
Commit c1e28b5

committed
fix(attach/tags): better sanitization
1 parent 8355e20 commit c1e28b5

2 files changed

+10
-9
lines changed

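--- a/tools/attach/libs/attach.lib.php
+++ b/tools/attach/libs/attach.lib.php
@@ -659,7 +659,8 @@ public function showUpdateLink()
 */
 public function showFileNotExits()
 {
-echo '<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$this->file") . '" class="btn btn-primary"><i class="fa fa-upload icon-upload icon-white"></i> ' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>';
+$filename = htmlspecialchars($this->file);
+echo '<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$filename") . '" class="btn btn-primary"><i class="fa fa-upload icon-upload icon-white"></i> ' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>';
 }
 
 /**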
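Review bot: The escaped name is only used for the `file=` query parameter; the link text at the end of the same `echo` still concatenates the raw `$this->file` into the HTML body, so a filename containing `<` or `"` is emitted unescaped there. Reuse the escaped value in that position: `. _t('UPLOAD_FILE') . ' ' . $filename . '</a>';`. htmlspecialchars() is an HTML-context encoder rather than a URL one; unless `$this->wiki->href()` URL-encodes its extra parameter itself (not visible here), the query value should be built from `rawurlencode($this->file)` and the returned URL escaped once for the attribute, and passing `ENT_QUOTES` to htmlspecialchars() would also cover single-quoted attribute contexts. The whole of showFileNotExits() sits inside this hunk.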

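--- a/tools/tags/services/TagsManager.php
+++ b/tools/tags/services/TagsManager.php
@@ -30,7 +30,7 @@ public function deleteAll($page)
 if ($this->securityController->isWikiHibernated()) {
 throw new \Exception(_t('WIKI_IN_HIBERNATION'));
 }
-//on recupere les anciens tags de la page courante
+// on recupere les anciens tags de la page courante
 $tabtagsexistants = $this->tripleStore->getAll($page, 'http://outils-reseaux.org/_vocabulary/tag', '', '');
 if (is_array($tabtagsexistants)) {
 foreach ($tabtagsexistants as $tab) {
@@ -49,29 +49,29 @@ public function save($page, $liste_tags)
 // TODO check if we need to escape here, or if we can do that in the tripleStore methods
 $tags = explode(',', $this->dbService->escape(_convert($liste_tags, YW_CHARSET, true)));
 
-//on recupere les anciens tags de la page courante
+// on recupere les anciens tags de la page courante
 $tabtagsexistants = $this->tripleStore->getAll($page, 'http://outils-reseaux.org/_vocabulary/tag', '', '');
 if (is_array($tabtagsexistants)) {
 foreach ($tabtagsexistants as $tab) {
 $tags_restants_a_effacer[] = $tab['value'];
 }
 }
 
-//on ajoute le tag s il n existe pas déjà
+// on ajoute le tag s il n existe pas déjà
 foreach ($tags as $tag) {
 trim($tag);
 if ($tag != '') {
-if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '')) {
-$this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '');
+if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', htmlspecialchars($tag), '', '')) {
+$this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', htmlspecialchars($tag), '', '');
 }
-//on supprime ce tag du tableau des tags restants a effacer
+// on supprime ce tag du tableau des tags restants a effacer
 if (isset($tags_restants_a_effacer)) {
 unset($tags_restants_a_effacer[array_search($tag, $tags_restants_a_effacer)]);
 }
 }
 }
 
-//on supprime les tags restants a effacer
+// on supprime les tags restants a effacer
 if (isset($tags_restants_a_effacer)) {
 foreach ($tags_restants_a_effacer as $tag) {
 $this->tripleStore->delete($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '');
@@ -107,7 +107,7 @@ public function getPagesByTags($tags = '', $type = '', $nb = '', $tri = '')
 $req .= ' GROUP BY resource ';
 $req .= ' HAVING COUNT(resource)=' . $nbdetags . ') ';
 
-//gestion du tri de l'affichage
+// gestion du tri de l'affichage
 if ($tri == 'alpha') {
 $req .= ' ORDER BY tag ASC ';
 } elseif ($tri == 'date') {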
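Review bot: The escaped form is now what exist()/create() store, but the bookkeeping line `unset($tags_restants_a_effacer[array_search($tag, $tags_restants_a_effacer)]);` still compares the raw `$tag` against the stored values, so for any tag containing `&`, `<`, `>` or `"` the search fails: array_search() returns false, `unset($arr[false])` silently drops index 0 (an unrelated tag from the to-delete list), and the escaped tag itself stays in `$tags_restants_a_effacer` and is removed by the delete loop at the bottom of the hunk on every subsequent save. Escape once into a local, use it for exist/create and for the search, and test for false before the unset; the same loop also calls `trim($tag)` without assigning its result, so surrounding whitespace is never stripped. Persisting HTML-escaped text in the triple store, on top of `$this->dbService->escape()`, mixes output encoding into storage — escaping at render time would be the cleaner long-term fix, but the rewrite below keeps the commit's approach. save() begins and ends outside this hunk.

```php
// … unchanged: collection of $tags_restants_a_effacer …
foreach ($tags as $tag) {
    $tag = trim($tag);
    if ($tag != '') {
        // one escaped form, used both for storage and for matching the stored values
        $storedTag = htmlspecialchars($tag);
        if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', $storedTag, '', '')) {
            $this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', $storedTag, '', '');
        }
        // on supprime ce tag du tableau des tags restants a effacer
        if (isset($tags_restants_a_effacer)) {
            $idx = array_search($storedTag, $tags_restants_a_effacer, true);
            if ($idx !== false) {
                unset($tags_restants_a_effacer[$idx]);
            }
        }
    }
}
// … unchanged: deletion of the remaining tags …
```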
