From 94988c2d349602e4c6ed5dfc6c345ed1cecce53c Mon Sep 17 00:00:00 2001
From: swag
Date: Tue, 25 Apr 2023 10:40:47 -0400
Subject: [PATCH] xml_escape() on INSERT and don't XML escape thread/remark body in templates

---
 README.md | 1 -
 lib/PostText/Model/Remark.pm | 3 ++-
 lib/PostText/Model/Thread.pm | 3 ++-
 templates/remark/by_id.html.ep | 2 +-
 templates/remark/create.html.ep | 4 ++--
 templates/thread/by_id.html.ep | 4 ++--
 templates/thread/by_page.html.ep | 2 +-
 7 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 7c0c7e1..1330f16 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,6 @@ Run the tests locally (against development environment):
 
 ## TODOs
 
-1. `xml_escape` on INSERT (needed for the Markdown stuff later)
 1. Rules/about page
 1. CSS
 1. "All new posts flagged" mode (require approval for new posts)
diff --git a/lib/PostText/Model/Remark.pm b/lib/PostText/Model/Remark.pm
index 69fe6ac..0e84fd0 100644
--- a/lib/PostText/Model/Remark.pm
+++ b/lib/PostText/Model/Remark.pm
@@ -1,6 +1,7 @@
 package PostText::Model::Remark;
 
 use Mojo::Base -base, -signatures;
+use Mojo::Util qw{xml_escape};
 
 has 'pg';
 
@@ -28,7 +29,7 @@ sub by_page_for($self, $thread_id, $this_page = 1) {
 }
 
 sub create($self, $thread_id, $author, $body, $hidden = 0, $flagged = 0) {
- my @data = ($thread_id, $author, $body, $hidden, $flagged);
+ my @data = ($thread_id, $author, xml_escape($body), $hidden, $flagged);
 
 $self->pg->db->query(<<~'END_SQL', @data);
 INSERT INTO remarks (
diff --git a/lib/PostText/Model/Thread.pm b/lib/PostText/Model/Thread.pm
index cf2f0c1..c0380de 100644
--- a/lib/PostText/Model/Thread.pm
+++ b/lib/PostText/Model/Thread.pm
@@ -1,6 +1,7 @@
 package PostText::Model::Thread;
 
 use Mojo::Base -base, -signatures;
+use Mojo::Util qw{xml_escape};
 
 has 'pg';
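Review bot: Escaping `$body` at INSERT time in `create` ties the stored row to one output context and makes every `<%==` in the templates trust that the database already holds safe HTML; rows written before this commit, or through any path other than `create`, will now be rendered raw. The more robust pattern is to store the submitted text unchanged and escape (or Markdown-render and sanitize) at output, which the `<%=` helper was already doing. If storage-time escaping is kept deliberately, note that `$author` in the same `@data` tuple goes in unescaped and is still escaped by `<%=` in the templates, so the mixed convention deserves a comment on the changed line, e.g. `# body is stored XML-escaped; templates render it with <%== and must not escape it again`. The body of `create` continues past the end of the hunk.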
@@ -9,7 +10,7 @@ has per_page => 5;
 has date_format => 'Dy, FMDD Mon YYYY HH24:MI:SS TZ';
 
 sub create($self, $author, $title, $body, $hidden = 0, $flagged = 0) {
- my @data = ($author, $title, $body, $hidden, $flagged);
+ my @data = ($author, $title, xml_escape($body), $hidden, $flagged);
 
 $self->pg->db->query(<<~'END_SQL', @data)->hash->{'thread_id'};
 INSERT INTO threads (
diff --git a/templates/remark/by_id.html.ep b/templates/remark/by_id.html.ep
index 6b7438f..7d10d8c 100644
--- a/templates/remark/by_id.html.ep
+++ b/templates/remark/by_id.html.ep
@@ -6,7 +6,7 @@
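Review bot: `$title` and `$author` enter `@data` unescaped while `$body` is escaped, so one row now mixes raw and pre-escaped columns with nothing in the code saying which is which; a comment on the changed line, such as `# body is stored pre-escaped (rendered with <%== in templates); title/author stay raw and are escaped at render`, would make the invariant visible. Storing the escaped form also changes what the later `truncate_text $thread->{'body'}` in by_page.html.ep operates on: if that helper cuts by character count it can split an entity like `&quot;` mid-way and will count `&lt;` as four characters rather than one, which is worth confirming against its implementation. The body of `create` and its heredoc SQL continue past the end of the hunk.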

<%= $remark->{'date'} %>

<%= $remark->{'author'} %>
-

<%= $remark->{'body'} %>

+

<%== $remark->{'body'} %>

<%= $last_remark->{'date'} %>

<%= $last_remark->{'author'} %>
-

<%= $last_remark->{'body'} %>

+

<%== $last_remark->{'body'} %>

<% } =%>
diff --git a/templates/thread/by_id.html.ep b/templates/thread/by_id.html.ep
index b585d38..25ec887 100644
--- a/templates/thread/by_id.html.ep
+++ b/templates/thread/by_id.html.ep
@@ -6,7 +6,7 @@
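Review bot: Switching both `body` outputs to `<%==` turns off Mojolicious's automatic escaping, so this template is only safe if every row in `remarks` was written through `Remark::create` after this commit; any row inserted earlier, seeded via SQL, or modified by a path other than that method is now emitted as raw HTML (stored XSS). A one-off migration that escapes existing `body` values, or keeping `<%=` until that migration has run, would close that window. The neighbouring `<%= $remark->{'author'} %>` lines correctly stay auto-escaped, since `create` does not escape `$author`.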

<%= $thread->{'title'} %>

<%= $thread->{'date'} %>

<%= $thread->{'author'} %>
-

<%= $thread->{'body'} %>

+

<%== $thread->{'body'} %>

<%= $remark->{'date'} %>

<%= $remark->{'author'} %>
-

<%= $remark->{'body'} %>

+

<%== $remark->{'body'} %>
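Review bot: The two `<%==` outputs sit directly beside `<%= $thread->{'title'} %>` and `<%= $remark->{'author'} %>` with nothing marking why `body` alone bypasses auto-escaping. A template comment above each unescaped output, such as `<%# body is stored XML-escaped by Model::Thread/Remark::create; do not escape again %>`, would keep a later edit from either "fixing" it back to `<%=` (double-escaping) or copying `<%==` onto title/author (XSS).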

diff --git a/templates/thread/by_page.html.ep b/templates/thread/by_page.html.ep
index 7521175..2fa00f7 100644
--- a/templates/thread/by_page.html.ep
+++ b/templates/thread/by_page.html.ep
@@ -15,7 +15,7 @@

<%= $thread->{'date'} %>

<%= $thread->{'author'} %>
-

<%= truncate_text $thread->{'body'} %>

+

<%== truncate_text $thread->{'body'} %>