在评论中增加了防止插入script的过滤，增加了用户姓名和EMAIL的调用

2011-11-23 08:12:29 +00:00 · 2011-11-23 08:12:29 +00:00 · 5aacc7edb2
parent 6d192de3b9
commit 5aacc7edb2
2 changed files with 29 additions and 6 deletions
--- a/application/default/controllers/DataController.php
+++ b/application/default/controllers/DataController.php
@ -656,8 +656,18 @@ class DataController extends Zend_Controller_Action
 			exit();
 		}
 		if(preg_match("/script/i",$url))
 		{
 			$url = preg_replace("/script/i","ｓｃｒｉｐｔ",$url);
 		}
 		if(strlen($content)<5) exit("评论长度不得少于3个汉字 :)");
 		if(preg_match("/script/i",$content))
 		{
 			$content = preg_replace("/script/i","ｓｃｒｉｐｔ",$content);
 		}
 		$uuid = trim($this->_request->getParam('uuid'));
 		if(!preg_match("/^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$/",$uuid))
--- a/application/default/views/scripts/data/view.phtml
+++ b/application/default/views/scripts/data/view.phtml
@ -257,18 +257,31 @@ echo '</li>';
 <div id="allcomments">
 <div id="loading"><img src="/images/loading.gif" />评论加载中</div>
 </div>
 <?php
 $auth = Zend_Auth::getInstance();
 if($auth->hasIdentity())
 {
 	$user = $auth->getIdentity();
 	$name = $user->realname;
 	$email = $user->email;
 }else
 {
 	$name = "";
 	$email = "";
 }
 ?>
 <form id="postcommentform">
 	<p>
 	<label class="required" style="background:none;">姓名</label>
-    <input type="text" name="author" />
+    <input type="text" name="author" value="<?php echo $name;?>" />
    </p>
    <p>
    <label class="required" style="background:none;">EMAIL</label>
-    <input type="text" name="email" />
+    <input type="text" name="email" value="<?php echo $email;?>" />
    </p>
    <p>
    <label>WEBSITE</label>
-    <input type="text" name="url" />
+    <input type="text" name="url" value="" /> <small>e.g. http://westdc.westgis.ac.cn/</small>
    </p>
    <p>
    <label class="required" style="background:none;">内容</label>