Index: openacs-4/packages/xowiki/tcl/package-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/package-procs.tcl,v
diff -u -r1.291.2.22 -r1.291.2.23
--- openacs-4/packages/xowiki/tcl/package-procs.tcl	27 May 2016 08:26:30 -0000	1.291.2.22
+++ openacs-4/packages/xowiki/tcl/package-procs.tcl	1 Jun 2016 10:41:36 -0000	1.291.2.23
@@ -147,6 +147,13 @@
     return [string range [my default_locale] 0 1]
   }
 
+  Package instproc validate_tag {tag} {
+    if {![regexp {^[\w-]+$} $tag]} {
+      ad_return_complaint 1 "invalid tag"
+      ad_script_abort
+    }
+  }
+
   Package array set www-file {
     admin 1
     diff 1
@@ -1570,11 +1577,7 @@
     if {$(lang) eq "tag"} {
       # todo: missing: tag links to subdirectories, also on url generation
       set tag $stripped_url
-      if {![regexp {^[\w.,: -]+$} $tag]} {
-        ad_return_complaint 1 "invalid tag"
-        ad_script_abort
-      }
-
+      :validate_tag $tag
       set summary [::xo::cc query_parameter summary 0]
       set popular [::xo::cc query_parameter popular 0]
       if {$summary eq ""} {set summary 0}
Index: openacs-4/packages/xowiki/tcl/weblog-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/weblog-procs.tcl,v
diff -u -r1.70.2.8 -r1.70.2.9
--- openacs-4/packages/xowiki/tcl/weblog-procs.tcl	11 May 2016 07:01:01 -0000	1.70.2.8
+++ openacs-4/packages/xowiki/tcl/weblog-procs.tcl	1 Jun 2016 10:41:36 -0000	1.70.2.9
@@ -66,10 +66,10 @@
     set extra_where_clause ""
 
     if {$date ne ""} {
-      if {[regexp -nocase -- {(['\"<>\(\)%*]|null|select)} $date]} {
-        ns_log Warning "ignoring invalid date '$date'"
-        set date ""
-        set query [::xo::update_query $query date ""]
+      if {![regexp {^\d\d\d\d[-]\d\d[-]\d\d$} $date]} {
+        ns_log Warning "invalid date '$date'"
+        ad_return_complaint 1 "invalid date"
+        ad_script_abort
       }
     }
     if {$date ne ""} {
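Review bot: `Package instproc validate_tag` carries no comment saying what a valid tag is, and its pattern `^[\w-]+$` is narrower than the `^[\w.,: -]+$` it replaces in the second hunk of this file, so any stored tag containing a space, period, comma or colon is no longer reachable through the tag URL or through the weblog tag/ptag filters that now call it (hunks @@ -102 and @@ -110 of weblog-procs.tcl). I would add above the instproc: `# Accept only word characters and "-"; keep in sync with the characters allowed when a tag is stored, since a rejected tag becomes unreachable.` The tag-creation path is not in this diff, so whether it still accepts the wider set should be checked. Note also that `\w` in a Tcl bracket expression matches Unicode letters and digits, not just ASCII, so the comment should state which was intended.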
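Review bot: `:validate_tag $tag` uses the `:` self-call prefix while the surrounding code in this file calls methods with `my` (`[my default_locale]` in the first hunk); mixing the two idioms in one file makes method dispatch harder to follow, so I would write `my validate_tag $tag` here, or convert the file consistently in a separate change. The enclosing proc starts and ends outside the hunk, so I cannot see how `$tag` is consumed afterwards or whether the tighter character set affects that use.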
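Review bot: The new `^\d\d\d\d[-]\d\d[-]\d\d$` check fixes the shape of `$date` but not its validity, so a value like `2016-99-99` passes and whatever consumes `$date` after this hunk (outside view) sees an impossible date, presumably surfacing as a database or conversion error instead of the clean complaint. A calendar check after the format check would close that: `if {[catch {clock scan $date -format %Y-%m-%d}]} { ad_return_complaint 1 "invalid date"; ad_script_abort }` (how strictly `clock scan` rejects out-of-range fields depends on the Tcl version, so confirm). Separately, `ns_log Warning "invalid date '$date'"` now writes the raw rejected value to the server log, and since it failed the format check it can contain any characters; logging a truncated or escaped form, or just the fact of rejection, keeps log lines well-formed. The enclosing proc continues outside the hunk.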
@@ -86,8 +86,8 @@
     set category_ids {}
     foreach cid [split $category_id ,] {
       if {![string is integer -strict $cid]} {
-        ns_log warning "weblog: ignoring invalid category_id $cid"
-        continue
+        ad_return_complaint 1 "invalid category_id"
+        ad_script_abort
       }
       append extra_where_clause "and exists (select * from category_object_map \
         where object_id = ci.item_id and category_id = '$cid')"
@@ -102,6 +102,7 @@
     }
     #my msg "tag=$tag"
     if {$tag ne ""} {
+      $package_id validate_tag $tag
       set filter_msg "Filtered by your tag $tag"
       append extra_from_clause " join xowiki_tags tags on (tags.item_id = bt.item_id) "
       append extra_where_clause "and tags.tag = :tag and \
@@ -110,6 +111,7 @@
     }
     #my msg "ptag=$ptag"
     if {$ptag ne ""} {
+      $package_id validate_tag $ptag
       set filter_msg "Filtered by popular tag $ptag"
       append extra_from_clause " join xowiki_tags tags on (tags.item_id = bt.item_id) "
       append extra_where_clause "and tags.tag = :ptag "
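Review bot: `string is integer -strict` is the only check between `$cid` and the quoted literal `category_id = '$cid'` appended to `extra_where_clause` three lines later, and it accepts more than a decimal id: Tcl integer syntax includes hex (`0x…`), octal and binary forms and surrounding whitespace, which would reach the database as a quoted string and likely be rejected there rather than here. A comment tying the check to the interpolation plus a narrower test makes the intent explicit: `# $cid is interpolated into SQL below; allow plain decimal ids only` and `if {![regexp {^\d+$} $cid]} {`. The enclosing proc starts and ends outside the hunk.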
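Review bot: `$package_id validate_tag $tag` dispatches on `$package_id` as an object, which presumably resolves to the current `Package` instance; without a comment the line reads like an ordinary proc call, so I would add `# $package_id is the xowiki Package object; aborts the request on a malformed tag`. The same applies to `$package_id validate_tag $ptag` in the following hunk (@@ -110). Since the query already binds the value via `tags.tag = :tag`, this check narrows which stored tags can be used as a filter rather than protecting the SQL, which is worth stating in that comment so the next reader does not loosen it in the wrong place.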