xml_escape() on INSERT and don't XML escape thread/remark body in templates

swag 2023-04-25 10:40:47 -04:00
parent fd2688f45d
commit 94988c2d34
7 changed files with 10 additions and 9 deletions


@ -32,7 +32,6 @@ Run the tests locally (against development environment):
## TODOs
1. `xml_escape` on INSERT (needed for the Markdown stuff later)
1. Rules/about page
1. CSS
1. "All new posts flagged" mode (require approval for new posts)


@ -1,6 +1,7 @@
package PostText::Model::Remark;
use Mojo::Base -base, -signatures;
use Mojo::Util qw{xml_escape};
has 'pg';
@ -28,7 +29,7 @@ sub by_page_for($self, $thread_id, $this_page = 1) {
}
sub create($self, $thread_id, $author, $body, $hidden = 0, $flagged = 0) {
my @data = ($thread_id, $author, $body, $hidden, $flagged);
my @data = ($thread_id, $author, xml_escape($body), $hidden, $flagged);
$self->pg->db->query(<<~'END_SQL', @data);
INSERT INTO remarks (
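Review bot: Escaping `$body` at insert time in `create` means the templates this commit switches to `<%==` now trust the stored value as safe HTML, but that invariant only holds for rows written through this method from now on; rows inserted before the commit, and any UPDATE or import path that does not go through `create`, would be emitted unescaped. If escape-on-store is kept, a one-off migration applying `xml_escape` to the existing `remarks.body` and `threads.body` rows is needed, and the rule should be stated where it is enforced, e.g. `# body is stored XML-escaped; templates render it raw with <%==, so every write path must escape it`. The same point applies to `Thread::create` in the next file, which escapes `$body` the same way while `$title` and `$author` are still stored raw and remain auto-escaped by `<%=` in the templates. Escaping before storage also complicates the Markdown rendering the README hunk alludes to, since the renderer would see `&lt;` rather than `<`; rendering at output time and marking only the sanitized HTML as safe avoids both problems. `create`'s body continues past the hunk.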


@ -1,6 +1,7 @@
package PostText::Model::Thread;
use Mojo::Base -base, -signatures;
use Mojo::Util qw{xml_escape};
has 'pg';
@ -9,7 +10,7 @@ has per_page => 5;
has date_format => 'Dy, FMDD Mon YYYY HH24:MI:SS TZ';
sub create($self, $author, $title, $body, $hidden = 0, $flagged = 0) {
my @data = ($author, $title, $body, $hidden, $flagged);
my @data = ($author, $title, xml_escape($body), $hidden, $flagged);
$self->pg->db->query(<<~'END_SQL', @data)->hash->{'thread_id'};
INSERT INTO threads (


@ -6,7 +6,7 @@
<nav class="id">#<%= $remark->{'id'} %></nav>
<h4 class="date"><%= $remark->{'date'} %></h4>
<h5 class="author"><%= $remark->{'author'} %></h5>
<p class="body"><%= $remark->{'body'} %></p>
<p class="body"><%== $remark->{'body'} %></p>
</article>
</div>
<nav>
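Review bot: `<%==` turns off the template's own escaping for `body`, so the page now depends entirely on the model having escaped the value before storage, and any body that reached the table another way (older rows, an UPDATE, a later Markdown pipeline) is emitted as raw HTML. A defensive alternative is to keep `<%=` here until Markdown rendering exists and then output only the renderer's sanitized result raw; if the raw tag stays, a template comment should record the assumption, e.g. `%# body is XML-escaped on INSERT by the model; never pass unescaped text to this <%== %>`. The same `<%=` to `<%==` switch appears in the thread and remark templates that follow (five further hunks), and this note applies to each of them.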


@ -37,7 +37,7 @@
<h3 class="title"><%= $thread->{'title'} %></h3>
<h4 class="date"><%= $thread->{'date'} %></h4>
<h5 class="author"><%= $thread->{'author'} %></h5>
<p class="body"><%= $thread->{'body'} %></p>
<p class="body"><%== $thread->{'body'} %></p>
</article>
</div>
<% if (my $last_remark_id = $last_remark->{'id'}) { =%>
@ -50,7 +50,7 @@
</nav>
<h4 class="date"><%= $last_remark->{'date'} %></h4>
<h5 class="author"><%= $last_remark->{'author'} %></h5>
<p class="body"><%= $last_remark->{'body'} %></p>
<p class="body"><%== $last_remark->{'body'} %></p>
</article>
</div>
<% } =%>


@ -6,7 +6,7 @@
<h3 class="title"><%= $thread->{'title'} %></h3>
<h4 class="date"><%= $thread->{'date'} %></h4>
<h5 class="author"><%= $thread->{'author'} %></h5>
<p class="body"><%= $thread->{'body'} %></p>
<p class="body"><%== $thread->{'body'} %></p>
</article>
</div>
<nav>
@ -32,7 +32,7 @@
</nav>
<h4 class="date"><%= $remark->{'date'} %></h4>
<h5 class="author"><%= $remark->{'author'} %></h5>
<p class="body"><%= $remark->{'body'} %></p>
<p class="body"><%== $remark->{'body'} %></p>
<nav class="flag">
<%= link_to Flag => flag_remark => {remark_id => $remark->{'id'}} %>
</nav>


@ -15,7 +15,7 @@
</h3>
<h4 class="date"><%= $thread->{'date'} %></h4>
<h5 class="author"><%= $thread->{'author'} %></h5>
<p class="body"><%= truncate_text $thread->{'body'} %></p>
<p class="body"><%== truncate_text $thread->{'body'} %></p>
<nav>
<%= link_to Remark => post_remark => {thread_id => $thread->{'id'}} %>
<%= link_to url_for(single_thread => {thread_id => $thread->{'id'}})
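Review bot: `truncate_text` now operates on the XML-escaped body rather than the author's text, so a length-based cut can land inside an entity such as `&amp;` and `<%==` then emits the dangling fragment raw, while the visible length also varies with how many characters were escaped. The helper is defined outside this page, so this is inferred from its name; if it truncates by character count it should either be made entity-aware or be applied to the unescaped text with the result escaped afterwards, and that choice should be noted next to the call, e.g. `%# body is already XML-escaped; truncate_text must not split an entity`.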