-rw-r--r-- | include/functions_session.inc.php | 2 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 7 | ||||
-rw-r--r-- | picture.php | 17 |
3 files changed, 14 insertions, 12 deletions
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 411b374bf..b4ee2d183 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -141,7 +141,7 @@ function pwg_session_write($session_id, $data)
 $query = '
 REPLACE INTO '.SESSIONS_TABLE.'
 (id,data,expiration)
- VALUES(\''.get_remote_addr_session_hash().$session_id.'\',\''.$data.'\',now())
+ VALUES(\''.get_remote_addr_session_hash().$session_id.'\',\''.str_replace("'", "\'", $data).'\',now())
 ;';
 pwg_query($query);
 return true;
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index 0273e7b71..70e2c7e95 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -228,16 +228,11 @@ SELECT
 if ($show_add_comment_form)
 {
 $key = get_ephemeral_key(3, $page['image_id']);
- $content = '';
- if ('reject'===@$comment_action)
- {
- $content = htmlspecialchars( stripslashes($comm['content']) );
- }
 $template->assign('comment_add', array(
 'F_ACTION' => $url_self,
 'KEY' => $key,
- 'CONTENT' => $content,
+ 'CONTENT' => null,
 'SHOW_AUTHOR' => !is_classic_user()
 ));
 }
diff --git a/picture.php b/picture.php
index bcc1a2939..015c65de5 100644
--- a/picture.php
+++ b/picture.php
@@ -320,6 +320,7 @@ UPDATE '.USER_CACHE_CATEGORIES_TABLE.'
 include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
 check_input_parameter('comment_to_edit', $_GET, false, PATTERN_ID);
 $author_id = get_comment_author_id($_GET['comment_to_edit']);
+
 if (can_manage_comment('edit', $author_id))
 {
 if (!empty($_POST['content']))
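Review bot: The new `str_replace("'", "\'", $data)` on the VALUES line is not a complete escape for a quoted SQL literal: backslashes in the serialized session payload pass through unchanged, so a value ending in `\` still yields `\'` and terminates the literal early, and nothing visible in the hunk escapes the `$session_id` part at all. Session data may carry strings derived from user input, so the escaping should come from the database layer rather than a hand-rolled replacement, e.g. `mysql_real_escape_string($data)` or the project's wrapper around it, applied to every interpolated value. pwg_session_write's body continues outside the hunk.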
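Review bot: `'CONTENT' => null` leaves a template variable that is now never non-null, which reads as if the pre-fill was forgotten rather than deliberately dropped; a one-line comment would make the intent explicit, e.g. `// not pre-filled: a rejected submission now redirects, so the typed text is not echoed back`. If the template no longer reads the key, dropping it is cleaner than assigning null. The removed branch was also the only place that passed the submitted text through `htmlspecialchars` before re-display, so if pre-filling is ever reinstated it must keep that escaping. The `if ($show_add_comment_form)` block is complete within the hunk, but the surrounding code starts outside it.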
@@ -333,21 +334,27 @@ UPDATE '.USER_CACHE_CATEGORIES_TABLE.'
 $_POST['key']
 );
+ $perform_redirect = false;
 switch ($comment_action)
 {
 case 'moderate':
- array_push($page['infos'], l10n('An administrator must authorize your comment before it is visible.'));
+ $_SESSION['page_infos'][] = l10n('An administrator must authorize your comment before it is visible.');
 case 'validate':
- array_push($page['infos'], l10n('Your comment has been registered'));
+ $_SESSION['page_infos'][] = l10n('Your comment has been registered');
+ $perform_redirect = true;
 break;
 case 'reject':
- set_status_header(403);
- array_push($page['errors'], l10n('Your comment has NOT been registered because it did not pass the validation rules'));
+ $_SESSION['page_errors'][] = l10n('Your comment has NOT been registered because it did not pass the validation rules');
+ $perform_redirect = true;
 break;
 default:
 trigger_error('Invalid comment action '.$comment_action, E_USER_WARNING);
 }
-
+
+ if ($perform_redirect)
+ {
+ redirect($url_self);
+ }
 unset($_POST['content']);
 break;
 }
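Review bot: The `case 'moderate':` arm still falls through into `case 'validate':` without a `break`, and now that the messages are queued in `$_SESSION` that fallthrough is what makes both infos appear after the redirect; it deserves an explicit comment, e.g. `// no break: a moderated comment is also registered, so both messages are queued`. The reject path also loses its `set_status_header(403)`: the client now only sees the redirect status, so if a 4xx response for rejected input is still wanted it has to be emitted by the page that drains `$_SESSION['page_errors']`, which lies outside this hunk. `$url_self` and `redirect()` are not defined in the hunk, so whether `unset($_POST['content'])` is still reached after a redirect depends on whether `redirect()` terminates the request; if it does, the `unset` and `break` below are only reached on the `default` (invalid action) path. The enclosing `if (!empty($_POST['content']))` block starts before the hunk.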