From fa601671b685efc72f321b7f627da4d122f8f1a5 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Sat, 1 Dec 2007 22:43:11 +0000
Subject: [PATCH] - web: show explanation if try to change team name to one in use
 - web: don't allow bad tags in team name HTML
svn path=/trunk/boinc/; revision=14339
---
 checkin_notes | 7 +++++++
 html/inc/bolt_ex.inc | 15 ++++++++++++++-
 html/user/team_edit_action.php | 23 ++++++++++++++++-------
 3 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/checkin_notes b/checkin_notes
index 66cfbb5a2e..456a9ac2c7 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -11993,3 +11993,10 @@ David 30 Nov 2007
 html/user/
 forum_index.php
 forum_forum.php
+
+David 1 Dec 2007
+ - web: show explanation if try to change team name to one in use
+ - web: don't allow bad tags in team name HTML
+
+ html/user/
+ team_edit_action.php
diff --git a/html/inc/bolt_ex.inc b/html/inc/bolt_ex.inc
index 6de38f220d..f0121c4a40 100644
--- a/html/inc/bolt_ex.inc
+++ b/html/inc/bolt_ex.inc
@@ -19,7 +19,6 @@ function bolt_exclusive_choice($choices) {
 global $bolt_ex_state; // output if SHOW, else input
 global $bolt_ex_score; // output if SCORE
- echo "BLAH";
 switch ($bolt_ex_mode) {
 case BOLT_MODE_SHOW:
 // Shuffle the answers;
@@ -65,4 +64,18 @@ function bolt_exclusive_choice($choices) {
 }
 $bolt_ex_index++;
 }
+
+function bolt_image_rect($img, $rect) {
+ global $bolt_ex_mode; // input
+ global $bolt_ex_index; // input
+ global $bolt_ex_state; // output if SHOW, else input
+ global $bolt_ex_score; // output if SCORE
+
+ switch ($bolt_ex_mode) {
+ case BOLT_MODE_SHOW:
+ echo "
diff --git a/html/user/team_edit_action.php b/html/user/team_edit_action.php
index 7d207a5219..73df465585 100644
--- a/html/user/team_edit_action.php
+++ b/html/user/team_edit_action.php
@@ -2,6 +2,7 @@
 require_once("../inc/util.inc");
 require_once("../inc/team.inc");
+require_once("../inc/sanitize_html.inc");
 require_once("../inc/boinc_db.inc");
 $user = get_logged_in_user();
@@ -18,8 +19,13 @@ if ($x) {
 }
 $team_name = process_user_text(strip_tags(post_str("name")));
 $team_name_lc = strtolower($team_name);
-$team_name_html = process_user_text(post_str("name_html", true));
-//Do we really not want to scrub out bad HTML tags?
+$tnh = post_str("name_html", true);
+$team_name_html = sanitize_html($tnh);
+
+if ($team_name_html != $tnh) {
+ error_page("HTML name contains disallowed tags: ".htmlspecialchars($tnh));
+}
+$team_name_html = process_user_text($team_name_html);
 $team_description = process_user_text(post_str("description", true));
 $type = process_user_text(post_str("type", true));
@@ -31,12 +37,14 @@ if (!is_valid_country($country)) {
 error_page("bad country");
 }
-if (! is_numeric($teamid)) {
- error_page("Team ID must be numeric.");
+$t = BoincTeam::lookup("name='$team_name'");
+if ($t && $t->id != $teamid) {
+ error_page("The name '$team_name' is being used by another team.");
 }
-
-if (strlen($team_name) == 0) { // Should be caught up with the post_str("name"),
- error_page("Must specify team name"); // but you can never be too safe.
+if (strlen($team_name) == 0) {
+ error_page("Must specify team name");
+ // Should be caught up with the post_str("name"),
+ // but you can never be too safe.
 }
 $clause = sprintf(
@@ -55,6 +63,7 @@ $clause = sprintf(
 $type,
 $country
 );
+
 $ret = $team->update($clause);
 if ($ret) {
 Header("Location: team_display.php?teamid=$team->id");
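Review bot: The rejection test `if ($team_name_html != $tnh)` relies on loose comparison; `!=` between two numeric-looking strings compares them as numbers, so make it `if ($team_name_html !== $tnh) {`. The check also treats any difference between the input and the sanitizer's output as "disallowed tags", so if sanitize_html() (defined in sanitize_html.inc, not visible here) normalises whitespace, attribute quoting or entities, legitimate markup would be rejected with a misleading message — confirm it only removes content, or compare against a normalised form of the input. Passing the raw `$tnh` through htmlspecialchars() before reflecting it in the error page is the right call and should be kept for any future message that echoes user input.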
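Review bot: `BoincTeam::lookup("name='$team_name'")` interpolates user-supplied text into a SQL WHERE clause; that is only safe if process_user_text() (applied above this hunk, not visible here) escapes for the database, so confirm it does or escape explicitly at this call. `error_page("The name '$team_name' is being used by another team.")` reflects the same value without the htmlspecialchars() the previous hunk applies to `$tnh`; `htmlspecialchars($team_name)` would make the two consistent. The lookup-then-update sequence is also check-then-act — two concurrent edits can both pass the name check — so a UNIQUE index on the team name column is the reliable guard, with this check kept for the friendly message. The hunk additionally drops the `is_numeric($teamid)` guard; that is fine if `$teamid` is read via post_int() above the hunk, but otherwise the check should stay, since `$teamid` is compared against `$t->id` here and presumably selects the team updated below the hunk.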