From 630a32e184831be163232908ce7a99936d834c26 Mon Sep 17 00:00:00 2001
From: "Michael J. Rubinsky"
Date: Sun, 9 May 2010 13:06:46 -0400
Subject: [PATCH] Merge from CVS (Bug # 9005).

---
 ansel/docs/CHANGES | 1 +
 ansel/lib/Tags.php | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/ansel/docs/CHANGES b/ansel/docs/CHANGES
index 415d33ccf..7e63781f4 100644
--- a/ansel/docs/CHANGES
+++ b/ansel/docs/CHANGES
@@ -10,6 +10,7 @@ v2.0-git
 
 v1.1.2-cvs
 ----------
 
+[mjr] Enforce the same allowed characters for tags as slugs (Bug #9005).
 [mjr] Fix clicking on image edit actions causes logout when not using cookies.
 [mjr] Fix adding a face name from the gallery faces view (Bug #9002).
diff --git a/ansel/lib/Tags.php b/ansel/lib/Tags.php
index cd186b7e7..7f40ae64b 100644
--- a/ansel/lib/Tags.php
+++ b/ansel/lib/Tags.php
@@ -39,6 +39,9 @@ class Ansel_Tags {
 $insert = $GLOBALS['ansel_db']->prepare('INSERT INTO ansel_tags (tag_id, tag_name) VALUES(?, ?)');
 foreach ($tags as $tag) {
 if (!empty($tag)) {
+if (!preg_match("/^[a-zA-Z0-9%_+.!*',()~-]*$/", $tag)) {
+return PEAR::raiseError(_("Invalid characters in tag"));
+}
 $tag = Horde_String::lower(trim($tag));
 $sql = $GLOBALS['ansel_db']->prepare('SELECT tag_id FROM ansel_tags WHERE tag_name = ?');
 $result = $sql->execute(Horde_String::convertCharset($tag, Horde_Nls::getCharset(), $GLOBALS['conf']['sql']['charset']));
-- 
2.11.0
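Review bot: The new whitelist check in the Tags.php hunk runs on the raw `$tag` before the `trim()` on the very next line, so a tag with a leading or trailing space (which the existing code would have silently stripped) is now rejected, while a tag with a trailing newline slips through because `$` without the `D` modifier matches before a final "\n". Both go away if the check is moved below the normalisation and anchored strictly: `$tag = Horde_String::lower(trim($tag));` then `if (!preg_match("/^[a-zA-Z0-9%_+.!*',()~-]*$/D", $tag)) {` / `    return PEAR::raiseError(_("Invalid characters in tag"));`. Since the error is returned from inside the `foreach`, any tags handled in earlier iterations have presumably already been written via `$insert` (the execute call is outside the hunk), leaving a partial write; validating every element of `$tags` before the loop starts would avoid that. The character class is ASCII-only, which the changelog says mirrors slugs, but the error message does not tell the user which characters are allowed. The enclosing method of `Ansel_Tags` starts and ends outside this hunk.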