summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--includes/pages/admin_questions.php23
-rw-r--r--includes/pages/user_questions.php5
-rw-r--r--includes/view/Questions_view.php6
3 files changed, 18 insertions, 16 deletions
diff --git a/includes/pages/admin_questions.php b/includes/pages/admin_questions.php
index 0b5940cc..7b6ce2ab 100644
--- a/includes/pages/admin_questions.php
+++ b/includes/pages/admin_questions.php
@@ -51,7 +51,7 @@ function admin_questions()
$unanswered_questions_table[] = [
'from' => User_Nick_render($user_source),
- 'question' => str_replace("\n", '<br />', $question['Question']),
+ 'question' => nl2br(htmlspecialchars($question['Question'])),
'answer' => form([
form_textarea('answer', '', ''),
form_submit('submit', __('Save'))
@@ -69,9 +69,9 @@ function admin_questions()
$answer_user_source = User::find($question['AID']);
$answered_questions_table[] = [
'from' => User_Nick_render($user_source),
- 'question' => str_replace("\n", '<br />', $question['Question']),
+ 'question' => nl2br(htmlspecialchars($question['Question'])),
'answered_by' => User_Nick_render($answer_user_source),
- 'answer' => str_replace("\n", '<br />', $question['Answer']),
+ 'answer' => nl2br(htmlspecialchars($question['Answer'])),
'actions' => form([
form_submit('submit', __('delete'), 'btn-xs')
], page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']]))
@@ -113,13 +113,9 @@ function admin_questions()
[$question_id]
);
if (!empty($question) && empty($question['AID'])) {
- $answer = trim(
- preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui",
- '',
- strip_tags($request->input('answer'))
- ));
+ $answer = trim($request->input('answer'));
- if ($answer != '') {
+ if (!empty($answer)) {
DB::update('
UPDATE `Questions`
SET `AID`=?, `Answer`=?
@@ -132,7 +128,12 @@ function admin_questions()
$question_id,
]
);
- engelsystem_log('Question ' . $question['Question'] . ' answered: ' . $answer);
+ engelsystem_log(
+ 'Question '
+ . htmlspecialchars($question['Question'])
+ . ' answered: '
+ . htmlspecialchars($answer)
+ );
redirect(page_link_to('admin_questions'));
} else {
return error('Enter an answer!', true);
@@ -158,7 +159,7 @@ function admin_questions()
);
if (!empty($question)) {
DB::delete('DELETE FROM `Questions` WHERE `QID`=? LIMIT 1', [$question_id]);
- engelsystem_log('Question deleted: ' . $question['Question']);
+ engelsystem_log('Question deleted: ' . htmlspecialchars($question['Question']));
redirect(page_link_to('admin_questions'));
} else {
return error('No question found.', true);
diff --git a/includes/pages/user_questions.php b/includes/pages/user_questions.php
index 19999577..29925a4f 100644
--- a/includes/pages/user_questions.php
+++ b/includes/pages/user_questions.php
@@ -29,6 +29,7 @@ function user_questions()
'SELECT * FROM `Questions` WHERE NOT `AID` IS NULL AND `UID`=?',
[$user->id]
);
+
foreach ($answered_questions as &$question) {
$answer_user_source = User::find($question['AID']);
$question['answer_user'] = User_Nick_render($answer_user_source);
@@ -42,8 +43,8 @@ function user_questions()
} else {
switch ($request->input('action')) {
case 'ask':
- $question = strip_request_item_nl('question');
- if ($question != '' && $request->hasPostData('submit')) {
+ $question = request()->get('question');
+ if (!empty($question) && $request->hasPostData('submit')) {
DB::insert('
INSERT INTO `Questions` (`UID`, `Question`)
VALUES (?, ?)
diff --git a/includes/view/Questions_view.php b/includes/view/Questions_view.php
index 29629074..4d57edf9 100644
--- a/includes/view/Questions_view.php
+++ b/includes/view/Questions_view.php
@@ -12,12 +12,12 @@ function Questions_view($open_questions, $answered_questions, $ask_action)
$question['actions'] = form([
form_submit('submit', __('delete'), 'btn-default btn-xs')
], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));
- $question['Question'] = str_replace("\n", '<br />', $question['Question']);
+ $question['Question'] = nl2br(htmlspecialchars($question['Question']));
}
foreach ($answered_questions as &$question) {
- $question['Question'] = str_replace("\n", '<br />', $question['Question']);
- $question['Answer'] = str_replace("\n", '<br />', $question['Answer']);
+ $question['Question'] = nl2br(htmlspecialchars($question['Question']));
+ $question['Answer'] = nl2br(htmlspecialchars($question['Answer']));
$question['actions'] = form([
form_submit('submit', __('delete'), 'btn-default btn-xs')
], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));