $fetchParams[$extra_param] = xoops_getrequest($extra_param);
+ if (isset($GLOBALS[$extra_key])) {
+ $fetchParams[$extra_key] = $GLOBALS[$extra_key];
+ } elseif (isset($_REQUEST[$extra_key])) {
+ $fetchParams[$extra_key] = xoops_getrequest($extra_key);
 }
 }