From: Michael J. Rubinsky
Date: Sun, 9 May 2010 17:06:46 +0000 (-0400)
Subject: Merge from CVS (Bug # 9005).
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=630a32e184831be163232908ce7a99936d834c26;p=horde.git
Merge from CVS (Bug # 9005).
---
diff --git a/ansel/docs/CHANGES b/ansel/docs/CHANGES
index 415d33ccf..7e63781f4 100644
--- a/ansel/docs/CHANGES
+++ b/ansel/docs/CHANGES
@@ -10,6 +10,7 @@ v2.0-git v1.1.2-cvs ---------- +[mjr] Enforce the same allowed characters for tags as slugs (Bug #9005). [mjr] Fix clicking on image edit actions causes logout when not using cookies. [mjr] Fix adding a face name from the gallery faces view (Bug #9002).
diff --git a/ansel/lib/Tags.php b/ansel/lib/Tags.php
index cd186b7e7..7f40ae64b 100644
--- a/ansel/lib/Tags.php
+++ b/ansel/lib/Tags.php
@@ -39,6 +39,9 @@ class Ansel_Tags {
 $insert = $GLOBALS['ansel_db']->prepare('INSERT INTO ansel_tags (tag_id, tag_name) VALUES(?, ?)');
 foreach ($tags as $tag) {
 if (!empty($tag)) {
+ if (!preg_match("/^[a-zA-Z0-9%_+.!*',()~-]*$/", $tag)) {
+ return PEAR::raiseError(_("Invalid characters in tag"));
+ }
 $tag = Horde_String::lower(trim($tag));
 $sql = $GLOBALS['ansel_db']->prepare('SELECT tag_id FROM ansel_tags WHERE tag_name = ?');
 $result = $sql->execute(Horde_String::convertCharset($tag, Horde_Nls::getCharset(), $GLOBALS['conf']['sql']['charset']));
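Review bot: The new `preg_match` check in ansel/lib/Tags.php runs on the raw `$tag`, before the `trim()` on the next line, so a tag with only surrounding whitespace is rejected (for example, if the caller splits a comma-separated list without trimming). Moving `$tag = Horde_String::lower(trim($tag));` above the check would validate the value that is actually stored. Because the check sits inside the `foreach` and returns on the first bad tag, tags earlier in `$tags` have presumably already been looked up or inserted by then; validating the whole array before the loop would avoid a partial write. The allowed set still includes `'`, `%`, `(` and `)`, so it does not replace escaping tag names on output in HTML or URL context, although the queries shown are parameterized. Adding the `D` modifier (`/^[a-zA-Z0-9%_+.!*',()~-]*$/D`) stops `$` from matching before a trailing newline; the enclosing method starts and ends outside the hunk.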