- web: show explanation if try to change team name to one in use

- web: don't allow bad tags in team name HTML svn path=/trunk/boinc/; revision=14339
2007-12-01 22:43:11 +00:00 · 2007-12-01 22:43:11 +00:00 · fa601671b6
parent 966a64523e
commit fa601671b6
3 changed files with 37 additions and 8 deletions
--- a/7
+++ b/7
@ -11993,3 +11993,10 @@ David  30 Nov 2007
    html/user/
        forum_index.php
        forum_forum.php
+
+David  1 Dec 2007
+    - web: show explanation if try to change team name to one in use
+    - web: don't allow bad tags in team name HTML
+
+    html/user/
+        team_edit_action.php
--- a/html/inc/bolt_ex.inc
+++ b/html/inc/bolt_ex.inc
@ -19,7 +19,6 @@ function bolt_exclusive_choice($choices) {
    global $bolt_ex_state;  // output if SHOW, else input
    global $bolt_ex_score;  // output if SCORE

-        echo "BLAH";
    switch ($bolt_ex_mode) {
    case BOLT_MODE_SHOW:
        // Shuffle the answers;
@ -65,4 +64,18 @@ function bolt_exclusive_choice($choices) {
    }
    $bolt_ex_index++;
 }
+
+function bolt_image_rect($img, $rect) {
+    global $bolt_ex_mode;   // input
+    global $bolt_ex_index;  // input
+    global $bolt_ex_state;  // output if SHOW, else input
+    global $bolt_ex_score;  // output if SCORE
+
+    switch ($bolt_ex_mode) {
+    case BOLT_MODE_SHOW:
+        echo "<img src=$img";
+        break;
+    }
+}
+
 ?>
--- a/html/user/team_edit_action.php
+++ b/html/user/team_edit_action.php
@ -2,6 +2,7 @@

 require_once("../inc/util.inc");
 require_once("../inc/team.inc");
+require_once("../inc/sanitize_html.inc");
 require_once("../inc/boinc_db.inc");

 $user = get_logged_in_user();
@ -18,8 +19,13 @@ if ($x) {
 }
 $team_name = process_user_text(strip_tags(post_str("name")));
 $team_name_lc = strtolower($team_name);
-$team_name_html = process_user_text(post_str("name_html", true));
-//Do we really not want to scrub out bad HTML tags?
+$tnh = post_str("name_html", true);
+$team_name_html = sanitize_html($tnh);
+
+if ($team_name_html != $tnh) {
+    error_page("HTML name contains disallowed tags: ".htmlspecialchars($tnh));
+}
+$team_name_html = process_user_text($team_name_html);

 $team_description = process_user_text(post_str("description", true));
 $type = process_user_text(post_str("type", true));
@ -31,12 +37,14 @@ if (!is_valid_country($country)) {
    error_page("bad country");
 }

-if (! is_numeric($teamid)) {
-    error_page("Team ID must be numeric.");
+$t = BoincTeam::lookup("name='$team_name'");
+if ($t && $t->id != $teamid) {
+    error_page("The name '$team_name' is being used by another team.");
 }
-
-if (strlen($team_name) == 0) { // Should be caught up with the post_str("name"),
-    error_page("Must specify team name"); // but you can never be too safe.
+if (strlen($team_name) == 0) {
+    error_page("Must specify team name");
+    // Should be caught up with the post_str("name"),
+    // but you can never be too safe.
 }

 $clause = sprintf(
@ -55,6 +63,7 @@ $clause = sprintf(
    $type,
    $country
 );
+
 $ret = $team->update($clause);
 if ($ret) {
    Header("Location: team_display.php?teamid=$team->id");