XOOPS is a CMS, possibly made as a reaction to the old *(PHP|Nuke)* CMS systems that were infamous for various reasons. Back in 2000, when setting up polarBoing, I thought pre-made off-the-shelf CMSes were a good idea so that I could concentrate on the content rather than spending lots of time on coding and adding fancy features. This is of course good, as many sites have had a quick death due to lots of thinking about design and features, but not realizing the only thing users care about is content, content, content.
Since I'm part of the Amiga community and we still don't have a modern browser that does CSS or anything beyond HTML 3.2/4.01, most of the time I use off-the-shelf products I end up modifying a lot of their "clever" template or style code to make it at least halfway usable in non-CSS browsers, for example AROS-Exec and Aminet wiki. This is somewhat tiresome and sometimes I end up making my own solutions instead, like the webpages for uka.no in 2003 or UtilityBase. The Aminet Wiki is Mediawiki with its own theme and some hacks in the code to be able to add some table-based layout without breaking stuff for modern browsers. AROS-Exec is a stock Xoops2 with a tailored theme.
Anyway, when setting up AROS-Exec, a community site for AROS users, I suggested using the heavily modified CMS I already used for polarBoing.com. This was mainly PHP-Nuke, which I got sick and tired of keeping up to date, adding patches and hacks to fix security errors and of course re-implementing features I had added when official updates finally came around. After some years it had turned out to be usable though. Unluckily I was told to use something modern and nice, so we ended up on Xoops2, which was one major version "better" than regular Xoops that was used on sites like Amigaworld.net and Amiga.org.
Xoops2 actually has some nice features, with quite a few 3rd party modules that can be added due to the CMS' nature. Unfortunately it has quite a few annoying features too, like security holes and a structure/system that is complicated and hard to get familiar with to add hacks and patches, and for instance I've still not been able to let people log in and stay logged in for longer than a given period. For some reason the maintainers think logging out people every 30 minutes or so is good. (Most of the sites I use or make let you be remembered "for ever").
In addition there is no IRC channel to get support or quickly provide patches for the maintainers or other users. The maintainers refuse to use IRC as it "can't be archived" and "does not provide a central search", which is just nonsense, of course. Besides, one can still have an IRC channel to give instant support or let users support themselves in a quick fashion in addition to their preferred method, namely forums that require registration.
Anyway, the latest problem that led me to write this rant about Xoops2 was the following. I moved a site from server A to server B, and everything seemed to work OK. Except some days later, when it was reported that the post count for all users was set to -1. This meant that no user had access to post in the forums (you need a post karma of minimum 0). Paranoid as I am, I thought it was some kind of security hole that someone had exploited and quickly surfed over to Xoops.org to see if the current 2.2 branch we used had any security errors.
The 2.2 branch, which was previously said to be the natural upgrade from 2.0 and that supposedly had many improvements planned, was suddenly discontinued, and the only thing I found was the latest 2.0.14rc1 version, which was a long-awaited fix/upgrade for 2.0 "to make a smooth transition to 2.3". They also encouraged 2.2 people to go back to 2.0. Since I still thought there could've been some holes in our 2.2, I did what I could to downgrade to 2.0. Searching forums for a while led me to a script that supposedly helped one downgrade. From a different 2.2.x version of course, but I decided to give it a try. It did work, kind of, except I got some weird questions about templates that were to be merged and some cryptic errors here and there. After trying the site, things seemed to work OK, except some small changes needed to be done in some templates and some parts of the database.
Everything seemed OK, but one thing. When people previewed their posts, all the BBCode was translated to HTML code in the preview form, which led people to post HTML messages rather than BBCode messages, and since the post was not marked as being an HTML message, the literal HTML code appeared instead. Editing of messages worked OK, and simply posting BBCode messages also worked, but preview was b0rken.
Like I said earlier, the code of Xoops2 is not exactly clearly set out. After wading through forums and Google I saw people have had the same problems in the combination of the newbb module, which really is CBB aka NewBB2. Of course none of these forums had any answers and I was not ready to register and do a "me too". So, I finally gave in and tried to sort it out by myself.
The error was strange because the variable used when posting and previewing was the same $_POST['message'] one. But after some echo-debugging I found the culprit. A function that is supposed to return a massaged version of a variable, also changed the variable that was passed. The function was declared with & in front of the variable and it probably altered the variable inside the function.
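The side effect described above, and the temporary-variable workaround the post applies next, reduced to a stand-alone PHP sketch. This is an added example, not XOOPS or newbb code: the function names, the single [b] rule and the sample message are constructed for illustration.

```php
<?php
// Constructed stand-in for a sanitizer method that takes its argument by
// reference. Names and the single [b] rule are illustrative, not XOOPS code.
function preview_by_ref(string &$text): string
{
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $text = preg_replace('~\[b\](.*?)\[/b\]~s', '<b>$1</b>', $text);
    return $text; // the caller's variable has been rewritten as well
}

// Same transformation with a by-value parameter: no side effect on the caller.
function preview_by_val(string $text): string
{
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return preg_replace('~\[b\](.*?)\[/b\]~s', '<b>$1</b>', $text);
}

// Constructed request data standing in for $_POST.
$post = ['message' => '[b]hello[/b] & <i>world</i>'];

// 1. Request field passed straight in: the field itself now holds HTML,
//    so a form refilled from it shows markup instead of bbcode.
$req = $post;
$preview = preview_by_ref($req['message']);
echo "direct call, field changed: ";
var_dump($req['message'] !== $post['message']);

// 2. Temporary copy: only the copy is rewritten.
$req = $post;
$tmp = $req['message'];
$preview = preview_by_ref($tmp);
echo "temp copy, field changed:   ";
var_dump($req['message'] !== $post['message']);

// 3. By-value signature: the side effect is gone at the source.
$req = $post;
$preview = preview_by_val($req['message']);
echo "by value, field changed:    ";
var_dump($req['message'] !== $post['message']);

// Sanitising an already-sanitised value a second time double-encodes it,
// which is how in-place mutation corrupts stored or re-rendered text.
$once = preview_by_val($post['message']);
echo preview_by_val($once), "\n";
```

Searching a code base for sanitizer or escaping functions whose parameters are declared with & is a quick way to find other call sites where a request value is silently replaced by its encoded form.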
Got to love when something that is returning something also edits the in-parameters. I know some C functions do this, but then you pass pointers explicitly and they tell you explicitly in the docs. Anyway, this was the solution to it (I didn't dare to "fix" the function as maybe other modules or functionality relied on the "feature".) A temporary variable did the trick in modules/newbb/post.php:
$myts =& MyTextSanitizer::getInstance(); $p_subject = $myts->htmlSpecialChars($myts->stripSlashesGPC($_POST['subject'])); $dosmiley = empty($_POST['dosmiley']) ? 0 : 1; $dohtml = empty($_POST['dohtml']) ? 0 : 1; $doxcode = empty($_POST['doxcode']) ? 0 : 1; $dobr = empty($_POST['dobr']) ? 0 : 1; + $temp_message = $_POST['message']; // To avoid conversion of bbcode done in previewTareas(&text,...) from module.textsanitizer.php $p_message = $myts->previewTarea($temp_message,$dohtml,$dosmiley,$doxcode,1,$dobr); echo "<table cellpadding='4' cellspacing='1' width='98%' class='outer'>"; echo "<tr><td class='head'>".$p_subject."</td></tr>";
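Review bot: the comment on the added $temp_message = $_POST['message']; line names previewTareas(&text,...), but the call on the following line is $myts->previewTarea(...); match the comment to the real method name so a later reader can find the by-reference parameter it warns about. The copy protects only this one call site in modules/newbb/post.php, so any other caller that passes a request field straight into previewTarea keeps the same side effect; a note on the method itself, or a by-value signature once its callers have been checked, would cover them too. Also worth confirming: $p_subject is explicitly run through stripSlashesGPC and htmlSpecialChars before it is echoed, while the message relies entirely on what previewTarea does internally.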