[xoops-cvslog 2341] CVS update: xoops2jp/html/include


Minahito minah****@users*****
2006年 2月 21日 (火) 20:37:49 JST


Index: xoops2jp/html/include/comment_view.php
diff -u xoops2jp/html/include/comment_view.php:1.2.8.2 xoops2jp/html/include/comment_view.php:1.2.8.3
--- xoops2jp/html/include/comment_view.php:1.2.8.2	Mon Feb 20 17:45:23 2006
+++ xoops2jp/html/include/comment_view.php	Tue Feb 21 20:37:49 2006
@@ -1,5 +1,5 @@
 <?php
-// $Id: comment_view.php,v 1.2.8.2 2006/02/20 08:45:23 minahito Exp $
+// $Id: comment_view.php,v 1.2.8.3 2006/02/21 11:37:49 minahito Exp $
 //  ------------------------------------------------------------------------ //
 //                XOOPS - PHP Content Management System                      //
 //                    Copyright (c) 2000 XOOPS.org                           //
@@ -94,23 +94,24 @@
 		} elseif ($com_mode == 'thread') {
 			// RMV-FIX... added extraParam stuff here
 			$comment_url = $comment_config['pageName'] . '?';
+			
+			//
+			// Parse extra parameters from the request.
+			//
 			if (isset($comment_config['extraParams']) && is_array($comment_config['extraParams'])) {
-				$extra_params = '';
-				foreach ($comment_config['extraParams'] as $extra_param) {
+				foreach ($comment_config['extraParams'] as $extra_key) {
 				    // This page is included in the module hosting page -- param could be from anywhere
-					if (isset(${$extra_param})) {
-						$extra_params .= $extra_param .'='.${$extra_param}.'&amp;';
-					} elseif (isset($_POST[$extra_param])) {
-						$extra_params .= $extra_param .'='.$_POST[$extra_param].'&amp;';
-					} elseif (isset($_GET[$extra_param])) {
-						$extra_params .= $extra_param .'='.$_GET[$extra_param].'&amp;';
-					} else {
-						$extra_params .= $extra_param .'=&amp;';
+					if (isset($GLOBALS[$extra_key])) {
+						$comment_url .= $extra_key .'='. htmlspecialchars($GLOBALS[$extra_key], ENT_NOQUOTES).'&amp;';
+					} elseif (isset($_REQUEST[$extra_key])) {
+						$comment_url .= $extra_key .'='. htmlspecialchars($_REQUEST[$extra_key], ENT_NOQUOTES).'&amp;';
+					}
+					else {
+						$comment_url .= $extra_key .'=&amp;';
 					}
-					//$extra_params .= isset(${$extra_param}) ? $extra_param .'='.${$extra_param}.'&amp;' : $extra_param .'=&amp;';
 				}
-				$comment_url .= $extra_params;
 			}
+
 			$xoopsTpl->assign('comment_url', $comment_url.$comment_config['itemName'].'='.$com_itemid.'&amp;com_mode=thread&amp;com_order='.$com_order);
 			if (!empty($com_id) && !empty($com_rootid) && ($com_id != $com_rootid)) {
 				// Show specific thread tree
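Review bot: The value appended at `$comment_url .= $extra_key .'='. htmlspecialchars($GLOBALS[$extra_key], ENT_NOQUOTES).'&amp;';` (and the `$_REQUEST` line right below it) is escaped for HTML text only: `ENT_NOQUOTES` leaves `"` and `'` untouched, so a request-supplied value is not safe if the template places `comment_url` inside a quoted attribute, and nothing URL-encodes the value for the query string at all. Encoding for the URL context covers both concerns: use `rawurlencode($GLOBALS[$extra_key])` and `rawurlencode($_REQUEST[$extra_key])` in place of the two `htmlspecialchars(..., ENT_NOQUOTES)` calls, keeping the literal `&amp;` separator as it is. Note that `$_REQUEST` also carries cookie values, and that `$GLOBALS[$extra_key]` is consulted first, so which source actually wins for a given key depends on the `register_globals` setting, which this hunk cannot show. The enclosing `elseif ($com_mode == 'thread')` block starts before the hunk.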
@@ -174,17 +175,22 @@
 			$postcomment_link = 'comment_new.php?com_itemid=' . $com_itemid . '&com_order=' . $com_order . '&com_mode=' . $com_mode;
 		}
 		
+		//
+		// Parse extra parameters from the request.
+		// TODO The following lines are *CODE CLONE*
+		// $link_extra is raw data and not sanitized.
+		// 
 		$link_extra = '';
 		$fetchParams = array();
 		if (isset($comment_config['extraParams']) && is_array($comment_config['extraParams'])) {
-			foreach ($comment_config['extraParams'] as $extra_param) {
+			foreach ($comment_config['extraParams'] as $extra_key) {
 				//
 				// We deprecate that a developer depends on the following line.
 				//
-				if (isset($GLOBALS[$extra_param])) {
-					$fetchParams[$extra_param] = $GLOBALS[$extra_param];
-			    } elseif (isset($_REQUEST[$extra_param])) {
-					$fetchParams[$extra_param] = xoops_getrequest($extra_param);
+				if (isset($GLOBALS[$extra_key])) {
+					$fetchParams[$extra_key] = $GLOBALS[$extra_key];
+			    } elseif (isset($_REQUEST[$extra_key])) {
+					$fetchParams[$extra_key] = xoops_getrequest($extra_key);
 			    }
 			}
 			
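Review bot: The two branches of the new `if (isset($GLOBALS[$extra_key]))` / `elseif (isset($_REQUEST[$extra_key]))` do not store equivalent data: the `$GLOBALS` branch copies the value raw into `$fetchParams`, while the `$_REQUEST` branch goes through `xoops_getrequest`. Because `$GLOBALS` is tested first, any key that also appears in the global scope (for instance when `register_globals` is enabled, which the hunk cannot confirm) takes the raw path and the `xoops_getrequest` branch is never reached for it. If the intent is that only the deprecated global-variable path is exempt from filtering, state it in the existing comment, e.g. `// Deprecated: values read from $GLOBALS bypass xoops_getrequest and reach $fetchParams unfiltered.`; otherwise route both branches through the same accessor. The code that builds `$link_extra` from `$fetchParams` continues past the end of the hunk.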

