Sanitize categories and tags

2017-11-01 19:38:56 +01:00 · 2017-11-01 19:38:56 +01:00 · d0c3f369aa
parent 2714560170
commit d0c3f369aa
8 changed files with 111 additions and 94 deletions
--- a/bl-kernel/abstract/dblist.class.php
+++ b/bl-kernel/abstract/dblist.class.php
@ -62,18 +62,27 @@ class dbList extends dbJSON
 	public function generateKey($name)
 	{
-		return Text::cleanUrl($name);
+		$key = Text::cleanUrl($name);
 		if (empty($key)) {
 			return false;
 		}
 		return $key;
 	}
 	public function add($name)
 	{
 		$key = $this->generateKey($name);
-		if( isset($this->db[$key]) ) {
+		if ($key===false) {
 			Log::set(__METHOD__.LOG_SEP.'Error when try to generate the key');
 			return false;
 		}
 		if (isset($this->db[$key])) {
 			Log::set(__METHOD__.LOG_SEP.'Error key already exist: '.$key);
 			return false;
 		}
-		$this->db[$key]['name'] = $name;
+		$this->db[$key]['name'] = Sanitize::html($name);
 		$this->db[$key]['list'] = array();
 		$this->sortAlphanumeric();
@ -97,10 +106,10 @@ class dbList extends dbJSON
 	{
 		$newKey = $this->generateKey($newName);
-		$this->db[$newKey]['name'] = $newName;
+		$this->db[$newKey]['name'] = Sanitize::html($newName);
 		$this->db[$newKey]['list'] = $this->db[$oldKey]['list'];
-		// Remove the old category
+		// Remove the old key
 		if( $oldKey != $newKey ) {
 			unset( $this->db[$oldKey] );
 		}
--- a/bl-kernel/admin/controllers/new-category.php
+++ b/bl-kernel/admin/controllers/new-category.php
@ -13,36 +13,6 @@ if ($Login->role()!=='admin') {
 // Functions
 // ============================================================================
 function add($category)
 {
 	global $dbCategories;
 	global $Language;
 	global $Syslog;
 	if( Text::isEmpty($category) ) {
 		Alert::set($Language->g('Category name is empty'), ALERT_STATUS_FAIL);
 		return false;
 	}
 	if( $dbCategories->add($category) ) {
 		// Add to syslog
 		$Syslog->add(array(
 			'dictionaryKey'=>'new-category-created',
 			'notes'=>$category
 		));
 		// Create an alert
 		Alert::set($Language->g('Category added'), ALERT_STATUS_OK);
 		// Redirect
 		Redirect::page('categories');
 	}
 	else {
 		Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to create the category.');
 		return false;
 	}
 }
 // ============================================================================
 // Main before POST
 // ============================================================================
@ -51,9 +21,9 @@ function add($category)
 // POST Method
 // ============================================================================
-if( $_SERVER['REQUEST_METHOD'] == 'POST' )
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-{
+	createCategory($_POST['category']);
-	add($_POST['category']);
+	Redirect::page('categories');
 }
 // ============================================================================
--- a/bl-kernel/admin/themes/default/init.php
+++ b/bl-kernel/admin/themes/default/init.php
@ -2,6 +2,36 @@
 class HTML {
 	// Returns HTML and Javascript code for the box TAGs when you create/edit content
 	public static function tags($args) {
 		global $L;
 		// Javascript
 		$javascript  = '<script>';
 		$javascript .= file_get_contents(PATH_JS.'bludit-tags.js', true);
 		$javascript .= '</script>';
 		// HTML
 		$html  = '<div id="bludit-tags" class="uk-form-row">';
 		$html .= '	<input type="hidden" id="jstags" name="tags" value="">';
 		$html .= '	<label for="jstagInput" class="uk-form-label">'.$args['label'].'</label>';
 		$html .= '	<div class="uk-form-controls">';
 		$html .= '		<input id="jstagInput" type="text" class="uk-width-1-1" autocomplete="off">';
 		$html .= '		<button id="jstagAdd" class="uk-button">'.$L->g('Add').'</button>';
 		$html .= '		<div id="jstagList">';
 		foreach ($args['allTags'] as $tag) {
 			$html .= '		<span data-tag="'.$tag.'" class="'.( in_array($tag, $args['selectedTags'])?'select':'unselect' ).'">'.$tag.'</span>';
 		}
 		$html .= '		</div>';
 		$html .= '	</div>';
 		$html .= '</div>';
 		echo $html.$javascript;
 	}
 	public static function title($args)
 	{
 		$id = empty($args['id']) ? '' : 'id="'.$args['id'].'"';
@ -96,34 +126,7 @@ class HTML {
 		echo $html;
 	}
 	public static function tags($args)
 	{
 		global $L;
 		// Javascript code
 		include(PATH_JS.'bludit-tags.js');
 		$html  = '<div id="bludit-tags" class="uk-form-row">';
 		$html .= '<input type="hidden" id="jstags" name="tags" value="">';
 		$html .= '<label for="jstagInput" class="uk-form-label">'.$args['label'].'</label>';
 		$html .= '<div class="uk-form-controls">';
 		$html .= '<input id="jstagInput" type="text" class="uk-width-1-1" autocomplete="off">';
 		$html .= '<button id="jstagAdd" class="uk-button">'.$L->g('Add').'</button>';
 		$html .= '<div id="jstagList">';
 		foreach($args['allTags'] as $tag) {
 			$html .= '<span data-tag="'.$tag.'" class="'.( in_array($tag, $args['selectedTags'])?'select':'unselect' ).'">'.$tag.'</span>';
 		}
 		$html .= '</div>';
 		$html .= '</div>';
 		$html .= '</div>';
 		echo $html;
 	}
 	public static function formInputPassword($args)
 	{
--- a/bl-kernel/functions.php
+++ b/bl-kernel/functions.php
@ -634,6 +634,34 @@ function editSettings($args) {
 	return false;
 }
 // Add a new category to the system
 // Returns TRUE is success added, FALSE otherwise
 function createCategory($category) {
 	global $dbCategories;
 	global $Language;
 	global $Syslog;
 	if (Text::isEmpty($category)) {
 		// Set an alert
 		Alert::set($Language->g('Category name is empty'), ALERT_STATUS_FAIL);
 		return false;
 	}
 	if ($dbCategories->add($category)) {
 		// Add to syslog
 		$Syslog->add(array(
 			'dictionaryKey'=>'new-category-created',
 			'notes'=>$category
 		));
 		// Set an alert
 		Alert::set($Language->g('Category added'), ALERT_STATUS_OK);
 		return true;
 	}
 	return false;
 }
 function editCategory($oldCategoryKey, $newCategory) {
 	global $Language;
 	global $dbPages;
--- a/bl-kernel/helpers/sanitize.class.php
+++ b/bl-kernel/helpers/sanitize.class.php
@ -81,4 +81,4 @@ class Sanitize {
 			return 0;
 	}
-}
+}
--- a/bl-kernel/helpers/text.class.php
+++ b/bl-kernel/helpers/text.class.php
@ -123,6 +123,9 @@ class Text {
 		return str_replace(array_keys($replace), array_values($replace), $text);
 	}
 	// Convert invalid characters to valid characters for a URL
 	// Characters that cannot be converted will be removed from the string
 	// This function can return an empty string
 	public static function cleanUrl($string, $separator='-')
 	{
 		if (EXTREME_FRIENDLY_URL) {
--- a/bl-kernel/js/bludit-tags.js
+++ b/bl-kernel/js/bludit-tags.js
@ -1,73 +1,65 @@
 <script>
 function insertTag() {
 	var newTag = sanitizeHTML( $("#jstagInput").val() );
-	var newTag = $("#jstagInput").val();
+	if (newTag.trim()=="") {
 	if(newTag.trim()=="") {
 		return true;
 	}
 	// Search if the tag exists
 	var findTag = $("span[data-tag]").filter(function() {
 		return $(this).attr('data-tag').toLowerCase() == newTag.toLowerCase();
 	});
-	if( findTag.length > 0 ) {
+	// If the tag exits select
 	// If the tag doesn't exist, insert on the list and select
 	if (findTag.length > 0) {
 		findTag.removeClass("unselect").addClass("select");
-	}
+	} else {
 	else {
 		$("#jstagList").append("<span data-tag=\""+newTag+"\" class=\"select\">"+newTag+"</span>");
 	}
-	// Clean the input.
+	// Clean the input field
 	$("#jstagInput").val("");
 	return newTag;
 }
 $(document).ready(function() {
-	// Click on tag unselected.
+	// Click on tag unselected
 	$(document).on("click", ".unselect", function() {
 		$(this).removeClass("unselect").addClass("select");
 	});
-	// Click on tag selected.
+	// Click on tag selected
 	$(document).on("click", ".select", function() {
 		$(this).removeClass("select").addClass("unselect");
 	});
-	// Insert tag when click on the button "add".
+	// Insert tag when click on the button "ADD"
 	$(document).on("click", "#jstagAdd", function(e) {
-
+		// Prevent forum submit
 		// Prevent forum submit.
 		e.preventDefault();
 		insertTag();
 	});
-	// Insert tag when press enter key.
+	// Insert tag when press enter key
 	$("#jstagInput").keypress(function(e) {
-
+		if (e.which == 13) {
 		if(e.which == 13) {
 			insertTag();
 		}
 	});
-	// Before form submit.
+	// Before form submit
 	$("form").submit(function(e) {
-
+		// For each span.select make an array then implode with comma glue
 		// For each span.select make an array then implode with comma glue.
 		var list = $("#jstagList > span.select").map(function() {
 			return $(this).html();
 		}).get().join(",");
-		// Insert the tags separated by comma in the input hiden field.
+		// Insert the tags separated by comma in the input hidden field
 		$("#jstags").val( list );
 		return true;
 	});
-
+});
 });
 </script>
--- a/bl-kernel/js/functions.php
+++ b/bl-kernel/js/functions.php
@ -53,4 +53,16 @@ function generateSlug(text, parentKey, currentKey, writeResponse) {
    });
 }
 function sanitizeHTML(text) {
 	var map = {
 		'&': '&amp;',
 		'<': '&lt;',
 		'>': '&gt;',
 		'"': '&quot;',
 		"'": '&#039;'
 	};
 	return text.replace(/[&<>"']/g, function(m) { return map[m]; });
 }
 </script>