mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-05-09 14:55:25 +02:00
It avoids any stored XSS between administrators and it's totally useless to have HTML code in the group name.
This commit is contained in:
plegall
+13
-1
@@ -45,6 +45,11 @@ if (isset($_POST['submit_add']))
|
||||
{
|
||||
$page['errors'][] = l10n('The name of a group must not contain " or \' or be empty.');
|
||||
}
|
||||
else
|
||||
{
|
||||
$_POST['groupname'] = strip_tags($_POST['groupname']);
|
||||
}
|
||||
|
||||
if (count($page['errors']) == 0)
|
||||
{
|
||||
// is the group not already existing ?
|
||||
@@ -107,7 +112,7 @@ SELECT name
|
||||
$group_names = array_from_query($query, 'name');
|
||||
foreach($groups as $group)
|
||||
{
|
||||
$_POST['rename_'.$group] = stripslashes($_POST['rename_'.$group]);
|
||||
$_POST['rename_'.$group] = strip_tags(stripslashes($_POST['rename_'.$group]));
|
||||
|
||||
if (in_array($_POST['rename_'.$group], $group_names))
|
||||
{
|
||||
@@ -181,6 +186,8 @@ SELECT name
|
||||
|
||||
if ($action=="merge" and count($groups) > 1)
|
||||
{
|
||||
$_POST['merge'] = strip_tags($_POST['merge']);
|
||||
|
||||
// is the group not already existing ?
|
||||
$query = '
|
||||
SELECT COUNT(*)
|
||||
@@ -268,6 +275,11 @@ SELECT COUNT(*)
|
||||
{
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
$_POST['duplicate_'.$group.''] = strip_tags(stripslashes($_POST['duplicate_'.$group.'']));
|
||||
}
|
||||
|
||||
// is the group not already existing ?
|
||||
$query = '
|
||||
SELECT COUNT(*)
|
||||
|
||||
@@ -128,7 +128,7 @@ $(document).ready(function() {
|
||||
{if not empty($groups)}
|
||||
{foreach from=$groups item=group}
|
||||
<p group_id="{$group.ID}" class="grp_action">
|
||||
<input type="text" class="large" name="rename_{$group.ID}" value="{$group.NAME}" onfocus="this.value=(this.value=='{$group.NAME}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$group.NAME}' : this.value;">
|
||||
<input type="text" class="large" name="rename_{$group.ID}" value="{$group.NAME}">
|
||||
</p>
|
||||
{/foreach}
|
||||
{/if}
|
||||
@@ -137,9 +137,8 @@ $(document).ready(function() {
|
||||
<!-- merge -->
|
||||
<div id="action_merge" class="bulkAction">
|
||||
<p id="two_to_select">{'Please select at least two groups'|@translate}</p>
|
||||
{assign var='mergeDefaultValue' value='Type here the name of the new group'|@translate}
|
||||
<p id="two_atleast">
|
||||
<input type="text" class="large" name="merge" value="{$mergeDefaultValue}" onfocus="this.value=(this.value=='{$mergeDefaultValue}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$mergeDefaultValue}' : this.value;">
|
||||
<input type="text" class="large" name="merge" value="" placeholder="{'Type here the name of the new group'|translate}">
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -150,11 +149,10 @@ $(document).ready(function() {
|
||||
|
||||
<!-- duplicate -->
|
||||
<div id="action_duplicate" class="bulkAction">
|
||||
{assign var='duplicateDefaultValue' value='Type here the name of the new group'|@translate}
|
||||
{if not empty($groups)}
|
||||
{foreach from=$groups item=group}
|
||||
<p group_id="{$group.ID}" class="grp_action">
|
||||
{$group.NAME} > <input type="text" class="large" name="duplicate_{$group.ID}" value="{$duplicateDefaultValue}" onfocus="this.value=(this.value=='{$duplicateDefaultValue}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$duplicateDefaultValue}' : this.value;">
|
||||
{$group.NAME} > <input type="text" class="large" name="duplicate_{$group.ID}" value="" placeholder="{'Type here the name of the new group'|@translate}">
|
||||
</p>
|
||||
{/foreach}
|
||||
{/if}
|
||||
|
||||
Reference in New Issue
Block a user