xml_escape() on INSERT and don't XML escape thread/remark body in templates

This commit is contained in:
swagg boi 2023-04-25 10:40:47 -04:00
parent fd2688f45d
commit 94988c2d34
7 changed files with 10 additions and 9 deletions

View file

@ -32,7 +32,6 @@ Run the tests locally (against development environment):
## TODOs
1. `xml_escape` on INSERT (needed for the Markdown stuff later)
1. Rules/about page
1. CSS
1. "All new posts flagged" mode (require approval for new posts)

View file

@ -1,6 +1,7 @@
package PostText::Model::Remark;
use Mojo::Base -base, -signatures;
use Mojo::Util qw{xml_escape};
has 'pg';
@ -28,7 +29,7 @@ sub by_page_for($self, $thread_id, $this_page = 1) {
}
sub create($self, $thread_id, $author, $body, $hidden = 0, $flagged = 0) {
my @data = ($thread_id, $author, $body, $hidden, $flagged);
my @data = ($thread_id, $author, xml_escape($body), $hidden, $flagged);
$self->pg->db->query(<<~'END_SQL', @data);
INSERT INTO remarks (

View file

@ -1,6 +1,7 @@
package PostText::Model::Thread;
use Mojo::Base -base, -signatures;
use Mojo::Util qw{xml_escape};
has 'pg';
@ -9,7 +10,7 @@ has per_page => 5;
has date_format => 'Dy, FMDD Mon YYYY HH24:MI:SS TZ';
sub create($self, $author, $title, $body, $hidden = 0, $flagged = 0) {
my @data = ($author, $title, $body, $hidden, $flagged);
my @data = ($author, $title, xml_escape($body), $hidden, $flagged);
$self->pg->db->query(<<~'END_SQL', @data)->hash->{'thread_id'};
INSERT INTO threads (

View file

@ -6,7 +6,7 @@
<nav class="id">#<%= $remark->{'id'} %></nav>
<h4 class="date"><%= $remark->{'date'} %></h4>
<h5 class="author"><%= $remark->{'author'} %></h5>
<p class="body"><%= $remark->{'body'} %></p>
<p class="body"><%== $remark->{'body'} %></p>
</article>
</div>
<nav>

View file

@ -37,7 +37,7 @@
<h3 class="title"><%= $thread->{'title'} %></h3>
<h4 class="date"><%= $thread->{'date'} %></h4>
<h5 class="author"><%= $thread->{'author'} %></h5>
<p class="body"><%= $thread->{'body'} %></p>
<p class="body"><%== $thread->{'body'} %></p>
</article>
</div>
<% if (my $last_remark_id = $last_remark->{'id'}) { =%>
@ -50,7 +50,7 @@
</nav>
<h4 class="date"><%= $last_remark->{'date'} %></h4>
<h5 class="author"><%= $last_remark->{'author'} %></h5>
<p class="body"><%= $last_remark->{'body'} %></p>
<p class="body"><%== $last_remark->{'body'} %></p>
</article>
</div>
<% } =%>

View file

@ -6,7 +6,7 @@
<h3 class="title"><%= $thread->{'title'} %></h3>
<h4 class="date"><%= $thread->{'date'} %></h4>
<h5 class="author"><%= $thread->{'author'} %></h5>
<p class="body"><%= $thread->{'body'} %></p>
<p class="body"><%== $thread->{'body'} %></p>
</article>
</div>
<nav>
@ -32,7 +32,7 @@
</nav>
<h4 class="date"><%= $remark->{'date'} %></h4>
<h5 class="author"><%= $remark->{'author'} %></h5>
<p class="body"><%= $remark->{'body'} %></p>
<p class="body"><%== $remark->{'body'} %></p>
<nav class="flag">
<%= link_to Flag => flag_remark => {remark_id => $remark->{'id'}} %>
</nav>

View file

@ -15,7 +15,7 @@
</h3>
<h4 class="date"><%= $thread->{'date'} %></h4>
<h5 class="author"><%= $thread->{'author'} %></h5>
<p class="body"><%= truncate_text $thread->{'body'} %></p>
<p class="body"><%== truncate_text $thread->{'body'} %></p>
<nav>
<%= link_to Remark => post_remark => {thread_id => $thread->{'id'}} %>
<%= link_to url_for(single_thread => {thread_id => $thread->{'id'}})