From aedd73055238aaf8082687c3977d6a06ef5855ab Mon Sep 17 00:00:00 2001
From: "Paul S. Owen"
Date: Thu, 21 Nov 2002 22:46:12 +0000
Subject: [PATCH] Of course it has to be more tricky than that doesn't it ... well, I'm off to bed so it can stick it up its pipe and smoke it for now :D

git-svn-id: file:///svn/phpbb/trunk@3078 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/db/mysql.php | 4 ++--
 phpBB/db/mysql4.php | 6 +++---
 phpBB/includes/page_tail.php | 2 +-
 phpBB/viewtopic.php | 10 ++++++----
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/phpBB/db/mysql.php b/phpBB/db/mysql.php
index 8776d3e5ac..132b64f79f 100644
--- a/phpBB/db/mysql.php
+++ b/phpBB/db/mysql.php
@@ -139,7 +139,7 @@ class sql_db
 $endtime = explode(' ', microtime());
 $endtime = $endtime[0] + $endtime[1] - $starttime;
 
-$this->sql_report .= "
Query:\t" . preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n\t", $query) . "\n\n";
+				$this->sql_report .= "
Query:\t" . htmlspecialchars(preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n\t", $query)) . "\n\n";
 				if ($this->query_result)
 				{
 					$this->sql_report .= "Time before:  $curtime\nTime after:   $endtime\nElapsed time: " . ($endtime - $curtime) . "\n
";
@@ -147,7 +147,7 @@ class sql_db
 else
 {
 $error = $this->sql_error();
-$this->sql_report .= 'FAILED - MySQL Error ' . $error['code'] . ': ' . $error['message'] . '
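Review bot: The report-building code in this hunk is duplicated verbatim in phpBB/db/mysql4.php (same two hunks there), so this escaping fix had to be applied in two places and the next one will have to be as well; consider moving the `Query:` / timing / `FAILED` formatting into one helper on sql_db that both drivers call, e.g. `function sql_report_query($query, $curtime, $endtime)` (name constructed as an example). Wrapping the query text in htmlspecialchars() is the right direction, since the report is emitted as markup. The enclosing method starts and ends outside this hunk.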

';
+					$this->sql_report .= 'FAILED - MySQL Error ' . $error['code'] . ': ' . htmlspecialchars($error['message']) . '

';
 				}
 				$this->sql_time += $endtime - $curtime;
 				if (preg_match('/^SELECT/', $query))
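Review bot: `$error['message']` is now escaped but `$error['code']` on the same line is still concatenated raw; if sql_error() returns the driver's numeric errno this is harmless, but that cannot be confirmed from this hunk, so escaping both keeps the line uniformly safe: `'FAILED - MySQL Error ' . htmlspecialchars($error['code']) . ': ' . htmlspecialchars($error['message'])`. The same applies to the matching hunk in phpBB/db/mysql4.php. This branch also places the failing SQL text and the database error text into page output, which is acceptable for a debug report only while the display path stays restricted to administrators; that restriction is not visible here.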
diff --git a/phpBB/db/mysql4.php b/phpBB/db/mysql4.php
index 921db44ba5..6c1b027697 100644
--- a/phpBB/db/mysql4.php
+++ b/phpBB/db/mysql4.php
@@ -134,12 +134,12 @@ class sql_db
 			{
 				$this->sql_error($query);
 			}
-			if (!empty($_REQUEST['explain']))
+if (!empty($_REQUEST['explain']))
 			{
 				$endtime = explode(' ', microtime());
 				$endtime = $endtime[0] + $endtime[1] - $starttime;
 
-				$this->sql_report .= "
Query:\t" . preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n\t", $query) . "\n\n";
+				$this->sql_report .= "
Query:\t" . htmlspecialchars(preg_replace('/[\s]*[\n\r\t]+[\n\r\s\t]*/', "\n\t", $query)) . "\n\n";
 				if ($this->query_result)
 				{
 					$this->sql_report .= "Time before:  $curtime\nTime after:   $endtime\nElapsed time: " . ($endtime - $curtime) . "\n
";
@@ -147,7 +147,7 @@ class sql_db
 else
 {
 $error = $this->sql_error();
-$this->sql_report .= 'FAILED - MySQL Error ' . $error['code'] . ': ' . $error['message'] . '
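Review bot: The added `if (!empty($_REQUEST['explain']))` line at the top of this hunk has lost its indentation, while the line it replaces and every surrounding line are tab-indented inside the method, so this looks like an accidental edit; restore it as `\t\t\tif (!empty($_REQUEST['explain']))` so it lines up with the `{` that follows. Separately, the gate for building the report is a request value (`$_REQUEST` is also populated from cookies), not a permission check, and the report is accumulated for every query of such a request; if an admin-permission check is reachable at this layer, testing `$_GET['explain']` together with it here would keep the cost and the SQL text away from non-admin requests. The enclosing method starts and ends outside this hunk.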

';
+					$this->sql_report .= 'FAILED - MySQL Error ' . $error['code'] . ': ' . htmlspecialchars($error['message']) . '

';
 				}
 				$this->sql_time += $endtime - $curtime;
 				if (preg_match('/^SELECT/', $query))
diff --git a/phpBB/includes/page_tail.php b/phpBB/includes/page_tail.php
index f2ff5f8cbf..32de512e4f 100644
--- a/phpBB/includes/page_tail.php
+++ b/phpBB/includes/page_tail.php
@@ -40,7 +40,7 @@ if (defined('DEBUG'))
 
 	if ($auth->acl_get('a_'))
 	{
-		$debug_output .= ' | Explain';
+		$debug_output .= ' | Explain';
 	}
 	$debug_output .= ' ]';
 }
diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php
index 68c8b17a9a..8784e2ee91 100644
--- a/phpBB/viewtopic.php
+++ b/phpBB/viewtopic.php
@@ -272,7 +272,7 @@ if ($user->data['user_id'] != ANONYMOUS)
 }
 
 // Was a highlight request part of the URI?
-$highlight_match = '';
+$highlight_match = $highlight = '';
 if (isset($_GET['highlight']))
 {
 	// Split words and phrases
@@ -286,6 +286,8 @@ if (isset($_GET['highlight']))
 		}
 	}
 	unset($words);
+
+	$highlight = urlencode($_GET['highlight']);
 }
 
 // Quick mod tools
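Review bot: `urlencode($_GET['highlight'])` assumes the parameter is a string, but a request that supplies `highlight` as an array makes `$_GET['highlight']` an array, which urlencode() rejects with a warning (a TypeError on current PHP); the word-splitting earlier in the same block presumably shares that assumption. Guard the whole block at its `isset` line, which sits in the previous hunk: `if (isset($_GET['highlight']) && is_string($_GET['highlight']))`. The enclosing `if` starts in the previous hunk and closes here.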
@@ -300,7 +302,7 @@ $topic_mod .= ($auth->acl_gets('m_split', 'a_', $forum_id)) ? '' : '';
 
 // If we've got a hightlight set pass it on to pagination.
-$pagination = ($highlight_match) ? generate_pagination("viewtopic.$phpEx$SID&t=$topic_id&postdays=$post_days&postorder=$post_order&highlight=" . urlencode($_GET['highlight']), $topic_replies, $config['posts_per_page'], $start) : generate_pagination("viewtopic.$phpEx$SID&t=$topic_id&postdays=$post_days&postorder=$post_order", $topic_replies, $config['posts_per_page'], $start);
+$pagination = ($highlight_match) ? generate_pagination("viewtopic.$phpEx$SID&t=$topic_id&postdays=$post_days&postorder=$post_order&highlight=$highlight", $topic_replies, $config['posts_per_page'], $start) : generate_pagination("viewtopic.$phpEx$SID&t=$topic_id&postdays=$post_days&postorder=$post_order", $topic_replies, $config['posts_per_page'], $start);
 
 // Post, reply and other URL generation for
 // templating vars
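Review bot: The two generate_pagination() calls on the new `$pagination` line differ only in the trailing `&highlight=` segment, so the whole argument list is written twice; build the URL once and append the optional part, e.g. `$pagination_url = "viewtopic.$phpEx$SID&t=$topic_id&postdays=$post_days&postorder=$post_order" . (($highlight_match) ? "&highlight=$highlight" : '');` followed by `$pagination = generate_pagination($pagination_url, $topic_replies, $config['posts_per_page'], $start);`. This also makes it easier to keep the URL in step with U_VIEW_TOPIC in the last hunk.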
@@ -429,13 +431,13 @@ $template->assign_vars(array(
 	'S_MOD_ACTION' 			=> "modcp.$phpEx$SID&t=$topic_id",
 	'S_WATCH_TOPIC' 		=> $s_watching_topic,
 
-	'U_VIEW_TOPIC' 			=> "viewtopic.$phpEx$SID&t=$topic_id&start=$start&postdays=$post_days&postorder=$post_order&highlight=" . urlencode($_GET['highlight']),
+	'U_VIEW_TOPIC' 			=> "viewtopic.$phpEx$SID&t=$topic_id&start=$start&postdays=$post_days&postorder=$post_order&highlight=$highlight",
 	'U_TOPIC'				=> $server_path . 'viewtopic.' . $phpEx  . '?t=' . $topic_id,
 	'U_FORUM'				=> $server_path,
 	'U_VIEW_FORUM' 			=> $view_forum_url,
 	'U_VIEW_OLDER_TOPIC'	=> $view_prev_topic_url,
 	'U_VIEW_NEWER_TOPIC'	=> $view_next_topic_url,
-	'U_PRINT_TOPIC'			=> "viewtopic.$phpEx$SID&t=$topic_id&start=$start&postdays=$post_days&postorder=$post_order&highlight=" . $_GET['highlight'] . "&view=print",
+	'U_PRINT_TOPIC'			=> "viewtopic.$phpEx$SID&t=$topic_id&start=$start&postdays=$post_days&postorder=$post_order&highlight=$highlight&view=print",
 	'U_POST_NEW_TOPIC' 		=> $new_topic_url,
 	'U_POST_REPLY_TOPIC' 	=> $reply_topic_url)
 );
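Review bot: `U_VIEW_TOPIC` and `U_PRINT_TOPIC` now append `&highlight=$highlight` unconditionally, so when no highlight was requested these URLs end in an empty `&highlight=` (and `&highlight=&view=print`), whereas the pagination URL in the earlier hunk adds the parameter only when `$highlight_match` is set. Both work, but they should agree; the simplest way is to compute `$highlight_param = ($highlight !== '') ? "&highlight=$highlight" : '';` once next to the `$highlight = urlencode(...)` assignment and interpolate `$highlight_param` in all three URLs. The `$template->assign_vars(array(` call starts before this hunk.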