mirrors/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2025-04-29 12:49:57 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixed #1701 escaped " ' " for album creation and edit

Browse source
This commit is contained in:
Matthieu Leproux 2022-09-26 14:47:42 +02:00
parent 4d81d28eca
commit d0e32547db
2 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
admin/cat_modify.php
View file

@ -107,6 +107,7 @@ if (isset($_POST['submit']))
@$_POST['comment'] : strip_tags(@$_POST['comment']), @$_POST['comment'] : strip_tags(@$_POST['comment']),
); );
$data['name'] = pwg_db_real_escape_string($data['name']);
if ($conf['activate_comments']) if ($conf['activate_comments'])
{ {
$data['commentable'] = isset($_POST['commentable'])? 'true':'false'; $data['commentable'] = isset($_POST['commentable'])? 'true':'false';
@ -211,7 +212,7 @@ if (!empty($category['id_uppercat']))
$template->assign( $template->assign(
array( array(
'CATEGORIES_NAV' => preg_replace("# {2,}#"," ",preg_replace("#(\r\n|\n\r|\n|\r)#"," ",$navigation)), 'CATEGORIES_NAV' => preg_replace("# {2,}#"," ",preg_replace("#(\r\n|\n\r|\n|\r)#"," ",pwg_db_real_escape_string($navigation))),
'CAT_ID' => $category['id'], 'CAT_ID' => $category['id'],
'CAT_NAME' => @htmlspecialchars($category['name']), 'CAT_NAME' => @htmlspecialchars($category['name']),
'CAT_COMMENT' => @htmlspecialchars($category['comment']), 'CAT_COMMENT' => @htmlspecialchars($category['comment']),

1
include/ws_functions/pwg.categories.php
View file

@ -648,6 +648,7 @@ function ws_categories_add($params, &$service)
$options['comment'] = strip_tags($params['comment']); $options['comment'] = strip_tags($params['comment']);
} }
$params['name'] = pwg_db_real_escape_string($params['name']);
$creation_output = create_virtual_category( $creation_output = create_virtual_category(
strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid) strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid)
$params['parent'], $params['parent'],