From f4311d6999688a97e69368017d511cd13e4b7c1f Mon Sep 17 00:00:00 2001
From: Dylan Lloyd <dylan@miniscule.localdomain>
Date: Mon, 12 Dec 2011 11:58:05 -0500
Subject: [PATCH] Fixed double comment sanitation.

Now ONLY sanitizing output. Input is safe for mysql with bound parameters.
---
 index.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/index.php b/index.php
index 88f82d2..485b063 100644
--- a/index.php
+++ b/index.php
@@ -435,8 +435,8 @@ class note extends cms {
       // and a default author needs to be set
       // for no-javascript users.
       $stmt->bind_param('sss',
-                          htmlspecialchars($_POST['name']),
-                          htmlspecialchars($_POST['text']),
+                          $_POST['name'],
+                          $_POST['text'],
                         $this->id);
       $stmt->execute();
     }
@@ -491,7 +491,7 @@ END_OF_NAVIGATION;
       $date_posted = $entry['date_posted'];
       $author = $entry['author'];
       $text = htmlspecialchars($entry['text']);
-      $head = "<h3>$author</h3>";
+      $head = "<h3>" . htmlspecialchars($author) . "</h3>";
       echo <<<END_OF_COMMENT
       <div class='comment'>
       $head
-- 
2.30.2