diff --git a/includes/pages/admin_questions.php b/includes/pages/admin_questions.php
index 0b5940cc..7b6ce2ab 100644
--- a/includes/pages/admin_questions.php
+++ b/includes/pages/admin_questions.php
@@ -51,7 +51,7 @@ function admin_questions()
 $unanswered_questions_table[] = [
 'from' => User_Nick_render($user_source),
- 'question' => str_replace("\n", '
', $question['Question']),
+ 'question' => nl2br(htmlspecialchars($question['Question'])),
 'answer' => form([
 form_textarea('answer', '', ''),
 form_submit('submit', __('Save'))
@@ -69,9 +69,9 @@ function admin_questions()
 $answer_user_source = User::find($question['AID']);
 $answered_questions_table[] = [
 'from' => User_Nick_render($user_source),
- 'question' => str_replace("\n", '
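Review bot: `htmlspecialchars()` on the new `'question'` line is called with default flags; on PHP before 8.1 that default is `ENT_COMPAT`, which leaves single quotes unescaped, and without `ENT_SUBSTITUTE` an invalid UTF-8 byte sequence makes the call return an empty string, so such a question would silently disappear from the table. Prefer `nl2br(htmlspecialchars($question['Question'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`. The identical expression is repeated for the `'question'` and `'answer'` cells in the hunk at -69 and three more times in Questions_view at -12, so one small helper returning that expression would keep the flags in a single place. The array literal is complete in the hunk, but admin_questions() itself starts before and ends after it.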
', $question['Question']),
+ 'question' => nl2br(htmlspecialchars($question['Question'])),
 'answered_by' => User_Nick_render($answer_user_source),
- 'answer' => str_replace("\n", '
', $question['Answer']),
+ 'answer' => nl2br(htmlspecialchars($question['Answer'])),
 'actions' => form([
 form_submit('submit', __('delete'), 'btn-xs')
 ], page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']]))
@@ -113,13 +113,9 @@ function admin_questions()
 [$question_id]
 );
 if (!empty($question) && empty($question['AID'])) {
- $answer = trim(
- preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui",
- '',
- strip_tags($request->input('answer'))
- ));
+ $answer = trim($request->input('answer'));
- if ($answer != '') {
+ if (!empty($answer)) {
 DB::update('
 UPDATE `Questions`
 SET `AID`=?, `Answer`=?
@@ -132,7 +128,12 @@ function admin_questions()
 $question_id,
 ]
 );
- engelsystem_log('Question ' . $question['Question'] . ' answered: ' . $answer);
+ engelsystem_log(
+ 'Question '
+ . htmlspecialchars($question['Question'])
+ . ' answered: '
+ . htmlspecialchars($answer)
+ );
 redirect(page_link_to('admin_questions'));
 } else {
 return error('Enter an answer!', true);
@@ -158,7 +159,7 @@ function admin_questions()
 );
 if (!empty($question)) {
 DB::delete('DELETE FROM `Questions` WHERE `QID`=? LIMIT 1', [$question_id]);
- engelsystem_log('Question deleted: ' . $question['Question']);
+ engelsystem_log('Question deleted: ' . htmlspecialchars($question['Question']));
 redirect(page_link_to('admin_questions'));
 } else {
 return error('No question found.', true);
diff --git a/includes/pages/user_questions.php b/includes/pages/user_questions.php
index 19999577..29925a4f 100644
--- a/includes/pages/user_questions.php
+++ b/includes/pages/user_questions.php
@@ -29,6 +29,7 @@ function user_questions()
 'SELECT * FROM `Questions` WHERE NOT `AID` IS NULL AND `UID`=?',
 [$user->id]
 );
+
 foreach ($answered_questions as &$question) {
 $answer_user_source = User::find($question['AID']);
 $question['answer_user'] = User_Nick_render($answer_user_source);
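Review bot: `if (!empty($answer))` in the -113 hunk rejects an answer consisting of the single character `0`, because `empty('0')` is true in PHP, so the admin gets "Enter an answer!" for a value the removed `$answer != ''` check accepted. Since the line above already trims the input, the strict form `if ($answer !== '') {` is the intended check. Dropping strip_tags() and the character whitelist moves the protection entirely to output escaping, which is the right place only as long as every consumer of `Answer` escapes it; the view hunks in this commit do, but any other reader of the column (mail, the log viewer) now receives raw text and should be checked. The same `!empty` pattern is introduced in user_questions at -42. admin_questions() continues outside the hunk.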
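Review bot: In the -132 hunk `htmlspecialchars()` is applied to the question and answer before they reach `engelsystem_log()`, so the stored log entry is HTML-encoded text rather than the user's text. If the log viewer already escapes on output, these entries render with literal `&amp;` and `&lt;`; if it does not, any other `engelsystem_log()` call that passes raw user text stays unescaped and the viewer is the component to fix. Escaping belongs where the log is rendered, so the removed form `engelsystem_log('Question ' . $question['Question'] . ' answered: ' . $answer);` can stay as it was. The same change is made in the hunk at -158. admin_questions() continues outside the hunk.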
@@ -42,8 +43,8 @@ function user_questions()
 } else {
 switch ($request->input('action')) {
 case 'ask':
- $question = strip_request_item_nl('question');
- if ($question != '' && $request->hasPostData('submit')) {
+ $question = request()->get('question');
+ if (!empty($question) && $request->hasPostData('submit')) {
 DB::insert('
 INSERT INTO `Questions` (`UID`, `Question`)
 VALUES (?, ?)
diff --git a/includes/view/Questions_view.php b/includes/view/Questions_view.php
index 29629074..4d57edf9 100644
--- a/includes/view/Questions_view.php
+++ b/includes/view/Questions_view.php
@@ -12,12 +12,12 @@ function Questions_view($open_questions, $answered_questions, $ask_action)
 $question['actions'] = form([
 form_submit('submit', __('delete'), 'btn-default btn-xs')
 ], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));
- $question['Question'] = str_replace("\n", '
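Review bot: `$question = request()->get('question');` is neither trimmed nor read from the `$request` object the enclosing switch already uses, so a whitespace-only submission passes `!empty()` and is inserted, while a question of `0` is rejected because `empty('0')` is true. `$question = trim($request->input('question'));` followed by `if ($question !== '' && $request->hasPostData('submit')) {` would match how the answer is handled in admin_questions. If `get()` resolves parameters differently from `input()` (query string versus POST body), that is worth confirming as well. user_questions() starts before and ends after the hunk.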
', $question['Question']);
+ $question['Question'] = nl2br(htmlspecialchars($question['Question']));
 }
 foreach ($answered_questions as &$question) {
- $question['Question'] = str_replace("\n", '
', $question['Question']);
- $question['Answer'] = str_replace("\n", '
', $question['Answer']);
+ $question['Question'] = nl2br(htmlspecialchars($question['Question']));
+ $question['Answer'] = nl2br(htmlspecialchars($question['Answer']));
 $question['actions'] = form([
 form_submit('submit', __('delete'), 'btn-default btn-xs')
 ], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));