fixes #1150 prevent HTML code in group name
It avoids any stored XSS between administrators, and it is totally useless to have HTML code in the group name.
@@ -45,6 +45,11 @@ if (isset($_POST['submit_add']))
|
||||
{
|
||||
$page['errors'][] = l10n('The name of a group must not contain " or \' or be empty.');
|
||||
}
|
||||
else
|
||||
{
|
||||
$_POST['groupname'] = strip_tags($_POST['groupname']);
|
||||
}
|
||||
|
||||
if (count($page['errors']) == 0)
|
||||
{
|
||||
// is the group not already existing ?
|
||||
@@ -107,7 +112,7 @@ SELECT name
|
||||
$group_names = array_from_query($query, 'name');
|
||||
foreach($groups as $group)
|
||||
{
|
||||
$_POST['rename_'.$group] = stripslashes($_POST['rename_'.$group]);
|
||||
$_POST['rename_'.$group] = strip_tags(stripslashes($_POST['rename_'.$group]));
|
||||
|
||||
if (in_array($_POST['rename_'.$group], $group_names))
|
||||
{
|
||||
@@ -181,6 +186,8 @@ SELECT name
|
||||
|
||||
if ($action=="merge" and count($groups) > 1)
|
||||
{
|
||||
$_POST['merge'] = strip_tags($_POST['merge']);
|
||||
|
||||
// is the group not already existing ?
|
||||
$query = '
|
||||
SELECT COUNT(*)
|
||||
@@ -268,6 +275,11 @@ SELECT COUNT(*)
|
||||
{
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
$_POST['duplicate_'.$group.''] = strip_tags(stripslashes($_POST['duplicate_'.$group.'']));
|
||||
}
|
||||
|
||||
// is the group not already existing ?
|
||||
$query = '
|
||||
SELECT COUNT(*)
|
||||
|
||||
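Review bot: In the first hunk strip_tags() runs only in the else branch, after the "must not contain quotes or be empty" check above it has already passed, so a name consisting only of markup (for example `<br>`) clears the check and is then stored as an empty string; the duplicate hunk has the same ordering (`break;` in the if branch, strip_tags only in the else). Filter before validating: move `$_POST['groupname'] = strip_tags($_POST['groupname']);` above the if so the existing error message also covers names that become empty after stripping, and do the same for the `duplicate_` case. Keep in mind that strip_tags() removes tags but does not encode `"`, `'` or `<`, and no quote/empty check is visible in the rename and merge hunks (it may sit outside them), so escaping at output in the template remains the primary defence against stored XSS regardless of this input filter. The condition of the if/else and the closing of the enclosing submit_add block are outside the hunk.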
@@ -128,7 +128,7 @@ $(document).ready(function() {
|
||||
{if not empty($groups)}
|
||||
{foreach from=$groups item=group}
|
||||
<p group_id="{$group.ID}" class="grp_action">
|
||||
<input type="text" class="large" name="rename_{$group.ID}" value="{$group.NAME}" onfocus="this.value=(this.value=='{$group.NAME}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$group.NAME}' : this.value;">
|
||||
<input type="text" class="large" name="rename_{$group.ID}" value="{$group.NAME}">
|
||||
</p>
|
||||
{/foreach}
|
||||
{/if}
|
||||
@@ -137,9 +137,8 @@ $(document).ready(function() {
|
||||
<!-- merge -->
|
||||
<div id="action_merge" class="bulkAction">
|
||||
<p id="two_to_select">{'Please select at least two groups'|@translate}</p>
|
||||
{assign var='mergeDefaultValue' value='Type here the name of the new group'|@translate}
|
||||
<p id="two_atleast">
|
||||
<input type="text" class="large" name="merge" value="{$mergeDefaultValue}" onfocus="this.value=(this.value=='{$mergeDefaultValue}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$mergeDefaultValue}' : this.value;">
|
||||
<input type="text" class="large" name="merge" value="" placeholder="{'Type here the name of the new group'|translate}">
|
||||
</p>
|
||||
</div>
|
||||
|
||||
@@ -150,11 +149,10 @@ $(document).ready(function() {
|
||||
|
||||
<!-- duplicate -->
|
||||
<div id="action_duplicate" class="bulkAction">
|
||||
{assign var='duplicateDefaultValue' value='Type here the name of the new group'|@translate}
|
||||
{if not empty($groups)}
|
||||
{foreach from=$groups item=group}
|
||||
<p group_id="{$group.ID}" class="grp_action">
|
||||
{$group.NAME} > <input type="text" class="large" name="duplicate_{$group.ID}" value="{$duplicateDefaultValue}" onfocus="this.value=(this.value=='{$duplicateDefaultValue}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$duplicateDefaultValue}' : this.value;">
|
||||
{$group.NAME} > <input type="text" class="large" name="duplicate_{$group.ID}" value="" placeholder="{'Type here the name of the new group'|@translate}">
|
||||
</p>
|
||||
{/foreach}
|
||||
{/if}
|
||||
|
||||
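Review bot: `value="{$group.NAME}"` on the new rename input and `{$group.NAME} >` before the new duplicate input still emit the group name with no escape modifier, so the attribute and text contexts rely entirely on the server-side strip_tags(), which removes tags but leaves `"` untouched. Unless this template engine escapes HTML by default (not visible here), prefer `{$group.NAME|escape:'html'}` in both places as the durable defence, independent of whatever input filtering the PHP side does. Dropping the inline onfocus/onblur handlers that interpolated the name into a JavaScript string inside an attribute is the right change. Minor style point: the merge placeholder uses `|translate` while the duplicate placeholder uses `|@translate`; pick one form.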