fixes #2046 avoid strip_tags if pwg_token is provided

* pwg.categories.setInfo
* pwg.categories.add
* pwg.images.setInfo

admin/themes/default/js/cat_modify.js

@@ -73,6 +73,7 @@ jQuery(document).ready(function() {
         comment: $("#cat-comment").val(),
         visible: $("#cat-locked").is(":checked") ? 'false' : 'true',
         commentable: $("#cat-commentable").is(":checked") ? "true":"false",
+        pwg_token: pwg_token,
       },
       success:function(data) {
         if (data.stat == "ok") {

include/ws_functions/pwg.categories.php

@@ -670,6 +670,11 @@ function ws_categories_add($params, &$service)
 
   global $conf;
 
+  if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   if (!empty($params['position']) and in_array($params['position'], array('first','last')))
   {
     //TODO make persistent with user prefs
@@ -684,12 +689,11 @@ function ws_categories_add($params, &$service)
 
   if (!empty($params['comment']))
   {
-    // TODO do not strip tags if pwg_token is provided (and valid)
-    $options['comment'] = strip_tags($params['comment']);
+    $options['comment'] = (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params['comment']) : $params['comment'];
   }
   
   $creation_output = create_virtual_category(
-    strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid)
+    (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params['name']) : $params['name'],
     $params['parent'],
     $options
     );
@@ -800,6 +804,13 @@ SELECT id
  */
 function ws_categories_setInfo($params, &$service)
 {
+  global $conf;
+
+  if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   // does the category really exist?
   $query = '
 SELECT *
@@ -854,8 +865,7 @@ SELECT *
     if (isset($params[$key]))
     {
       $perform_update = true;
-      // TODO do not strip tags if pwg_token is provided (and valid)
-      $update[$key] = strip_tags($params[$key]);
+      $update[$key] = (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params[$key]) : $params[$key];
     }
   }
 

include/ws_functions/pwg.images.php

@@ -2292,6 +2292,11 @@ function ws_images_setInfo($params, $service)
 {
   global $conf;
 
+  if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   $query='
@@ -2323,14 +2328,11 @@ SELECT *
   {
     if (isset($params[$key]))
     {
-      if (!$conf['allow_html_descriptions'])
+      if (!$conf['allow_html_descriptions'] or !isset($params['pwg_token']))
       {
         $params[$key] = strip_tags($params[$key], '<b><strong><em><i>');
       }
 
-      // TODO do not strip tags if pwg_token is provided (and valid)
-      $params[$key] = strip_tags($params[$key]);
-
       if ('fill_if_empty' == $params['single_value_mode'])
       {
         if (empty($image_row[$key]))

ws.php

@@ -627,8 +627,9 @@ function ws_addDefaultMethods( $arr )
         'commentable' =>  array('default'=>true,
                                 'type'=>WS_TYPE_BOOL),
         'position' =>     array('default'=>null, 'info'=>'first, last'),
+        'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
         ),
-      'Adds an album.',
+      'Adds an album.<br><br><b>pwg_token</b> required if you want to use HTML in name/comment.',
       $ws_functions_root . 'pwg.categories.php',
       array('admin_only'=>true)
     );
@@ -848,11 +849,13 @@ function ws_addDefaultMethods( $arr )
                                   'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
         'single_value_mode' =>    array('default'=>'fill_if_empty'),
         'multiple_value_mode' =>  array('default'=>'append'),
+        'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
         ),
       'Changes properties of an image.
 <br><b>single_value_mode</b> can be "fill_if_empty" (only use the input value if the corresponding values is currently empty) or "replace"
 (overwrite any existing value) and applies to single values properties like name/author/date_creation/comment.
-<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.',
+<br><b>multiple_value_mode</b> can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.
+<br><b>pwg_token</b> required if you want to use HTML in name/comment/author.',
       $ws_functions_root . 'pwg.images.php',
       array('admin_only'=>true, 'post_only'=>true)
     );
@@ -877,8 +880,9 @@ function ws_addDefaultMethods( $arr )
         'apply_commentable_to_subalbums' =>  array('default'=>null,
                                 'flags'=>WS_PARAM_OPTIONAL,
                                 'info'=>'If true, set commentable to all sub album'),
+        'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
         ),
-      'Changes properties of an album.',
+      'Changes properties of an album.<br><br><b>pwg_token</b> required if you want to use HTML in name/comment.',
       $ws_functions_root . 'pwg.categories.php',
       array('admin_only'=>true, 'post_only'=>true)
     );