* diary.rhtml: escape HTML in comment form.

* tdiary.rb: shorten commentator's nsme and mail address validation in comment mail. git-svn-id: https://tdiary.svn.sourceforge.net/svnroot/tdiary/trunk/core@263 7f22e88f-374d-0410-998f-c91420d97ba2
tdiary · Mar 22, 2002 · 2efe5de · 2efe5de
1 parent 4e539cd
commit 2efe5de
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,8 @@
 	* tdiary.rb: Plugin#add_xxx_proc can receive a block.
 	* 00default.rb: follow new add_xxx_proc style.
 	* HOWTO-make-plugin.html: follow new add_xxx_proc style.
+	* diary.rhtml: escape HTML in comment form.
+	* tdiary.rb: shorten commentator's nsme and mail address validation in comment mail.
 
 2002.03.20 TADA Tadashi <sho@spc.gr.jp>
 	* doctype plugin.

diff --git a/skel/diary.rhtml b/skel/diary.rhtml
@@ -1,4 +1,4 @@
-<%# diary.rhtml $Revision: 1.2 $ %>
+<%# diary.rhtml $Revision: 1.3 $ %>
 <div class="day">
 <h2><span class="date"><a href="<%= opt['index'] %><%%=anchor "<%= @date.strftime( '%Y%m%d' ) %>" %%>"><%= @date.strftime( opt['date_format'] ) %></a></span> <span class="title"><%= title %></span></h2>
 
@@ -65,7 +65,7 @@ if not opt['hide_comment_form'] and opt['long_mode'] then %>
 	<div class="form"><form method="post" action="<%= opt['index'] %>">
 	<input type="hidden" name="date" value="<%= @date.strftime( '%Y%m%d' ) %>">
 	<p><a name="c"><%%=comment_description%%></a></p>
-	<p><%%=comment_name_label%%>: <input class="field" name="name" value="<%= opt['cookie_name'] %>">¡¡<%%=comment_mail_label%%>: <input class="field" name="mail" value="<%= opt['cookie_mail'] %>"><br></p>
+	<p><%%=comment_name_label%%>: <input class="field" name="name" value="<%= CGI::escapeHTML( opt['cookie_name'] ) %>">¡¡<%%=comment_mail_label%%>: <input class="field" name="mail" value="<%= CGI::escapeHTML( opt['cookie_mail'] ) %>"><br></p>
 	<p><%%=comment_body_label%%>:<br>
 	<textarea name="body" cols="60" rows="5"></textarea></p>
 	<p><input type="submit" name="comment" value="<%%=comment_submit_label%%>"></p>

diff --git a/tdiary.rb b/tdiary.rb
@@ -1,7 +1,7 @@
 =begin
 == NAME
 tDiary: the "tsukkomi-able" web diary system.
-tdiary.rb $Revision: 1.18 $
+tdiary.rb $Revision: 1.19 $
 
 Copyright (C) 2001-2002, TADA Tadashi <sho@spc.gr.jp>
 =end
@@ -956,9 +956,10 @@ def load( date )
 		if dirty and @mail_on_comment then
 			require 'socket'
 
-			name = to_mime( @name.to_jis ).join( "\n " )
+			name = to_mime( @name.to_jis )[0]
 			body = @body.to_jis
-			mail = @mail.length == 0 ? @author_mail : @mail
+			mail = @mail
+			mail = @author_mail unless mail =~ %r<[0-9a-zA-Z_.-]+@[\(\)%!0-9a-zA-Z_$@.&+-,'"*-]+>
 
 			now = Time::now
 			g = now.dup.gmtime