1
wanikoo
some weird code in newbb/post.php
  • 2005/2/24 22:20


Umm...
Today,
I added spaw editor and koivi editor to my newbb(Ver1.0 Not 2.x).
btw, during this job, I found some weird code.
( newbb/post.php )
// prevent hacking of nohtml value
if (!empty($HTTP_POST_VARS['nohtml']) && $forumdata['allow_html']) {
    $forumpost->setNohtml(0);
} else {
    $forumpost->setNohtml(1);
}

Is this intentional to prevent any hacking or just a mistake??
anyway....this prevents all allow_html posts regardless of the value of nohtml
I think this code should be like this! ( 0 -> 1, 1-> 0 )
// prevent hacking of nohtml value
if (!empty($HTTP_POST_VARS['nohtml']) && $forumdata['allow_html']) {
    $forumpost->setNohtml(1);
} else {
    $forumpost->setNohtml(0);
}

Or ( just delete ! in !empty)
// prevent hacking of nohtml value
if (empty($HTTP_POST_VARS['nohtml']) && $forumdata['allow_html']) {
    $forumpost->setNohtml(0);
} else {
    $forumpost->setNohtml(1);
}

Umm..
I think the latter is reasonable.

2
wanikoo
Re: some weird code in newbb1.x
  • 2005/3/9 11:08


And...this code is also weird.
foreach (array('forum', 'topic_id', 'post_id', 'order', 'pid') as $getint) {
    ${$getint} = isset($HTTP_POST_VARS[$getint]) ? intval($HTTP_POST_VARS[$getint]) : 0;
}
$order = isset($order) ? intval($order) : '';

As you know, 'order' has string-value like "ASC", "DESC" not integer value..in newbb module.
So this code can cause some trouble.

I think this code should be like this!
foreach (array('order', 'etc') as $getstr) {
    ${$getstr} = isset($_POST[$getstr]) ? addslashes(trim($_POST[$getstr])) : '';
}
foreach (array('order', 'etc') as $getstr) {
    ${$getstr} = isset($_GET[$getstr]) ? addslashes(trim($_GET[$getstr])) : '';
}
$order = isset($_GET['order']) ? addslashes(trim($_GET['order'])) : '';

$order = isset($_POST['order']) ? addslashes(trim($_POST['order'])) : '';

3
Mithrandir
Re: some weird code in newbb/post.php

// prevent hacking of nohtml value
if (!empty($HTTP_POST_VARS['nohtml']) && $forumdata['allow_html']) {
    $forumpost->setNohtml(0);
} else {
    $forumpost->setNohtml(1);
}

setNohtml(0) = HTML allowed
setNohtml(1) = HTML blocked

To put the process in grammar:
"If the POST var is checked and HTML is allowed in the forum, the module shall not block HTML"

4
wanikoo
Re: some weird code in newbb/post.php
  • 2005/3/9 14:50


Quote:

Mithrandir wrote:
// prevent hacking of nohtml value
if (!empty($HTTP_POST_VARS['nohtml']) && $forumdata['allow_html']) {
    $forumpost->setNohtml(0);
} else {
    $forumpost->setNohtml(1);
}

setNohtml(0) = HTML allowed
setNohtml(1) = HTML blocked

To put the process in grammar:
"If the POST var is checked and HTML is allowed in the forum, the module shall not block HTML"

Umm...
I've searched this patch..and found this page!
https://sourceforge.jp/projects/exmodules/document/Extra_xoops2.0.9-newbb-patch-1.00_-_Notes/
minahito who had submitted this patch corrected it like this!

// patching
if (empty($HTTP_POST_VARS['nohtml']) && $forumdata['allow_html']) {
    $forumpost->setNohtml(0);
} else {
    $forumpost->setNohtml(1);
}

I mean not !empty but just empty !!

5
Dave_L
Re: some weird code in newbb/post.php
  • 2005/3/9 15:11


The best place to report newBB bugs is: http://dev.xoops.org/modules/xfmod/tracker/?group_id=1001

If this applies only to the old version newBB 1, I doubt if it will be fixed, but if it's posted on the tracker, it would be easier for others to find.

6
Mithrandir
Re: some weird code in newbb/post.php

After going over the code in my head again, I think Minahito is right (it is not always easy to get around those double or triple negations like "don't set the noHTML to off")

And so is Dave
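
The truth table behind this thread, as an added example that is not part of any post and not newbb's own code: it runs the original and the patched condition over constructed POST bodies and counts any case where a request value would enable HTML against the forum's allow_html setting. The function names, the sample requests and the assumption about how the checkbox is submitted are introduced here for illustration.

```php
<?php
// Added example, not code from newbb. Each function returns the argument that
// would be passed to $forumpost->setNohtml(): 0 = HTML allowed, 1 = HTML blocked.

// Condition as originally found in newbb/post.php (quoted in post 1).
function nohtml_original(array $post, bool $forumAllowsHtml): int
{
    return (!empty($post['nohtml']) && $forumAllowsHtml) ? 0 : 1;
}

// Condition after the patch quoted in post 4.
function nohtml_patched(array $post, bool $forumAllowsHtml): int
{
    return (empty($post['nohtml']) && $forumAllowsHtml) ? 0 : 1;
}

// Constructed POST bodies. Assumption: a ticked "disable HTML" box arrives as
// nohtml=1 and an unticked box is simply absent from the request.
$requests = [
    'box ticked'   => ['nohtml' => '1'],
    'box unticked' => [],
    'nohtml=0'     => ['nohtml' => '0'],   // empty('0') is true in PHP
    'nohtml=x'     => ['nohtml' => 'x'],   // any other non-empty value
];

$violations = 0;
printf("%-13s %-10s %-9s %-8s\n", 'request', 'allow_html', 'original', 'patched');
foreach ([true, false] as $forumAllowsHtml) {
    foreach ($requests as $label => $post) {
        $orig = nohtml_original($post, $forumAllowsHtml);
        $new  = nohtml_patched($post, $forumAllowsHtml);
        // Assumed intent of "prevent hacking of nohtml value": no request
        // value may enable HTML in a forum whose allow_html setting is off.
        if (!$forumAllowsHtml && ($orig === 0 || $new === 0)) {
            $violations++;
        }
        printf("%-13s %-10s %-9s %-8s\n", $label, $forumAllowsHtml ? 'on' : 'off',
            $orig ? 'blocked' : 'allowed', $new ? 'blocked' : 'allowed');
    }
}
printf("forum-setting violations: %d\n", $violations);
```

Both variants keep the forum setting authoritative; they differ only in forums with allow_html on, where the original inverts the poster's checkbox and the patched version honours it.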
