From b57ac1c4c761d359ff42ff67b899338be169fb6e Mon Sep 17 00:00:00 2001
From: "Michael J. Rubinsky"
Date: Mon, 21 Dec 2009 17:02:40 -0500
Subject: [PATCH] urlencode/decdode and escape html for tags, general clean up
---
 kronolith/js/tagactions.js | 2 +-
 kronolith/lib/Ajax/Imple/TagActions.php | 4 ++--
 kronolith/lib/Event.php | 2 +-
 kronolith/templates/edit/edit.inc | 1 -
 kronolith/templates/panel.inc | 2 +-
 kronolith/templates/view/view.inc | 2 +-
 6 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/kronolith/js/tagactions.js b/kronolith/js/tagactions.js
index 9dd3f13c5..4a2e98c8f 100644
--- a/kronolith/js/tagactions.js
+++ b/kronolith/js/tagactions.js
@@ -1,7 +1,7 @@
 function addTag(resource, type, endpoint) {
 if (!$('newtags-input_' + resource).value.blank()) {
- var params = { "params": "resource=" + resource + "/type=" + type + "/tags=" + $('newtags-input_' + resource).value };
+ var params = { "params": "resource=" + resource + "/type=" + type + "/tags=" + encodeURIComponent($('newtags-input_' + resource).value) };
 new Ajax.Updater({success:'tags_' + resource}, endpoint + "/action=add/post=params", {
diff --git a/kronolith/lib/Ajax/Imple/TagActions.php b/kronolith/lib/Ajax/Imple/TagActions.php
index 6f58a9f80..4a291e16c 100644
--- a/kronolith/lib/Ajax/Imple/TagActions.php
+++ b/kronolith/lib/Ajax/Imple/TagActions.php
@@ -45,7 +45,7 @@ class Kronolith_Ajax_Imple_TagActions extends Horde_Ajax_Imple_Base
 $request = $args['action'];
 $content = array('id' => $post['resource'], 'type' => $post['type']);
- $tags = $post['tags'];
+ $tags = rawurldecode($post['tags']);
 // Check perms
 if ($post['type'] == 'calendar') {
@@ -98,7 +98,7 @@ class Kronolith_Ajax_Imple_TagActions extends Horde_Ajax_Imple_Base
 }
 foreach ($tags as $tag_id => $tag) {
- $html .= '
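Review bot: Only the tag text is percent-encoded into the ad-hoc `resource=…/type=…/tags=…` string on the new `var params` line; `resource` and `type` are still concatenated raw, so a resource id containing `/` or `=` would still corrupt the field split on the server, assuming that string is split on those characters as its shape suggests. If resource ids can carry such characters, encode them the same way, `"resource=" + encodeURIComponent(resource) + "/type=" + encodeURIComponent(type)`, and decode them next to `tags` on the PHP side. A comment above the line, `// encoded once here, decoded once by rawurldecode() in TagActions.php; the form encoding of the outer "params" field is a separate layer PHP strips itself`, would keep the two ends from drifting apart. addTag's body continues past the hunk.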
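Review bot: `rawurldecode()` is applied to `$post['tags']` for every action, but the JavaScript hunk above only encodes the value in addTag; if another caller of this endpoint (the remove path, or a client that is not tagactions.js) posts tags unencoded, a tag containing `%` followed by two hex digits is silently altered. Tie the decode to the request that is known to be encoded, e.g. `$tags = $request == 'add' ? rawurldecode($post['tags']) : $post['tags'];`, or decode inside whatever splits the `/`-delimited `params` string so every field is handled uniformly. As before the change, `$post['tags']` is read unconditionally, so a request without that key still triggers an undefined-index notice; `isset()` or a default would cover it. The enclosing method starts before the hunk.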
  • ' . $tag . ($hasEdit ? '' . Horde::img('delete-small.png', _("Remove Tag"), '', $GLOBALS['registry']->getImageDir('horde')) . '' : '') . '
  • '; + $html .= '
  • ' . htmlspecialchars($tag) . ($hasEdit ? '' . Horde::img('delete-small.png', _("Remove Tag"), '', $GLOBALS['registry']->getImageDir('horde')) . '' : '') . '
  • ';
 }
 return $html;
diff --git a/kronolith/lib/Event.php b/kronolith/lib/Event.php
index aa69265d4..deb07524d 100644
--- a/kronolith/lib/Event.php
+++ b/kronolith/lib/Event.php
@@ -1902,7 +1902,7 @@ abstract class Kronolith_Event
 }
 // Tags.
- $this->tags = Horde_Util::getFormData('tags', $this->tags);
+ $this->tags = htmlspecialchars_decode(Horde_Util::getFormData('tags', $this->tags));
 // Geolocation
 $this->geoLocation = array('lat' => Horde_Util::getFormData('lat'),
diff --git a/kronolith/templates/edit/edit.inc b/kronolith/templates/edit/edit.inc
index 1782df834..6783a9a13 100644
--- a/kronolith/templates/edit/edit.inc
+++ b/kronolith/templates/edit/edit.inc
@@ -402,7 +402,6 @@ endif; -
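Review bot: `htmlspecialchars($tag)` on the `$html .=` line relies on the defaults (ENT_COMPAT and PHP's built-in default charset), so single quotes are left alone and multibyte tag names are interpreted in whatever charset the PHP build assumes rather than the application's; pass both explicitly, `htmlspecialchars($tag, ENT_QUOTES, $charset)`, using the charset the rest of Kronolith's output uses. The markup around the tag was lost in this copy of the patch, so I cannot tell whether `$tag_id` is also interpolated into the delete link's attribute or onclick; if it is, that sink needs attribute-context escaping too, since escaping only the visible text leaves it open. The method's opening lines are outside the hunk.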
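Review bot: `htmlspecialchars_decode()` on the new `$this->tags = …` line decodes entities on the input side, which is the wrong end: a browser already decodes `&amp;`/`&quot;` inside an escaped `value="…"` attribute before submitting, so if the edit template escapes the field this double-decodes and a tag the user literally types as `&amp;` is stored as `&`, and if the template does not escape it the fix belongs in the template. Its default flags also leave `&#039;` untouched, so it would not even round-trip a single quote escaped with ENT_QUOTES. If the posted value or the `$this->tags` default can be an array rather than a string, the call emits a warning and yields null, so the pre-change `$this->tags = Horde_Util::getFormData('tags', $this->tags);` looks like the safer line. The enclosing method starts and ends outside the hunk.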
    'tags', 'id' => $event->uid)); $tac->attach();
diff --git a/kronolith/templates/panel.inc b/kronolith/templates/panel.inc
index aa2e7b2ec..a79e2baec 100644
--- a/kronolith/templates/panel.inc
+++ b/kronolith/templates/panel.inc
@@ -67,7 +67,7 @@ $tagger = Kronolith::getTagger(); $tag): ?>
  • hasPermission(Horde_Auth::getAuth(), Horde_Perms::EDIT)) { echo '' . Horde::img('delete-small.png', _("Remove Tag"), '', $registry->getImageDir('horde'))
diff --git a/kronolith/templates/view/view.inc b/kronolith/templates/view/view.inc
index e90df702a..e5bd45a6b 100644
--- a/kronolith/templates/view/view.inc
+++ b/kronolith/templates/view/view.inc
@@ -140,7 +140,7 @@ if ($this->event->initialized && $this->event->alarm > 0): - + -- 2.11.0