xml_escape() on INSERT and don't XML escape thread/remark body in templates
parent
fd2688f45d
commit
94988c2d34
|
@ -32,7 +32,6 @@ Run the tests locally (against development environment):
|
|||
|
||||
## TODOs
|
||||
|
||||
1. `xml_escape` on INSERT (needed for the Markdown stuff later)
|
||||
1. Rules/about page
|
||||
1. CSS
|
||||
1. "All new posts flagged" mode (require approval for new posts)
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package PostText::Model::Remark;
|
||||
|
||||
use Mojo::Base -base, -signatures;
|
||||
use Mojo::Util qw{xml_escape};
|
||||
|
||||
has 'pg';
|
||||
|
||||
|
@ -28,7 +29,7 @@ sub by_page_for($self, $thread_id, $this_page = 1) {
|
|||
}
|
||||
|
||||
sub create($self, $thread_id, $author, $body, $hidden = 0, $flagged = 0) {
|
||||
my @data = ($thread_id, $author, $body, $hidden, $flagged);
|
||||
my @data = ($thread_id, $author, xml_escape($body), $hidden, $flagged);
|
||||
|
||||
$self->pg->db->query(<<~'END_SQL', @data);
|
||||
INSERT INTO remarks (
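Review bot: Escaping the body at INSERT time in `create` (`xml_escape($body)`) makes every later raw render depend on the invariant that nothing else ever writes `remarks.body`; rows written before this change, seed or test fixtures, or a future edit/admin path that bypasses `create` would then be emitted into the page unescaped. Escaping once at output is the fail-closed choice: keep the column as plain text and let the template escape it, so the decision does not depend on every writer remembering. Note also that `$author` is still stored raw in the same statement while `$body` is not, so the table now mixes representations and anything that reads bodies outside the templates (an API, an edit form) will see entities. If the stored-escaped form is intentional, say so on the sub, e.g. `# body is persisted XML-escaped; templates output it raw with <%== and must never receive an unescaped body`. The rest of `create` (the heredoc SQL) is outside the hunk.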
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package PostText::Model::Thread;
|
||||
|
||||
use Mojo::Base -base, -signatures;
|
||||
use Mojo::Util qw{xml_escape};
|
||||
|
||||
has 'pg';
|
||||
|
||||
|
@ -9,7 +10,7 @@ has per_page => 5;
|
|||
has date_format => 'Dy, FMDD Mon YYYY HH24:MI:SS TZ';
|
||||
|
||||
sub create($self, $author, $title, $body, $hidden = 0, $flagged = 0) {
|
||||
my @data = ($author, $title, $body, $hidden, $flagged);
|
||||
my @data = ($author, $title, xml_escape($body), $hidden, $flagged);
|
||||
|
||||
$self->pg->db->query(<<~'END_SQL', @data)->hash->{'thread_id'};
|
||||
INSERT INTO threads (
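Review bot: In `create`, `$title` goes into `threads` raw while `$body` goes in pre-escaped, and the removed README item says the escaping is "needed for the Markdown stuff later", which suggests the escaped string is meant to be fed to a Markdown renderer; a pre-escaped body breaks that (`>` quoting becomes `&gt;`, `&` in URLs becomes `&amp;`), and a renderer that emits its own HTML needs sanitising regardless of this escape. Keeping the column raw and doing `xml_escape` (or Markdown-to-HTML plus sanitisation) in one render-time helper would put the escaping decision in a single place. If the stored-escaped form is deliberate, a comment on the sub should record it, e.g. `# NOTE: body is stored XML-escaped; templates render it with <%== (raw)`. The remainder of `create` lies outside the hunk.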
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
<nav class="id">#<%= $remark->{'id'} %></nav>
|
||||
<h4 class="date"><%= $remark->{'date'} %></h4>
|
||||
<h5 class="author"><%= $remark->{'author'} %></h5>
|
||||
<p class="body"><%= $remark->{'body'} %></p>
|
||||
<p class="body"><%== $remark->{'body'} %></p>
|
||||
</article>
|
||||
</div>
|
||||
<nav>
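Review bot: Changing this line to `<%==` outputs `$remark->{'body'}` without escaping, so any row whose body was written before `create` started calling `xml_escape` — or by any path other than `create` — is now injected into the page verbatim, which is a stored XSS for existing data if such rows exist. Either run a one-off migration that passes every existing body through `Mojo::Util::xml_escape` before this deploys, or keep `<%=` here and drop the escaping in the model. A comment marking the invariant would help the next reader: `<%# body is stored XML-escaped by Model::Remark::create; raw output is intentional %>`.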
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
<h3 class="title"><%= $thread->{'title'} %></h3>
|
||||
<h4 class="date"><%= $thread->{'date'} %></h4>
|
||||
<h5 class="author"><%= $thread->{'author'} %></h5>
|
||||
<p class="body"><%= $thread->{'body'} %></p>
|
||||
<p class="body"><%== $thread->{'body'} %></p>
|
||||
</article>
|
||||
</div>
|
||||
<% if (my $last_remark_id = $last_remark->{'id'}) { =%>
|
||||
|
@ -50,7 +50,7 @@
|
|||
</nav>
|
||||
<h4 class="date"><%= $last_remark->{'date'} %></h4>
|
||||
<h5 class="author"><%= $last_remark->{'author'} %></h5>
|
||||
<p class="body"><%= $last_remark->{'body'} %></p>
|
||||
<p class="body"><%== $last_remark->{'body'} %></p>
|
||||
</article>
|
||||
</div>
|
||||
<% } =%>
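Review bot: `$last_remark->{'body'}` is now rendered raw in the second hunk, but where `$last_remark` is built is not visible here; if it is a plain row from `remarks` it carries the same stored-escaped invariant as the model change, but if it is produced by a join, aggregate or other query it should be checked before trusting `<%==`. Suggest stating the assumption at the site: `<%# $last_remark->{'body'} is remarks.body, stored escaped in Model::Remark::create %>`.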
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
<h3 class="title"><%= $thread->{'title'} %></h3>
|
||||
<h4 class="date"><%= $thread->{'date'} %></h4>
|
||||
<h5 class="author"><%= $thread->{'author'} %></h5>
|
||||
<p class="body"><%= $thread->{'body'} %></p>
|
||||
<p class="body"><%== $thread->{'body'} %></p>
|
||||
</article>
|
||||
</div>
|
||||
<nav>
|
||||
|
@ -32,7 +32,7 @@
|
|||
</nav>
|
||||
<h4 class="date"><%= $remark->{'date'} %></h4>
|
||||
<h5 class="author"><%= $remark->{'author'} %></h5>
|
||||
<p class="body"><%= $remark->{'body'} %></p>
|
||||
<p class="body"><%== $remark->{'body'} %></p>
|
||||
<nav class="flag">
|
||||
<%= link_to Flag => flag_remark => {remark_id => $remark->{'id'}} %>
|
||||
</nav>
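Review bot: This is one of several templates that switch to `<%==` on a body field, and each is a separate place where a future "escape once at render" change can be missed. A single registered helper (for instance `body_html`, which either returns the stored body as raw HTML or does the escaping itself) would keep the decision in one place and let the templates read `<%= body_html $remark %>` with no raw-output marker at all. At minimum, a comment at each raw-output site, `<%# stored pre-escaped; see Model::Remark::create %>`, records why `<%==` is considered safe here.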
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
</h3>
|
||||
<h4 class="date"><%= $thread->{'date'} %></h4>
|
||||
<h5 class="author"><%= $thread->{'author'} %></h5>
|
||||
<p class="body"><%= truncate_text $thread->{'body'} %></p>
|
||||
<p class="body"><%== truncate_text $thread->{'body'} %></p>
|
||||
<nav>
|
||||
<%= link_to Remark => post_remark => {thread_id => $thread->{'id'}} %>
|
||||
<%= link_to url_for(single_thread => {thread_id => $thread->{'id'}})
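Review bot: `truncate_text` is now applied to a body that is stored escaped and then output raw; if the helper cuts by character count it can split an entity such as `&amp;` or `&lt;` into `&am`/`&l`, leaving malformed HTML (browsers recover, but the reader sees a stray fragment), and the visible length is inflated because `&amp;` counts as five characters. Truncating the raw text and escaping the result would avoid both; with the stored-escaped form, the helper must instead truncate on entity boundaries. The implementation of `truncate_text` is not visible here, so confirm which case applies.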
|
||||
|
|