Merge remote-tracking branch 'ArthurHoaro/input-escape' into next

[github/shaarli/Shaarli.git] / application / LinkDB.php

diff --git a/application/LinkDB.php b/application/LinkDB.php
index 388002f666eff8f80608fd31a4d3423b80da6f57..2b3fb60bb47be7fe9bd09728044315e55289186a 100644 (file)
--- a/application/LinkDB.php
+++ b/application/LinkDB.php
@@ -45,6 +45,9 @@ class LinkDB implements Iterator, Countable, ArrayAccess
     // Is the user logged in? (used to filter private links)
     private $loggedIn;
 
+    // Hide public links
+    private $hidePublicLinks;
+
     /**
      * Creates a new LinkDB
      *
@@ -52,10 +55,11 @@ class LinkDB implements Iterator, Countable, ArrayAccess
      *
      * @param $isLoggedIn is the user logged in?
      */
-    function __construct($isLoggedIn)
+    function __construct($isLoggedIn, $hidePublicLinks)
     {
         // FIXME: do not access $GLOBALS, pass the datastore instead
         $this->loggedIn = $isLoggedIn;
+        $this->hidePublicLinks = $hidePublicLinks;
         $this->checkDB();
         $this->readdb();
     }
@@ -208,6 +212,13 @@ class LinkDB implements Iterator, Countable, ArrayAccess
      */
     private function readdb()
     {
+
+        // Public links are hidden and user not logged in => nothing to show
+        if ($this->hidePublicLinks && !$this->loggedIn) {
+            $this->links = array();
+            return;
+        }
+
         // Read data
         // Note that gzinflate is faster than gzuncompress.
         // See: http://www.php.net/manual/en/function.gzdeflate.php#96439
@@ -238,6 +249,11 @@ class LinkDB implements Iterator, Countable, ArrayAccess
         foreach ($this->links as $link) {
             $this->urls[$link['url']] = $link['linkdate'];
         }
+
+        // Escape links data
+        foreach($this->links as &$link) { 
+            sanitizeLink($link); 
+        }
     }
 
     /**