durusmail: quixote-users: qxbb - quixote demo board
qxbb - quixote demo board
Neil Schemenauer
2002-10-02
On Wed, Oct 02, 2002 at 12:09:24AM +0100, Pedro Vale Lima wrote:
> I ported a php board to quixote, mostly to learn how to use qx.
> I guess it could be useful as a bigger demo or starting point
> for a board program.

You might want to use html_quote and url_quote from quixote.html.  In
view.ptl you have:

  message = msg.message
  message = string.replace(message,"<","&lt;")
  message = string.replace(message,">","&gt;")

Can message ever contain the '&' character?  Elsewhere you have:

  '<a href="view?message_id=%d&topic_id=%d&start=%s">%s</a>' % \
        (msg.id,topic_id,start,msg.subject)

First, '&' characters should be escaped.  Next, if any of the format
arguments can have '&', '<', or '>' characters then they should also be
escaped.  For example:

  url = 'view?message_id=%d&topic_id=%d&start=%s' % (msg.id, topic_id,
                                                     url_quote(start))
  '<a href="%s">%s</a>' % (html_quote(url), html_quote(msg.subject))

I think there are quite a few other places that you should use
html_quote.

  Neil
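Added example (not code from the original post, from qxbb or from Quixote): the board's "view" link rebuilt with the escaping Neil describes, using the Python 3 standard library in place of quixote.html's html_quote and url_quote; the unsafe version is kept beside it so the difference on a hostile subject or start value is visible.

```python
# Added example, not part of the original post or of qxbb/Quixote.
# html_quote / url_quote here are stand-ins built on the standard library,
# not the quixote.html functions themselves.
import html
from urllib.parse import quote


def html_quote(s):
    # Escapes &, <, >, and double quotes so s is safe both as element text
    # and inside a double-quoted attribute value.
    return html.escape(str(s), quote=True)


def url_quote(s):
    # Percent-encodes a value for use inside a query string
    # (safe="" so that '&', '=', '/' and '?' are encoded as well).
    return quote(str(s), safe="")


def view_link_unsafe(msg_id, topic_id, start, subject):
    # The pattern from view.ptl: format arguments dropped straight into HTML.
    return '<a href="view?message_id=%d&topic_id=%d&start=%s">%s</a>' % (
        msg_id, topic_id, start, subject)


def view_link(msg_id, topic_id, start, subject):
    # Build the URL first, quoting each untrusted query value, then
    # HTML-quote the whole URL (this turns '&' into '&amp;') and the subject.
    url = 'view?message_id=%d&topic_id=%d&start=%s' % (
        msg_id, topic_id, url_quote(start))
    return '<a href="%s">%s</a>' % (html_quote(url), html_quote(subject))


# Constructed sample values: a subject carrying markup and a start value
# carrying a query separator, the two cases the unsafe version mishandles.
SAMPLE_SUBJECT = 'Re: a <b>bold</b> claim & "quotes"'
SAMPLE_START = '0&start=999'

if __name__ == "__main__":
    print(view_link_unsafe(12, 3, SAMPLE_START, SAMPLE_SUBJECT))
    print(view_link(12, 3, SAMPLE_START, SAMPLE_SUBJECT))
```

Running it prints the raw link first (the `<b>` and the injected `&start=` reach the browser unchanged) and the quoted link second, where both survive only as harmless text.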

