fixes #871, CVE-2018-7722 strip tags on methods pwg.categories.add, pwg.categories.setInfo, pwg.images.setInfo

Adding pwg_token would be a better solution but would break remote applications (like the iOS app)

include/ws_functions/pwg.categories.php

@@ -565,11 +565,12 @@ function ws_categories_add($params, &$service)
 
   if (!empty($params['comment']))
   {
-    $options['comment'] = $params['comment'];
+    // TODO do not strip tags if pwg_token is provided (and valid)
+    $options['comment'] = strip_tags($params['comment']);
   }
 
   $creation_output = create_virtual_category(
-    $params['name'],
+    strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid)
     $params['parent'],
     $options
     );
@@ -634,7 +635,8 @@ SELECT *
     if (isset($params[$key]))
     {
       $perform_update = true;
-      $update[$key] = $params[$key];
+      // TODO do not strip tags if pwg_token is provided (and valid)
+      $update[$key] = strip_tags($params[$key]);
     }
   }
 

include/ws_functions/pwg.images.php

@@ -1648,6 +1648,9 @@ SELECT *
         $params[$key] = strip_tags($params[$key], '<b><strong><em><i>');
       }
 
+      // TODO do not strip tags if pwg_token is provided (and valid)
+      $params[$key] = strip_tags($params[$key]);
+
       if ('fill_if_empty' == $params['single_value_mode'])
       {
         if (empty($image_row[$key]))