Corey reported four XSS vulnerabilities in B2Evo, with instructions for patching. Did the patches.
Each post title in the report table is now preceded by a small page image linking directly to the post itself. We can now use the report tool as another type of search engine to find a post and then jump to it.
Took a bit longer than it should to do this because I'm sick in bed and not firing on all cylinders.
I spent a little time playing with the system and thinking about the reports, and it seems to me that we need to include in each report item (i.e. blog posting) a link back to the original posting. I'm already using the reporting interface to find stuff in previous posts, so being able to jump back to it will be handy.
Other than that, I think we have a system we can work with for a few months, till we're used to it, and then we can revisit it and perhaps do some more customization.
Minutes worked on getting report format working
In the process of working on the report backend, I discovered some problems with the language settings. Users can choose to post in various languages, according to the locale they choose, and then their posts will be stored in that charset. When any page combines posts from different locales, some characters will be garbled. This needs to be fixed, but the nature of the system is such that it can't be fixed without re-working the entire language system of B2Evo. This requires substantial research ahead of time. Discussed this at length with Greg.
Finished the core PHP for reports:
- Finished tidying up the SQL (stripping off a WHERE at the end where no params were supplied, so a query for everything now works).
- Added some controls for what columns should be included in the table.
- Rewrote the output code to respond to those controls.
- Added header and closing tag generation for the standalone page, based on code in /blogs/a_noskin.php.
- Tested the standalone page for validation errors; found lots, mainly due to ampersands etc. not being escaped. Fixed those.
- Hooked in the CSS and JS for the report form. Kept it absolutely simple (no fonts specified, for instance), because it is a report and shouldn't really be decorative. Most often it will be saved and massaged in another program.
- Tested and tweaked.
(Worked with Stew for some of the time.)
Posting minutes: I worked yesterday with Martin on reporting backend
Worked on the reporting backend:
- With David and Stew's help, got the SQL query building worked out. We were hampered by the fact that we're on MySQL 4.0, so we don't have embedded SELECT available, and bracketing is a little unusual; ended up writing lots of pre-queries which are executed before the main query.
- Got the query working correctly, with the exception of trapping for when no selections are made; that should probably be prevented in JavaScript.
- Got the basic table output built.
- Added a permalink to a URL which will consist only of the report. Only the shell of this is done; the reports.php page can tell when it's a standalone, and it will supply header and footer eventually.
- Wrote the arithmetic stuff for figuring out minutes worked for all retrieved posts.
- Confirmed that the hooked-in CSS file is working (CSS is not written yet).
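The two recurring points in these entries, appending a WHERE clause only when the form actually supplied filters and escaping every cell before it reaches the report table, can be shown together in one small PHP example. This is added illustration, not code from the B2Evolution project or the hcmc_stats backend; the table and column names (hcmc_posts, post_title, post_locale, post_minutes, post_datecreated) and the filter keys are assumed for the example, and the sample rows are constructed.

```php
<?php
// Added example (not B2Evolution's own code). Builds the report SELECT with
// bound placeholders so form values never enter the SQL string, appends WHERE
// only when at least one condition exists, and escapes output cells so the
// standalone report page validates and cannot carry script from post titles.
// Table/column names below are assumed for illustration.

function build_report_query(array $filters): array
{
    $sql = 'SELECT post_ID, post_title, post_minutes FROM hcmc_posts';
    $conditions = [];
    $params = [];

    if (!empty($filters['locales'])) {
        // One "?" per selected locale; the values travel separately as parameters.
        $marks = implode(',', array_fill(0, count($filters['locales']), '?'));
        $conditions[] = "post_locale IN ($marks)";
        $params = array_merge($params, array_values($filters['locales']));
    }
    if (!empty($filters['from'])) {
        $conditions[] = 'post_datecreated >= ?';
        $params[] = $filters['from'];
    }
    if (!empty($filters['to'])) {
        $conditions[] = 'post_datecreated <= ?';
        $params[] = $filters['to'];
    }

    // No conditions means "everything": leave WHERE off rather than emitting a
    // dangling "WHERE" that MySQL rejects.
    if ($conditions) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

function render_report_rows(array $rows): string
{
    $html = '';
    $total = 0;
    foreach ($rows as $row) {
        $minutes = (int) $row['post_minutes'];   // cast keeps the cell numeric
        $total += $minutes;
        $html .= '<tr><td>'
            . htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8')
            . '</td><td>' . $minutes . "</td></tr>\n";
    }
    // Minutes-worked total across all retrieved posts.
    $html .= "<tr><th>Total minutes</th><td>$total</td></tr>\n";
    return $html;
}

// Constructed sample input standing in for the form selection and query result.
[$sql, $params] = build_report_query(['locales' => ['en-US', 'fr-FR'], 'from' => '2006-01-01']);
// $sql is now: SELECT post_ID, post_title, post_minutes FROM hcmc_posts
//              WHERE post_locale IN (?,?) AND post_datecreated >= ?
// $params is:  ['en-US', 'fr-FR', '2006-01-01']
echo $sql, "\n";
echo render_report_rows([
    ['post_title' => 'Tom & Jerry <script>alert(1)</script>', 'post_minutes' => '45'],
    ['post_title' => 'Plain title', 'post_minutes' => '30'],
]);
```

With a PDO connection the pair would be passed as `$stmt = $pdo->prepare($sql); $stmt->execute($params);`. Calling `build_report_query([])` returns the bare SELECT with no WHERE, which is the "query for everything" case mentioned above; the escaped first title renders as literal text rather than markup.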
Modified the following file:
/blogs/skins_adm/evo/_adminUI.class.php
to add a link to a stylesheet which sits in the hcmc_stats folder:
/blogs/inc/CONTROL/hcmc_stats/hcmc_stats.css
Posting minutes: worked with Martin on start of backend for reporting