fixes #2046 avoid strip_tags if pwg_token is provided

* pwg.categories.setInfo
* pwg.categories.add
* pwg.images.setInfo
plegall
2023-11-23 19:45:54 +01:00
parent 4ddba31f24
commit eb0759ef12
4 changed files with 29 additions and 12 deletions
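--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -73,6 +73,7 @@ jQuery(document).ready(function() {
 comment: $("#cat-comment").val(),
 visible: $("#cat-locked").is(":checked") ? 'false' : 'true',
 commentable: $("#cat-commentable").is(":checked") ? "true":"false",
+pwg_token: pwg_token,
 },
 success:function(data) {
 if (data.stat == "ok") {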
+15 -5
@@ -670,6 +670,11 @@ function ws_categories_add($params, &$service)
global $conf; global $conf;
if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
{
return new PwgError(403, 'Invalid security token');
}
if (!empty($params['position']) and in_array($params['position'], array('first','last'))) if (!empty($params['position']) and in_array($params['position'], array('first','last')))
{ {
//TODO make persistent with user prefs //TODO make persistent with user prefs
@@ -684,12 +689,11 @@ function ws_categories_add($params, &$service)
if (!empty($params['comment'])) if (!empty($params['comment']))
{ {
// TODO do not strip tags if pwg_token is provided (and valid) $options['comment'] = (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params['comment']) : $params['comment'];
$options['comment'] = strip_tags($params['comment']);
} }
$creation_output = create_virtual_category( $creation_output = create_virtual_category(
strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid) (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params['name']) : $params['name'],
$params['parent'], $params['parent'],
$options $options
); );
@@ -800,6 +804,13 @@ SELECT id
*/ */
function ws_categories_setInfo($params, &$service) function ws_categories_setInfo($params, &$service)
{ {
global $conf;
if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
{
return new PwgError(403, 'Invalid security token');
}
// does the category really exist? // does the category really exist?
$query = ' $query = '
SELECT * SELECT *
@@ -854,8 +865,7 @@ SELECT *
if (isset($params[$key])) if (isset($params[$key]))
{ {
$perform_update = true; $perform_update = true;
// TODO do not strip tags if pwg_token is provided (and valid) $update[$key] = (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params[$key]) : $params[$key];
$update[$key] = strip_tags($params[$key]);
} }
} }
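Review bot: The token check added at the top of ws_categories_add, `if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])`, compares a secret with a loose `!=`, which PHP evaluates numerically when both operands look numeric and which is not constant-time; the identical line is repeated in ws_categories_setInfo below and in ws_images_setInfo in the next file. A string-safe, constant-time form is `if (isset($params['pwg_token']) and !hash_equals((string) get_pwg_token(), (string) $params['pwg_token']))`. Because the check only runs when the parameter is present, the later `!isset($params['pwg_token'])` tests are what gate the raw-HTML path, and a one-line comment at those ternaries such as `// a token that reached this point has already been validated above` would make that dependency visible to the next reader. The same ternary is written three times in this file; a small private helper taking the value, `$params` and `$conf` would keep the two conditions from drifting apart.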
+6 -4
@@ -2292,6 +2292,11 @@ function ws_images_setInfo($params, $service)
{ {
global $conf; global $conf;
if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
{
return new PwgError(403, 'Invalid security token');
}
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
$query=' $query='
@@ -2323,14 +2328,11 @@ SELECT *
{ {
if (isset($params[$key])) if (isset($params[$key]))
{ {
if (!$conf['allow_html_descriptions']) if (!$conf['allow_html_descriptions'] or !isset($params['pwg_token']))
{ {
$params[$key] = strip_tags($params[$key], '<b><strong><em><i>'); $params[$key] = strip_tags($params[$key], '<b><strong><em><i>');
} }
// TODO do not strip tags if pwg_token is provided (and valid)
$params[$key] = strip_tags($params[$key]);
if ('fill_if_empty' == $params['single_value_mode']) if ('fill_if_empty' == $params['single_value_mode'])
{ {
if (empty($image_row[$key])) if (empty($image_row[$key]))
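Review bot: The token-less path at `if (!$conf['allow_html_descriptions'] or !isset($params['pwg_token']))` no longer ends with the unconditional `strip_tags($params[$key])` that the commit removes, so a caller without a token now keeps `<b><strong><em><i>` tags where the previous code kept none, and strip_tags does not remove attributes from the tags it allows. If that relaxation is unintended, the branch should fall back to a full strip when no token is present, e.g. `$params[$key] = isset($params['pwg_token']) ? strip_tags($params[$key], '<b><strong><em><i>') : strip_tags($params[$key]);` in place of the current assignment; if it is intended, the method description registered in the last file of this commit should say so. The enclosing loop of ws_images_setInfo starts before this hunk and continues after it.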
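--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -627,8 +627,9 @@ function ws_addDefaultMethods( $arr )
 'commentable' => array('default'=>true,
 'type'=>WS_TYPE_BOOL),
 'position' => array('default'=>null, 'info'=>'first, last'),
+'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
 ),
-'Adds an album.',
+'Adds an album.<br><br><b>pwg_token</b> required if you want to use HTML in name/comment.',
 $ws_functions_root . 'pwg.categories.php',
 array('admin_only'=>true)
 );
@@ -848,11 +849,13 @@ function ws_addDefaultMethods( $arr )
 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
 'single_value_mode' => array('default'=>'fill_if_empty'),
 'multiple_value_mode' => array('default'=>'append'),
+'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
 ),
 'Changes properties of an image.
 <br><b>single_value_mode</b> can be "fill_if_empty" (only use the input value if the corresponding values is currently empty) or "replace"
 (overwrite any existing value) and applies to single values properties like name/author/date_creation/comment.
-<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.',
+<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.
+<br><b>pwg_token</b> required if you want to use HTML in name/comment/author.',
 $ws_functions_root . 'pwg.images.php',
 array('admin_only'=>true, 'post_only'=>true)
 );
@@ -877,8 +880,9 @@ function ws_addDefaultMethods( $arr )
 'apply_commentable_to_subalbums' => array('default'=>null,
 'flags'=>WS_PARAM_OPTIONAL,
 'info'=>'If true, set commentable to all sub album'),
+'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
 ),
-'Changes properties of an album.',
+'Changes properties of an album.<br><br><b>pwg_token</b> required if you want to use HTML in name/comment.',
 $ws_functions_root . 'pwg.categories.php',
 array('admin_only'=>true, 'post_only'=>true)
 );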
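Review bot: pwg.categories.add now accepts `pwg_token`, but its registration options at `array('admin_only'=>true)` lack `'post_only'=>true`, unlike the two setInfo methods below, so the token may be sent in a GET query string and end up in server logs, browser history and Referer headers. Consider `array('admin_only'=>true, 'post_only'=>true)` for that registration as well; whether the ajax caller in the first file of this commit already posts is not visible in its hunk, so existing callers would need checking first. The three `'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL)` entries could also carry an `'info'` string stating that the token is the admin session token and what it unlocks, as the `position` parameter does.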