Bug 291297: Improve Report Comments
Status: RESOLVED FIXED, 1.0
Opened 20 years ago, closed 20 years ago
Categories: addons.mozilla.org Graveyard :: Public Pages, defect
Tracking: Not tracked
People: Reporter: cso, Assigned: cso
Attachments: 1 file, 2 obsolete files
patch, 7.79 KB (morgamic: first-review+)

Currently, report comments keeps getting spammed presumably due to spidering. The following patch removes the JavaScript prompt, and makes a user confirm they want to report the comment on a separate page - this should hopefully cut down on the spamming of reporting comments.

Comment 1 (Assignee) • 20 years ago
Patch as described.
Attachment #181412 - Flags: first-review?(mike.morgan)

Comment 2 (Assignee) • 20 years ago
As before, but with spaces instead of tabs.
Attachment #181412 - Attachment is obsolete: true
Attachment #181413 - Flags: first-review?(mike.morgan)

Updated (Assignee) • 20 years ago
Attachment #181412 - Flags: first-review?(mike.morgan)

Comment 3 • 20 years ago
Comment on attachment 181413, Patch v2

Not all inputs are properly escaped:

+ $sql = "UPDATE `feedback` SET `flag`='YES' WHERE `CommentID`='".$commentid."' LIMIT 1";

It would be cleaner to assign commentid and id just once, and when you do it, escape both since they will be used in the queries.

Everything else looked fine. Just double check that all vars are escaped and post an updated patch. Thanks, Colin. :)
Attachment #181413 - Flags: first-review?(mike.morgan) → first-review-
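
Review bot: In the added `$sql` line, `$commentid` is concatenated directly into the WHERE clause, so the surrounding single quotes are the only thing separating request input from the statement text. If `CommentID` is a numeric key, cast the value to an integer at the single place it is read from the request, or escape it there, and give `id` the same treatment before either variable reaches a query. Doing this once at assignment also means no query site can use the raw value by mistake.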

Comment 4 (Assignee) • 20 years ago
(In reply to comment #3)
> (From update of attachment 181413)
> Not all inputs are properly escaped:
>
> + $sql = "UPDATE `feedback` SET `flag`='YES' WHERE
> `CommentID`='".$commentid."' LIMIT 1";

Fixed, will post a new patch when I get a chance.

> It would be cleaner to assign commentid and id just once, and when you do it,
> escape both since they will be used in the queries.
>
> Everything else looked fine. Just double check that all vars are escaped and
> post an updated patch. Thanks, Colin. :)

If you mean the fact it's assigned twice from $_GET and $_POST depending, then I prefer this method to using $_REQUEST, in case a server is misconfigured.
Summary: Improve Report Comments → Improve Report Comments

Comment 5 (Assignee) • 20 years ago
v3
Attachment #181413 - Attachment is obsolete: true
Attachment #181455 - Flags: first-review?(mike.morgan)

Comment 6 • 20 years ago
Comment on attachment 181455, Patch v3

Looks good - Thanks Colin.
Attachment #181455 - Flags: first-review?(mike.morgan) → first-review+

Comment 7 • 20 years ago
Pushed - will be live after next update.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

Updated • 9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
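
The flow this bug describes (a followed link only reaches a confirmation page, and the flag is set on a separate submit) combined with the input handling requested in comment 3, as an added example that is not the attached patch or AMO code. The function names are hypothetical, PDO with an in-memory SQLite database stands in for the backend behind the MySQL-style query quoted in comment 3, and `LIMIT 1` is dropped because SQLite does not accept it on UPDATE by default:

```php
<?php
// Added example, not the AMO patch. Function names and the reduced
// `feedback` schema are assumptions made for illustration.

function parse_comment_id($raw): ?int {
    // Accept only a short, plain decimal string; anything else is rejected.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int)$raw;
    return $id > 0 ? $id : null;
}

function handle_report(PDO $db, string $method, array $get, array $post): string {
    // Read the ID once, from the array that matches the request method.
    $source = $method === 'POST' ? $post : $get;
    $commentId = parse_comment_id($source['commentid'] ?? null);
    if ($commentId === null) {
        return 'error: invalid comment id';
    }
    if ($method !== 'POST') {
        // A followed link (GET) only renders the confirmation form; nothing is written.
        return '<form method="post"><input type="hidden" name="commentid" value="'
             . $commentId . '"><input type="submit" value="Report this comment"></form>';
    }
    // Bound parameter: the ID never becomes part of the SQL text.
    $stmt = $db->prepare("UPDATE feedback SET flag = 'YES' WHERE CommentID = :id");
    $stmt->execute([':id' => $commentId]);
    return $stmt->rowCount() > 0 ? 'reported' : 'nothing updated';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE feedback (CommentID INTEGER PRIMARY KEY, flag TEXT DEFAULT 'NO')");
$db->exec("INSERT INTO feedback (CommentID) VALUES (1), (2)");

// A crawler following the report link, a malformed ID, then a confirmed report.
echo handle_report($db, 'GET', ['commentid' => '1'], []), "\n";
echo handle_report($db, 'GET', ['commentid' => "1' OR '1'='1"], []), "\n";
echo handle_report($db, 'POST', [], ['commentid' => '2']), "\n";

// Show the resulting flag state for each sample comment.
foreach ($db->query('SELECT CommentID, flag FROM feedback') as $row) {
    echo $row['CommentID'], ' => ', $row['flag'], "\n";
}
```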