Also, in pkg_comments.php, always use htmlspecialchars when outputting user names.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
---
 web/html/css/aurweb.css | 6 ++++++
 web/lib/pkgbasefuncs.inc.php | 9 ++++++---
 web/template/pkg_comments.php | 27 ++++++++++++++++++++++++---
 3 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css
index b5ca1f3..bad5f00 100644
--- a/web/html/css/aurweb.css
+++ b/web/html/css/aurweb.css
@@ -96,6 +96,12 @@
 color: #999;
 }
+.edited {
+ font-size: 0.9em;
+ font-style: italic;
+ color: #666;
+}
+
 .delete-comment-form, .edit-comment {
 float: right;
 margin-left: 8px;
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index 85e38cd..44a80b5 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -47,9 +47,12 @@ function pkgbase_comments($base_id, $limit, $include_deleted) {
 }
 $dbh = DB::connect();
- $q = "SELECT PackageComments.ID, UserName, UsersID, Comments, ";
- $q.= "CommentTS, DelUsersID FROM PackageComments LEFT JOIN Users ";
- $q.= "ON PackageComments.UsersID = Users.ID ";
+ $q = "SELECT PackageComments.ID, A.UserName AS UserName, UsersID, Comments, ";
+ $q.= "CommentTS, EditedTS, B.UserName AS EditUserName, ";
+ $q.= "DelUsersID, C.UserName AS DelUserName FROM PackageComments ";
+ $q.= "LEFT JOIN Users A ON PackageComments.UsersID = A.ID ";
+ $q.= "LEFT JOIN Users B ON PackageComments.EditedUsersID = B.ID ";
+ $q.= "LEFT JOIN Users C ON PackageComments.DelUsersID = C.ID ";
 $q.= "WHERE PackageBaseID = " . $base_id . " ";
 if (!$include_deleted) {
 $q.= "AND DelUsersID IS NULL ";
diff --git a/web/template/pkg_comments.php b/web/template/pkg_comments.php
index 6cc9555..380c858 100644
--- a/web/template/pkg_comments.php
+++ b/web/template/pkg_comments.php
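Review bot: The three self-joins on Users are unexplained, and a reader has to work out what A, B and C stand for; a one-line comment above the new SELECT would do: `/* Users is joined three times: A = comment author, B = last editor (EditedUsersID), C = deleter (DelUsersID) */`. The rewritten query still has `$base_id` concatenated into the WHERE clause on the unchanged context line just below the new lines; that line is not part of this change, but unless the caller already casts it, `$q.= "WHERE PackageBaseID = " . intval($base_id) . " ";` would remove the only unparameterised value visible in this hunk. EditedTS and EditedUsersID are not created anywhere in this patch's diffstat, so presumably the schema change landed earlier in the series, which is worth confirming. pkgbase_comments() begins before this hunk and continues after it.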
@@ -16,9 +16,21 @@ $count = pkgbase_comments_count($base_id, $include_deleted);
 </h3>
 <?php while (list($indx, $row) = each($comments)): ?>
- <?php if ($row['UserName'] && $SID):
- $row['UserName'] = "<a href=\"" . get_user_uri($row['UserName']) . "\">{$row['UserName']}</a>";
- endif; ?>
+ <?php if ($row['UserName'] && $SID) {
+ $row['UserName'] = '<a href="' . get_user_uri($row['UserName']) . '">' . htmlspecialchars($row['UserName']) . '</a>';
+ } else {
+ $row['UserName'] = htmlspecialchars($row['UserName']);
+ }
+ if ($row['DelUserName'] && $SID) {
+ $row['DelUserName'] = '<a href="' . get_user_uri($row['DelUserName']) . '">' . htmlspecialchars($row['DelUserName']) . '</a>';
+ } else {
+ $row['DelUserName'] = htmlspecialchars($row['DelUserName']);
+ }
+ if ($row['EditUserName'] && $SID) {
+ $row['EditUserName'] = '<a href="' . get_user_uri($row['EditUserName']) . '">' . htmlspecialchars($row['EditUserName']) . '</a>';
+ } else {
+ $row['EditUserName'] = htmlspecialchars($row['EditUserName']);
+ } ?>
 <h4<?php if ($row['DelUsersID']): ?> class="comment-deleted"<?php endif; ?>>
 <?php if ($row['UserName']): ?>
 <?= __('%s commented', $row['UserName']) ?>
@@ -47,6 +59,15 @@ $count = pkgbase_comments_count($base_id, $include_deleted);
 <p>
 <?= parse_comment($row['Comments']) ?>
 </p>
+ <?php if ($row['EditedTS']): ?>
+ <p class="edited">
+ <?php if ($row['DelUsersID']) {
+ echo __('Deleted %s by %s', gmdate('Y-m-d H:i', $row['EditedTS']), $row['DelUserName']);
+ } else {
+ echo __('Last edited %s by %s', gmdate('Y-m-d H:i', $row['EditedTS']), $row['EditUserName']);
+ }?>
+ </p>
+ <?php endif; ?>
 </div>
 <?php endwhile; ?>
 </div>
-- 
2.4.5
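Review bot: Only the link text goes through htmlspecialchars(); on each of the three new `'<a href="' . get_user_uri(...)` lines the href is built from the raw user name, so the attribute is only safe if get_user_uri() encodes its argument, which is not visible here — if it does not, wrapping the href in htmlspecialchars() as well closes the gap. htmlspecialchars() is also called without flags or a charset, so its behaviour depends on the PHP version's defaults; passing `ENT_QUOTES` and `'UTF-8'` explicitly removes that dependency. The same five-line if/else is repeated for UserName, DelUserName and EditUserName, so one loop over the three keys would keep the escaping in a single place (sketch below). The enclosing while loop continues past this hunk.
```php
<?php foreach (array('UserName', 'DelUserName', 'EditUserName') as $key) {
	$escaped = htmlspecialchars($row[$key], ENT_QUOTES, 'UTF-8');
	if ($row[$key] && $SID) {
		$row[$key] = '<a href="' . htmlspecialchars(get_user_uri($row[$key]), ENT_QUOTES, 'UTF-8') . '">' . $escaped . '</a>';
	} else {
		$row[$key] = $escaped;
	}
} ?>
```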
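Review bot: The deleted branch reads EditedTS as the deletion time while the other branch reads it as the last-edit time, so the label is only right if the delete path also stamps EditedTS and EditedUsersID — that code is outside this patch, and the convention deserves a comment next to the new `<?php if ($row['EditedTS']): ?>`, such as `<?php /* EditedTS/EditedUsersID also record the deletion time and user for deleted comments */ ?>`. gmdate() formats in UTC but nothing on the page says so; a timezone token in the format, e.g. `gmdate('Y-m-d H:i T', $row['EditedTS'])`, which yields GMT, makes that explicit for readers in other zones. Minor: `}?>` on the closing line should be `} ?>` to match the spacing of `<?php endif; ?>` and `<?php endwhile; ?>` in the same hunk. The enclosing while loop begins before this hunk.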