diff --git a/functions.php b/functions.php
index 289ae364..4b1fae84 100644
--- a/functions.php
+++ b/functions.php
@@ -925,13 +925,9 @@ foreach ($entry_tags as $tag) {
- $tag = mb_strtolower($tag, 'utf-8');
+ $tag = sanitize_tag($tag);
 $tag = db_escape_string($tag);
- $tag = str_replace("+", " ", $tag);
- $tag = str_replace("\"", "", $tag);
- $tag = str_replace("technorati tag: ", "", $tag);
-
 if (!tag_is_valid($tag)) continue;
 $result = db_query($link, "SELECT id FROM ttrss_tags
@@ -942,8 +938,6 @@ if ($result && db_num_rows($result) == 0) {
- // print "tagging $entry_id as $tag
"; - db_query($link, "INSERT INTO ttrss_tags (owner_uid,tag_name,post_int_id) VALUES ('$owner_uid','$tag', '$entry_int_id')"); @@ -3561,8 +3555,10 @@ while ($tmp_line = db_fetch_assoc($tmp_result)) { $num_tags++; - $tag = $tmp_line["tag_name"]; - $tag_str = "$tag, "; + $tag = $tmp_line["tag_name"]; + $tag_escaped = str_replace("'", "\\'", $tag); + + $tag_str = "$tag, "; if ($num_tags == 6) { $tags_str .= "..."; @@ -3988,4 +3984,15 @@ echo sprintf("", $ts - $s); return $ts; } + + function sanitize_tag($tag) { + $tag = trim($tag); + + $tag = mb_strtolower($tag, 'utf-8'); + + $tag = str_replace("+", " ", $tag); + $tag = str_replace("technorati tag: ", "", $tag); + + return $tag; + } ?> diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php index 425a855f..e70b7552 100644 --- a/modules/backend-rpc.php +++ b/modules/backend-rpc.php @@ -202,7 +202,9 @@ } if ($subop == "setArticleTags") { + $id = db_escape_string($_GET["id"]); + $tags_str = db_escape_string($_GET["tags_str"]); $tags = array_unique(trim_array(split(",", $tags_str))); @@ -220,7 +222,7 @@ post_int_id = $int_id AND owner_uid = '".$_SESSION["uid"]."'"); foreach ($tags as $tag) { - $tag = trim($tag); + $tag = sanitize_tag($tag); if (!tag_is_valid($tag)) { continue; @@ -229,6 +231,8 @@ if (preg_match("/^[0-9]*$/", $tag)) { continue; } + +// print ""; if ($tag != '') { db_query($link, "INSERT INTO ttrss_tags diff --git a/viewfeed.js b/viewfeed.js index 604af1ba..18264eb6 100644 --- a/viewfeed.js +++ b/viewfeed.js @@ -727,7 +727,11 @@ function editTagsSave() { var query = Form.serialize("tag_edit_form"); - xmlhttp_rpc.open("GET", "backend.php?op=rpc&subop=setArticleTags&" + query, true); + query = "backend.php?op=rpc&subop=setArticleTags&" + query; + + debug(query); + + xmlhttp_rpc.open("GET", query, true); xmlhttp_rpc.onreadystatechange=tag_saved_callback; xmlhttp_rpc.send(null);