$post['message'] = htmlspecialchars($post['message']);
// 将未插入帖子的附件加入到末尾。
$attachlist = $imagelist = $filelist = array();
if ($post['images'] || $post['files']) {
$attachlist = attach_find_by_pid($post['pid']);
list($imagelist, $filelist) = attach_list_not_in_message($attachlist, $post['message']);
$post['message'] .= post_attach_list_add($imagelist, $filelist);
}
check_standard_browser();
include './flarum/view/post_update.htm';
} elseif ($method == 'POST') {
$subject = htmlspecialchars(param('subject', '', FALSE));
$message = param('message', '', FALSE);
$seo_url = strtolower(param('seo_url'));
empty($message) and message(2, '内容不能为空');
$gid != 1 and $message = xn_html_safe($message);
mb_strlen($message, 'UTF-8') > 2048000 and message('内容太长');
$arr = array();
if ($isfirst) {
$newfid = param('fid');
$forum = forum_read($newfid);
empty($forum) and message(1, '板块不存在:' . $newfid);
if ($fid != $newfid) {
!forum_access_user($fid, $gid, 'allowthread') and message(-1, '您(' . $user['groupname'] . ')无权限在此版块回帖');
$post['uid'] != $uid and !forum_access_mod($fid, $gid, 'allowupdate') and message(-1, '您(' . $user['groupname'] . ')无权限在此版块编辑帖子');
$arr['fid'] = $newfid;
}
if ($seo_url != $thread['seo_url'] && $conf['seo_url_rewrite'] && $group['allowcustomurl']) {
$seo_url = preg_replace('#[\\W]#', '-', $seo_url);
// 只允许英文和 -
$seo_url and thread_read_by_seo_url($seo_url) and message(4, '自定义的 URL 已经存在,请修改。');
<?php
/*
功能:演示使用类库对 HTML 代码进行安全过滤
注意:
缓存类型自行配置 conf.php 文件中的 cache type
返回 NULL 表示结果不存在,返回 FALSE 表示错误。
*/
chdir('../../../');
include './xiunophp/xn_html_safe.func.php';
$s = '<div onclick="alert(123)">xss</div>';
$r = xn_html_safe($s);
echo $r;
/*
结果输出:
<div>xss</div>
*/