From: Dylan Lloyd <dylan@dylansserver.com>
Date: Wed, 13 Feb 2013 08:50:54 +0000 (-0500)
Subject: use htmlspecialchars to escape authorname
X-Git-Url: https://disinclined.org/git/?a=commitdiff_plain;h=a3778d8897496a7b491b6e51b80f3b8d8598d232;p=dylansserver.git

use htmlspecialchars to escape authorname
---

diff --git a/model/note.php b/model/note.php
index 8e863f1..f0c54cb 100644
--- a/model/note.php
+++ b/model/note.php
@@ -85,11 +85,11 @@ class note extends model {
     $i = 0;
     foreach ($result as $row => $entry) {
       $this->comment[$i]['date_posted'] = $entry['date_posted'];
-      $this->comment[$i]['author']  = $entry['author'];
+      $this->comment[$i]['author']  = htmlspecialchars($entry['author']);
       $this->comment[$i]['text'] = htmlspecialchars($entry['text']);
-      $this->comment[$i]['head'] = "<h3>" . htmlspecialchars($author) . "</h3>";
       $i++;
     }
+    require_once('view/comment.php');
   }
 
   public function display_comment_form() {