From 0380cfa9eee1293b0c81802884aefbadaaab9671 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 13 Feb 2012 12:46:20 +0400 Subject: [PATCH] fix customize CSS dialog disappearing newlines --- classes/rpc.php | 5 ++--- include/db-prefs.php | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/classes/rpc.php b/classes/rpc.php index ef89a2141..7ecb1ae63 100644 --- a/classes/rpc.php +++ b/classes/rpc.php @@ -212,10 +212,9 @@ class RPC extends Protected_Handler { function setpref() { $value = str_replace("\n", "
", $_REQUEST['value']); - $key = db_escape_string($_REQUEST["key"]); - $value = db_escape_string($value); + // set_pref escapes input, so no need to double escape it here - set_pref($this->link, $key, $value); + set_pref($this->link, $key, $value, $_SESSION['uid'], false); print json_encode(array("param" =>$key, "value" => $value)); } diff --git a/include/db-prefs.php b/include/db-prefs.php index b62e01a7b..696aae5d1 100644 --- a/include/db-prefs.php +++ b/include/db-prefs.php @@ -79,9 +79,9 @@ } } - function set_pref($link, $pref_name, $value, $user_id = false) { + function set_pref($link, $pref_name, $value, $user_id = false, $strip_tags = true) { $pref_name = db_escape_string($pref_name); - $value = db_escape_string($value); + $value = db_escape_string($value, $strip_tags); if (!$user_id) { $user_id = $_SESSION["uid"];