From 93298095b3c4455aa1a4c676d6e2f9915ca06caa Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Fri, 24 Oct 2014 07:39:12 +0200
Subject: make linking of notes with chars work
---
 lib/notestorage.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'lib')
diff --git a/lib/notestorage.php b/lib/notestorage.php
index 7ecf049..0aeef9e 100644
--- a/lib/notestorage.php
+++ b/lib/notestorage.php
@@ -246,9 +246,13 @@ class NoteStorage
 }

 /**
- * Load a GUID of a note by the note title
+ * Load a GUID of a note by the note title.
 *
- * @param string $title Note title
+ * The note title is stored html-escaped in the database because we
+ * get it that way from tomboy. Thus we have to escape the search
+ * input, too.
+ *
+ * @param string $title Note title.
 *
 * @return string GUID, NULL if note could not be found
 */
@@ -257,7 +261,7 @@ class NoteStorage
 $row = \OC_DB::executeAudited(
 'SELECT note_guid FROM `*PREFIX*grauphel_notes`'
 . ' WHERE `note_user` = ? AND `note_title` = ?',
- array($this->username, $title)
+ array($this->username, htmlspecialchars($title))
 )->fetchRow();

 if ($row === false) {
--
cgit v1.2.3
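Review bot: The `htmlspecialchars($title)` call added in the second hunk relies on PHP's default flags and charset, so the lookup only matches when those defaults happen to produce exactly the escaping that is stored in `note_title`. The default flags changed from `ENT_COMPAT` to `ENT_QUOTES | ENT_SUBSTITUTE` in PHP 8.1, so a title containing `'` would be escaped differently after an upgrade and the note would silently stop being found. Pinning the arguments keeps the match stable, for example `array($this->username, htmlspecialchars($title, ENT_COMPAT, 'UTF-8'))`, with the flags chosen to mirror whatever escaping Tomboy actually applies (not visible here). Because the column holds pre-escaped text, the docblock in the first hunk could also state that code rendering `note_title` must not escape it a second time and that every write path has to store it escaped, since an unescaped row would be emitted raw. The function body starts and ends outside the hunk.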