questions: Don't strip content from messages

closes #545 ("=" removed in Questions & Answers)
2018-12-28 22:34:30 +01:00 · 2018-12-28 22:34:30 +01:00 · 6df3dc8489
parent 012d5a4722
commit 6df3dc8489
3 changed files with 18 additions and 16 deletions
--- a/includes/pages/admin_questions.php
+++ b/includes/pages/admin_questions.php
@ -51,7 +51,7 @@ function admin_questions()

            $unanswered_questions_table[] = [
                'from'     => User_Nick_render($user_source),
-                'question' => str_replace("\n", '<br />', $question['Question']),
+                'question' => nl2br(htmlspecialchars($question['Question'])),
                'answer'   => form([
                    form_textarea('answer', '', ''),
                    form_submit('submit', __('Save'))
@ -69,9 +69,9 @@ function admin_questions()
            $answer_user_source = User::find($question['AID']);
            $answered_questions_table[] = [
                'from'        => User_Nick_render($user_source),
-                'question'    => str_replace("\n", '<br />', $question['Question']),
+                'question'    => nl2br(htmlspecialchars($question['Question'])),
                'answered_by' => User_Nick_render($answer_user_source),
-                'answer'      => str_replace("\n", '<br />', $question['Answer']),
+                'answer'      => nl2br(htmlspecialchars($question['Answer'])),
                'actions'     => form([
                    form_submit('submit', __('delete'), 'btn-xs')
                ], page_link_to('admin_questions', ['action' => 'delete', 'id' => $question['QID']]))
@ -113,13 +113,9 @@ function admin_questions()
                    [$question_id]
                );
                if (!empty($question) && empty($question['AID'])) {
-                    $answer = trim(
-                        preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui",
-                            '',
-                            strip_tags($request->input('answer'))
-                        ));
+                    $answer = trim($request->input('answer'));

-                    if ($answer != '') {
+                    if (!empty($answer)) {
                        DB::update('
                                UPDATE `Questions`
                                SET `AID`=?, `Answer`=?
@ -132,7 +128,12 @@ function admin_questions()
                                $question_id,
                            ]
                        );
-                        engelsystem_log('Question ' . $question['Question'] . ' answered: ' . $answer);
+                        engelsystem_log(
+                            'Question '
+                            . htmlspecialchars($question['Question'])
+                            . ' answered: '
+                            . htmlspecialchars($answer)
+                        );
                        redirect(page_link_to('admin_questions'));
                    } else {
                        return error('Enter an answer!', true);
@ -158,7 +159,7 @@ function admin_questions()
                );
                if (!empty($question)) {
                    DB::delete('DELETE FROM `Questions` WHERE `QID`=? LIMIT 1', [$question_id]);
-                    engelsystem_log('Question deleted: ' . $question['Question']);
+                    engelsystem_log('Question deleted: ' . htmlspecialchars($question['Question']));
                    redirect(page_link_to('admin_questions'));
                } else {
                    return error('No question found.', true);
--- a/includes/pages/user_questions.php
+++ b/includes/pages/user_questions.php
@ -29,6 +29,7 @@ function user_questions()
            'SELECT * FROM `Questions` WHERE NOT `AID` IS NULL AND `UID`=?',
            [$user->id]
        );
+
        foreach ($answered_questions as &$question) {
            $answer_user_source = User::find($question['AID']);
            $question['answer_user'] = User_Nick_render($answer_user_source);
@ -42,8 +43,8 @@ function user_questions()
    } else {
        switch ($request->input('action')) {
            case 'ask':
-                $question = strip_request_item_nl('question');
-                if ($question != '' && $request->hasPostData('submit')) {
+                $question = request()->get('question');
+                if (!empty($question) && $request->hasPostData('submit')) {
                    DB::insert('
                        INSERT INTO `Questions` (`UID`, `Question`)
                        VALUES (?, ?)
--- a/includes/view/Questions_view.php
+++ b/includes/view/Questions_view.php
@ -12,12 +12,12 @@ function Questions_view($open_questions, $answered_questions, $ask_action)
        $question['actions'] = form([
            form_submit('submit', __('delete'), 'btn-default btn-xs')
        ], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));
-        $question['Question'] = str_replace("\n", '<br />', $question['Question']);
+        $question['Question'] = nl2br(htmlspecialchars($question['Question']));
    }

    foreach ($answered_questions as &$question) {
-        $question['Question'] = str_replace("\n", '<br />', $question['Question']);
-        $question['Answer'] = str_replace("\n", '<br />', $question['Answer']);
+        $question['Question'] = nl2br(htmlspecialchars($question['Question']));
+        $question['Answer'] = nl2br(htmlspecialchars($question['Answer']));
        $question['actions'] = form([
            form_submit('submit', __('delete'), 'btn-default btn-xs')
        ], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));