Commit be137659a7fa10f0dc9b49ff55e34a9fc3979cdf

Authored by megan_w
1 parent 1836e59e

KTS-2873

"Double quote (") is not accepted as valid input for metadata when the name of a Lookup field or a Tree field has a Double quote in."
Fixed by sanitising the values.

Committed by: Megan Watson
Reviewed by: Conrad Vermeulen



git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@8029 c91229c3-7414-0410-bfa2-8a42b809f60b
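--- a/lib/documentmanagement/MDTree.inc
+++ b/lib/documentmanagement/MDTree.inc
@@ -5,32 +5,32 @@
 * KnowledgeTree Open Source Edition
 * Document Management Made Simple
 * Copyright (C) 2004 - 2008 The Jam Warehouse Software (Pty) Limited
-*
+*
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation.
-*
+*
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
-*
+*
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
-*
+*
 * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place,
 * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com.
-*
+*
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU General Public License version 3.
-*
+*
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
-* KnowledgeTree" logo and retain the original copyright notice. If the display of the
+* KnowledgeTree" logo and retain the original copyright notice. If the display of the
 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
-* must display the words "Powered by KnowledgeTree" and retain the original
-* copyright notice.
+* must display the words "Powered by KnowledgeTree" and retain the original
+* copyright notice.
 * Contributor( s): ______________________________________
 *
 */
@@ -44,7 +44,7 @@ require_once(KT_LIB_DIR . &quot;/util/sanitize.inc&quot;);
 class MDTreeNode extends KTEntity {
 /** boilerplate DB code. */
 /** primary key */
-var $iId = -1;
+var $iId = -1;
 var $iFieldId;
 var $sName;
 var $iParentNode;
@@ -81,7 +81,7 @@ class MDTreeNode extends KTEntity {
 
 }
 
-/* simple class to encapsulate tree-as-a-whole behaviour.
+/* simple class to encapsulate tree-as-a-whole behaviour.
 NBM - should this move, be refactored? It certainly doesn't belong in the DB,
 since its just an aggregate utility.
 */
@@ -100,11 +100,11 @@ class MDTree {
 $this->contents = null;
 $this->mapnodes = null;
 $this->root = null;
-$this->lookups = null;
+$this->lookups = null;
 $this->field_id = null;
 }
 
-/* function buildForField
+/* function buildForField
 *
 * build a tree for a particular field instance.
 * sets contents, so we can edit "stuff".
@@ -112,7 +112,7 @@ class MDTree {
 function buildForField($iFieldId)
 {
 global $default;
-// before we start, we need to check that
+// before we start, we need to check that
 // the specified field exists and is organised into a tree.
 $organisedField =& DocumentField::get($iFieldId);
 if (PEAR::isError($organisedField) || ($organisedField === false)) {
@@ -182,8 +182,8 @@ class MDTree {
 }
 
 $leafArray = null;
-if (!array_key_exists("leaves", $target_set)) {
-$target_set["leaves"] = array($lookup_value->getId());
+if (!array_key_exists("leaves", $target_set)) {
+$target_set["leaves"] = array($lookup_value->getId());
 }
 else
 {
@@ -193,14 +193,14 @@ class MDTree {
 
 $this->lookups[$lookup_value->getId()] = $lookup_value;
 
-}
+}
 $this->root =& $this->contents[0];
 $default->log->debug("MDTree::buildForField done: " . print_r($this, true));
-
+
 }
 
 // handle deleting subtrees
-function deleteNode($iNode) {
+function deleteNode($iNode) {
 $stack = array();
 array_push($stack, $iNode);
 while (count($stack) != 0)
@@ -215,7 +215,7 @@ class MDTree {
 $this->lookups[$leaf]->setTreeParent(0);
 $this->lookups[$leaf]->update();
 $this->contents[0]["leaves"][] = $leaf;
-}
+}
 }
 else array_push($stack, $value);
 }
@@ -225,7 +225,7 @@ class MDTree {
 $iParent = $this->mapnodes[$iNode]->getParentNode();
 foreach ($this->contents[$iParent] as $index => $val)
 if ($iNode === $val) unset($this->contents[$iParent][$index]);
-}
+}
 
 // add a node to the mapping after the fact (e.g. created later in the process.)
 function addNode($oNode) {
@@ -244,7 +244,7 @@ class MDTree {
 $oNewParent = $this->mapnodes[$destination_parent_id];
 // we will have failed by here if its bogus.
 //$default->log->debug('MDTree::reparentKeyword '.print_r($oNewParent, true));
-
+
 // if its 0 or NULL, we reparent to null.
 if (($oNewParent === null) or ($desintation_parent_id === 0)) {
 $new_home = 0;
@@ -256,19 +256,19 @@ class MDTree {
 if (!empty($this->contents[$oldparent])) {
 $KWIndex = array_search($lookup_id, $this->contents[$oldParent]["leaves"]);
 unset($this->contents[$oldParent]["leaves"][$KWIndex]);
-
+
 }
 $this->contents[$new_home]["leaves"][] = $oKeyword->getId();
 $oKeyword->update();
-}
-
+}
+
 
 // STUB FUNCTIONS: need to be filled in.
-
+
 
 // REALLY need to deprecate this, but how?
 function render($bEditable) { return null; } // render using a template (with edit / buttons.) FIXME build a widget / renderer.
-
+
 
 /* ----------------------- EVIL HACK --------------------------
 *
@@ -307,7 +307,7 @@ class MDTree {
 }
 $treeStr .= '</ul>';
 return $treeStr;
-
+
 }
 
 // I can't seem to do recursion in smarty, and recursive templates seems a bad solution.
@@ -348,7 +348,8 @@ class MDTree {
 if ($leaf === $this->activevalue) {
 $is_selected=' checked="checked"';
 }
-$treeStr .= '<li class="leafnode"><input type="radio" name="'.$inputname.'" value="'.$treeToRender->lookups[$leaf]->getName().'" '.$is_selected.'>' . $treeToRender->lookups[$leaf]->getName() .'</input>';
+$sValue = htmlentities($treeToRender->lookups[$leaf]->getName());
+$treeStr .= '<li class="leafnode"><input type="radio" name="'.$inputname.'" value="'.$sValue.'" '.$is_selected.'>' . $sValue .'</input>';
 $treeStr .= '</li>';
 }
 }
@@ -357,9 +358,9 @@ class MDTree {
 //$treeStr .= '</li></ul>';
 
 return $treeStr;
-
+
 }
-
+
 // again, not pretty. set a particular item as "active"
 function setActiveItem($sMetadataMatch) {
 // also need to: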
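Review bot: `htmlentities()` in the `@@ -348,7 +348,8 @@` hunk is called with its defaults, which on PHP before 5.4 means ENT_COMPAT and an ISO-8859-1 charset: double quotes are escaped, which does cover the double-quoted `value` attribute, but single quotes are left alone and each byte of a multibyte UTF-8 name is turned into a separate Latin-1 entity, garbling non-ASCII names in both the attribute and the visible label. Passing the flags explicitly, `$sValue = htmlentities($treeToRender->lookups[$leaf]->getName(), ENT_QUOTES, 'UTF-8');`, makes the escaping independent of ini defaults; the file already requires `util/sanitize.inc` (visible in the `@@ -44,7 +44,7 @@` hunk header), so if that provides the helper behind the templates' `|sanitize` modifier, calling it here would keep the PHP renderer and the Smarty templates on one escaping path. On the same line `$inputname` is still concatenated raw; it comes from the caller and is presumably developer-supplied, but it should get the same treatment if it can ever carry user-controlled text. The enclosing function starts and ends outside the hunk. Separately, the unchanged context in the reparent hunks reads `$desintation_parent_id` where the line above uses `$destination_parent_id`, and `$oldparent` next to `$oldParent`; this whitespace-only commit does not touch them, but they look like pre-existing typos worth a follow-up.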
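--- a/templates/kt3/fields/lookup.smarty
+++ b/templates/kt3/fields/lookup.smarty
@@ -13,7 +13,7 @@
 
 <select name="{$name}" {if $has_id}id="{$id}"{/if} {if $options.multi}multiple="true"{/if} {if $options.size}size="{$options.size}"{/if}>
 {foreach item=lookup key=lookup_key from=$options.vocab}
-<option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
+<option value="{$lookup_key|sanitize}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
 {/foreach}
 </select>
 <input type="hidden" name="kt_core_fieldsets_expect[{$name}]" value ="1" />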
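Review bot: The `<select>` line above the changed `<option>` still interpolates `{$name}`, `{$id}` and `{$options.size}` without `|sanitize`, and the hidden input at the bottom repeats `{$name}` raw, so the hunk closes the double-quote break for option keys while the enclosing attributes stay on the footing the key was on before. These values are presumably set by the widget code rather than typed by a user, so the exposure is lower, but applying the same modifier there would make the template uniformly safe to read; the same applies to `{$name}` and `{$id}` in templates/ktcore/forms/widgets/selection.smarty. The `selected` test compares `$value` against the raw `$lookup_key`, which is correct as long as `sanitize` only entity-encodes for output (the browser decodes the attribute before submitting it back), and is worth a short template comment such as `{* compare the raw key: sanitize only affects the rendered attribute *}`.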
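--- a/templates/ktcore/forms/widgets/selection.smarty
+++ b/templates/ktcore/forms/widgets/selection.smarty
@@ -1,16 +1,16 @@
 {if empty($vocab)}
 <div class="ktInfoMessage"><span>{$context->sEmptyMessage}</span></div>
 {else}
-<select name="{$name}"
-{if $has_id}id="{$id}"{/if}
-{if $options.multi}multiple="true"{/if}
+<select name="{$name}"
+{if $has_id}id="{$id}"{/if}
+{if $options.multi}multiple="true"{/if}
 >
 {if $options.initial_string}
 <option value="">{$options.initial_string}</option>
-{/if}
+{/if}
 {foreach item=lookup key=lookup_key from=$vocab}
 
-<option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup}</option>
+<option value="{$lookup_key|sanitize}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
 {/foreach}
 </select>
 {/if}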
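Review bot: `{$options.initial_string}` on the context line just above the sanitised `<option>` list, and `{$context->sEmptyMessage}` at the top of the file, are still emitted without `|sanitize`, so the template now escapes the vocabulary but not the placeholder text rendered next to it. If either string can be configured per field rather than being a fixed literal, `<option value="">{$options.initial_string|sanitize}</option>` would close the same gap this commit fixes for the keys; if they are always developer-supplied, a template comment saying so would save the next reader from re-checking.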