From 0cf52c8461a91b3c8d45fa7b9f73873b12073691 Mon Sep 17 00:00:00 2001
From: Olivier Perez <olivier@olivierperez.fr>
Date: Thu, 7 Jul 2016 14:15:34 +0200
Subject: [PATCH] Merge branch 'bugfix/install-config-escape' into 'develop'

Added escaping for install in config.tpl

In the installation process, string like the one below should be a valid application name (or DB password).
> Framadate c'est vraiment super ! "Datez" comme vous voulez \o/

It missed some escaping for single quote (') and backslash (\\), resulting in PHP parse errors.

It should be cherry-picked to the `release` branch too.

See merge request !136
---
 app/inc/smarty.php   | 3 +++
 tpl/admin/config.tpl | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/inc/smarty.php b/app/inc/smarty.php
index 39f191c4..248fc010 100644
--- a/app/inc/smarty.php
+++ b/app/inc/smarty.php
@@ -64,6 +64,9 @@ function smarty_modifier_markdown($md, $clear = false) {
 function smarty_modifier_resource($link) {
     return Utils::get_server_name() . $link;
 }
+function smarty_modifier_addslashes_single_quote($string) {
+    return addcslashes($string, '\\\'');
+}
 
 function smarty_modifier_html($html) {
     return Utils::htmlEscape($html);
diff --git a/tpl/admin/config.tpl b/tpl/admin/config.tpl
index bb5d9dcf..28653592 100644
--- a/tpl/admin/config.tpl
+++ b/tpl/admin/config.tpl
@@ -23,7 +23,7 @@
 // const APP_URL = '<www.mydomain.fr>';
 
 // Application name
-const NOMAPPLICATION = '{$appName}';
+const NOMAPPLICATION = '{$appName|addslashes_single_quote}';
 
 // Database administrator email
 const ADRESSEMAILADMIN = '{$appMail}';
@@ -38,7 +38,7 @@ const DB_CONNECTION_STRING = '{$dbConnectionString}';
 const DB_USER= '{$dbUser}';
 
 // Database password
-const DB_PASSWORD = '{$dbPassword}';
+const DB_PASSWORD = '{$dbPassword|addslashes_single_quote}';
 
 // Table name prefix
 const TABLENAME_PREFIX = '{$dbPrefix}';
-- 
GitLab