--- patched/web/html/pkgedit.php 2007-09-07 23:24:08.000000000 -0400
+++ new/web/html/pkgedit.php 2007-09-07 22:25:17.000000000 -0400
@@ -73,7 +73,7 @@
$q = "INSERT INTO PackageComments ";
$q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
$q.= intval($_REQUEST["ID"]).", ".uid_from_sid($_COOKIE["AURSID"]) . ", ";
- $q.= "'".mysql_real_escape_string($_REQUEST["comment"])."', ";
+ $q.= "'".mysql_real_escape_string(htmlentities($_REQUEST["comment"],ENT_QUOTES))."', ";
$q.= "UNIX_TIMESTAMP())";
db_query($q, $dbh);
print __("Comment has been added.")."
\n";
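Review bot: Applying htmlentities() on the `+` line before the row is stored ties the saved comment to an HTML rendering context and leaves every comment inserted before this patch sitting unencoded in the database, while the companion hunk in pkgfuncs.inc (which runs past the end of this chunk) drops the htmlspecialchars/strip_tags output escaping and prints `$carr["Comments"]` directly. Unless the existing rows are migrated, those pre-existing comments will be rendered verbatim after this change, which is a stored-XSS exposure that the original render-time escaping prevented. Any other consumer of PackageComments (feeds, mail, plain-text listings) will also receive literal `&lt;`/`&#039;` sequences from now on. The safer shape is to keep this line as `$q.= "'".mysql_real_escape_string($_REQUEST["comment"])."', ";` and keep the escaping in the display code; if storage-time encoding is kept anyway, pass an explicit charset, `htmlentities($_REQUEST["comment"], ENT_QUOTES, 'UTF-8')`, since the default on PHP of this era is ISO-8859-1 and mangles multibyte input.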
--- patched/web/lib/pkgfuncs.inc 2007-09-07 23:24:08.000000000 -0400
+++ new/web/lib/pkgfuncs.inc 2007-09-07 23:12:49.000000000 -0400
@@ -568,7 +568,8 @@
print "";
print "
\n";
- print str_replace("\n", "
", str_replace('"',""", htmlspecialchars(strip_tags(stripslashes($carr["Comments"])))));
+ //print str_replace("\n", "
", str_replace('"',""", htmlspecialchars(strip_tags(stripslashes($carr["Comments"])))));
+ print str_replace("\n", "
", $carr["Comments"]);
print "
\n";
print "