From a3778d8897496a7b491b6e51b80f3b8d8598d232 Mon Sep 17 00:00:00 2001
From: Dylan Lloyd
Date: Wed, 13 Feb 2013 03:50:54 -0500
Subject: [PATCH] use htmlspecialchars to escape authorname

---
 model/note.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/model/note.php b/model/note.php
index 8e863f1..f0c54cb 100644
--- a/model/note.php
+++ b/model/note.php
@@ -85,11 +85,11 @@ class note extends model {
  $i = 0;
  foreach ($result as $row => $entry) {
  $this->comment[$i]['date_posted'] = $entry['date_posted'];
- $this->comment[$i]['author'] = $entry['author'];
+ $this->comment[$i]['author'] = htmlspecialchars($entry['author']);
  $this->comment[$i]['text'] = htmlspecialchars($entry['text']);
- $this->comment[$i]['head'] = "

" . htmlspecialchars($author) . "

";
  $i++;
  }
+ require_once('view/comment.php');
  }
  public function display_comment_form() {
-- 
2.30.2
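Review bot: The new `htmlspecialchars($entry['author'])` call relies on the default flags and charset, so on the PHP versions this commit targets single quotes are left unescaped (the default was ENT_COMPAT until 8.1) and the assumed charset varies by version; if the author name is ever emitted inside a single-quoted attribute the escaping is incomplete. Pass both explicitly, `$this->comment[$i]['author'] = htmlspecialchars($entry['author'], ENT_QUOTES, 'UTF-8');`, and apply the same to the existing `text` line two lines below for consistency. Escaping inside the model also means `$this->comment` now holds HTML-encoded strings, which is wrong for any non-HTML consumer (JSON, plain-text mail); output-time escaping in the view would be the safer place if that refactor is in scope. The added `require_once('view/comment.php')` resolves a relative path against the include path and current directory rather than `__DIR__`, and pulling a view into a model method deserves at least a comment explaining why it lives here. The enclosing method starts before the hunk and `display_comment_form()` continues after it.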