fixes #23 only admins can use HTML in photo/album properties

Piwigo · Mar 1, 2024 · 4597c19 · 4597c19
1 parent 51028c7
commit 4597c19
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/include/events.inc.php b/include/events.inc.php
@@ -301,16 +301,16 @@ function admintools_save_picture()
     check_pwg_token();
 
     $data = array(
-      'name' =>   $_POST['name'],
-      'author' => $_POST['author'],
+      'name' =>   (is_admin() and $conf['allow_html_descriptions']) ? $_POST['name'] : strip_tags($_POST['name']),
+      'author' => (is_admin() and $conf['allow_html_descriptions']) ? $_POST['author'] : strip_tags($_POST['author']),
       );
 
     if ($MultiView->is_admin())
     {
       $data['level'] = $_POST['level'];
     }
 
-    if ($conf['allow_html_descriptions'])
+    if (is_admin() and $conf['allow_html_descriptions'])
     {
       $data['comment'] = @$_POST['comment'];
     }
@@ -354,11 +354,13 @@ function admintools_save_category()
 
   if (@$_POST['action'] == 'quick_edit')
   {
+    check_pwg_token();
+
     $data = array(
-      'name' => $_POST['name'],
+      'name' => (is_admin() and $conf['allow_html_descriptions']) ? $_POST['name'] : strip_tags($_POST['name']),
       );
 
-    if ($conf['allow_html_descriptions'])
+    if (is_admin() and $conf['allow_html_descriptions'])
     {
       $data['comment'] = @$_POST['comment'];
     }