Asset: let slugs consist only of an explicit set of allowed characters #41

Merged
Roflin merged 1 commits from clean-slugs into master 2023-11-22 16:03:55 +01:00
2 changed files with 12 additions and 2 deletions

View File

@ -63,7 +63,7 @@ class EditAsset extends HTMLController
{
$date_captured = !empty($_POST['date_captured']) ?
new DateTime(str_replace('T', ' ', $_POST['date_captured'])) : null;
$slug = strtr($_POST['slug'], [' ' => '-', '--' => '-', '&' => 'and', '=>' => '', "'" => "", ":"=> "", '\\' => '-']);
$slug = Asset::cleanSlug($_POST['slug']);
$asset->setKeyData(htmlspecialchars($_POST['title']), $slug, $date_captured, intval($_POST['priority']));
}

View File

@ -36,6 +36,16 @@ class Asset
$this->date_captured = new DateTime($data['date_captured']);
}
public static function cleanSlug($slug)
{
// Only alphanumerical chars, underscores and forward slashes are allowed
if (!preg_match_all('~([A-z0-9\/_]+)~', $slug, $allowedTokens, PREG_PATTERN_ORDER))
throw new UnexpectedValueException('Slug does not make sense.');
// Join valid substrings together with hyphens
return implode('-', $allowedTokens[1]);
}
public static function fromId($id_asset, $return_format = 'object')
{
$row = Registry::get('db')->queryAssoc('
@ -214,7 +224,7 @@ class Asset
$title = $data['title'] ?? $basename;
// Same with the slug.
$slug = $data['slug'] ?? sprintf('%s/%s', $preferred_subdir, $basename);
$slug = $data['slug'] ?? self::cleanSlug(sprintf('%s/%s', $preferred_subdir, $basename));
// Detected an image?
if (substr($mimetype, 0, 5) == 'image')