[tt-rss.git] / classes / pref / labels.php
index 8f1f70be94ede47d0a48d570c112371d5923a77e..1dbe3e18c7efb34aae8c1b6c9ce9585d9e03ca2b 100644 (file)
@@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function edit() {
-               $label_id = $_REQUEST['id'];
+               $label_id = clean($_REQUEST['id']);
 
                $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
                        id = ? AND owner_uid = ?");
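Review bot: `clean()` is a string-oriented filter, so wrapping an integer key with it documents nothing about the value's expected type; the id is bound to a prepared statement here, so this is about precision rather than injection, and an explicit cast is the clearer check: `$label_id = (int) clean($_REQUEST['id']);`. The same applies to the `ids` lists in colorset(), colorreset() and remove() below, which could be normalised once with `array_map('intval', explode(',', clean($_REQUEST["ids"])))` so every loop body receives an int. If `id` can be absent from the request, guard the read with `isset()` to avoid an undefined-index notice. The edit() body continues past the end of this hunk.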
@@ -20,6 +20,8 @@ class Pref_Labels extends Handler_Protected {
                        print_hidden("op", "pref-labels");
                        print_hidden("method", "save");
 
+                       print "<form onsubmit='return false;'>";
+
                        print "<div class=\"dlgSec\">".__("Caption")."</div>";
 
                        print "<div class=\"dlgSecCont\">";
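Review bot: The `op` and `method` hidden inputs printed by `print_hidden()` two lines earlier end up outside the new `<form onsubmit='return false;'>` element, which is opened only after them. If those fields are meant to travel with the form's submission, move the `print "<form onsubmit='return false;'>";` line above the two `print_hidden()` calls; if the dijit dialog collects them by other means, a short comment saying so would keep the next reader from "fixing" the order. The enclosing edit() method starts before this hunk.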
@@ -76,11 +78,13 @@ class Pref_Labels extends Handler_Protected {
 #                      print "</form>";
 
                        print "<div class=\"dlgButtons\">";
-                       print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').execute()\">".
+                       print "<button dojoType=\"dijit.form.Button\" type=\"submit\" class=\"btn-primary\" onclick=\"dijit.byId('labelEditDlg').execute()\">".
                                __('Save')."</button>";
                        print "<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('labelEditDlg').hide()\">".
                                __('Cancel')."</button>";
                        print "</div>";
+
+                       print "</form>";
                }
        }
 
@@ -119,11 +123,11 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function colorset() {
-               $kind = $_REQUEST["kind"];
-               $ids = explode(',', $_REQUEST["ids"]);
-               $color = $_REQUEST["color"];
-               $fg = $_REQUEST["fg"];
-               $bg = $_REQUEST["bg"];
+               $kind = clean($_REQUEST["kind"]);
+               $ids = explode(',', clean($_REQUEST["ids"]));
+               $color = clean($_REQUEST["color"]);
+               $fg = clean($_REQUEST["fg"]);
+               $bg = clean($_REQUEST["bg"]);
 
                foreach ($ids as $id) {
 
@@ -154,7 +158,7 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function colorreset() {
-               $ids = explode(',', $_REQUEST["ids"]);
+               $ids = explode(',', clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
@@ -174,8 +178,8 @@ class Pref_Labels extends Handler_Protected {
 
        function save() {
 
-               $id = $_REQUEST["id"];
-               $caption = trim($_REQUEST["caption"]);
+               $id = clean($_REQUEST["id"]);
+               $caption = trim(clean($_REQUEST["caption"]));
 
                $this->pdo->beginTransaction();
 
@@ -206,7 +210,7 @@ class Pref_Labels extends Handler_Protected {
 
                                        $sth->execute([$caption, $old_caption, $_SESSION['uid']]);
 
-                                       print $_REQUEST["value"];
+                                       print clean($_REQUEST["value"]);
                                } else {
                                        print $old_caption;
                                }
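Review bot: The response at `print clean($_REQUEST["value"]);` echoes a request parameter back to the client rather than the `$caption` that was actually stored, and if `clean()` only strips tags the output is still not HTML-encoded (quotes and ampersands pass through). Print the stored value, encoded for the HTML context it lands in: `print htmlspecialchars($caption, ENT_QUOTES, 'UTF-8');`. The `else` branch's `print $old_caption;` takes a database value unencoded and should get the same treatment. The enclosing save() method starts and ends outside this hunk.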
@@ -221,7 +225,7 @@ class Pref_Labels extends Handler_Protected {
 
        function remove() {
 
-               $ids = explode(",", $_REQUEST["ids"]);
+               $ids = explode(",", clean($_REQUEST["ids"]));
 
                foreach ($ids as $id) {
                        Labels::remove($id, $_SESSION["uid"]);
@@ -230,8 +234,8 @@ class Pref_Labels extends Handler_Protected {
        }
 
        function add() {
-               $caption = $_REQUEST["caption"];
-               $output = $_REQUEST["output"];
+               $caption = clean($_REQUEST["caption"]);
+               $output = clean($_REQUEST["output"]);
 
                if ($caption) {