Comments

* do not double escape chat message body
2025-11-29 15:58:16 +08:00 · 2015-12-05 20:32:15 +01:00
parent 5661f09454
commit f01c624f82
1 changed files with 9 additions and 9 deletions
--- a/includes/ajaxHandler/comment.class.php
+++ b/includes/ajaxHandler/comment.class.php
@@ -11,15 +11,15 @@ class AjaxComment extends AjaxHandler
    const REPLY_LENGTH_MAX   = 600;

    protected $_post = array(
-        'id'          => [FILTER_CALLBACK,                    ['options' => 'AjaxComment::checkId']],
-        'body'        => [FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES],
-        'commentbody' => [FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES],
-        'response'    => [FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES],
-        'reason'      => [FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES],
-        'remove'      => [FILTER_SANITIZE_NUMBER_INT,         null],
-        'commentId'   => [FILTER_SANITIZE_NUMBER_INT,         null],
-        'replyId'     => [FILTER_SANITIZE_NUMBER_INT,         null],
-     // 'username'    => [FILTER_SANITIZE_STRING,            0xC] // FILTER_FLAG_STRIP_LOW | *_HIGH
+        'id'          => [FILTER_CALLBACK,            ['options' => 'AjaxComment::checkId']],
+        'body'        => [FILTER_UNSAFE_RAW,          null],// escaped by json_encode
+        'commentbody' => [FILTER_UNSAFE_RAW,          null],// escaped by json_encode
+        'response'    => [FILTER_SANITIZE_STRING,     FILTER_FLAG_STRIP_LOW],
+        'reason'      => [FILTER_SANITIZE_STRING,     FILTER_FLAG_STRIP_LOW],
+        'remove'      => [FILTER_SANITIZE_NUMBER_INT, null],
+        'commentId'   => [FILTER_SANITIZE_NUMBER_INT, null],
+        'replyId'     => [FILTER_SANITIZE_NUMBER_INT, null],
+     // 'username'    => [FILTER_SANITIZE_STRING,     0xC]  // FILTER_FLAG_STRIP_LOW | *_HIGH
    );

    protected $_get  = array(