From 619849ff8b39f536e9ce40687c07589f8b262278 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Fri, 7 Feb 2020 17:05:56 +0100
Subject: [PATCH] fixes #1150 prevent HTML code in group name

It avoids any stored XSS between administrators and it's totally useless to have HTML code in the group name.
---
 admin/group_list.php                         | 14 +++++++++++++-
 admin/themes/default/template/group_list.tpl |  8 +++-----
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/admin/group_list.php b/admin/group_list.php
index ba9c89fef..7e7a3bd9f 100644
--- a/admin/group_list.php
+++ b/admin/group_list.php
@@ -45,6 +45,11 @@
   {
     $page['errors'][] = l10n('The name of a group must not contain " or \' or be empty.');
   }
+  else
+  {
+    $_POST['groupname'] = strip_tags($_POST['groupname']);
+  }
+
   if (count($page['errors']) == 0)
   {
     // is the group not already existing ?
@@ -107,7 +112,7 @@
     $group_names = array_from_query($query, 'name');
     foreach($groups as $group)
     {
-      $_POST['rename_'.$group] = stripslashes($_POST['rename_'.$group]);
+      $_POST['rename_'.$group] = strip_tags(stripslashes($_POST['rename_'.$group]));
 
       if (in_array($_POST['rename_'.$group], $group_names))
       {
@@ -181,6 +186,8 @@
 
   if ($action=="merge" and count($groups) > 1)
   {
+    $_POST['merge'] = strip_tags($_POST['merge']);
+
     // is the group not already existing ?
     $query = '
 SELECT COUNT(*)
@@ -268,6 +275,11 @@
       {
         break;
       }
+      else
+      {
+        $_POST['duplicate_'.$group.''] = strip_tags(stripslashes($_POST['duplicate_'.$group.'']));
+      }
+
       // is the group not already existing ?
       $query = '
   SELECT COUNT(*)
diff --git a/admin/themes/default/template/group_list.tpl b/admin/themes/default/template/group_list.tpl
index b14ff1725..6f0291f3c 100644
--- a/admin/themes/default/template/group_list.tpl
+++ b/admin/themes/default/template/group_list.tpl
@@ -128,7 +128,7 @@ $(document).ready(function() {
         {if not empty($groups)}
         {foreach from=$groups item=group}
         <p group_id="{$group.ID}" class="grp_action">
-          <input type="text" class="large" name="rename_{$group.ID}" value="{$group.NAME}" onfocus="this.value=(this.value=='{$group.NAME}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$group.NAME}' : this.value;">
+          <input type="text" class="large" name="rename_{$group.ID}" value="{$group.NAME}">
         </p>
         {/foreach}
         {/if}
@@ -137,9 +137,8 @@ $(document).ready(function() {
         <!-- merge -->
         <div id="action_merge" class="bulkAction">
           <p id="two_to_select">{'Please select at least two groups'|@translate}</p>
-          {assign var='mergeDefaultValue' value='Type here the name of the new group'|@translate}
           <p id="two_atleast">
-            <input type="text" class="large" name="merge" value="{$mergeDefaultValue}" onfocus="this.value=(this.value=='{$mergeDefaultValue}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$mergeDefaultValue}' : this.value;">
+            <input type="text" class="large" name="merge" value="" placeholder="{'Type here the name of the new group'|translate}">
           </p>
         </div>
 
@@ -150,11 +149,10 @@ $(document).ready(function() {
 
         <!-- duplicate -->
         <div id="action_duplicate" class="bulkAction">
-        {assign var='duplicateDefaultValue' value='Type here the name of the new group'|@translate}
         {if not empty($groups)}
         {foreach from=$groups item=group}
         <p group_id="{$group.ID}" class="grp_action">
-          {$group.NAME} > <input type="text" class="large" name="duplicate_{$group.ID}" value="{$duplicateDefaultValue}" onfocus="this.value=(this.value=='{$duplicateDefaultValue}') ? '' : this.value;" onblur="this.value=(this.value=='') ? '{$duplicateDefaultValue}' : this.value;">
+          {$group.NAME} > <input type="text" class="large" name="duplicate_{$group.ID}" value="" placeholder="{'Type here the name of the new group'|@translate}">
         </p>
         {/foreach}
         {/if}