Peter M. Groen / knowledgetree

Commit be137659a7fa10f0dc9b49ff55e34a9fc3979cdf

Authored by megan_w
1 parent 1836e59e

KTS-2873 

"Double quote (") is not accepted as valid input for metadata when the name of a Lookup field or a Tree field has a Double quote in."
Fixed. Sanitised the values.

Committed by: Megan Watson
Reviewed by: Conrad Vermeulen



git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@8029 c91229c3-7414-0410-bfa2-8a42b809f60b
Inline Side-by-side
Showing 3 changed files with 38 additions and 37 deletions
lib/documentmanagement/MDTree.inc
  View file @be13765
@@ -5,32 +5,32 @@ @@ -5,32 +5,32 @@
5 * KnowledgeTree Open Source Edition 5 * KnowledgeTree Open Source Edition
6 * Document Management Made Simple 6 * Document Management Made Simple
7 * Copyright (C) 2004 - 2008 The Jam Warehouse Software (Pty) Limited 7 * Copyright (C) 2004 - 2008 The Jam Warehouse Software (Pty) Limited
8 - * 8 + *
9 * This program is free software; you can redistribute it and/or modify it under 9 * This program is free software; you can redistribute it and/or modify it under
10 * the terms of the GNU General Public License version 3 as published by the 10 * the terms of the GNU General Public License version 3 as published by the
11 * Free Software Foundation. 11 * Free Software Foundation.
12 - * 12 + *
13 * This program is distributed in the hope that it will be useful, but WITHOUT 13 * This program is distributed in the hope that it will be useful, but WITHOUT
14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
15 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more 15 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
16 * details. 16 * details.
17 - * 17 + *
18 * You should have received a copy of the GNU General Public License 18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>. 19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 - * 20 + *
21 * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place, 21 * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place,
22 * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com. 22 * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com.
23 - * 23 + *
24 * The interactive user interfaces in modified source and object code versions 24 * The interactive user interfaces in modified source and object code versions
25 * of this program must display Appropriate Legal Notices, as required under 25 * of this program must display Appropriate Legal Notices, as required under
26 * Section 5 of the GNU General Public License version 3. 26 * Section 5 of the GNU General Public License version 3.
27 - * 27 + *
28 * In accordance with Section 7(b) of the GNU General Public License version 3, 28 * In accordance with Section 7(b) of the GNU General Public License version 3,
29 * these Appropriate Legal Notices must retain the display of the "Powered by 29 * these Appropriate Legal Notices must retain the display of the "Powered by
30 - * KnowledgeTree" logo and retain the original copyright notice. If the display of the 30 + * KnowledgeTree" logo and retain the original copyright notice. If the display of the
31 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices 31 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
32 - * must display the words "Powered by KnowledgeTree" and retain the original  
33 - * copyright notice. 32 + * must display the words "Powered by KnowledgeTree" and retain the original
  33 + * copyright notice.
34 * Contributor( s): ______________________________________ 34 * Contributor( s): ______________________________________
35 * 35 *
36 */ 36 */
@@ -44,7 +44,7 @@ require_once(KT_LIB_DIR . &quot;/util/sanitize.inc&quot;); @@ -44,7 +44,7 @@ require_once(KT_LIB_DIR . &quot;/util/sanitize.inc&quot;);
44 class MDTreeNode extends KTEntity { 44 class MDTreeNode extends KTEntity {
45 /** boilerplate DB code. */ 45 /** boilerplate DB code. */
46 /** primary key */ 46 /** primary key */
47 - var $iId = -1; 47 + var $iId = -1;
48 var $iFieldId; 48 var $iFieldId;
49 var $sName; 49 var $sName;
50 var $iParentNode; 50 var $iParentNode;
@@ -81,7 +81,7 @@ class MDTreeNode extends KTEntity { @@ -81,7 +81,7 @@ class MDTreeNode extends KTEntity {
81 81
82 } 82 }
83 83
84 -/* simple class to encapsulate tree-as-a-whole behaviour. 84 +/* simple class to encapsulate tree-as-a-whole behaviour.
85 NBM - should this move, be refactored? It certainly doesn't belong in the DB, 85 NBM - should this move, be refactored? It certainly doesn't belong in the DB,
86 since its just an aggregate utility. 86 since its just an aggregate utility.
87 */ 87 */
@@ -100,11 +100,11 @@ class MDTree { @@ -100,11 +100,11 @@ class MDTree {
100 $this->contents = null; 100 $this->contents = null;
101 $this->mapnodes = null; 101 $this->mapnodes = null;
102 $this->root = null; 102 $this->root = null;
103 - $this->lookups = null; 103 + $this->lookups = null;
104 $this->field_id = null; 104 $this->field_id = null;
105 } 105 }
106 106
107 - /* function buildForField 107 + /* function buildForField
108 * 108 *
109 * build a tree for a particular field instance. 109 * build a tree for a particular field instance.
110 * sets contents, so we can edit "stuff". 110 * sets contents, so we can edit "stuff".
@@ -112,7 +112,7 @@ class MDTree { @@ -112,7 +112,7 @@ class MDTree {
112 function buildForField($iFieldId) 112 function buildForField($iFieldId)
113 { 113 {
114 global $default; 114 global $default;
115 - // before we start, we need to check that 115 + // before we start, we need to check that
116 // the specified field exists and is organised into a tree. 116 // the specified field exists and is organised into a tree.
117 $organisedField =& DocumentField::get($iFieldId); 117 $organisedField =& DocumentField::get($iFieldId);
118 if (PEAR::isError($organisedField) || ($organisedField === false)) { 118 if (PEAR::isError($organisedField) || ($organisedField === false)) {
@@ -182,8 +182,8 @@ class MDTree { @@ -182,8 +182,8 @@ class MDTree {
182 } 182 }
183 183
184 $leafArray = null; 184 $leafArray = null;
185 - if (!array_key_exists("leaves", $target_set)) {  
186 - $target_set["leaves"] = array($lookup_value->getId()); 185 + if (!array_key_exists("leaves", $target_set)) {
  186 + $target_set["leaves"] = array($lookup_value->getId());
187 } 187 }
188 else 188 else
189 { 189 {
@@ -193,14 +193,14 @@ class MDTree { @@ -193,14 +193,14 @@ class MDTree {
193 193
194 $this->lookups[$lookup_value->getId()] = $lookup_value; 194 $this->lookups[$lookup_value->getId()] = $lookup_value;
195 195
196 - } 196 + }
197 $this->root =& $this->contents[0]; 197 $this->root =& $this->contents[0];
198 $default->log->debug("MDTree::buildForField done: " . print_r($this, true)); 198 $default->log->debug("MDTree::buildForField done: " . print_r($this, true));
199 - 199 +
200 } 200 }
201 201
202 // handle deleting subtrees 202 // handle deleting subtrees
203 - function deleteNode($iNode) { 203 + function deleteNode($iNode) {
204 $stack = array(); 204 $stack = array();
205 array_push($stack, $iNode); 205 array_push($stack, $iNode);
206 while (count($stack) != 0) 206 while (count($stack) != 0)
@@ -215,7 +215,7 @@ class MDTree { @@ -215,7 +215,7 @@ class MDTree {
215 $this->lookups[$leaf]->setTreeParent(0); 215 $this->lookups[$leaf]->setTreeParent(0);
216 $this->lookups[$leaf]->update(); 216 $this->lookups[$leaf]->update();
217 $this->contents[0]["leaves"][] = $leaf; 217 $this->contents[0]["leaves"][] = $leaf;
218 - } 218 + }
219 } 219 }
220 else array_push($stack, $value); 220 else array_push($stack, $value);
221 } 221 }
@@ -225,7 +225,7 @@ class MDTree { @@ -225,7 +225,7 @@ class MDTree {
225 $iParent = $this->mapnodes[$iNode]->getParentNode(); 225 $iParent = $this->mapnodes[$iNode]->getParentNode();
226 foreach ($this->contents[$iParent] as $index => $val) 226 foreach ($this->contents[$iParent] as $index => $val)
227 if ($iNode === $val) unset($this->contents[$iParent][$index]); 227 if ($iNode === $val) unset($this->contents[$iParent][$index]);
228 - } 228 + }
229 229
230 // add a node to the mapping after the fact (e.g. created later in the process.) 230 // add a node to the mapping after the fact (e.g. created later in the process.)
231 function addNode($oNode) { 231 function addNode($oNode) {
@@ -244,7 +244,7 @@ class MDTree { @@ -244,7 +244,7 @@ class MDTree {
244 $oNewParent = $this->mapnodes[$destination_parent_id]; 244 $oNewParent = $this->mapnodes[$destination_parent_id];
245 // we will have failed by here if its bogus. 245 // we will have failed by here if its bogus.
246 //$default->log->debug('MDTree::reparentKeyword '.print_r($oNewParent, true)); 246 //$default->log->debug('MDTree::reparentKeyword '.print_r($oNewParent, true));
247 - 247 +
248 // if its 0 or NULL, we reparent to null. 248 // if its 0 or NULL, we reparent to null.
249 if (($oNewParent === null) or ($desintation_parent_id === 0)) { 249 if (($oNewParent === null) or ($desintation_parent_id === 0)) {
250 $new_home = 0; 250 $new_home = 0;
@@ -256,19 +256,19 @@ class MDTree { @@ -256,19 +256,19 @@ class MDTree {
256 if (!empty($this->contents[$oldparent])) { 256 if (!empty($this->contents[$oldparent])) {
257 $KWIndex = array_search($lookup_id, $this->contents[$oldParent]["leaves"]); 257 $KWIndex = array_search($lookup_id, $this->contents[$oldParent]["leaves"]);
258 unset($this->contents[$oldParent]["leaves"][$KWIndex]); 258 unset($this->contents[$oldParent]["leaves"][$KWIndex]);
259 - 259 +
260 } 260 }
261 $this->contents[$new_home]["leaves"][] = $oKeyword->getId(); 261 $this->contents[$new_home]["leaves"][] = $oKeyword->getId();
262 $oKeyword->update(); 262 $oKeyword->update();
263 - }  
264 - 263 + }
  264 +
265 265
266 // STUB FUNCTIONS: need to be filled in. 266 // STUB FUNCTIONS: need to be filled in.
267 - 267 +
268 268
269 // REALLY need to deprecate this, but how? 269 // REALLY need to deprecate this, but how?
270 function render($bEditable) { return null; } // render using a template (with edit / buttons.) FIXME build a widget / renderer. 270 function render($bEditable) { return null; } // render using a template (with edit / buttons.) FIXME build a widget / renderer.
271 - 271 +
272 272
273 /* ----------------------- EVIL HACK -------------------------- 273 /* ----------------------- EVIL HACK --------------------------
274 * 274 *
@@ -307,7 +307,7 @@ class MDTree { @@ -307,7 +307,7 @@ class MDTree {
307 } 307 }
308 $treeStr .= '</ul>'; 308 $treeStr .= '</ul>';
309 return $treeStr; 309 return $treeStr;
310 - 310 +
311 } 311 }
312 312
313 // I can't seem to do recursion in smarty, and recursive templates seems a bad solution. 313 // I can't seem to do recursion in smarty, and recursive templates seems a bad solution.
@@ -348,7 +348,8 @@ class MDTree { @@ -348,7 +348,8 @@ class MDTree {
348 if ($leaf === $this->activevalue) { 348 if ($leaf === $this->activevalue) {
349 $is_selected=' checked="checked"'; 349 $is_selected=' checked="checked"';
350 } 350 }
351 - $treeStr .= '<li class="leafnode"><input type="radio" name="'.$inputname.'" value="'.$treeToRender->lookups[$leaf]->getName().'" '.$is_selected.'>' . $treeToRender->lookups[$leaf]->getName() .'</input>'; 351 + $sValue = htmlentities($treeToRender->lookups[$leaf]->getName());
  352 + $treeStr .= '<li class="leafnode"><input type="radio" name="'.$inputname.'" value="'.$sValue.'" '.$is_selected.'>' . $sValue .'</input>';
352 $treeStr .= '</li>'; 353 $treeStr .= '</li>';
353 } 354 }
354 } 355 }
@@ -357,9 +358,9 @@ class MDTree { @@ -357,9 +358,9 @@ class MDTree {
357 //$treeStr .= '</li></ul>'; 358 //$treeStr .= '</li></ul>';
358 359
359 return $treeStr; 360 return $treeStr;
360 - 361 +
361 } 362 }
362 - 363 +
363 // again, not pretty. set a particular item as "active" 364 // again, not pretty. set a particular item as "active"
364 function setActiveItem($sMetadataMatch) { 365 function setActiveItem($sMetadataMatch) {
365 // also need to: 366 // also need to:
templates/kt3/fields/lookup.smarty
  View file @be13765
@@ -13,7 +13,7 @@ @@ -13,7 +13,7 @@
13 13
14 <select name="{$name}" {if $has_id}id="{$id}"{/if} {if $options.multi}multiple="true"{/if} {if $options.size}size="{$options.size}"{/if}> 14 <select name="{$name}" {if $has_id}id="{$id}"{/if} {if $options.multi}multiple="true"{/if} {if $options.size}size="{$options.size}"{/if}>
15 {foreach item=lookup key=lookup_key from=$options.vocab} 15 {foreach item=lookup key=lookup_key from=$options.vocab}
16 - <option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option> 16 + <option value="{$lookup_key|sanitize}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
17 {/foreach} 17 {/foreach}
18 </select> 18 </select>
19 <input type="hidden" name="kt_core_fieldsets_expect[{$name}]" value ="1" /> 19 <input type="hidden" name="kt_core_fieldsets_expect[{$name}]" value ="1" />
templates/ktcore/forms/widgets/selection.smarty
  View file @be13765
1 {if empty($vocab)} 1 {if empty($vocab)}
2 <div class="ktInfoMessage"><span>{$context->sEmptyMessage}</span></div> 2 <div class="ktInfoMessage"><span>{$context->sEmptyMessage}</span></div>
3 {else} 3 {else}
4 - <select name="{$name}"  
5 - {if $has_id}id="{$id}"{/if}  
6 - {if $options.multi}multiple="true"{/if} 4 + <select name="{$name}"
  5 + {if $has_id}id="{$id}"{/if}
  6 + {if $options.multi}multiple="true"{/if}
7 > 7 >
8 {if $options.initial_string} 8 {if $options.initial_string}
9 <option value="">{$options.initial_string}</option> 9 <option value="">{$options.initial_string}</option>
10 - {/if} 10 + {/if}
11 {foreach item=lookup key=lookup_key from=$vocab} 11 {foreach item=lookup key=lookup_key from=$vocab}
12 12
13 - <option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup}</option> 13 + <option value="{$lookup_key|sanitize}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
14 {/foreach} 14 {/foreach}
15 </select> 15 </select>
16 {/if} 16 {/if}