diff --git a/b2comments.php b/b2comments.php
index 1547332465..af8d631780 100644
--- a/b2comments.php
+++ b/b2comments.php
@@ -10,22 +10,21 @@
 }
 }
- $comment_author = (empty($HTTP_COOKIE_VARS["comment_author"])) ? "name" : $HTTP_COOKIE_VARS["comment_author"];
- $comment_author_email = (empty($HTTP_COOKIE_VARS["comment_author"])) ? "email" : trim($HTTP_COOKIE_VARS["comment_author_email"]);
- $comment_author_url = (empty($HTTP_COOKIE_VARS["comment_author"])) ? "url" : trim($HTTP_COOKIE_VARS["comment_author_url"]);
+ $comment_author = trim($HTTP_COOKIE_VARS["comment_author"]);
+ $comment_author_email = trim($HTTP_COOKIE_VARS["comment_author_email"]);
+ $comment_author_url = trim($HTTP_COOKIE_VARS["comment_author_url"]);
 $comments = $wpdb->get_results("SELECT * FROM $tablecomments WHERE comment_post_ID = $id ORDER BY comment_date");
 ?>
-<!-- you can start editing here -->
+<!-- You can start editing here. -->
 <h2>Comments</h2>
 <p><a href="<?php echo $siteurl; ?>/wp-commentsrss2.php?p=<?php echo $id; ?>">RSS feed for comments on this post.</a></p>
 <?php if ('open' == $post->ping_status) { ?>
-<p>The URL to TrackBack this entry is:</p>
-<p><em><?php trackback_url() ?></em></p>
+<p>The <acronym title="Uniform Resource Identifier">URI</acronym> to TrackBack this entry is: <em><?php trackback_url() ?></em></p>
 <?php } ?>
 <ol id="comments">
@@ -48,7 +47,7 @@ if ($comments) {
 </ol>
 <h2>Leave a Comment</h2>
 <?php if ('open' == $post->comment_status) { ?>
-<p>Line and paragraph breaks automatic, website trumps email, <acronym title="Hypertext Markup Language">HTML</acronym> allowed: <?php echo htmlentities($comment_allowed_tags); ?></p>
+<p>Line and paragraph breaks automatic, website trumps email, <acronym title="Hypertext Markup Language">HTML</acronym> allowed: <code><?php echo htmlentities(str_replace('<', ' <', $comment_allowed_tags)); ?></code></p>
 <form action="<?php echo $siteurl; ?>/b2comments.post.php" method="post" id="commentform">
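Review bot: The three cookie values assigned in the new lines are later echoed straight into HTML attributes without escaping — the context line `value="<?php echo $comment_author_url; ?>"` in this file's hunk at -66 shows one — and `strip_tags` on the posting side leaves quotes intact, so a stored `"` terminates the attribute. Escape at the point of output, e.g. `value="<?php echo htmlspecialchars($comment_author_url); ?>"`, for all three fields. Separately, dropping the `empty()` guard means `$HTTP_COOKIE_VARS["comment_author"]` is dereferenced when no cookie has been set yet, which raises an undefined-index notice on a first visit; `isset($HTTP_COOKIE_VARS["comment_author"]) ? trim($HTTP_COOKIE_VARS["comment_author"]) : ''` keeps the new behaviour without the notice.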
@@ -66,7 +65,7 @@ if ($comments) {
 <p>
 <input type="text" name="url" id="url" value="<?php echo $comment_author_url; ?>" size="28" tabindex="3" />
-<label for="url"><acronym title="Uniform Resource Locator">URL</acronym></label>
+<label for="url"><acronym title="Uniform Resource Identifier">URI</acronym></label>
 </p>
 <p>
diff --git a/b2comments.post.php b/b2comments.post.php
index 20c8d23587..f7a75f2e16 100644
--- a/b2comments.post.php
+++ b/b2comments.post.php
@@ -21,13 +21,22 @@ if (!get_magic_quotes_gpc()) {
 $HTTP_COOKIE_VARS = add_magic_quotes($HTTP_COOKIE_VARS);
 }
-$author = trim($HTTP_POST_VARS['author']);
-$email = trim($HTTP_POST_VARS['email']);
-$url = trim($HTTP_POST_VARS['url']);
+$author = trim(strip_tags($HTTP_POST_VARS['author']));
+
+$email = trim(strip_tags($HTTP_POST_VARS['email']));
+if (strlen($email) < 6)
+ $email = '';
+
+$url = trim(strip_tags($HTTP_POST_VARS['url']));
+$url = ((!stristr($url, '://')) && ($url != '')) ? 'http://'.$url : $url;
+if (strlen($url) < 7)
+ $url = '';
+
 $comment = trim($HTTP_POST_VARS['comment']);
 $original_comment = $comment;
-$comment_autobr = $HTTP_POST_VARS['comment_autobr'];
-$comment_post_ID = $HTTP_POST_VARS['comment_post_ID'];
+$comment_post_ID = intval($HTTP_POST_VARS['comment_post_ID']);
+$user_ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
+$user_domain = gethostbyaddr($user_ip);
 $commentstatus = $wpdb->get_var("SELECT comment_status FROM $tableposts WHERE ID = $comment_post_ID");
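Review bot: Moving `$user_domain = gethostbyaddr($user_ip);` up into this hunk puts a blocking reverse-DNS lookup ahead of the `$commentstatus` query and the empty-comment `exit` in the hunk at -43, so every rejected post still pays for it; `$user_domain` is not read anywhere visible in this diff, so the lookup may be dead weight here — confirm before keeping it. The new `$url` handling only checks for the presence of `://` before prepending `http://`, so any scheme passes, and the `strlen($url) < 7` test is a length heuristic rather than a format check; restricting to web schemes with `if (!preg_match('#^https?://#i', $url)) $url = '';` after the prefixing line would be a clearer validation. The `if (strlen($email) < 6) $email = '';` line is likewise a heuristic; a comment such as `// minimum plausible length (a@b.cd); no format validation` would at least document the intent.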
@@ -43,22 +52,10 @@ if ($comment == 'comment' || $comment == '') {
 exit;
 }
-$user_ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
-$user_domain = gethostbyaddr($user_ip);
 $time_difference = get_settings('time_difference');
 $now = date('Y-m-d H:i:s',(time() + ($time_difference * 3600)));
-$author = trim(strip_tags($author));
-$email = trim(strip_tags($email));
-if (strlen($email) < 6)
- $email = '';
-
-$url = trim(strip_tags($url));
-$url = ((!stristr($url, '://')) && ($url != '')) ? 'http://'.$url : $url;
-if (strlen($url) < 7)
- $url = '';
-
-$comment = trim(strip_tags($comment, $comment_allowed_tags));
+$comment = strip_tags($comment, $comment_allowed_tags);
 $comment = balanceTags($comment, 1);
 $comment = convert_chars($comment);
 $comment = format_to_post($comment);
@@ -73,12 +70,12 @@ $url = addslashes($url);
 /* flood-protection */
 $lasttime = $wpdb->get_var("SELECT comment_date FROM $tablecomments WHERE comment_author_IP = '$user_ip' ORDER BY comment_date DESC LIMIT 1");
-$ok = 1;
+$ok = true;
 if (!empty($lasttime)) {
 $time_lastcomment= mysql2date('U', $lasttime);
 $time_newcomment= mysql2date('U', "$now");
 if (($time_newcomment - $time_lastcomment) < 10)
- $ok = 0;
+ $ok = false;
 }
 /* end flood-protection */
@@ -86,7 +83,7 @@ if (!empty($lasttime)) {
 if ($ok) { // if there was no comment from this IP in the last 10 seconds
- $wpdb->query("INSERT INTO $tablecomments VALUES ('0','$comment_post_ID','$author','$email','$url','$user_ip','$now','$comment','0')");
+ $wpdb->query("INSERT INTO $tablecomments VALUES ('0', '$comment_post_ID', '$author', '$email', '$url', '$user_ip', '$now', '$comment', '0')");
 if ($comments_notify) {
 $postdata = get_postdata($comment_post_ID);
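Review bot: `strip_tags($comment, $comment_allowed_tags)` on the new line keeps every attribute on the tags it lets through, so the allow-list constrains tag names only, not attribute content; the following `balanceTags`/`convert_chars`/`format_to_post` calls are not shown to touch attributes either. A comment on the line making that explicit would help, e.g. `// removes disallowed tags only; attributes on allowed tags survive, so filter/escape attributes before rendering`, and the rendering side should be checked to confirm attributes are handled. Dropping the outer `trim()` is fine here because `$comment` is already trimmed when read from `$HTTP_POST_VARS` in the hunk at -21.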
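Review bot: The flood check in this hunk is a read followed by a separate `INSERT` in the hunk at -86, so two posts from the same `$user_ip` arriving at the same instant both see the old `$lasttime` and both pass; that is acceptable for a best-effort limiter but should be stated, e.g. `/* flood-protection (best-effort: the check is not atomic with the INSERT) */`. The 10-second window appears as a bare literal here and again in the `// if there was no comment from this IP in the last 10 seconds` comment in the -86 hunk; a single named value such as `$comment_flood_seconds = 10;` would keep the two from drifting apart. The change from `1`/`0` to `true`/`false` for `$ok` matches the `if ($ok)` test that consumes it.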
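Review bot: The reformatted `INSERT` still interpolates `'$author'`, `'$email'`, `'$url'` and `'$comment'` directly into the statement and relies on earlier `addslashes()` calls (the `$url = addslashes($url);` header context of the -73 hunk shows one); `addslashes` is charset-unaware, so this remains a quoting-based defence rather than a parameterised one, and the database driver's own escaping routine, or a prepared statement if the `$wpdb` wrapper offers one, would be the safer fit. The positional `VALUES (...)` without a column list also breaks silently if `$tablecomments` gains or reorders a column; naming the columns in the `INSERT` makes the intent explicit. `$comment_post_ID` is already passed through `intval()` in the -21 hunk, so that value is safe as quoted.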