diff --git a/functions.php b/functions.php
index 289ae364..4b1fae84 100644
--- a/functions.php
+++ b/functions.php
@@ -925,13 +925,9 @@
foreach ($entry_tags as $tag) {
- $tag = mb_strtolower($tag, 'utf-8');
+ $tag = sanitize_tag($tag);
$tag = db_escape_string($tag);
- $tag = str_replace("+", " ", $tag);
- $tag = str_replace("\"", "", $tag);
- $tag = str_replace("technorati tag: ", "", $tag);
-
if (!tag_is_valid($tag)) continue;
$result = db_query($link, "SELECT id FROM ttrss_tags
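Review bot: The removed inline code also stripped double quotes from each tag (`str_replace("\"", "", $tag)`), but `sanitize_tag` as defined later in this diff (the hunk at @@ -3988) does not, so after this change a tag such as `"foo"` keeps its quotes; the same applies to the backend-rpc.php caller (@@ -220). If that normalization is still wanted, add `$tag = str_replace("\"", "", $tag);` to sanitize_tag rather than back into this loop, so both callers agree. Moving the replacements ahead of db_escape_string is the right order — the old code edited the already-escaped string, which could strip a quote and leave its escaping backslash behind. The foreach body and the SELECT statement continue past the end of the hunk, so whether tag_is_valid rejects quotes cannot be seen here.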
@@ -942,8 +938,6 @@
if ($result && db_num_rows($result) == 0) {
- // print "tagging $entry_id as $tag
";
-
db_query($link, "INSERT INTO ttrss_tags
(owner_uid,tag_name,post_int_id)
VALUES ('$owner_uid','$tag', '$entry_int_id')");
@@ -3561,8 +3555,10 @@
while ($tmp_line = db_fetch_assoc($tmp_result)) {
$num_tags++;
- $tag = $tmp_line["tag_name"];
- $tag_str = "$tag, ";
+ $tag = $tmp_line["tag_name"];
+ $tag_escaped = str_replace("'", "\\'", $tag);
+
+ $tag_str = "$tag, ";
if ($num_tags == 6) {
$tags_str .= "...";
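Review bot: `$tag_escaped` is assigned but nothing in the visible lines of this hunk reads it, and escaping only `'` with a backslash is not a complete escape for any output context — a tag ending in a backslash still terminates a single-quoted JavaScript string early, and `<`, `&` and `"` are left untouched. If the value is meant for an inline JavaScript argument inside HTML, build it with `htmlspecialchars(json_encode($tag), ENT_QUOTES)` instead of a hand-rolled replacement; if it is meant for SQL, use db_escape_string as the rest of the file does. The while loop body continues beyond the hunk, so the actual use site is not visible here.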
@@ -3988,4 +3984,15 @@
echo sprintf("", $ts - $s);
return $ts;
}
+
+ function sanitize_tag($tag) {
+ $tag = trim($tag);
+
+ $tag = mb_strtolower($tag, 'utf-8');
+
+ $tag = str_replace("+", " ", $tag);
+ $tag = str_replace("technorati tag: ", "", $tag);
+
+ return $tag;
+ }
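Review bot: `sanitize_tag` has no doc comment stating its contract, and its name promises more than it does: it trims, lowercases and normalizes the tag but performs no escaping, so callers must still run db_escape_string on the result. Add a docblock above it, e.g. `/** Normalizes a tag name: trims, lowercases (UTF-8), turns '+' into spaces and drops a 'technorati tag: ' marker. Does NOT escape for SQL or HTML; callers must escape the result. */`. Because the lowercase step runs before the `technorati tag: ` replacement, that marker is matched case-insensitively — worth stating, since the removed inline code relied on the same ordering. The function is untyped like the rest of the file, which is consistent with the surrounding code style.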
?>
diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php
index 425a855f..e70b7552 100644
--- a/modules/backend-rpc.php
+++ b/modules/backend-rpc.php
@@ -202,7 +202,9 @@
}
if ($subop == "setArticleTags") {
+
$id = db_escape_string($_GET["id"]);
+
$tags_str = db_escape_string($_GET["tags_str"]);
$tags = array_unique(trim_array(split(",", $tags_str)));
@@ -220,7 +222,7 @@
post_int_id = $int_id AND owner_uid = '".$_SESSION["uid"]."'");
foreach ($tags as $tag) {
- $tag = trim($tag);
+ $tag = sanitize_tag($tag);
if (!tag_is_valid($tag)) {
continue;
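Review bot: Here `sanitize_tag` runs on text that was already passed through db_escape_string as a whole string (`$tags_str` at the top of this handler), whereas functions.php sanitizes first and escapes each tag afterwards. With the current replacements the result is the same, but the order is fragile: any future normalization that touches backslashes or quotes would corrupt the escaping. Prefer splitting the raw `$_GET["tags_str"]` and escaping per tag, `$tag = db_escape_string(sanitize_tag($tag));`, so both callers follow the same sanitize-then-escape sequence. The foreach body continues past the hunk.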
@@ -229,6 +231,8 @@
if (preg_match("/^[0-9]*$/", $tag)) {
continue;
}
+
+// print "";
if ($tag != '') {
db_query($link, "INSERT INTO ttrss_tags
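Review bot: The added `// print "";` on the line before `if ($tag != '')` is commented-out debugging output sitting at column 0; it should not be committed. Remove the line, or if a trace is wanted here, emit it through the project's debug facility rather than a disabled print. The surrounding `if` and the INSERT statement continue past the end of the hunk.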
diff --git a/viewfeed.js b/viewfeed.js
index 604af1ba..18264eb6 100644
--- a/viewfeed.js
+++ b/viewfeed.js
@@ -727,7 +727,11 @@ function editTagsSave() {
var query = Form.serialize("tag_edit_form");
- xmlhttp_rpc.open("GET", "backend.php?op=rpc&subop=setArticleTags&" + query, true);
+ query = "backend.php?op=rpc&subop=setArticleTags&" + query;
+
+ debug(query);
+
+ xmlhttp_rpc.open("GET", query, true);
xmlhttp_rpc.onreadystatechange=tag_saved_callback;
xmlhttp_rpc.send(null);
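Review bot: `query` is reused to hold first the serialized form fields and then the full request URL, which makes the `debug(query)` line and the `open` call read ambiguously. Keep the two values apart, `var url = "backend.php?op=rpc&subop=setArticleTags&" + query;`, then `debug(url); xmlhttp_rpc.open("GET", url, true);`. editTagsSave starts at the hunk header context and its closing brace lies outside the hunk.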