__ http://apps.owncloud.com/content/show.php?action=content&content=166654
__ http://git.cweiske.de/grauphel.git/
__ https://github.com/cweiske/grauphel
+
+
+=================
+Development hints
+=================
+* JSON coming from Tomboy: Title is html-escaped already
+ (e.g. ``>`` is ``>``).
+ We store it that way in the database, so there is no need to escape the
+ output.
+* ``latest-sync-revision`` sent from Tomboy during PUT sync is already
+ incremented by 1.
}
/**
- * Load a GUID of a note by the note title
+ * Load a GUID of a note by the note title.
*
- * @param string $title Note title
+ * The note title is stored html-escaped in the database because we
+ * get it that way from tomboy. Thus we have to escape the search
+ * input, too.
+ *
+ * @param string $title Note title.
*
* @return string GUID, NULL if note could not be found
*/
$row = \OC_DB::executeAudited(
'SELECT note_guid FROM `*PREFIX*grauphel_notes`'
. ' WHERE `note_user` = ? AND `note_title` = ?',
- array($this->username, $title)
+ array($this->username, htmlspecialchars($title))
)->fetchRow();
if ($row === false) {
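Review bot: The new lookup key `htmlspecialchars($title)` relies on PHP's default flags, which changed between versions (ENT_COMPAT up to 8.0, ENT_QUOTES|ENT_SUBSTITUTE from 8.1), while the stored value was escaped by Tomboy, not by this code; a title containing a quote character may therefore escape differently on the two sides and the note will not be found. Pin the flags and charset explicitly so the query does not drift with the runtime, e.g. `array($this->username, htmlspecialchars($title, ENT_COMPAT, 'UTF-8'))`, after confirming which variant matches what Tomboy sends, and record that coupling in the docblock: `* NOTE: the escaping here must mirror the client's; see README "Development hints".`. The parameterised query itself is fine. The method's signature and the remainder of its body lie outside the hunk.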
<script type="text/javascript" src="<?php p(OCP\Util::linkTo('grauphel','js/grauphel.js')); ?>"></script>
<div id="app-content" class="content">
- <h1><?php p($_['note']->title); ?></h1>
+ <h1><?php echo ($_['note']->title); ?></h1>
<p class="muted">
Last modified:
<?php p(\OCP\Util::formatDate(strtotime($_['note']->{'last-change-date'}))); ?>
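Review bot: Swapping `p()` for a bare `echo` on the new `<h1>` line, and likewise in the note-list link in the following hunk, drops output escaping and makes both templates trust that every stored `note_title` was already HTML-escaped. As far as this diff shows, that invariant is only documented for titles arriving from Tomboy and is not enforced on the server's write path, so a title stored raw by another client or a direct API PUT renders as stored XSS in the note view and the list. The more robust shape is to keep `p()` at output time and decode the client-escaped title once when it is stored, so the database holds plain text; if the stored-escaped representation has to stay, validate titles on the write path and mark the assumption at each echo, e.g. `<?php /* title is stored html-escaped (README "Development hints"); escaping again would double-encode */ echo $_['note']->title; ?>`.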
<?php foreach ($_['notes'] as $note) { ?>
<tr id="note-<?php p($note['guid']); ?>">
<td>
- <a class="cellclick" href="<?php p(OCP\Util::linkToRoute('grauphel.gui.note', array('guid' => $note['guid']))); ?>"><?php p($note['title']); ?></a>
+ <a class="cellclick" href="<?php p(OCP\Util::linkToRoute('grauphel.gui.note', array('guid' => $note['guid']))); ?>"><?php echo ($note['title']); ?></a>
</td>
<td>
</td>