diff --git a/admin/themes/default/js/cat_modify.js b/admin/themes/default/js/cat_modify.js
index 4fcaa562d..156eac782 100644
--- a/admin/themes/default/js/cat_modify.js
+++ b/admin/themes/default/js/cat_modify.js
@@ -73,6 +73,7 @@ jQuery(document).ready(function() {
 comment: $("#cat-comment").val(),
 visible: $("#cat-locked").is(":checked") ? 'false' : 'true',
 commentable: $("#cat-commentable").is(":checked") ? "true":"false",
+ pwg_token: pwg_token,
 },
 success:function(data) {
 if (data.stat == "ok") {
diff --git a/include/ws_functions/pwg.categories.php b/include/ws_functions/pwg.categories.php
index 48fa441ff..ab61d6d4d 100644
--- a/include/ws_functions/pwg.categories.php
+++ b/include/ws_functions/pwg.categories.php
@@ -670,6 +670,11 @@ function ws_categories_add($params, &$service)
 global $conf;
+ if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 if (!empty($params['position']) and in_array($params['position'], array('first','last')))
 {
 //TODO make persistent with user prefs
@@ -684,12 +689,11 @@ function ws_categories_add($params, &$service)
 if (!empty($params['comment']))
 {
- // TODO do not strip tags if pwg_token is provided (and valid)
- $options['comment'] = strip_tags($params['comment']);
+ $options['comment'] = (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params['comment']) : $params['comment'];
 }
 $creation_output = create_virtual_category(
- strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid)
+ (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params['name']) : $params['name'],
 $params['parent'],
 $options
 );
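Review bot: The added `pwg_token: pwg_token,` reads an identifier that nothing in this hunk declares; presumably the admin template emits a global holding the current token, but if it is absent on this page the ready handler throws a ReferenceError before the request is sent. Confirm the template defines it here, and since the server now answers a stale or wrong token with a 403 PwgError instead of silently stripping tags, check that the non-ok branch of the `success` callback (outside the hunk) surfaces the error carried in `data` to the user.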
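Review bot: The added token check compares with `!=`, which is a loose and non-constant-time comparison: PHP compares two numeric-looking strings numerically, so the check is weaker than an exact byte comparison of the two tokens. Compare with `hash_equals()` and make sure both operands are strings first, `if (isset($params['pwg_token']) and (!is_string($params['pwg_token']) or !hash_equals(get_pwg_token(), $params['pwg_token'])))`. The same five lines are copied into ws_categories_setInfo and ws_images_setInfo in this commit; a small shared helper would keep the three checks identical when one of them is tightened. The rest of ws_categories_add continues outside the hunk.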
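Review bot: The condition `!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])` is spelled out twice in this hunk (for `comment` and for `name`) and the rule it encodes — raw HTML is kept only when the site allows HTML descriptions and the caller supplied a token, which the check earlier in the function has already validated — is not stated anywhere. Compute it once with a comment, `// keep HTML only when the site allows it and a valid pwg_token was supplied (checked above)` and `$keep_html = $conf['allow_html_descriptions'] && isset($params['pwg_token']);`, then use `$keep_html ? $params['comment'] : strip_tags($params['comment'])` in both places. Note that `&&` rather than `and` is needed in that assignment, because `and` binds weaker than `=` and would assign only the first operand. The same ternary recurs in the ws_categories_setInfo hunk below.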
@@ -800,6 +804,13 @@ SELECT id
 */
 function ws_categories_setInfo($params, &$service)
 {
+ global $conf;
+
+ if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 // does the category really exist?
 $query = '
 SELECT *
@@ -854,8 +865,7 @@ SELECT *
 if (isset($params[$key]))
 {
 $perform_update = true;
- // TODO do not strip tags if pwg_token is provided (and valid)
- $update[$key] = strip_tags($params[$key]);
+ $update[$key] = (!$conf['allow_html_descriptions'] or !isset($params['pwg_token'])) ? strip_tags($params[$key]) : $params[$key];
 }
 }
diff --git a/include/ws_functions/pwg.images.php b/include/ws_functions/pwg.images.php
index 27a198238..48bec1e1a 100644
--- a/include/ws_functions/pwg.images.php
+++ b/include/ws_functions/pwg.images.php
@@ -2292,6 +2292,11 @@ function ws_images_setInfo($params, $service)
 {
 global $conf;
+ if (isset($params['pwg_token']) and get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 $query='
@@ -2323,14 +2328,11 @@ SELECT *
 {
 if (isset($params[$key]))
 {
- if (!$conf['allow_html_descriptions'])
+ if (!$conf['allow_html_descriptions'] or !isset($params['pwg_token']))
 {
 $params[$key] = strip_tags($params[$key], '');
 }
- // TODO do not strip tags if pwg_token is provided (and valid)
- $params[$key] = strip_tags($params[$key]);
-
 if ('fill_if_empty' == $params['single_value_mode'])
 {
 if (empty($image_row[$key]))
diff --git a/ws.php b/ws.php
index 2ee49565e..f49ff8e74 100644
--- a/ws.php
+++ b/ws.php
@@ -627,8 +627,9 @@ function ws_addDefaultMethods( $arr )
 'commentable' => array('default'=>true, 'type'=>WS_TYPE_BOOL),
 'position' => array('default'=>null, 'info'=>'first, last'),
+ 'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL),
 ),
- 'Adds an album.',
+ 'Adds an album.
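Review bot: The same allow-HTML rule is now written two ways in this commit — an in-place `if` around `strip_tags($params[$key], '')` here and a ternary in pwg.categories.php — so a reader cannot tell at a glance that the two agree, and the empty second argument to `strip_tags` is the same as omitting it. Naming the condition once above the loop, `$keep_html = $conf['allow_html_descriptions'] && isset($params['pwg_token']);` with a comment that the token was already validated at the top of ws_images_setInfo, and writing `if (!$keep_html)` here would document the rule and stop re-evaluating it for every key. The enclosing loop over `$key` starts outside the hunk.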

pwg_token required if you want to use HTML in name/comment.', $ws_functions_root . 'pwg.categories.php', array('admin_only'=>true) ); @@ -848,11 +849,13 @@ function ws_addDefaultMethods( $arr ) 'type'=>WS_TYPE_INT|WS_TYPE_POSITIVE), 'single_value_mode' => array('default'=>'fill_if_empty'), 'multiple_value_mode' => array('default'=>'append'), + 'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL), ), 'Changes properties of an image.
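Review bot: The added description `pwg_token required if you want to use HTML in name/comment.` overstates what the token does: the server-side change in pwg.categories.php keeps HTML only when `allow_html_descriptions` is also enabled in the configuration, and a wrong token is rejected with a 403 rather than silently stripped. Suggest `pwg_token required if you want to use HTML in name/comment (only honoured when allow_html_descriptions is enabled; an invalid token is rejected with 403).` The same wording is added for the image and album setInfo descriptions in the next two hunks and should be adjusted there too.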
single_value_mode can be "fill_if_empty" (only use the input value if the corresponding values is currently empty) or "replace" (overwrite any existing value) and applies to single values properties like name/author/date_creation/comment. -
multiple_value_mode can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories.', +
multiple_value_mode can be "append" (no change on existing values, add the new values) or "replace" and applies to multiple values properties like tag_ids/categories. +
pwg_token required if you want to use HTML in name/comment/author.', $ws_functions_root . 'pwg.images.php', array('admin_only'=>true, 'post_only'=>true) ); @@ -877,8 +880,9 @@ function ws_addDefaultMethods( $arr ) 'apply_commentable_to_subalbums' => array('default'=>null, 'flags'=>WS_PARAM_OPTIONAL, 'info'=>'If true, set commentable to all sub album'), + 'pwg_token' => array('flags'=>WS_PARAM_OPTIONAL), ), - 'Changes properties of an album.', + 'Changes properties of an album.

pwg_token required if you want to use HTML in name/comment.', $ws_functions_root . 'pwg.categories.php', array('admin_only'=>true, 'post_only'=>true) );