escape mail string before output

typecho · May 15, 2023 · 0433a11 · 0433a11
1 parent 98e4c1d
commit 0433a11
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/admin/manage-comments.php b/admin/manage-comments.php
@@ -131,7 +131,7 @@
                                 <div class="comment-meta">
                                     <strong class="comment-author"><?php $comments->author(true); ?></strong>
                                     <?php if($comments->mail): ?>
-                                    <br /><span><a href="mailto:<?php $comments->mail(); ?>"><?php $comments->mail(); ?></a></span>
+                                    <br /><span><a href="<?php $comments->mail(true); ?>"><?php $comments->mail(); ?></a></span>
                                     <?php endif; ?>
                                     <?php if($comments->ip): ?>
                                     <br /><span><?php $comments->ip(); ?></span>

diff --git a/var/Widget/Base/Comments.php b/var/Widget/Base/Comments.php
@@ -306,6 +306,18 @@ public function excerpt(int $length = 100, string $trim = '...')
         echo Common::subStr(strip_tags($this->content), 0, $length, $trim);
     }
 
+    /**
+     * 输出邮箱地址
+     *
+     * @param bool $link
+     * @return void
+     */
+    public function mail(bool $link = false)
+    {
+        $mail = htmlspecialchars($this->mail);
+        echo $link ? 'mailto:' . $mail : $mail;
+    }
+
     /**
      * 获取查询对象
      *