From 4e95149c4b228829a19ab77d97f5a4ac99c236a8 Mon Sep 17 00:00:00 2001
From: Shish
Date: Tue, 24 Nov 2009 13:57:37 +0000
Subject: [PATCH] updates from sein
---
 contrib/forum/main.php | 8 ++++----
 contrib/forum/theme.php | 8 +++++---
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/contrib/forum/main.php b/contrib/forum/main.php
index a8bedf58..be76d166 100644
--- a/contrib/forum/main.php
+++ b/contrib/forum/main.php
@@ -197,7 +197,7 @@ class Forum extends SimpleExtension {
 $hasErrors = true;
 $errors .= "
You cannot have an empty title.
";
 }
- else if (strlen(mysql_real_escape_string(htmlspecialchars($_POST["title"]))) > 255)
+ else if (strlen(mysql_real_escape_string(html_escape($_POST["title"]))) > 255)
 {
 $hasErrors = true;
 $errors .= "
Your title is too long.
"; @@ -274,7 +274,7 @@ class Forum extends SimpleExtension { "INNER JOIN forum_posts AS p ". "ON p.thread_id = f.id ". "GROUP BY f.id, f.sticky, f.title, f.date, u.name, u.email, u.admin ". - "ORDER BY f.sticky DESC, f.uptodate DESC LIMIT ?, ?" + "ORDER BY f.sticky ASC, f.uptodate DESC LIMIT ?, ?" , array($pageNumber * $threadsPerPage, $threadsPerPage) ); @@ -318,7 +318,7 @@ class Forum extends SimpleExtension { private function save_new_thread($user) { - $title = mysql_real_escape_string(htmlspecialchars($_POST["title"])); + $title = mysql_real_escape_string(html_escape($_POST["title"])); $sticky = html_escape($_POST["sticky"]); if($sticky == ""){ @@ -344,7 +344,7 @@ class Forum extends SimpleExtension { { global $config; $userID = $user->id; - $message = mysql_real_escape_string(htmlspecialchars($_POST["message"])); + $message = mysql_real_escape_string(html_escape($_POST["message"])); $max_characters = $config->get_int('forumMaxCharsPerPost'); $message = substr($message, 0, $max_characters); diff --git a/contrib/forum/theme.php b/contrib/forum/theme.php index de3acb15..d31490e9 100644 --- a/contrib/forum/theme.php +++ b/contrib/forum/theme.php @@ -110,9 +110,11 @@ class ForumTheme extends Themelet { $message = str_replace('\n', '
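Review bot: The 255 limit in this `else if` (main.php, hunk at line 197) is measured on a title that has already been HTML-escaped and SQL-escaped, so it counts entities and inserted backslashes rather than what the user typed; the same escape-on-input pattern is repeated for `$title` in `save_new_thread` and for `$message` in the later main.php hunks. The thread-list query in this file binds values through `?` placeholders; if the insert paths do the same (they are outside these hunks), `mysql_real_escape_string` double-escapes the data, which would explain the `stripslashes` added in theme.php. Consider checking and storing the raw value, `else if (strlen($_POST["title"]) > 255)`, binding it as a parameter, and calling `html_escape` only at render time. The enclosing function starts and ends outside the hunk.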
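Review bot: Whether `f.sticky ASC` lists sticky threads first depends on how the column is stored, and nothing in the hunk at line 274 says which. If it holds plain 'Y'/'N' strings (the theme compares `user_admin` to "Y", so that convention may apply here too), ascending order would put non-sticky threads on top; an ENUM declared in Y-then-N order sorts by index and would behave as intended. An explicit expression such as `"ORDER BY (f.sticky = 'Y') DESC, f.uptodate DESC LIMIT ?, ?"`, or a one-line comment naming the column type, would make the intent independent of the schema. The query begins outside the hunk.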
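Review bot: In the hunk at line 344, `substr($message, 0, $max_characters)` runs after both escaping passes, so the cut can land inside an entity such as `&amp;` or directly after a backslash that `mysql_real_escape_string` inserted. A split entity renders as garbage, and a trailing lone backslash is unsafe if the value is later placed inside a quoted SQL literal. Truncate the raw input first, `$message = substr($_POST["message"], 0, $max_characters);`, then bind it as a parameter and escape for HTML on output. How `$message` reaches the database is outside this hunk, so the SQL impact should be confirmed there.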
', $message); $message = str_replace('\r', '
', $message); + $message = stripslashes($message); + $user = "".$post["user_name"].""; - $poster = User::by_name($post["user_name"]); + $poster = User::by_name($post["user_name"]); $gravatar = $poster->get_avatar_html(); $oe = ($n++ % 2 == 0) ? "even" : "odd"; @@ -120,7 +122,7 @@ class ForumTheme extends Themelet { if ($post["user_admin"] == "Y") { $rank = "admin"; } else { - $rank = "user"; + $rank = "user"; } $postID = $post['id']; @@ -224,4 +226,4 @@ class ForumTheme extends Themelet { return $html; } } -?> +?> \ No newline at end of file
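Review bot: The added `$message = stripslashes($message);` (theme.php, hunk at line 110) undoes at display time the backslashes that `mysql_real_escape_string` adds in main.php, and it will also delete any backslash a user actually typed, such as in a file path or code snippet. The two `str_replace` calls above it match the literal two-character sequences `\n` and `\r` (single-quoted strings), which suggests escape sequences are being stored verbatim instead of real newlines. Storing the raw text on the write path would let this line be dropped and the replacements operate on real line breaks. Separately, `User::by_name($post["user_name"])` is dereferenced with `->get_avatar_html()` without a null check; if `by_name` can return null for a removed account (its definition is not visible here), this page would fail for that post.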