0.4.9:comment-escaping in backend and proper errormsg when not selecting comments for analysis

serendipity_event_spamblock_bayes/ChangeLog

@@ -1,3 +1,8 @@
+
+0.4.9:
+    Security: Escaped comments in backend
+    Fixed error when selecting no comments in analyse-menu
+
 0.4.8:
     Added option to delete all comments when emptying recycler
 

serendipity_event_spamblock_bayes/admin/bayesAnalysis.tpl

@@ -5,7 +5,7 @@
         <ul class="plainList bayesAnalysis">
             {foreach from=$types item=type}
                 <li class="ratingBox"><div class="commentType">{$type}</div>
-                    <div class="commentPart">{$comment.$type|escape}</div>
+                    <div class="commentPart">{$comment.$type|escape:"html"}</div>
                     <div class="rating">
                         {if $comment.ratings.$type != "-"}
                             {$comment.ratings.$type|regex_replace:"/\..*/":""}%

serendipity_event_spamblock_bayes/admin/bayesAnalysismenu.tpl

@@ -17,7 +17,7 @@
                         <input type="checkbox" id="{$comment.id}" name="comments[{$comment.id}]" />
                         <label for="{$comment.id}"" >{$comment.id}</label>:
                         <div class="bayesComments">
-                            {$comment.author}, {$comment.body}
+                            {$comment.author|escape:"html"}, {$comment.body|escape:"html"}
                         </div>
                     </li>
                 {/foreach}

serendipity_event_spamblock_bayes/admin/bayesRecyclermenu.tpl

@@ -33,8 +33,8 @@
                             </thead>
                             <tbody>
                                 <tr>
-                                    <td>{$comment.author|truncate:20:"..."}</td>
-                                    <td>{$comment.body|truncate:20:"..."}</td>
+                                    <td>{$comment.author|truncate:20:"..."|escape:"html"}</td>
+                                    <td>{$comment.body|truncate:20:"..."|escape:"html"}</td>
                                     <td>{$comment.timestamp|date_format:"%d.%m.%y, %R"}</td>
                                     <td>{$comment.rating|regex_replace:"/\..*/":""}%</td>
                                 </tr>
@@ -44,7 +44,7 @@
                     <dl class="bayesRecyclerList">
                     {foreach from=$types item=type}
                         <dt>{$type}</dt>
-                        <dd>{$comment.$type}</dd>
+                        <dd>{$comment.$type|escape:"html"}</dd>
                     {/foreach}
                     <dt>{$CONST.Article}</dt>
                     <dd><a href="{$comment.article_link}" target="_blank">{$comment.article_title}</a></dd>

serendipity_event_spamblock_bayes/serendipity_event_spamblock_bayes.php

@@ -36,7 +36,7 @@ class serendipity_event_spamblock_bayes extends serendipity_event {
 		$this->title = PLUGIN_EVENT_SPAMBLOCK_BAYES_NAME;
 		$propbag->add ( 'description', PLUGIN_EVENT_SPAMBLOCK_BAYES_DESC);
 		$propbag->add ( 'name', $this->title);
-		$propbag->add ( 'version', '0.4.8' );
+		$propbag->add ( 'version', '0.4.9' );
 		$propbag->add ( 'event_hooks', array ('frontend_saveComment' => true,
 		                                     'backend_spamblock_comments_shown' => true,
 		                                     'external_plugin' => true,
@@ -890,8 +890,10 @@ class serendipity_event_spamblock_bayes extends serendipity_event {
                             $url = 'serendipity_admin.php?serendipity[adminModule]=event_display';
                             $url .= '&serendipity[adminAction]=spamblock_bayes';
                             $url .= '&serendipity[subpage]=4';
-                            foreach ($comment_ids as $comment) {
-                                $url .= '&serendipity[comments]['.$comment.']';
+                            if (isset($_REQUEST['comments'])) {
+                                foreach ($comment_ids as $comment) {
+                                    $url .= '&serendipity[comments]['.$comment.']';
+                                }
                             }
                             if (!empty($msgtype)) {
                                 $url .= '&serendipity['.$msgtype.']='. $msg .'"/>';