sanitise categories, only allow numbers letters and spaces

michield · michield · commit ba8507fcedbf · 2020-05-27T23:05:31.000+01:00
diff --git a/public_html/lists/admin/configure.php b/public_html/lists/admin/configure.php
@@ -85,6 +85,14 @@
                     $value = str_replace('[DOMAIN]', '', $value);
                     $value = str_replace('[WEBSITE]', '', $value);
                 }
+                if ($id == 'list_categories') {
+                    $categories = explode(',',$value);
+                    $clean = array();
+                    foreach ($categories as $category) {
+                        $clean[] = preg_replace('/[^A-Z0-9\. ]+/i','',$category);
+                    }
+                    $value = implode(',',$clean);
+                }
                 if (empty($value) && !$info['allowempty']) {
                     //    Error($info['description']. ' ' . $GLOBALS['I18N']->get('cannot be empty'));
                     $haserror = $info['description'].' '.$GLOBALS['I18N']->get('cannot be empty');
diff --git a/public_html/lists/admin/list.php b/public_html/lists/admin/list.php
@@ -177,7 +177,7 @@ function listMemberCounts($listId)
     }
     $tabs = new WebblerTabs();
     foreach ($aListCategories as $category) {
-        $category = trim($category);
+        $category = trim(htmlspecialchars($category));
         if ($category == '') {
             $category = s('Uncategorised');
         }

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ function listMemberCounts($listId)`
`177`	`177`	`}`
`178`	`178`	`$tabs = new WebblerTabs();`
`179`	`179`	`foreach ($aListCategories as $category) {`
`180`		`- $category = trim($category);`
	`180`	`+ $category = trim(htmlspecialchars($category));`
`181`	`181`	`if ($category == '') {`
`182`	`182`	`$category = s('Uncategorised');`
`183`	`183`	`}`