Threaded Mode | Linear Mode

***ZiNgA BuRgA*** · 06-16-2011 09:17 AM

(06-14-2011 05:24 PM)euantor Wrote: Edit: Just looking through and I don't believe I should be using htmlspecialchars though, right? I already use the MyBB post parser and that should run htmlspecialchars should HTML be disabled, right? I also allow the use of HTML if the setting is on.

Paste the following code in your userpage:

Code:

hi
</textarea>
<script type="text/javascript"> alert('hi'); </script>

Then go to edit your user page from the ModCP.

Also a quick look at your newer version (note, I'm not looking through everything), this is incorrect:

PHP Code:

	global $mybb, $db, $lang, $cache, $page, $templates, $theme, $headerinclude, $header, $footer, $usercpnav, $smilieinserter, $codebuttons, $currentuserpage, $templatelist;

	$lang->load('userpages');
	
	$usergroups_cache = $cache->read("usergroups");
	
	$templatelsit .= ",userpages_usercp_main";
	
	$templates->cache($db->escape_string($templatelist));

1) typo "templatelsit"
2) templates need to be cached from global_start (or earler)
3) caching one template will use a query, pointless, since the template->get call will automatically query anyway (though this will make the stats look a little better)
4) templates->cache overwrites all cached templates, so since you're pulling the entire templatelist, all dynamic modifications will be overwritten (plus it's unnecessary overhead)
5) I know MyBB does it, but $db->escape_string here is pointless and incorrect

Threaded Mode \| Linear Mode Userpages v1.0 Review
Please note that this is pretty much a negative criticism post, rather than a balanced review as mentioned in this thread. Also be aware that stuff posted here may be highly subjective. Please feel free to criticise this post, however. Plugin Reviewed: Userpages for MyBB Plugin Version: 1.0 (last updated 7th June 2011) Plugin Author: euantor
Author	Message