From: Paul Hänsch
Date: Thu, 26 Aug 2021 11:56:14 +0000 (+0200)
Subject: sanitizing of comment input, improved comment display
X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=3bf9ee98bee3b55fe732c8ffb5e8b08e6a5038e4;p=webpoll
sanitizing of comment input, improved comment display
---
diff --git a/comments.sh b/comments.sh
old mode 100644
new mode 100755
index 9597602..90fdbb9
--- a/comments.sh
+++ b/comments.sh
@@ -9,6 +9,9 @@ comments_postcomment() {
 local cuid="$1" username="$2" text="$3"
 local db="$comments_file"
+ [ ! "$cuid" -o ! "$username" -o ! "$text" ] \
+ && REDIRECT "${_BASE}${PATH_INFO}#ERROR_COMMENT_INVALID"
+
 mkdir -p "${comments_file%/*}" || REDIRECT "${_BASE}${PATH_INFO}#ERROR_COMMENT_NOCREAT"
 if LOCK "$db"; then
 if grep -qE "^${cuid} " "$db"; then
@@ -30,6 +33,9 @@ comments_updatecomment() {
 local db="$comments_file"
 local ousername sid time otext
+ [ ! "$cuid" -o ! "$username" -o ! "$text" ] \
+ && REDIRECT "${_BASE}${PATH_INFO}#ERROR_COMMENT_INVALID"
+
 mkdir -p "${comments_file%/*}" || REDIRECT "${_BASE}${PATH_INFO}#ERROR_COMMENT_NOCREAT"
 if LOCK "$db"; then
 read -r cuid ousername sid time otext <<-EOF
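Review bot: The new emptiness check in comments_postcomment is a single `[` invocation with `-o` and eight operands, whose parse is unspecified in POSIX and can go wrong when `$username` or `$text` happens to be an operator-looking token such as `-o`, `!` or `=`; the identical line is added to comments_updatecomment in the next hunk. Writing it as three separate tests removes the ambiguity and keeps the same semantics: `[ -z "$cuid" ] || [ -z "$username" ] || [ -z "$text" ] \` followed by the unchanged `&& REDIRECT "${_BASE}${PATH_INFO}#ERROR_COMMENT_INVALID"`. The check only rejects empty values; `$cuid` still reaches `grep -qE "^${cuid} " "$db"` unvalidated inside this function, so a comment such as `# cuid is trusted to be checkid-filtered by the dispatcher below` would make the dependency on the caller explicit. This presumes REDIRECT terminates the request, as its existing use after `mkdir -p` suggests; if it only emits headers, the function continues with the empty values.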
@@ -53,10 +59,16 @@ comments_updatecomment() {
 }
 [ "$REQUEST_METHOD" = POST ] && case "$(POST action)" in
- postcomment) comments_postcomment "$(POST cuid)" "$(POST username)" "$(POST text)";;
- updatecomment) comments_updatecomment "$(POST cuid)" "$(POST updatekey)" "$(POST username)" "$(POST text)";;
+ postcomment) comments_postcomment \
+ "$(POST cuid |checkid)" \
+ "$(POST username |grep -m1 -oE '[^[:space:]].*[^[:space:]]')" \
+ "$(POST text)";;
+ updatecomment) comments_updatecomment \
+ "$(POST cuid |checkid)" "$(POST updatekey)" \
+ "$(POST username |grep -m1 -oE '[^[:space:]].*[^[:space:]]')" \
+ "$(POST text)";;
 cancelcommentpost) REDIRECT "${_BASE}${PATH_INFO}#comments";;
- cancelcommentedit) REDIRECT "${_BASE}${PATH_INFO}#comment_$(POST cuid)";;
+ cancelcommentedit) REDIRECT "${_BASE}${PATH_INFO}#comment_$(POST cuid |checkid)";;
 esac
 w_comments() {
@@ -73,6 +85,7 @@ w_comments() {
 [hidden "cuid" "$(timeid)"]
 [input name=username placeholder="Your Name" autocomplete=off]
 [textarea name=text placeholder="Your Text"]
+ [label .legend You can use Markdown formatting for the comment text. Comments can be edited up to a short time after they have been posted.]
 [submit "action" "cancelcommentpost" Cancel][submit "action" "postcomment" . Post Comment]
 ]
 EOF
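Review bot: The username trim `grep -m1 -oE '[^[:space:]].*[^[:space:]]'` requires at least two non-blank characters, so a one-character name such as `X` yields an empty string and the post is bounced to ERROR_COMMENT_INVALID; the same pattern is used in the updatecomment arm. Making the tail optional keeps the trimming and accepts single characters: `"$(POST username |grep -m1 -oE '[^[:space:]](.*[^[:space:]])?')" \`. Because of `-m1 -o`, only the first line of a multi-line name survives and the rest is silently dropped, which is probably intended but deserves a comment on that line. `text` is passed through untouched; whether it is STRING-escaped before it is written to the line-oriented comments file and HTML-escaped by `markdown` on output is not visible in this hunk.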
@@ -88,18 +101,16 @@ w_comments() {
 [submit "action" "cancelcommentedit" Cancel][submit "action" "updatecomment" . Update Comment]
 ]' "$cuid" "$cuid" "$(session_mac "${username}|${time}|${text}")" \
 "$(UNSTRING "$username" |HTML)" "$(UNSTRING "$text" |HTML)"
- elif [ "$username" -a "$edit" = "$cuid" ]; then
- printf '[div .comment #comment_%s [h3 . %s, %s:][span .error You cannot edit this comment][div . %s]]' \
- "$cuid" "$(UNSTRING "$username" |HTML)" "$(date -d "@${time%%,*}")" \
- "$(UNSTRING "$text" |markdown)"
- elif [ "$username" -a "$sid" = "$SESSION_ID" ]; then
- printf '[div .comment #comment_%s [h3 . %s, %s:][a href="?editcomment=%s#comment_%s" edit][div . %s]]' \
- "$cuid" "$(UNSTRING "$username" |HTML)" "$(date -d "@${time%%,*}")" \
- "$cuid" "$cuid" "$(UNSTRING "$text" |markdown)"
 elif [ "$username" -a "$text" ]; then
- printf '[div .comment #comment_%s [h3 . %s, %s:][div . %s]]' \
- "$cuid" "$(UNSTRING "$username" |HTML)" "$(date -d "@${time%%,*}")" \
- "$(UNSTRING "$text" |markdown)"
+ printf '[div .comment #comment_%s [h3 . %s:]' "$cuid" "$(UNSTRING "$username" |HTML)"
+ printf '[span .time [label posted] %s]' "$(date -d "@${time%,*}")"
+ [ "${time}" != "${time%,*}" ] \
+ && printf '[span .update [label updated] %s]' "$(date -d "@${time#*,}")"
+ [ "$edit" = "$cuid" ] \
+ && printf '[span .error You cannot edit this comment]'
+ [ "$sid" = "$SESSION_ID" ] \
+ && printf '[a .edit href="?editcomment=%s#comment_%s" edit]' "$cuid" "$cuid"
+ printf '[div . %s]]' "$(UNSTRING "$text" |markdown)"
 else
 printf '[div .comment .deleted #comment_%s [h3 (deleted)]]' "$cuid"
 fi
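Review bot: The stored `$cuid` is interpolated into `#comment_%s` and into the `href="?editcomment=%s#comment_%s"` attribute without the `HTML` filter that `$username` and `$text` get on the same lines; its only constraint is the `checkid` filter applied at submission, so records written before that filter existed, or by any other writer of the comments file, reach the page unescaped. Escaping at render time is one filter per argument, `"$(printf %s "$cuid" |HTML)"` in place of `"$cuid"` in the two new printf argument lists, and would make the output independent of how the record was created. The change from `${time%%,*}` to `${time%,*}` is equivalent when the field holds a single comma but diverges if it ever holds more; a comment on the `posted` line such as `# time is "posted[,updated]" epoch seconds` would pin that layout. The `if` chain this `elif` belongs to begins before the hunk.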