From 4c6ede19a3fb6b84df07d9d4717589960b62eb28 Mon Sep 17 00:00:00 2001
From: BodgeMaster <>
Date: Thu, 12 Mar 2020 23:14:03 +0100
Subject: [PATCH] fixed html injection

---
 threadr/board/board.php | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/threadr/board/board.php b/threadr/board/board.php
index d29a57e..dee5fbc 100644
--- a/threadr/board/board.php
+++ b/threadr/board/board.php
@@ -5,20 +5,27 @@ $statement->execute(array("bid"=>$id));
 foreach($statement->fetchAll() as $ROW) {
   $statement = $pdo->prepare("SELECT * FROM users WHERE id=:uid");
   $statement->execute(array("uid"=>$ROW[user_id]));
-  $post_user = $statement->fetch();
-  echo "<section>";
-  echo "<h1>$ROW[title]</h1>";
-  echo "<article>";
-  echo "<header>";
-  echo "<div>";
-  echo "<p class='beige'>$post_user[name] <time datetime='$ROW[post_time]'>$ROW[post_time]</time></p>";
-  echo "</div>";
-  echo "</header>";
-  echo "<div class='postcontent'>";
-  echo "<p>$ROW[content]</p>";
-  echo "</div>";
-  echo "</article>";
-  echo "</section>";
+
+  $post_creator = $statement->fetch();
+
+  $post_title = htmlspecialchars($ROW['title']);
+  $post_creator_name = htmlspecialchars($post_creator['name']);
+  $post_time = htmlspecialchars($ROW['post_time']);
+  $post_content = htmlspecialchars($ROW['content']);
+
+  echo "<section>
+<h1>$post_title</h1>
+<article>
+<header>
+<div>
+<p class='beige'> $post_creator_name <time datetime='$post_time'>$post_time</time></p>
+</div>
+</header>
+<div class='postcontent'>
+<p>$post_content</p>
+</div>
+</article>
+</section>";
 }
 ?>