From cbeb5ee4684df20dc35cd79e375df862170dd752 Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Tue, 24 Oct 2000 07:24:24 +0000
Subject: [PATCH] This significant commit fixes 99% of all known bugs and improves drop.org by means of better security checks in order to avoid malicious behavior. In addition, quite some code has been fine-tuned. However, as a result, every theme will require a small update ...
---
account.php | 4 +--
admin.php | 22 ++++++++-------
diary.php | 2 +-
discussion.php | 62 ++++++++++++++-----------------
error.php | 10 +------
faq.php | 39 ++++++++++++---------------
includes/admin.inc | 10 +------
includes/config.inc | 6 +++--
includes/function.inc | 15 +++++++++--
submission.php | 4 +--
submit.php | 18 ++++++-------
11 files changed, 81 insertions(+), 111 deletions(-)
diff --git a/account.php b/account.php
index 4041c62f1032..de9ba64d8890 100644
--- a/account.php
+++ b/account.php
@@ -37,7 +37,7 @@ function account_session_start($userid, $passwd) {
function account_session_close() {
global $user;
- watchdog(1, "$user->userid: sucessful attempt to logout");
+ watchdog(1, "session closed for user `$user->userid'");
session_unset();
session_destroy();
unset($user);
@@ -257,7 +257,7 @@ function account_register_enter($user = "", $error = "") {
$output .= "<P>\n";
$output .= " <B>Username:</B><BR>\n";
$output .= " <INPUT NAME=\"new[userid]\" VALUE=\"$new[userid]\"><BR>\n";
- $output .= " <SMALL><I>Enter your desired username: only letters, numbers and some special characters are allowed.</I></SMALL><BR>\n";
+ $output .= " <SMALL><I>Enter your desired username: only letters, numbers and common special characters are allowed.</I></SMALL><BR>\n";
$output .= "</P>\n";
$output .= "<P>\n";
$output .= " <B>E-mail address:</B><BR>\n";
diff --git a/admin.php b/admin.php
index a4322f298ff9..08740150b8f9 100644
--- a/admin.php
+++ b/admin.php
@@ -264,12 +264,12 @@ function comment_edit($id) {
$output .= "<P>\n";
$output .= " <B>Subject:</B><BR>\n";
- $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" VALUE=\"". stripslashes($comment->subject) ."\"><BR>\n";
+ $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" VALUE=\"". check_output($comment->subject) ."\"><BR>\n";
$output .= "</P>\n";
$output .= "<P>\n";
$output .= "<B>Comment:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". stripslashes($comment->comment) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_output($comment->comment) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
$output .= "<P>\n";
@@ -281,7 +281,7 @@ function comment_edit($id) {
}
function comment_save($id, $subject, $comment) {
- db_query("UPDATE comments SET subject = '". addslashes($subject) ."', comment = '". addslashes($comment) ."' WHERE cid = $id");
+ db_query("UPDATE comments SET subject = '". check_input($subject) ."', comment = '". check_input($comment) ."' WHERE cid = $id");
watchdog(1, "modified comment `$subject'.");
}
@@ -372,7 +372,7 @@ function diary_edit($id) {
$output .= "<P>\n";
$output .= "<B>Diary entry:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"text\">". stripslashes($diary->text) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"text\">". check_output($diary->text) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
$output .= "<P>\n";
@@ -384,7 +384,7 @@ function diary_edit($id) {
}
function diary_save($id, $text) {
- db_query("UPDATE diaries SET text = '". addslashes($text) ."' WHERE id = $id");
+ db_query("UPDATE diaries SET text = '". check_input($text) ."' WHERE id = $id");
watchdog(1, "modified diary entry #$id.");
}
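Review bot: `check_output($comment->subject)` lands inside the double-quoted `VALUE=\"…\"` attribute of the Subject field, but check_output only strips tags outside `$allowed_html` and leaves `"` untouched, so a stored subject containing a double quote terminates the attribute and the remainder is parsed as markup. Quote-escaping after the tag filter closes that gap: `VALUE=\"". str_replace("\"", "&quot;", check_output($comment->subject)) ."\"`. story_edit's Subject field in the next admin.php hunk has the same shape. comment_edit continues outside the hunk.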
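Review bot: Replacing `addslashes($subject)` with `check_input($subject)` in comment_save's UPDATE removes the only SQL escaping this function performed; check_input (defined in this patch's function.inc hunk) is just `strip_tags`, so a `'` in the subject or comment now reaches the query verbatim unless magic_quotes_gpc is escaping request data upstream, which the patch neither checks nor documents. Either keep an escaping step when that setting is off, `subject = '". addslashes(check_input($subject)) ."'`, or record the dependency in a comment on check_input so the next reader knows why the escaping went away. `WHERE cid = $id` interpolates the id unchecked on the same line; `WHERE cid = ". (int) $id` pins it to an integer. diary_save on this line, story_save in the next admin.php hunk, and submit_submit in submit.php carry the same change.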
@@ -464,7 +464,7 @@ function story_edit($id) {
$output .= "<P>\n";
$output .= " <B>Subject:</B><BR>\n";
- $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" VALUE=\"". stripslashes($story->subject) ."\"><BR>\n";
+ $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" VALUE=\"". check_output($story->subject) ."\"><BR>\n";
$output .= "</P>\n";
$output .= "<P><B>Category:</B><BR>\n";
@@ -479,17 +479,17 @@ function story_edit($id) {
$output .= "<P>\n";
$output .= "<B>Abstract:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\">". stripslashes($story->abstract) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\">". check_output($story->abstract) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
$output .= "<P>\n";
$output .= "<B>Editor's note/updates:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"updates\">". stripslashes($story->updates) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"updates\">". check_output($story->updates) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
$output .= "<P>\n";
$output .= " <B>Extended story:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\">". stripslashes($story->article) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\">". check_output($story->article) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
$output .= "<P><B>Status:</B><BR>\n";
@@ -509,7 +509,7 @@ function story_edit($id) {
}
function story_save($id, $subject, $abstract, $updates, $article, $category, $status) {
- db_query("UPDATE stories SET subject = '". addslashes($subject) ."', abstract = '". addslashes($abstract) ."', updates = '". addslashes($updates) ."', article = '". addslashes($article) ."', category = '". addslashes($category) ."', status = '$status' WHERE id = $id");
+ db_query("UPDATE stories SET subject = '". check_input($subject) ."', abstract = '". check_input($abstract) ."', updates = '". check_input($updates) ."', article = '". check_input($article) ."', category = '". check_input($category) ."', status = '$status' WHERE id = $id");
watchdog(1, "modified story `$subject'.");
}
@@ -554,6 +554,8 @@ function story_display($order = "date") {
}
function info_display() {
+ include "includes/config.inc";
+
$output .= "sitename: $sitename<BR>\n";
$output .= "e-mail address: $contact_email<BR>\n";
$output .= "send e-mail notifications: $notify<BR>\n";
diff --git a/diary.php b/diary.php
index 7fdf0801e480..a0a725938222 100644
--- a/diary.php
+++ b/diary.php
@@ -97,7 +97,7 @@ function diary_edit($id) {
$output .= "<P>\n";
$output .= " <B>Edit diary entry:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". stripslashes($diary->text) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"text\">". check_input(stripslashes($diary->text)) ."</TEXTAREA><BR>\n";
$output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
$output .= "</P>\n";
diff --git a/discussion.php b/discussion.php
index 18238a49f58b..b5f8805f58c3 100644
--- a/discussion.php
+++ b/discussion.php
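Review bot: In diary.php's diary_edit, `check_input(stripslashes($diary->text))` strips every tag, because check_input is a bare `strip_tags` with no allowed list, so the `$allowed_html` the next line advertises is removed from the entry the moment the user opens the form and is lost on the following save. admin.php's diary_edit in this same patch uses `check_output($diary->text)`, which keeps the tags in `$allowed_html`; the same call here, `check_output($diary->text)`, makes the two edit forms agree. diary_edit continues outside the hunk.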
@@ -9,10 +9,10 @@ function discussion_moderate($moderate) {
global $user, $comment_votes;
if ($user->id && $moderate) {
- $na = $comment_votes[key($comment_votes)];
+ $none = $comment_votes[key($comment_votes)];
foreach ($moderate as $id=>$vote) {
- if ($vote != $comment_votes[$na] && !user_getHistory($user->history, "c$id")) {
+ if ($vote != $comment_votes[$none] && !user_getHistory($user->history, "c$id")) {
### Update the comment's score:
$result = db_query("UPDATE comments SET score = score $vote, votes = votes + 1 WHERE cid = $id");
@@ -26,8 +26,6 @@ function discussion_moderate($moderate) {
function discussion_kids($cid, $mode, $threshold, $level = 0, $dummy = 0) {
global $user, $theme;
- $comments = 0;
-
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = $cid AND (c.votes = 0 OR c.score / c.votes >= $threshold) ORDER BY c.timestamp, c.cid");
if ($mode == "nested") {
@@ -37,7 +35,7 @@ function discussion_kids($cid, $mode, $threshold, $level = 0, $dummy = 0) {
$comments++;
$link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
- $theme->comment($comment->userid, stripslashes($comment->subject), stripslashes($comment->comment), $comment->timestamp, stripslashes($comment->url), stripslashes($comment->fake_email), discussion_score($comment), $comment->votes, $comment->cid, $link);
+ $theme->comment($comment->userid, check_output($comment->subject), check_output($comment->comment), $comment->timestamp, check_output($comment->url), check_output($comment->fake_email), discussion_score($comment), $comment->votes, $comment->cid, $link);
discussion_kids($comment->cid, $mode, $threshold, $level + 1, $dummy + 1);
}
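Review bot: In discussion_moderate, `$vote` is written into the UPDATE as `score = score $vote` after being compared only against the single `$none` entry, so any string other than that one value is accepted as a score delta; the rename from `$na` to `$none` makes this no stricter than before. Assuming `$comment_votes` holds the permitted deltas as values, checking membership first keeps the query to configured values: `if (in_array($vote, $comment_votes) && $vote != $comment_votes[$none] && !user_getHistory($user->history, "c$id")) {`. `$id` is interpolated into the same query; `WHERE cid = ". (int) $id` pins it to an integer. The loop body continues past the hunk.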
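Review bot: Removing `$comments = 0;` from discussion_kids leaves `$comments++` (first line of the following hunk) and the closing `if ($level && $comments)` reading a variable that is never initialised, which only works through PHP's implicit null-to-int conversion and raises a notice under E_NOTICE. The identical removal in discussion_childs (second hunk on the next line) has the same effect. Keeping `$comments = 0;` after the `global` line costs nothing and keeps the counter's starting value explicit. discussion_kids continues outside the hunk.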
@@ -47,15 +45,13 @@ function discussion_kids($cid, $mode, $threshold, $level = 0, $dummy = 0) {
while ($comment = db_fetch_object($result)) {
if ($comment->score >= $threshold) {
$link = "<A HREF=\"discussion.php?op=reply&sid=$comment->sid&pid=$comment->cid\"><FONT COLOR=\"$theme->hlcolor2\">reply to this comment</FONT></A>";
- $theme->comment($comment->userid, check_output($comment->subject), check_output($comment->comment), $comment->timestamp, $comment->url, $comment->fake_email, discussion_score($comment), $comment->votes, $comment->cid, $link);
+ $theme->comment($comment->userid, check_output($comment->subject), check_output($comment->comment), $comment->timestamp, check_output($comment->url), check_output($comment->fake_email), discussion_score($comment), $comment->votes, $comment->cid, $link);
}
discussion_kids($comment->cid, $mode, $threshold);
}
}
- if ($level && $comments) {
- print "</UL>";
- }
+ if ($level && $comments) print "</UL>";
}
function discussion_childs($cid, $threshold, $level = 0, $thread) {
@@ -65,7 +61,6 @@ function discussion_childs($cid, $threshold, $level = 0, $thread) {
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = $cid AND (c.votes = 0 OR c.score / c.votes >= $threshold) ORDER BY c.timestamp, c.cid");
if ($level == 0) $thread = "";
- $comments = 0;
while ($comment = db_fetch_object($result)) {
if ($level && !$comments) {
@@ -157,12 +152,12 @@ function discussion_display($sid, $pid, $cid, $level = 0) {
}
function discussion_reply($pid, $sid) {
- global $anonymous, $user, $theme;
+ global $user, $theme;
### Extract parent-information/data:
if ($pid) {
$item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = $pid"));
- $theme->comment($item->userid, check_output(stripslashes($item->subject)), check_output(stripslashes($item->comment)), $item->timestamp, stripslashes($item->url), stripslashes($item->fake_email), discussion_score($comment), $comment->votes, $item->cid, "reply to this comment");
+ $theme->comment($item->userid, check_output($item->subject), check_output($item->comment), $item->timestamp, check_output($item->url), check_output($item->fake_email), discussion_score($comment), $comment->votes, $item->cid, "reply to this comment");
} else {
$item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = $sid"));
@@ -173,18 +168,10 @@ function discussion_reply($pid, $sid) {
$output .= "<FORM ACTION=\"discussion.php\" METHOD=\"post\">\n";
### Name field:
- if ($user->id) {
- $output .= "<P>\n";
- $output .= " <B>Your name:</B><BR>\n";
- $output .= " <A HREF=\"account.php\">$user->userid</A> <FONT SIZE=\"2\">[ <A HREF=\"account.php?op=logout\">logout</A> ]</FONT>\n";
- $output .= "</P>\n";
- }
- else {
- $output .= "<P>\n";
- $output .= " <B>Your name:</B><BR>\n";
- $output .= " $anonymous\n";
- $output .= "</P>\n";
- }
+ $output .= "<P>\n";
+ $output .= " <B>Your name:</B><BR>\n";
+ $output .= format_username($user->userid);
+ $output .= "</P>\n";
### Subject field:
$output .= "<P>\n";
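Review bot: The rewritten `$theme->comment(...)` call in discussion_reply's `if ($pid)` branch still passes `discussion_score($comment)` and `$comment->votes`, but nothing in this function assigns `$comment`; the fetched parent row is `$item`, so the parent is always previewed with an empty score and vote count. `discussion_score($item), $item->votes` matches the rest of the argument list, which already reads from `$item`. The else branch and the remainder of the function continue outside the hunk.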
@@ -195,7 +182,7 @@ function discussion_reply($pid, $sid) {
### Comment field:
$output .= "<P>\n";
$output .= " <B>Comment:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_input($user->signature) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_output(check_field($user->signature)) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
### Hidden fields:
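Review bot: `check_output(check_field($user->signature))` runs `stripslashes` twice, once inside check_field and again inside check_output (both defined in this patch's function.inc hunk), so a backslash that survives the first pass is consumed by the second and a signature containing `\\` is altered every time the form is rendered. The same nesting is used for the subject and comment fields of comment_preview (next two lines) and for the subject in submit_preview (submit.php), where the values come straight from the request. Inside a TEXTAREA the `"` replacement check_field performs is not needed; if the intent is only to show the stored text for editing, `htmlspecialchars(stripslashes($user->signature))` — htmlspecialchars is already used in this patch for `$allowed_html` — escapes it for that context in a single pass. discussion_reply continues outside the hunk.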
@@ -210,39 +197,30 @@ function discussion_reply($pid, $sid) {
}
function comment_preview($pid, $sid, $subject, $comment) {
- global $anonymous, $user, $theme;
+ global $user, $theme;
### Preview comment:
- if ($user->id) $theme->comment("", check_output(stripslashes($subject)), check_output(stripslashes($comment)), time(), "", "", "", "", "", "reply to this comment");
- else $theme->comment($user->userid, check_output(stripslashes($subject)), check_output(stripslashes($comment)), time(), stripslashes($user->url), stripslashes($user->fake_email), "", "", "", "reply to this comment");
+ $theme->comment($user->userid, check_output($subject), check_output($comment), time(), check_output($user->url), check_output($user->fake_email), "", "", "", "reply to this comment");
### Build reply form:
$output .= "<FORM ACTION=\"discussion.php\" METHOD=\"post\">\n";
### Name field:
- if ($user->id) {
- $output .= "<P>\n";
- $output .= " <B>Your name:</B><BR>\n";
- $output .= " <A HREF=\"account.php\">$user->userid</A> <FONT SIZE=\"2\">[ <A HREF=\"account.php?op=logout\">logout</A> ]</FONT>\n";
- $output .= "</P>\n";
- }
- else {
- $output .= "<P>\n";
- $output .= " <B>Your name:</B><BR>\n";
- $output .= " $anonymous\n";
- $output .= "</P>\n";
- }
+ $output .= "<P>\n";
+ $output .= " <B>Your name:</B><BR>\n";
+ $output .= format_username($user->userid);
+ $output .= "</P>\n";
### Subject field:
$output .= "<P>\n";
$output .= " <B>Subject:</B><BR>\n";
- $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_input($subject) ."\">\n";
+ $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_output(check_field($subject)) ."\">\n";
$output .= "</P>\n";
### Comment field:
$output .= "<P>\n";
$output .= " <B>Comment:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". 
check_input($comment) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"comment\">". check_output(check_field($comment)) ."</TEXTAREA><BR>\n";
$output .= "</P>\n";
### Hidden fields:
diff --git a/error.php b/error.php
index 91a972e49eb0..2ae17e4e8b18 100644
--- a/error.php
+++ b/error.php
@@ -1,11 +1,3 @@
-<?
-# Future improvements:
-# --------------------
-# 1. Automatically report all errors by e-mail.
-# 2. Keep a list of all errors either on file or in a MySQL table.
-# 3. Auto-redirect visitor to main page within x seconds.
-?>
-
<H1>Oops, an error occured!</H1>
<PRE>
@@ -44,5 +36,5 @@
<B>Processed output:</B><BR> * <? echo $message; ?><BR>
-
+ * Return to the <A HREF="">main page</A>.
</PRE>
diff --git a/faq.php b/faq.php
index d578c83507bb..28367e9caf70 100644
--- a/faq.php
+++ b/faq.php
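Review bot: The link added to error.php, `<A HREF="">main page</A>`, has an empty HREF, which browsers resolve to the current URL, so from the error page it simply reloads the error page instead of leading to the front page. Point it at the site's entry script, e.g. `<A HREF="/">main page</A>`, where `/` stands in for whatever the real front-page path is.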
@@ -13,19 +13,19 @@ </DD> <DT><B>What is $sitename all about?</B></DT> - <DD>$sitename is a news and discussion forum. People log in to the site, read the news, select one or more items and start to discuss and post their reactions. $sitename is a community site that relies solely on reader-contributed content.<P>First off, we strive towards discussion rather then to deliver news on its own: discussion can really make a story considerably better as user comments frequently `upstage' the story itself.<P>Secondly, we aim towards a high quality of content and content posters by using and experimenting with several techniques and systems such as trust metrics, scoring, moderation and collaborative filtering.<P>Last but not least, this site has no real editors as all content is moderated and voted on by all registered users. This means that the community is truly the editor of this site as the community has the final decision on the content. This also implies that we, the $sitename team, are creating nothing more then a tool or an environment to make these things happen.<P></DD> + <DD>$sitename is a news and discussion forum. It is a <I>tool</I>. And as a tool, it aims to create an environment to make discussions possible. $sitename is not an organization, but a non-profit hobby project instead.<P>People log in to the site, read the news, select one or more items and start to discuss and post their reactions. 
$sitename is a community site that relies solely on reader-contributed content.<P>First off, we strive towards discussion rather then to deliver news on its own: discussion can really make a story considerably better as user comments frequently `upstage' the story itself.<P>Secondly, we aim towards a high quality of content and content posters by using and experimenting with several techniques and systems such as trust metrics, scoring, moderation and collaborative filtering.<P></DD> + + <DT><B>Isn't $sitename similar to slashdot.org and kuro5hin.org?</B></DT> + <DD>To some extend, yes. Credit where credit is due: we borrowed many ideas (like the interface and moderation) from <A HREF=\"http://slashdot.org/\">slashdot.org</A> and <A HREF=\"http://kuro5hin.org/\">kuro5hin.org</A> because they have many good ideas about discussion forums. We do not use their code or any permutation thereof as $sitename has been written entirely from scratch. Our goal was to create a similar base initially, and to go from there and to transform $sitename into something different by adding new and unique features.<P></DD> <DT><B><A NAME=\"moderation\">Why moderatiom, trust metrics and collaborative filtering?</A></B></DT> <DD>To help individuals and communities address the challenges of information overload.<P>As each new piece of information competes for attention, people quickly tend to become overwhelmed and seek assistance in identifying the most interesting, worthwhile, valuable or enteraining items. Not to mention the fact, reader-contributed content and other levels of interactivity tend to become chaotic, bloated and disreputable.<P>Therefore, we decided to develop a public system powered by a community that aims to bring quality content to everyone's attention and to filter out all junk: to <I>sort the wheat from the chaff</I>. The output should be something clean and homogenized featuring quality content, and should slide down the gullet far more easily. 
Another objective is to provide a customized service according to public and individual preferences, whether expressed or inferred.<P>Yes, you are right. It all sounds a bit idealistic, not to mention hypothetical. However, don't get this wrong: this isn't a new concept, various such systems exist nowadays (like <A HREF=\"http://slashdot.org/\">slashdot.org</A> or <A HREF=\"http://www.kuro5hin.org/\">kuro5hin.org</A>). We just happen to want our own system.<P>Last but not least we, the $sitename team, don't want the responsibility to manually review each post and to select the ones worthy. Systematic editing by individual editors is nice and dandy, if you get paid for it or if you have some time to kill. Afterall, we are not writers, critics nor reviewers for that matter; we are programmers, designers and technicians.<P></DD> - - <DT><B>Isn't moderation elitist?</B></DT> - <DD>To some extent, yes. The system is not designed to allow totally open and unfiltered access. It is intended to create a good place for people who are interested in a topic to come together and communicate. You can't communicate over a noisy channel, so part of our job is to reduce the ability for malicious users to create noise.<P></DD> - + <DT><B>How does submission moderation work?</B></DT> - <DD>--- under construction ---<P></DD> + <DD>Anyone who happens by, and has some news or some thoughts they'd like to share, can submit new content for consideration. After someone has submitted something, their story is added to a queue. All registered users can access this list of pending stories, that is, stories that have been submitted, but do not yet appear on the public front page. Those registered users can vote whether they think the story should be posted or not. When enough people vote to post a story, the story is pushed over the threshold and up it goes on the public page. 
On the other hand, when too many people voted to drop a story, the story will get trashed.<P></DD> <DT><B>How does comment moderation work?</B></DT> - <DD>Comments that gain the approbation of participants gradually move up through statistical effects and pointless comments sink into oblivion.<P>--- under construction ---<P>Hence, the purpose of comment moderation is two-fold: <UL><LI>To bring the really good comments to everyone's attention.</LI><LI>To hide or get get rid of spam, flamebait and trolls.</LI></UL>In the latter, comment moderation provides a technical solution to a social problem.<P></DD> + <DD>If you create an account and log in, you will be able to moderate comments. This lets you assign a score to a comment on how good you think the comment was or how visible you think it should be. When more then one person rates a comment, the overall rating is just a simple average of all ratings. Comments with a high ratings are more visible then comments with a lower rating. Like that, comments that gain the approbation of participants will gradually move up through statistical effects and pointless comments will sink into oblivion.<P>Hence, the purpose of comment moderation is two-fold: <UL><LI>To bring the really good comments to everyone's attention.</LI><LI>To hide or get get rid of spam, flamebait and trolls.</LI></UL>In the latter, comment moderation provides a technical solution to a social problem.<P></DD> <DT><B>Why would I want to create a user account?</B></DT> <DD>No $sitename participant can use his own name or handle to post comments until they sign up and submit their e-mail address. Those who do not may participate as `$anonymous', but they will suffer numerous disadvantages, not the least that their posts begin at a lower score.<P>In contrast, those with a user account can use their own name or handle and are granted various priveleges: the most important is probably the ability to moderate new submissions and to rate comments. 
Also, registered users can tune the site to their personal needs. For instance: they can select one of the available themes to alter the look-and-feel of the site or they can fine-tune the values of various settings to their likings.<P></DD> @@ -42,9 +42,6 @@ <DT><B>Why did my comment get deleted?</B></DT> <DD>It probably didn't. It probably just got moderated down by our army of moderators. Try browsing at a lower threshold and see if your comment becomes visible.<P></DD> - <DT><B>Can I syndicate content from this site?</B></DT> - <DD>--- under construction ---<P></DD> - <DT><B>I found a bug or encountered a problem, what do I do?</B></DT> <DD>Write us a bugreport or send us a patch! Writing a good bug report takes patience, but doing it right the first time saves time for us and for you. It is most helpful when a good description of the problem is included in the bug report. That is, a good example of all the things you did that led to the problem and the problem itself exactly described. The best reports are those that include a full example showing how to reproduce the bug or problem.<P></DD> 
@@ -53,21 +50,19 @@ <DT><B>What features does the engine have?</B></DT> <DD> - <LI>a theme system: the entire website is fully themable in terms of colors, layout, look-and-feel and markup.</LI> - <LI>a user account system with session management, secure authentication, human-readable password generator, user and page preferences, comment tracker and so on.</LI> - <LI>a discussion system: supports different display (<I>threaded</I>, <I>flat</I>, <I>netsted</I>) and order (<I>newest first</I>, <I>oldest first</I>, <I>highest scorings first</I>), comment moderation, customable HTML-support, etc.</LI> - <LI>a database abstraction layer: allows the website to run on top of different database systems.</LI> - <LI>anonymous reader/poster support across the entire site in case visitors prefers to remain anonymous or in case cookies are disabled.</LI> - <LI>a submission queue and submission moderation.</LI> - <LI>an embedded diary system.</LI> - <LI>an administrator section which is considered the control center of the website.</LI> - <LI>a RDF/RSS backend which allows third party websites to become <I>channels</I> in your website with a minimum of extra work.</LI> + <LI>A theme system: the entire website is fully themable in terms of colors, layout, look-and-feel and markup.</LI> + <LI>A user account system with session management, secure authentication, human-readable password generator, user and page preferences, comment tracker and so on.</LI> + <LI>A discussion system: supports different display (<I>threaded</I>, <I>flat</I>, <I>netsted</I>) and order (<I>newest first</I>, <I>oldest first</I>, <I>highest scorings first</I>), comment moderation, customable HTML-support, etc.</LI> + <LI>A submission queue and submission moderation.</LI> + <LI>An embedded diary system.</LI> + <LI>Anonymous reader/poster support across the entire site in case visitors prefers to remain anonymous or in case cookies are disabled.</LI> + <LI>An administrator section which is considered the 
control center of the website.</LI> + <LI>A database abstraction layer: allows the website to run on top of different database systems.</LI> + <LI>A RDF/RSS backend which allows third party websites to become <I>channels</I> in your website with a minimum of extra work.</LI> + <LI>...</LI> <P> </DD> - <DT><B>What is your privacy policy?</B></DT> - <DD>--- under construction ---<P></DD> - <DT><B>What is your disclaimer?</B></DT> <DD>All messages made available (including any discussion goups and bulletin boards) and any opinions, advice, statements or other information contained in any messages posted or transmitted by any third party are the responsibility of the author of that message and not of $sitename. The fact that a particular message is posted on or transmitted using this website does not mean that $sitename has endorsed that message in any way or verified the accuracy, completeness or usefulness of any message.<P>Furthermore, all persons who use $sitename are advised not to use them for solicitations or any other commercial purposes. We make no representation regarding the merchantability or fitness for any particular purpose of any message posted by any third party. Users are encouraged to seek the advice of their appropriate professional advisors, when evaluating the information contained in any message. $sitename is not responsible for any defamatory, offensive or illegal conduct of any user.<P></DD> diff --git a/includes/admin.inc b/includes/admin.inc index 4d0ed0ddabff..5f7d889ae9d4 100644 --- a/includes/admin.inc +++ b/includes/admin.inc @@ -8,7 +8,7 @@ function admin_icon($name) { } function admin_header() { - global $sitename, $section, $status; + global $sitename, $section; ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> 
@@ -42,14 +42,6 @@ function admin_header() { </TR> <TR><TD BGCOLOR="#000000" COLSPAN="10" WIDTH="100%"><IMG SRC="images/pixel.gif" WIDTH="1" HEIGHT="0" ALT=""></TD></TR> <TR><TD COLSPAN="10"> </TD></TR> - <? - if ($status) { - ?> - <TR><TD COLSPAN="10"><BIG><B>status:</B> <? echo $status; ?></BIG></TD></TR> - <TR><TD COLSPAN="10"> </TD></TR> - <? - } - ?> <TR> <TD COLSPAN="10"> <? diff --git a/includes/config.inc b/includes/config.inc index 2b889c9440ff..d1cd0b48a802 100644 --- a/includes/config.inc +++ b/includes/config.inc @@ -57,9 +57,9 @@ "Computers & Internet", "Drop.org", "Entertainment", - "Freedom", - "Government", "News & Media", + "Politics & Freedom", + "Reviews", "Science", "Society & Culture"); @@ -76,6 +76,8 @@ # # Themes: +# the first theme listed in the associative array `$themes' will +# automatically become the default theme. # $themes = array("Marvin" => array( "themes/marvin/marvin.theme", diff --git a/includes/function.inc b/includes/function.inc index ec3ad0a90ff3..c9b80e0a6249 100644 --- a/includes/function.inc +++ b/includes/function.inc @@ -19,13 +19,17 @@ function load_theme() { return new Theme(); } -function check_input($message) { +function check_field($message) { return str_replace("\"", """, stripslashes($message)); } +function check_input($message) { + return strip_tags($message); +} + function check_output($message) { global $allowed_html; - return nl2br(strip_tags(stripslashes($message), $allowed_html)); + return strip_tags(stripslashes($message), $allowed_html); } function discussion_num_replies($id, $count = 0) { 
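Review bot: None of the three helpers in the function.inc hunk escapes for the context its callers put the result in, and no comment says which context each is meant for. `check_input` is a bare `strip_tags`, so the `db_query`/`db_insert` calls elsewhere in this patch that switch from `addslashes` to it now depend on quotes being escaped upstream (magic_quotes_gpc or the driver) without that being stated anywhere; `check_output` returns every tag in `$allowed_html` with its attributes intact, which is strip_tags' documented behaviour, so the contents of `$allowed_html` alone decide what reaches the page; and `check_field` rewrites only `"`, leaving `<`, `>` and `&` in a value destined for an attribute. A one-line comment above each function naming its context (`# SQL value: relies on request data already being quote-escaped`, `# HTML body: tags in $allowed_html pass through unfiltered, attributes included`, `# HTML attribute value`) would let callers' choices be checked, and `htmlspecialchars(stripslashes($message))` covers the attribute case completely. The dropped `nl2br` also changes what every check_output caller renders; if that is the theme update the commit message mentions, the check_output comment is the place to say so.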
@@ -33,6 +37,13 @@ function discussion_num_replies($id, $count = 0) {
return ($result) ? db_result($result, 0) : 0;
}
+function discussion_num_filtered($sid, $pid) {
+ global $user;
+ $threshold = ($user->id) ? $user->threshold : "0";
+ $result = db_query("SELECT COUNT(cid) FROM comments WHERE sid = $sid AND pid = $pid AND (votes != 0 AND score / votes < $threshold)");
+ return ($result) ? db_result($result, 0) : 0;
+}
+
function format_plural($count, $one, $more) {
return ($count == 1) ? "$count $one" : "$count $more";
}
diff --git a/submission.php b/submission.php
index b1a64291e471..0bb53743313a 100644
--- a/submission.php
+++ b/submission.php
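Review bot: The new discussion_num_filtered interpolates `$sid`, `$pid` and `$threshold` straight into the SELECT; `$threshold` is `$user->threshold` or the string `"0"`, and nothing in the hunk shows where `$sid`/`$pid` originate, so a caller passing request values would control the query shape. Casting each operand keeps the statement well-formed whatever the caller passes: `$result = db_query("SELECT COUNT(cid) FROM comments WHERE sid = ". (int) $sid ." AND pid = ". (int) $pid ." AND (votes != 0 AND score / votes < ". (int) $threshold .")");` (this assumes threshold is integral — confirm against the users table). No caller of the function appears in this patch, so a short comment stating what the count means and who is expected to call it would help.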
@@ -12,8 +12,8 @@ function submission_displayMain() {
$content .= "<TABLE BORDER=\"0\" CELLSPACING=\"4\" CELLPADDING=\"4\">\n";
$content .= " <TR BGCOLOR=\"$bgcolor1\"><TH>Subject</TH><TH>Category</TH><TH>Date</TH><TH>Author</TH><TH>Score</TH></TR>\n";
while ($submission = db_fetch_object($result)) {
- if (user_getHistory($user->history, "s$submission->id")) $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">$submission->subject</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\">". submission_score($submission->id) ."</TD></TR>\n";
- else $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">$submission->subject</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">vote</A></TD></TR>\n";
+ if (user_getHistory($user->history, "s$submission->id")) $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">". check_output($submission->subject) ."</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\">". submission_score($submission->id) ."</TD></TR>\n";
+ else $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">". check_output($submission->subject) ."</A></TD><TD>$submission->category</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". 
format_username($submission->userid) ."</TD><TD ALIGN=\"center\"><A HREF=\"$PHP_SELF?op=view&id=$submission->id\">vote</A></TD></TR>\n";
}
$content .= "</TABLE>\n";
diff --git a/submit.php b/submit.php
index 5bd8d137cae1..6a42ce4b4845 100644
--- a/submit.php
+++ b/submit.php
@@ -12,8 +12,7 @@ function submit_enter() {
$output .= "<FORM ACTION=\"submit.php\" METHOD=\"post\">\n";
$output .= "<P>\n <B>Your name:</B><BR>\n";
- if ($user->id) $output .= " $user->userid <SMALL>[ <A HREF=\"account.php\">edit</A> | <A HREF=\"account.php?op=logout\">logout</A> ]</SMALL>\n";
- else $output .= " $anonymous <SMALL>[ <A HREF=\"account.php\">login</A> | <A HREF=\"account.php\">create an account</A> ]</SMALL>\n";
+ $output .= format_username($user->userid);
$output .= "</P>\n";
$output .= "<P>\n";
@@ -57,19 +56,18 @@ function submit_enter() {
}
function submit_preview($subject, $abstract, $article, $category) {
- global $anonymous, $categories, $allowed_html, $theme, $user;
+ global $categories, $allowed_html, $theme, $user;
$output .= "<FORM ACTION=\"submit.php\" METHOD=\"post\">\n";
$output .= "<P>\n";
$output .= " <B>Your name:</B><BR>\n";
- if ($user->id) $output .= " $user->userid <SMALL> [ <A HREF=\"account.php\">edit</A> | <A HREF=\"account.php?op=logout\">logout</A> ]</SMALL>\n";
- else $output .= " $anonymous <SMALL>[ <A HREF=\"account.php\">login</A> | <A HREF=\"account.php\">create an account</A> ]</SMALL>\n";
+ $output .= format_username($user->userid);
$output .= "</P>\n";
$output .= "<P>\n";
$output .= " <B>Subject:</B><BR>\n";
- $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_input($subject) ."\"><BR>\n";
+ $output .= " <INPUT TYPE=\"text\" NAME=\"subject\" SIZE=\"50\" MAXLENGTH=\"60\" VALUE=\"". check_output(check_field($subject)) ."\"><BR>\n";
$output .= " <SMALL><I>Bad subjects are 'Check this out!' or 'An article'. Be descriptive, clear and simple!</I></SMALL>\n";
$output .= "</P>\n";
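Review bot: Both rewritten rows in submission_displayMain format the time with `date("H:m:s", $submission->timestamp)`, where `m` is the two-digit month, so the Date column shows hour:month:second rather than minutes; `date("H:i:s", $submission->timestamp)` is the intended format. The rewrite wraps the subject in check_output but still interpolates `$submission->category` raw into its cell; if categories can only ever be the configured strings that is fine, but a comment saying so would spare the next reader the question. submission_displayMain continues outside the hunk.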
@@ -85,13 +83,13 @@ function submit_preview($subject, $abstract, $article, $category) {
 $output .= "<P>\n";
 $output .= "<B>Abstract:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\">". check_input($abstract) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"10\" NAME=\"abstract\">". check_output($abstract) ."</TEXTAREA><BR>\n";
 $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
 $output .= "</P>\n";
 $output .= "<P>\n";
 $output .= " <B>Extended story:</B><BR>\n";
- $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\">". check_input($article) ."</TEXTAREA><BR>\n";
+ $output .= " <TEXTAREA WRAP=\"virtual\" COLS=\"50\" ROWS=\"15\" NAME=\"article\">". check_output($article) ."</TEXTAREA><BR>\n";
 $output .= " <SMALL><I>Allowed HTML tags: ". htmlspecialchars($allowed_html) .".</I></SMALL>\n";
 $output .= "</P>\n";
@@ -120,7 +118,7 @@ function submit_preview($subject, $abstract, $article, $category) {
 $output .= "</FORM>\n";
 $theme->header();
- $theme->preview($user->userid, check_output(stripslashes($subject)), check_output(stripslashes($abstract)), "", check_output(stripslashes($article)), date("l, F d, Y - H:i A", time()), check_output(stripslashes($category)), "we-hate-typoes");
+ $theme->preview($user->userid, check_output($subject), check_output($abstract), "", check_output($article), date("l, F d, Y - H:i A", time()), check_output($category), "we-hate-typoes");
 $theme->box("Submit a story", $output);
 $theme->footer();
 }
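Review bot: `check_output($abstract)` and `check_output($article)` inside the `<TEXTAREA>` elements apply a rendering filter to an edit field: any markup the filter lets through reaches the browser unescaped, and a literal `</TEXTAREA>` in the text would close the field early. The line right after each one already escapes `$allowed_html` with `htmlspecialchars()`; the field contents want the same, e.g. `htmlspecialchars(check_output($abstract))` if check_output() is also what removes the request's slashes, which this hunk does not show. check_output() belongs on the preview call in the next hunk, where the text is actually rendered.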
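Review bot: `$category` is passed from the request straight into the preview as `check_output($category)`, and the `@@ -129` hunk stores it the same way, without any check that it is one of the values in `$categories`, which submit_preview imports via `global`. If `$categories` holds the names offered by the form, a membership check such as `in_array($category, $categories)` before the preview (and before the INSERT) would reject values the form never offered. Separately, the date format `"l, F d, Y - H:i A"` mixes the 24-hour `H` with an AM/PM `A`; use `h:i A` or drop the `A`.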
@@ -129,7 +127,7 @@ function submit_submit($subject, $abstract, $article, $category) {
 global $user, $theme;
 ### Add submission to SQL table:
- db_insert("INSERT INTO stories (author, subject, abstract, article, category, timestamp) VALUES ('$user->id', '". check_output(addslashes($subject)) ."', '". check_output(addslashes($abstract)) ."', '". check_output(addslashes($article)) ."', '". check_output(addslashes($category)) ."', '". time() ."')");
+ db_insert("INSERT INTO stories (author, subject, abstract, article, category, timestamp) VALUES ('$user->id', '". check_input($subject) ."', '". check_input($abstract) ."', '". check_input($article) ."', '". check_input($category) ."', '". time() ."')");
 ### Display confirmation message:
 $theme->header();
-- GitLab
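Review bot: The SQL escaping of this INSERT now rests entirely on check_input(): the removed line called addslashes() explicitly, so if check_input() does not escape quotes the subject, abstract, article and category values become injectable, and its definition is not part of this hunk. `'$user->id'` is interpolated with no escaping at all; if it is always an integer from the session that is harmless, but `'". (int) $user->id ."'` makes the assumption explicit. A db layer that accepts parameters separately from the statement would remove the dependency on the filter functions altogether. submit_submit continues outside the hunk.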
