From be137659a7fa10f0dc9b49ff55e34a9fc3979cdf Mon Sep 17 00:00:00 2001
From: megan_w
Date: Mon, 11 Feb 2008 10:25:55 +0000
Subject: [PATCH] KTS-2873 "Double quote (") is not accepted as valid input for metadata when the name of a Lookup field or a Tree field has a Double quote in." Fixed. Sanitised the values.
---
 lib/documentmanagement/MDTree.inc | 63 ++++++++++++++++++++++++++++++++-------------------------------
 templates/kt3/fields/lookup.smarty | 2 +-
 templates/ktcore/forms/widgets/selection.smarty | 10 +++++-----
 3 files changed, 38 insertions(+), 37 deletions(-)
diff --git a/lib/documentmanagement/MDTree.inc b/lib/documentmanagement/MDTree.inc
index 1925cd3..7477be9 100644
--- a/lib/documentmanagement/MDTree.inc
+++ b/lib/documentmanagement/MDTree.inc
@@ -5,32 +5,32 @@
  * KnowledgeTree Open Source Edition
  * Document Management Made Simple
  * Copyright (C) 2004 - 2008 The Jam Warehouse Software (Pty) Limited
- *
+ *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License version 3 as published by the
  * Free Software Foundation.
- *
+ *
  * This program is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- *
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see .
- *
+ *
  * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place,
  * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com.
- *
+ *
  * The interactive user interfaces in modified source and object code versions
  * of this program must display Appropriate Legal Notices, as required under
  * Section 5 of the GNU General Public License version 3.
- *
+ *
  * In accordance with Section 7(b) of the GNU General Public License version 3,
  * these Appropriate Legal Notices must retain the display of the "Powered by
- * KnowledgeTree" logo and retain the original copyright notice. If the display of the
+ * KnowledgeTree" logo and retain the original copyright notice. If the display of the
  * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
- * must display the words "Powered by KnowledgeTree" and retain the original
- * copyright notice.
+ * must display the words "Powered by KnowledgeTree" and retain the original
+ * copyright notice.
  * Contributor( s): ______________________________________
  *
  */
@@ -44,7 +44,7 @@ require_once(KT_LIB_DIR . "/util/sanitize.inc"); class MDTreeNode extends KTEntity { /** boilerplate DB code. */ /** primary key */ - var $iId = -1; + var $iId = -1; var $iFieldId; var $sName; var $iParentNode; @@ -81,7 +81,7 @@ class MDTreeNode extends KTEntity { } -/* simple class to encapsulate tree-as-a-whole behaviour. +/* simple class to encapsulate tree-as-a-whole behaviour. NBM - should this move, be refactored? It certainly doesn't belong in the DB, since its just an aggregate utility. */ @@ -100,11 +100,11 @@ class MDTree { $this->contents = null; $this->mapnodes = null; $this->root = null; - $this->lookups = null; + $this->lookups = null; $this->field_id = null; } - /* function buildForField + /* function buildForField * * build a tree for a particular field instance. * sets contents, so we can edit "stuff". @@ -112,7 +112,7 @@ class MDTree { function buildForField($iFieldId) { global $default; - // before we start, we need to check that + // before we start, we need to check that // the specified field exists and is organised into a tree. $organisedField =& DocumentField::get($iFieldId); if (PEAR::isError($organisedField) || ($organisedField === false)) { @@ -182,8 +182,8 @@ class MDTree { } $leafArray = null; - if (!array_key_exists("leaves", $target_set)) { - $target_set["leaves"] = array($lookup_value->getId()); + if (!array_key_exists("leaves", $target_set)) { + $target_set["leaves"] = array($lookup_value->getId()); } else { @@ -193,14 +193,14 @@ class MDTree { $this->lookups[$lookup_value->getId()] = $lookup_value; - } + } $this->root =& $this->contents[0]; $default->log->debug("MDTree::buildForField done: " . print_r($this, true)); - + } // handle deleting subtrees - function deleteNode($iNode) { + function deleteNode($iNode) { $stack = array(); array_push($stack, $iNode); while (count($stack) != 0) 
@@ -215,7 +215,7 @@ class MDTree { $this->lookups[$leaf]->setTreeParent(0); $this->lookups[$leaf]->update(); $this->contents[0]["leaves"][] = $leaf; - } + } } else array_push($stack, $value); } @@ -225,7 +225,7 @@ class MDTree { $iParent = $this->mapnodes[$iNode]->getParentNode(); foreach ($this->contents[$iParent] as $index => $val) if ($iNode === $val) unset($this->contents[$iParent][$index]); - } + } // add a node to the mapping after the fact (e.g. created later in the process.) function addNode($oNode) { @@ -244,7 +244,7 @@ class MDTree { $oNewParent = $this->mapnodes[$destination_parent_id]; // we will have failed by here if its bogus. //$default->log->debug('MDTree::reparentKeyword '.print_r($oNewParent, true)); - + // if its 0 or NULL, we reparent to null. if (($oNewParent === null) or ($desintation_parent_id === 0)) { $new_home = 0; @@ -256,19 +256,19 @@ class MDTree { if (!empty($this->contents[$oldparent])) { $KWIndex = array_search($lookup_id, $this->contents[$oldParent]["leaves"]); unset($this->contents[$oldParent]["leaves"][$KWIndex]); - + } $this->contents[$new_home]["leaves"][] = $oKeyword->getId(); $oKeyword->update(); - } - + } + // STUB FUNCTIONS: need to be filled in. - + // REALLY need to deprecate this, but how? function render($bEditable) { return null; } // render using a template (with edit / buttons.) FIXME build a widget / renderer. - + /* ----------------------- EVIL HACK -------------------------- * @@ -307,7 +307,7 @@ class MDTree { } $treeStr .= ''; return $treeStr; - + } // I can't seem to do recursion in smarty, and recursive templates seems a bad solution. @@ -348,7 +348,8 @@ class MDTree { if ($leaf === $this->activevalue) { $is_selected=' checked="checked"'; } - $treeStr .= '
  • ' . $treeToRender->lookups[$leaf]->getName() .''; + $sValue = htmlentities($treeToRender->lookups[$leaf]->getName()); + $treeStr .= '
  • ' . $sValue .''; $treeStr .= '
  • '; } } @@ -357,9 +358,9 @@ class MDTree { //$treeStr .= ''; return $treeStr; - + } - + // again, not pretty. set a particular item as "active" function setActiveItem($sMetadataMatch) { // also need to: diff --git a/templates/kt3/fields/lookup.smarty b/templates/kt3/fields/lookup.smarty index 28b7283..5b4dbe2 100644 --- a/templates/kt3/fields/lookup.smarty +++ b/templates/kt3/fields/lookup.smarty @@ -13,7 +13,7 @@ diff --git a/templates/ktcore/forms/widgets/selection.smarty b/templates/ktcore/forms/widgets/selection.smarty index 8b85705..3465c59 100644 --- a/templates/ktcore/forms/widgets/selection.smarty +++ b/templates/ktcore/forms/widgets/selection.smarty @@ -1,16 +1,16 @@ {if empty($vocab)}
    {$context->sEmptyMessage}
    {else} - {/if} -- libgit2 0.21.4