author | Laria Carolin Chabowski <laria@laria.me> | 2020-09-25 22:26:52 +0200 |
---|---|---|
committer | Laria Carolin Chabowski <laria@laria.me> | 2020-09-25 22:26:52 +0200 |
commit | 854fef47192b45517d112e630fe2afa830432253 (patch) | |
tree | 0d6e08df7491d288937e276dec030f5e572cea7b /ratatoeskr/frontend.php | |
parent | 3de03d4f83817e59c1be4bc361fee8eca781789b (diff) | |
Cast POSTed data into strings before passing it into Esc::esc
Diffstat (limited to 'ratatoeskr/frontend.php')
-rw-r--r-- | ratatoeskr/frontend.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ratatoeskr/frontend.php b/ratatoeskr/frontend.php
index f49e61e..0bac1e4 100644
--- a/ratatoeskr/frontend.php
+++ b/ratatoeskr/frontend.php
@@ -454,9 +454,9 @@ $ste->register_tag("comment_form", function ($ste, $params, $sub) {
 $previewbtn = $ste->evalbool(@$params["previewbtn"]) ? " <input type=\"submit\" name=\"preview_comment\" value=\"{$translation["comment_form_preview"]}\" />" : "";
 if ($ste->evalbool(@$params["default"])) {
- $form_body = "<p>{$translation["comment_form_name"]}: <input type=\"text\" name=\"author_name\" value=\"" . Esc::esc(@$_POST["author_name"]) . "\" /></p>
-<p>{$translation["comment_form_mail"]}: <input type=\"text\" name=\"author_mail\" value=\"" . Esc::esc(@$_POST["author_mail"]) . "\" /></p>
-<p>{$translation["comment_form_text"]}:<br /><textarea name=\"comment_text\" cols=\"50\" rows=\"10\">" . Esc::esc(@$_POST["comment_text"]) . "</textarea></p>
+ $form_body = "<p>{$translation["comment_form_name"]}: <input type=\"text\" name=\"author_name\" value=\"" . Esc::esc((string)$_POST["author_name"] ?? '') . "\" /></p>
+<p>{$translation["comment_form_mail"]}: <input type=\"text\" name=\"author_mail\" value=\"" . Esc::esc((string)$_POST["author_mail"] ?? '') . "\" /></p>
+<p>{$translation["comment_form_text"]}:<br /><textarea name=\"comment_text\" cols=\"50\" rows=\"10\">" . Esc::esc((string)@$_POST["comment_text"] ?? '') . "</textarea></p>
 <p><input type=\"submit\" name=\"post_comment\" value=\"{$translation["comment_form_submit"]}\" />$previewbtn</p>";
 } else {
 $ste->vars["current"]["oldcomment"] = [ |
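Review bot: The `?? ''` on the new `author_name` and `author_mail` lines is dead code, because the `(string)` cast binds tighter than `??`: the cast runs first, turns a missing key's null into `""`, and the coalesce never sees a null — while the undefined-array-key warning that the old `@` suppressed is now emitted again on those two lines (only `comment_text` kept its `@`). Parenthesize so the coalesce happens before the cast, `Esc::esc((string)($_POST["author_name"] ?? ''))`, and do the same for `author_mail` and `comment_text`, which also lets the remaining `@` go. The cast presumably exists to keep non-string input from reaching Esc::esc, but a value posted as `author_name[]=x` still arrives as the literal string "Array" (with an array-to-string warning) rather than being rejected, so an `is_string()` check falling back to `''` would be the stricter guard if that matters here. The enclosing `comment_form` closure begins and ends outside this hunk.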