[Cpan-forum-commit] rev 37 - trunk/lib/CPAN

svn at pti.co.il svn at pti.co.il
Tue Jan 25 22:28:32 IST 2005


Author: gabor
Date: 2005-01-25 22:28:32 +0200 (Tue, 25 Jan 2005)
New Revision: 37

Modified:
   trunk/lib/CPAN/Forum.pm
Log:
apply escapeHTML to the subject line

Modified: trunk/lib/CPAN/Forum.pm
===================================================================
--- trunk/lib/CPAN/Forum.pm	2005-01-25 19:58:37 UTC (rev 36)
+++ trunk/lib/CPAN/Forum.pm	2005-01-25 20:28:32 UTC (rev 37)
@@ -19,6 +19,7 @@
 my $limit       = 3;
 my $limit_rss   = 10;
 my $cookiename  = "cpanforum";
+my $SUBJECT = qr{[\w .:~!@#\$%^&*\()+?><,'";=-]+};
 
 my %errors = (
 	"ERR no_less_sign"              => "No < sign in text",
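Review bot: The character class in the added `$SUBJECT` pattern deliberately admits HTML-active characters (`<`, `>`, `&`, `"`, `'`), so a subject that passes validation is still not safe to emit, and nothing at the file head says so. Suggest a comment above the declaration: `# Characters a subject may contain. Deliberately admits < > & " ', so validation is not sanitisation: every output path must escape.` Since this commit hoists the pattern from a sub into file scope, it is now shared by the validator and any later code, which makes the note worth having next to the definition.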
@@ -178,6 +179,11 @@
 
 =head2 Changes
 
+v0.09_05
+- POD cleanup (Shlomi Fish)
+
+- More tests
+
 v0.09_04
 
 - Before writing a new post instead of showing a list of all the modules now 
@@ -688,7 +694,7 @@
 		#(my $dashgroup = $post->gid) =~ s/::/-/g;
 		my $thread_count = CPAN::Forum::Posts->sql_count_thread($post->thread)->select_val;
 		push @resp, {
-			subject      => $post->subject, 
+			subject      => _subject_escape($post->subject), 
 			id           => $post->id, 
 			group        => $post->gid->name, 
 			#dashgroup    => $dashgroup,
@@ -1193,8 +1199,8 @@
 			$new_subject = "Re: $new_subject";
 		}
 		
-		$t->param(new_subject  => $new_subject);
-		$t->param(title        => $post->subject);
+		$t->param(new_subject  => _subject_escape($new_subject));
+		$t->param(title        => _subject_escape($post->subject));
 		$t->param(post         => 1);
 		
 		$new_group        = $post->gid->name;
@@ -1208,7 +1214,7 @@
 	# only one iteration in it) The following hash is in preparation of this internal loop.
 	if (not @$errors or $$errors[0] eq "preview") {
 		my %preview;
-		$preview{subject}    = $q->param("new_subject") || "";
+		$preview{subject}    = _subject_escape($q->param("new_subject")) || "";
 		$preview{text}       = _text_escape($q->param("new_text"))    || "";
 		$preview{parentid}   = $q->param("new_parent")  || "";
 #		$preview{thread_id}  = $q->param("new_text")    || "";
@@ -1219,7 +1225,7 @@
 		$t->param(preview_loop => [\%preview]);
 	}
 
-	$t->param(new_subject => $q->param("new_subject"));
+	$t->param(new_subject => _subject_escape($q->param("new_subject")));
 	$t->param(group       => $new_group) if $new_group;
 
 	return $t->output;
@@ -1256,7 +1262,6 @@
 	my $new_text = $q->param("new_text"); 
 	
 	push @errors, "no_subject" if not $new_subject;
-	my $SUBJECT = qr{[\w .:~!@#\$%^&*\()+?><,'";=-]+};
 	push @errors, "invalid_subject" if $new_subject and $new_subject !~ m{^$SUBJECT$};
 	
 	push @errors, "no_text"    if not $new_text;
@@ -1341,6 +1346,11 @@
 	return \%post;
 }
 
+sub _subject_escape {
+	my ($subject) = @_;
+	return CGI::escapeHTML($subject);
+}
+
 # this is not correct, the Internal error should be raised all the way up, not as the
 # text field...
 sub _text_escape {
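Review bot: `_subject_escape` carries no comment stating which output context it escapes for, and the `# TODO _subject_escape ?` markers this same commit leaves on the RSS and mail lines show that callers are already unsure whether it applies to them. Suggest a header comment such as `# HTML-escape a subject for template output (CGI::escapeHTML). Not an XML/RSS or mail-header encoder.` One behaviour worth stating, hedged: CGI::escapeHTML appears to return undef for undef input, which is what keeps the `|| ""` at the preview call site meaningful — confirm against the installed CGI.pm version before documenting it.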
@@ -1394,7 +1404,7 @@
 #	(my $dashgroup = $posts[0]->gid) =~ s/::/-/g;
 	$t->param(group => $posts[0]->gid->name);
 #	$t->param(dashgroup => $dashgroup);
-	$t->param(title => $posts[0]->subject);
+	$t->param(title => _subject_escape($posts[0]->subject));
 
 	return $t->output;
 }
@@ -1762,7 +1772,7 @@
 
 	my $prefix = "";
 	while (my $post = $it->next() and $cnt--) {
-		$rss->item($url. "posts/" . $post->id(), $prefix . $post->subject);
+		$rss->item($url. "posts/" . $post->id(), $prefix . $post->subject); # TODO _subject_escape ?
 	}
 #	$rss->save("file.rss");
 
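Review bot: The trailing `# TODO _subject_escape ?` leaves open a question whose answer depends on the class of `$rss`, which is not visible in this hunk: if it is an XML::RSS-style writer that XML-encodes item titles itself, HTML-escaping first would double-encode (`&` becomes `&amp;amp;`); if it does not, the raw subject goes into the feed unencoded. In either case HTML escaping is the wrong transform for an XML title. Resolve the TODO by checking the library's encoding behaviour and replacing it with a statement of fact, e.g. `# title is XML-encoded by the RSS writer; do not HTML-escape here` or its opposite. The enclosing sub starts and ends outside this hunk.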
@@ -1802,7 +1812,7 @@
 	# disclaimer ?
 	# X-lits: field ?
 
-	my $subject = sprintf ("[%s] %s",  $post->gid->name, $post->subject);
+	my $subject = sprintf ("[%s] %s",  $post->gid->name, $post->subject); # TODO _subject_escape ?
 
 	my ($field) = CPAN::Forum::Configure->search({field => "from"});
 	my $FROM = $field->value;
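Review bot: The `# TODO _subject_escape ?` on the sprintf line should be answered with no: a mail `Subject:` header is plain text, so `_subject_escape` would put `&amp;` and `&lt;` into outgoing mail. The property that matters for a header is the absence of CR/LF, which the `$SUBJECT` validation elsewhere in this commit is meant to guarantee; note that its `m{^$SUBJECT$}` anchors let one trailing newline through, because `$` matches before a final newline, so `\A`/`\z` would be the tighter form if that check is the only guard. Replace the TODO with `# plain-text header: no HTML escaping; relies on $SUBJECT validation having rejected CR/LF`. The enclosing sub continues outside this hunk.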


