vadvs (vadvs) wrote in changelog,

[livejournal] r20877: LJSUP-10924: add some checks.

Committer: vad
LJSUP-10924: add some checks.
U   trunk/htdocs/editjournal.bml
Modified: trunk/htdocs/editjournal.bml
===================================================================
--- trunk/htdocs/editjournal.bml	2012-01-10 08:04:30 UTC (rev 20876)
+++ trunk/htdocs/editjournal.bml	2012-01-10 09:08:39 UTC (rev 20877)
@@ -30,7 +30,7 @@
 
     my $skip = $GET{'skip'} || $POST{'skip'} || 0;
     my $mode = $GET{'mode'} || $POST{'mode'} || "init";
-    my $only_me_checked = LJ::did_post() ? $POST{'only_me'} : $GET{'only_me'};
+    my $only_me_checked = (LJ::did_post() ? $POST{'only_me'} : $GET{'only_me'}) ? 1 : 0;
 
     if ( $GET{'itemid'} || $POST{'itemid'} ) { $mode = "edit"; }
     if ( $GET{'delayedid'} || $POST{'delayedid'} ) { $mode = "edit"; }
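Review bot: The `? 1 : 0` normalisation on the new `$only_me_checked` line is effectively a sanitising step, since the value is later interpolated into `$getextra` and from there into the form's `action` attribute, but nothing on the line says so and a future edit could revert it. A trailing comment such as `# normalised to 1/0: interpolated into $getextra / form action` would preserve the intent. This input is also read as `did_post() ? $POST : $GET` while the neighbouring `skip` and `mode` use `$GET || $POST`, so a POST that carries `only_me` in the query string is ignored here but honoured for the others; presumably deliberate, but worth a word. The enclosing code block starts and ends outside the hunk.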
@@ -71,17 +71,23 @@
 
     # are we modify a community post?
     my $usejournal = $GET{'usejournal'} || $POST{'usejournal'} || $GET{'journal'};
+    undef $usejournal unless LJ::load_user($usejournal);   # ignore unknown journals
     undef $usejournal if $usejournal eq $remote->{'user'}; # ignore if it's the user
     my $usejournal_u = LJ::load_user ($usejournal) || $remote;
+    undef $usejournal unless $usejournal_u;
 
     my ($year, $month, $day) = ($POST{'year'} || $GET{'year'}, $POST{'month'} || $GET{'month'}, $POST{'day'} || $GET{'day'});
     my $ymd = join "-", ($year, $month, $day);
+    ## check income parameters.
+    if ($ymd !~ /^[\d\-]+$/){
+        $year = $month = $day = $ymd = undef;
+    }
 
     my $show = $GET{'show'} || undef;
 
     # extra get arguments
     my $getextra;
-    $getextra .= "usejournal=$usejournal&" if $usejournal;
+    $getextra .= "usejournal=$usejournal&" if $usejournal; 
     $getextra .= "year=$year&month=$month&day=$day&" if $year && $month && $day;
     $getextra .= "only_me=$only_me_checked&" if $only_me_checked;
     chop $getextra;
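Review bot: The new date check uses `^`/`$`, so a value with a trailing newline (e.g. `day=5%0A`) passes the regex and is then interpolated into `$getextra` and the form `action`; anchor with `\A`/`\z` and validate each part on its own rather than the joined `$ymd`, since `join` masks which part was bad and emits uninitialised warnings for missing ones. In the same way the raw `$usejournal` string is still what gets interpolated on the `usejournal=` line even though it is only known to resolve via `LJ::load_user`; emitting the loaded user's canonical name (`$usejournal_u->{'user'}`) instead removes any dependence on how loosely `load_user` normalises its input, and `LJ::load_user` is then called once rather than twice. The added `undef $usejournal unless $usejournal_u;` looks unreachable, because the line above falls back to `$remote`, which appears to be always defined here. Minor: the `usejournal=` line is changed only to add trailing whitespace, and `income parameters` in the new comment reads as a typo for `incoming`. The enclosing block starts and ends outside the hunk.
```perl
    # are we modify a community post?
    my $usejournal = $GET{'usejournal'} || $POST{'usejournal'} || $GET{'journal'};
    my $usejournal_u = $usejournal ? LJ::load_user($usejournal) : undef;   # unknown journals are ignored
    undef $usejournal_u if $usejournal_u && $usejournal_u->{'user'} eq $remote->{'user'}; # ignore if it's the user
    $usejournal = $usejournal_u ? $usejournal_u->{'user'} : undef;         # canonical name only
    $usejournal_u ||= $remote;

    my ($year, $month, $day) = ($POST{'year'} || $GET{'year'}, $POST{'month'} || $GET{'month'}, $POST{'day'} || $GET{'day'});
    ## validate incoming date parts individually: they are interpolated into $getextra
    for my $part ($year, $month, $day) {
        undef $part unless defined $part && $part =~ /\A\d{1,4}\z/;
    }
    my $ymd = join "-", ($year, $month, $day);
    # … unchanged: $show, $getextra assembly …
```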
@@ -695,7 +701,6 @@
 
         # edit form
 
-
         $ret .= "<form action='editjournal.bml$getextra' method='get' class='b-editentries-form";
         if ($day) {
             $ret .= " b-editentries-form-withdate";

Tags: bml, livejournal, vad, vadvs