From 500023723ee4854a1b4ffba6d1f27118e5142637 Mon Sep 17 00:00:00 2001
From: Retro_Guy
Date: Sat, 19 Aug 2023 07:45:07 -0700
Subject: [PATCH] Use htmlspecialchars properly.
---
 Rocksolid_Light/rocksolid/lib/message.inc.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/Rocksolid_Light/rocksolid/lib/message.inc.php b/Rocksolid_Light/rocksolid/lib/message.inc.php
index ee4cba3..486453e 100644
--- a/Rocksolid_Light/rocksolid/lib/message.inc.php
+++ b/Rocksolid_Light/rocksolid/lib/message.inc.php
@@ -594,6 +594,22 @@ function text2html($text) {
 return $text;
 }
+function nl2p($string, $line_breaks = true, $xml = true) {
+
+ $string = str_replace(array('

', '

', '
', '
'), '', $string);
+
+ // It is conceivable that people might still want single line-breaks
+ // without breaking into a new paragraph.
+ if ($line_breaks == true)
+ return '

'.preg_replace(array("/([\n]{2,})/i", "/([^>])\n([^<])/i"), array("

\n

", '$1$2'), trim($string)).'

';
+ else
+ return '

'.preg_replace(
+ array("/([\n]{2,})/i", "/([\r\n]{3,})/i","/([^>])\n([^<])/i"),
+ array("

\n

", "

\n

", '$1$2'),
+
+ trim($string)).'

';
+}
+
 /*
 * print an article to the webpage
 *
@@ -628,7 +644,6 @@ function message_show($group,$id,$attachment=0,$article_data=false,$maxlen=false
 show_header($head,$group,$local_poster);
 // X-Face
 if ($face = display_full_headers($head->number,$group,$head->name,$head->from,true)) {
-// $pngfile = '../tmp/face-'.preg_replace("/[^A-Za-z0-9 ]/", '', $head->id);
 $pngfile = '../tmp/face-'.hash('ripemd160', $face);
 if(file_exists($pngfile)) {
 echo '';
@@ -660,6 +675,7 @@ function message_show($group,$id,$attachment=0,$article_data=false,$maxlen=false
 $encrypted=true;
 }
 if($encrypted === false) {
+ $body = nl2p(htmlspecialchars($body));
 $body=decode_textbody($body, $article_data->header->content_type_format[$attachment]);
 }
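Review bot: nl2p() carries no comment stating what it expects of its input, yet it wraps the text in paragraph markup without escaping anything itself, so any future caller that hands it an unescaped article body emits raw content as HTML; the only caller in this patch escapes first, but that contract lives solely at the call site. Add a header comment above `function nl2p(...)` such as `// Wraps already-escaped text in paragraph markup. nl2p() does NOT escape: callers must run htmlspecialchars() (or equivalent) on $string before calling it.` The tag literals inside the str_replace() call and the preg_replace() replacement strings have been dropped by the rendering of this page, so their exact content cannot be checked here; if, as the layout suggests, the first str_replace() strips literal paragraph/line-break tags, note that it is a no-op for input that has already gone through htmlspecialchars(). As a point of style, `if ($line_breaks == true)` is a loose comparison; `if ($line_breaks === true)` (or simply `if ($line_breaks)`) says the same without coercion, and the `/i` modifier on patterns containing no letters does nothing.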
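Review bot: `htmlspecialchars($body)` in the last hunk relies on the default flags and charset, so on PHP releases before 8.1 a body containing byte sequences that are not valid UTF-8 makes htmlspecialchars() return an empty string and the article is silently rendered blank, while single quotes are left unescaped (ENT_COMPAT); pass the flags explicitly, `$body = nl2p(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`, or convert the body to UTF-8 first if articles may arrive in other charsets. The escaped, paragraph-wrapped body is then handed to decode_textbody() on the next line together with the content_type_format value, which suggests that function reworks line structure and may escape on its own; whether it double-encodes the entities and markup nl2p() has just produced, or expects raw text, is not visible in this hunk and should be confirmed. The escaping is also only applied in the `$encrypted === false` branch; if the encrypted path reaches the same output code elsewhere, that path needs the same treatment. message_show() starts and ends outside the hunk.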