admin/batch_manager_global.php

@@ -51,8 +51,21 @@
 }
 else if (isset($_POST['setSelected']))
 {
-  check_input_parameter('whole_set', $_POST, false, '/^\d+(,\d+)*$/');
+  // Here we don't use check_input_parameter because preg_match has a limit in
+  // the repetitive pattern. Found a limit to 3276 but may depend on memory.
+  //
+  // check_input_parameter('whole_set', $_POST, false, '/^\d+(,\d+)*$/');
+  //
+  // Instead, let's break the input parameter into pieces and check pieces one by one.
   $collection = explode(',', $_POST['whole_set']);
+
+  foreach ($collection as $id)
+  {
+    if (!preg_match('/^\d+$/', $id))
+    {
+      fatal_error('[Hacking attempt] the input parameter "whole_set" is not valid');
+    }
+  }
 }
 else if (isset($_POST['selection']))
 {

admin/batch_manager_unit.php

@@ -32,6 +32,7 @@
 
 if (isset($_POST['submit']))
 {
+  check_pwg_token();
   check_input_parameter('element_ids', $_POST, false, '/^\d+(,\d+)*$/');
   $collection = explode(',', $_POST['element_ids']);
 
@@ -110,6 +111,7 @@
     'F_ACTION' => $base_url.get_query_string_diff(array()),
     'level_options' => get_privacy_level_options(),
     'ADMIN_PAGE_TITLE' => l10n('Batch Manager'),
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
 

admin/cat_modify.php

@@ -359,7 +359,7 @@ function get_min_local_dir($local_dir)
   // representant ?
   if (!empty($category['representative_picture_id']))
   {
-    $tpl_representant['picture'] = get_category_representant_properties($category['representative_picture_id'], IMG_SMALL);
+    $tpl_representant['picture'] = get_category_representant_properties($category['representative_picture_id'], IMG_MEDIUM);
   }
 
   // can the admin choose to set a new random representant ?

admin/include/functions.php

@@ -2365,6 +2365,9 @@ function get_extents($start='')
  */
 function create_tag($tag_name)
 {
+  // clean the tag, no html/js allowed in tag name
+  $tag_name = strip_tags($tag_name);
+
   // does the tag already exists?
   $query = '
 SELECT id
@@ -2862,7 +2865,7 @@ function get_tag_ids($raw_tags, $allow_create=true)
     elseif ($allow_create)
     {
       // we have to create a new tag
-      $tag_ids[] = tag_id_from_tag_name($raw_tag);
+      $tag_ids[] = tag_id_from_tag_name(strip_tags($raw_tag));
     }
   }
 

admin/include/image.class.php

@@ -638,12 +638,14 @@ function rotate($rotation)
 
   function set_compression_quality($quality)
   {
+    global $conf;
+
     if ($this->is_animated_webp)
     {
       // in cas of animated WebP, we need to maximize quality to 70 to avoid
       // heavy thumbnails (or square or whatever is displayed on the thumbnails
       // page)
-      $quality = min($quality, 70);
+      $quality = min($quality, $conf['animated_webp_compression_quality']);
     }
 
     $this->add_command('quality', $quality);

admin/themes/default/js/albums.js

@@ -152,8 +152,15 @@ $(document).ready(() => {
       },
       success: function (raw_data) {
         data = jQuery.parseJSON(raw_data);
-        $("#cat-"+catToEdit).find(".move-cat-title-container p.move-cat-title").html($(".RenameAlbumLabelUsername input").val());
-        $("#cat-"+catToEdit).find(".move-cat-title-container p.move-cat-title").attr('title', $(".RenameAlbumLabelUsername input").val());
+        const node_id = $("#cat-"+catToEdit).find('.move-cat-toogler').attr('data-id');
+        const node = $('.tree').tree('getNodeById', node_id);
+        node.name = $(".RenameAlbumLabelUsername input").val();
+        $('.tree').tree('updateNode', node, $(".RenameAlbumLabelUsername input").val());
+
+        $(".move-cat-title-container").on("click", function () {
+          openRenameAlbumPopIn($(this).find(".move-cat-title").attr("title"));
+          $(".RenameAlbumSubmit").data("cat_id", $(this).attr('data-id'));
+        });
         closeRenameAlbumPopIn();
       },
       error: function(message) {
@@ -583,6 +590,7 @@ function getAllSubAlbumsFromNode(node, nb_sub_cats) {
 function setSubcatsBadge(node) {
   if (node.children.length != 0) {
     $("#cat-"+node.id).find(".nb-subcats").text(node.children.length).show(100);
+    $("#cat-"+node.id).find(".badge-dropdown").find(".nb-subcats").text(x_nb_subcats.replace('%d', node.children.length));
   } else {
     $("#cat-"+node.id).find(".nb-subcats").hide(100)
   }
@@ -758,6 +766,15 @@ function changeParent(node, parent, rank) {
         data = jQuery.parseJSON(raw_data);
         if (data.stat === "ok") {
           changeRank(node, rank)
+          const updated_cats = data.result.updated_cats;
+          if (updated_cats) 
+          {
+            updated_cats.forEach((cat) => {
+              const node = $('.tree').tree('getNodeById', cat.cat_id);
+              node.nb_sub_photos = cat.nb_sub_photos;
+              $('.tree').tree('updateNode', node, node.name);
+            });
+          }
           res();
         } else {
           rej(raw_data);

admin/themes/default/js/cat_modify.js

@@ -481,7 +481,7 @@ jQuery(document).ready(function() {
   });
   $(document).on('keyup', function (e) {
     // 27 is 'Escape'
-    if(e.keyCode === 27) {
+    if(e.keyCode === 27 && desc_modal.is(':visible')) {
       desc_modal.fadeToggle();
     }
   });

admin/themes/default/js/history.js

@@ -47,12 +47,16 @@ $(document).ready(() => {
   });
 
   $('.date-end').on("change", function () {
-    console.log($('.date-end input[name="end"]').attr("value"));
-    if (current_param.end != $('.date-end input[name="end"]').attr("value")) {
-      console.log("HERE");
+    const newValue = $('.date-end input[name="end"]').attr("value");
+    if (current_param.end != newValue) {
       current_param.end = $('.date-end input[name="end"]').attr("value");
       current_param.pageNumber = 0;
-      fillHistoryResult(current_param);
+      // The datepicker first fills the end-date with '1899-12-31',
+      // which triggers an unnecessary ajax request
+      // when you come to the history search page from a photo.
+      if (newValue !== '1899-12-31') {
+        fillHistoryResult(current_param);
+      }
     }
   });
 
@@ -368,13 +372,130 @@ function lineConstructor(line, id, imageDisplay) {
       newLine.find(".type-id").hide();
       break;
     case "search":
+      // for debug
+      // console.log('search n° : ', line.SEARCH_ID, ' ', line.SEARCH_DETAILS);
+      const search_details = line.SEARCH_DETAILS;
+      const search_icons = {
+        'allwords': 'gallery-icon-search',
+        'tags': 'gallery-icon-tag',
+        'date_posted': 'gallery-icon-calendar-plus',
+        'cat': 'gallery-icon-album',
+        'author': 'gallery-icon-user-edit',
+        'added_by': 'gallery-icon-user',
+        'filetypes': 'gallery-icon-file-image',
+      }
       newLine.find(".type-name").html(line.SECTION);
       newLine.find(".type-id").html("#" + line.SEARCH_ID);
       if (!line.SEARCH_ID)
       {
         newLine.find(".type-id").hide();
       }
-      newLine.find(".detail-item-1").hide();
+
+      if (!search_details) 
+      {
+        newLine.find(".detail-item-1").hide();
+        break; 
+      }
+      let active_search_details = {};
+      Object.keys(search_details).forEach(key => {
+          if (search_details[key] !== null) {
+            active_search_details[key] = search_details[key];
+          }
+      });
+      let count_item = 1;
+      let active_more = [];
+      const active_items = Object.keys(active_search_details);
+      if (active_items.length > 0)
+      {
+        if (active_search_details.allwords)
+        {
+          newLine.find(".detail-item-" + count_item).html(active_search_details.allwords.join(' ')).addClass(search_icons.allwords + ' tiptip');
+          newLine.find(".detail-item-" + count_item).attr('title', '<b>' + str_search_details['allwords'] + ' :</b> ' + active_search_details.allwords.join(' '));
+          count_item++;
+          active_more.push('allwords');
+        }
+        if (active_search_details.cat)
+        {
+          const array_cat = Object.values(active_search_details.cat);
+          const cat = array_cat.join(' + ');
+          let temp_div = $('<div>').html(cat);
+          let text = temp_div.text().trim();
+          newLine.find(".detail-item-" + count_item).html(cat).addClass(search_icons.cat + ' tiptip');
+          newLine.find(".detail-item-"+ count_item).attr('title','<b>' + str_search_details['cat'] + ' :</b> ' + text).removeClass("hide");
+          count_item++;
+          active_more.push('cat');
+        }
+        if (count_item <= 2 && active_search_details.tags)
+        {
+          const array_tags = Object.values(active_search_details.tags);
+          newLine.find(".detail-item-" + count_item).html(array_tags.join(' + ')).addClass(search_icons.tags + ' tiptip');
+          newLine.find(".detail-item-"+ count_item).attr('title', '<b>' + str_search_details['tags'] + ' :</b> ' + array_tags.join(' + ')).removeClass("hide");
+          count_item++;
+          active_more.push('tags');
+        }
+        if (count_item <= 2)
+        {
+          let badge_to_add = active_items.length == 1 ? 1 : count_item == 1 ? 2 : 1;
+          let badge_added = 0;
+          active_items.some(key => {
+            if (key !== 'allwords' && key !== 'cat' && key !== 'tags') {
+              let array_key;
+              if (Array.isArray(active_search_details[key]))
+              {
+                array_key = active_search_details[key];
+              }
+              else if (typeof active_search_details[key] === 'object')
+              {
+                array_key = Object.values(active_search_details[key]);
+              }
+              else
+              {
+                array_key = [active_search_details[key]];
+              }
+              newLine.find(".detail-item-" + count_item).html(array_key.join(' + ')).addClass(search_icons[key] + ' tiptip');
+              newLine.find(".detail-item-" + count_item).attr('title', '<b>' + str_search_details[key] + ' :</b> ' + array_key.join(' + ')).removeClass("hide");
+              count_item++;
+              badge_added++;
+              active_more.push(key);
+              if (badge_added === badge_to_add) {
+                return true;
+              }
+            }
+            return false;
+          });
+        }
+      }
+      else
+      {
+        newLine.find(".detail-item-1").hide();
+      }
+      if (active_items.length >= 3) 
+      {
+        let count_more = 0;
+        let search_details_str = Object.entries(active_search_details)
+        .filter(([key]) => !active_more.includes(key))
+          .map(([key, value]) => {
+            let value_str;
+            if(Array.isArray(value)) {
+              value_str = value.join(' + ');
+            } else if (typeof value === 'object') {
+              value_str = Object.entries(value).map(([k, v]) => v).join(' + ');
+            } else {
+              value_str = value;
+            }
+
+            if (key == 'cat')
+            {
+              let temp_div = $('<div>').html(value_str);
+              let text = temp_div.text().trim();
+              value_str = text;
+            }
+            count_more++;
+            return `<b>${str_search_details[key]}</b> : ${value_str}`;
+          }).join(' <br />');
+        newLine.find(".detail-item-3").html(sprintf(str_and_more, count_more)).addClass('icon-info-circled-1 tiptip');
+        newLine.find(".detail-item-3").attr('title', search_details_str).removeClass('hide');
+      }
       break;
     case "favorites":
       newLine.find(".type-name").html(str_favorites);

admin/themes/default/template/batch_manager_unit.tpl

@@ -114,6 +114,7 @@ jQuery("a.preview-box").colorbox( {
 {if !empty($navbar)}{include file='navigation_bar.tpl'|@get_extent:'navbar'}{/if}
 
 <p>
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
   <button class="buttonLike" type="submit" value="{'Submit'|@translate}" name="submit"><i class="icon-floppy"></i>{'Submit'|@translate}</button>
   <button class="resetButton" type="reset" value="{'Reset'|@translate}" name="reset">{'Reset'|@translate}</button>
 

admin/themes/default/template/cat_modify.tpl

@@ -43,7 +43,7 @@ str_root = '{'Root'|@translate|escape:javascript}';
 
   <div class="cat-modify-header">
     <div class="cat-modify-ariane">
-    <a class="icon-sitemap tiptip" href="{$U_MOVE}" title="{'Manage sub-albums'|@translate}"></a>
+    <span class="icon-home"> /</span>
       {$CATEGORIES_NAV}
     </div>
 

admin/themes/default/template/history.tpl

@@ -50,6 +50,17 @@ const str_guest = '{'guest'|@translate}';
 const str_contact_form = '{'Contact Form'|@translate}';
 const str_edit_img = '{'Edit photo'|@translate}';
 
+const str_search_details = {
+    "allwords": "{'Search for words'|@translate}",
+    "date_posted": "{'Post date'|@translate}",
+    "tags": str_tags,
+    "cat": "{'Album'|@translate}",
+    "author": "{'Author'|@translate}",
+    "added_by": "{'Added by'|@translate}",
+    "filetypes": "{'File type'|@translate}",
+};
+const str_and_more = "{'and %d more'|@translate}"
+
 const guest_id = {$guest_id};
 {/footer_script}
 
@@ -58,6 +69,7 @@ const guest_id = {$guest_id};
 
 {combine_script id='jquery.confirm' load='footer' require='jquery' path='themes/default/js/plugins/jquery-confirm.min.js'}
 {combine_css path="admin/themes/default/fontello/css/animation.css" order=10} {* order 10 is required, see issue 1080 *}
+{combine_css path="themes/default/vendor/fontello/css/gallery-icon.css" order=-10}
 
 <form class="filter" method="post" name="filter" action="">
 <fieldset class="history-filter">
@@ -470,7 +482,7 @@ jQuery(document).ready( function() {
 
 .detail-title,
 .detail-section {
-  max-width: 500px;
+  width: 500px;
   text-align: left;
   padding-left: 10px;
 }
@@ -480,7 +492,7 @@ jQuery(document).ready( function() {
   padding: 4px 8px;
   border-radius: 5px;
 
-  max-width: 250px;
+  max-width: 130px;
   height: 20px;
 
   text-align: center;
@@ -718,4 +730,13 @@ jQuery(document).ready( function() {
 .loading {
   font-size: 25px;
 }
+@media (min-width: 1600px) {
+  .detail-title,
+  .detail-section {
+    max-width: 500px;
+  }
+  .detail-item {
+    max-width: 170px;
+  }
+}
 </style>

admin/themes/default/theme.css

@@ -6224,7 +6224,10 @@ li.plupload_delete a:hover {background: url("images/cancelhover.svg")!important;
 #action_title .large, #action_author .large {padding: 12px 10px; border: 1px solid #787777a6;margin-bottom: 8px;}
 #action_add_tags .selectize-input.items.not-full.has-options, 
 #action_add_tags .selectize-input.items.not-full.has-options.focus.input-active.dropdown-active, .selectize-input.items.not-full, .selectize-input.items.full {
-	padding: 10px 10px; height: 45px; box-shadow: none; border-radius: 0px; border: 1px solid #787777a6;
+	padding: 10px 10px; box-shadow: none; border-radius: 0px; border: 1px solid #787777a6;
+  height: auto !important;
+  min-height: 45px;
+  max-height: 184px;
 }
 
 .pageNumberSelected {background-color: #ffaf58 !important; border: none !important; border-radius: 0 !important;}

include/config_default.inc.php

@@ -925,6 +925,10 @@
 // EXIF/IPTC... from derivative?
 $conf['derivatives_strip_metadata_threshold'] = 256000;
 
+// For animated webP files, to avoid heavy derivatives, set a specific quality,
+// different from derivatives.resize_quality
+$conf['animated_webp_compression_quality'] = 70;
+
 //Maximum Ajax requests at once, for thumbnails on-the-fly generation
 $conf['max_requests']=3;
 

include/constants.php

@@ -7,7 +7,7 @@
 // +-----------------------------------------------------------------------+
 
 // Default settings
-define('PHPWG_VERSION', '14.2.0');
+define('PHPWG_VERSION', '14.3.0');
 define('PHPWG_DEFAULT_LANGUAGE', 'en_UK');
 
 // this constant is only used in the upgrade process, the true default theme