Paul
Fri 15th Aug '03, 12:22pm
Hi,
HTML characters are not being properly stripped when a new thread is created by splitting an existing thread. The following code should be modified from admin/postings.php:
$DB_site->query("INSERT INTO thread (threadid,title,lastpost,forumid,open,replycount,p ostusername,postuserid,lastposter,dateline,views,i conid,notes,visible) VALUES (NULL,'".addslashes($title)."','".addslashes($threadinfo[lastpost])."','".addslashes($threadinfo[forumid])."','".addslashes($threadinfo[open])."','".addslashes($threadinfo[replycount])."','".addslashes($threadinfo[postusername])."','".addslashes($threadinfo[postuserid])."','".addslashes($threadinfo[lastposter])."','".addslashes($threadinfo[dateline])."','".addslashes($threadinfo[views])."','".addslashes($threadinfo[iconid])."','Thread split from threadid $threadid by ".addslashes($bbuserinfo['username'])." on ".vbdate($dateformat." ".$timeformat,time()).". ".addslashes($threadinfo[notes])."','".addslashes($threadinfo[visible])."')");
Should be changed to:
$DB_site->query("INSERT INTO thread (threadid,title,lastpost,forumid,open,replycount,p ostusername,postuserid,lastposter,dateline,views,i conid,notes,visible) VALUES (NULL,'".addslashes(htmlspecialchars($title))."','".addslashes($threadinfo[lastpost])."','".addslashes($threadinfo[forumid])."','".addslashes($threadinfo[open])."','".addslashes($threadinfo[replycount])."','".addslashes(htmlspecialchars($threadinfo[postusername]))."','".addslashes($threadinfo[postuserid])."','".addslashes($threadinfo[lastposter])."','".addslashes($threadinfo[dateline])."','".addslashes($threadinfo[views])."','".addslashes($threadinfo[iconid])."','Thread split from threadid $threadid by ".addslashes(htmlspecialchars($bbuserinfo['username']))." on ".vbdate($dateformat." ".$timeformat,time()).". ".addslashes(htmlspecialchars($threadinfo[notes]))."','".addslashes($threadinfo[visible])."')");
Watch out. This is a long line and the forum adds spaces. You'll need to remove the spaces inserted every 50 characters in the above.
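An added example, not part of the post above and not vBulletin code: it shows why addslashes() alone leaves markup live in a stored title, and what wrapping the value in htmlspecialchars() changes. The helper names, the `<td>` template and the sample titles are constructed for illustration.

```php
<?php
// Added illustration, not vBulletin code. Helper names and sample titles are constructed.

// Value as the original line stores it: SQL-escaped only.
function store_before(string $v): string { return addslashes($v); }

// Value as the corrected line stores it: HTML-encoded, then SQL-escaped.
// Quote handling follows the PHP version's default flags.
function store_after(string $v): string { return addslashes(htmlspecialchars($v)); }

// Simulated database round trip: the SQL parser consumes the backslashes
// addslashes() added, so the row holds the unescaped string.
function read_back(string $stored): string { return stripslashes($stored); }

// Simulated template that prints the stored title without encoding it.
function render(string $title): string { return '<td>' . $title . '</td>'; }

// True when the title's own '<' characters reach the page as live markup.
function markup_survives(string $html): bool
{
    $inner = substr($html, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') !== false;
}

$samples = [
    "Tom's <b>bold</b> idea",        // markup plus a quote
    '</td><h1>page layout</h1><td>', // breaks out of the surrounding cell
    'AT&amp;T outage',               // already encoded once
];

foreach ($samples as $title) {
    $before = render(read_back(store_before($title)));
    $after  = render(read_back(store_after($title)));
    printf("input : %s\n", $title);
    printf("before: %s (live markup: %s)\n", $before, markup_survives($before) ? 'yes' : 'no');
    printf("after : %s (live markup: %s)\n\n", $after, markup_survives($after) ? 'yes' : 'no');
}

// The third sample comes out as AT&amp;amp;T after the fix: encoding a value that
// was already encoded doubles the entity. The fourth argument of
// htmlspecialchars() (double_encode = false) leaves existing entities alone.
printf("no double encode: %s\n", htmlspecialchars('AT&amp;T outage', ENT_QUOTES, 'UTF-8', false));
```

Whether a given field is already encoded when it is read back from the thread row depends on how it was first stored, so check that before adding a second encoding step.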