Public/pics
2
2
Fork 2
Code Issues 5 Pull Requests Releases Wiki Activity

Asset: let slugs consist only of an explicit set of allowed characters #41

Merged
Roflin merged 1 commits from clean-slugs into master 2023-11-22 16:03:55 +01:00
Conversation 1 Commits 1 Files Changed 2 +12 -2
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
controllers/EditAsset.php
View File

@ -63,7 +63,7 @@ class EditAsset extends HTMLController
{ {
$date_captured = !empty($_POST['date_captured']) ? $date_captured = !empty($_POST['date_captured']) ?
new DateTime(str_replace('T', ' ', $_POST['date_captured'])) : null; new DateTime(str_replace('T', ' ', $_POST['date_captured'])) : null;
$slug = strtr($_POST['slug'], [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '\\' => '-']); $slug = Asset::cleanSlug($_POST['slug']);
$asset->setKeyData(htmlspecialchars($_POST['title']), $slug, $date_captured, intval($_POST['priority'])); $asset->setKeyData(htmlspecialchars($_POST['title']), $slug, $date_captured, intval($_POST['priority']));
} }

12
models/Asset.php
View File

@ -36,6 +36,16 @@ class Asset
$this->date_captured = new DateTime($data['date_captured']); $this->date_captured = new DateTime($data['date_captured']);
} }
public static function cleanSlug($slug)
{
// Only alphanumerical chars, underscores and forward slashes are allowed
if (!preg_match_all('~([A-z0-9\/_]+)~', $slug, $allowedTokens, PREG_PATTERN_ORDER))
throw new UnexpectedValueException('Slug does not make sense.');
// Join valid substrings together with hyphens
return implode('-', $allowedTokens[1]);
}
public static function fromId($id_asset, $return_format = 'object') public static function fromId($id_asset, $return_format = 'object')
{ {
$row = Registry::get('db')->queryAssoc(' $row = Registry::get('db')->queryAssoc('
@ -214,7 +224,7 @@ class Asset
$title = $data['title'] ?? $basename; $title = $data['title'] ?? $basename;
// Same with the slug. // Same with the slug.
$slug = $data['slug'] ?? sprintf('%s/%s', $preferred_subdir, $basename); $slug = $data['slug'] ?? self::cleanSlug(sprintf('%s/%s', $preferred_subdir, $basename));
// Detected an image? // Detected an image?
if (substr($mimetype, 0, 5) == 'image') if (substr($mimetype, 0, 5) == 'image')