Create an ajax response framework that inserts <meta> tags to guard

against UTF-7, and create a $.gallery_autocomplete variant of jQuery's
autocomplete that expects the first line to be a <meta> tag and
discards it.  More complete fix for #1871.

lib/gallery.common.js

@@ -222,4 +222,32 @@
     });
   };
 
+  // Augment jQuery autocomplete to expect the first response line to
+  // be a <meta> tag that protects against UTF-7 attacks.
+  $.fn.gallery_autocomplete = function(url, options) {
+    // Drop the first response - it should be a meta tag
+    options.parse = function(data) {
+      var parsed = [];
+      var rows = data.split("\n");
+      if (rows[0].indexOf("<meta") == -1) {
+        throw 'Missing <meta> tag in first line of autocomplete response';
+      }
+      rows.shift();  // drop <META> tag
+      for (var i=0; i < rows.length; i++) {
+        var row = $.trim(rows[i]);
+        if (row) {
+          row = row.split("|");
+          parsed[parsed.length] = {
+            data: row,
+            value: row[0],
+            result: row[0]
+          };
+        }
+      }
+      return parsed;
+    };
+
+    $(this).autocomplete(url, options);
+  };
+
 })(jQuery);

modules/g2_import/controllers/admin_g2_import.php

@@ -113,7 +113,7 @@ class Admin_g2_import_Controller extends Admin_Controller {
       }
     }
 
-    print implode("\n", $directories);
+    ajax::response(implode("\n", $directories));
   }
 
   private function _get_import_form() {

modules/g2_import/views/admin_g2_import.html.php

@@ -3,7 +3,7 @@
 <?= $theme->script("jquery.autocomplete.js") ?>
 <script type="text/javascript">
 $("document").ready(function() {
-  $("form input[name=embed_path]").autocomplete(
+  $("form input[name=embed_path]").gallery_autocomplete(
     "<?= url::site("__ARGS__") ?>".replace("__ARGS__", "admin/g2_import/autocomplete"),
     {
       max: 256,

modules/gallery/helpers/ajax.php

@@ -0,0 +1,31 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2012 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class ajax_Core {
+  /**
+   * Encode an Ajax response so that it's UTF-7 safe.
+   *
+   * @param  string $message string to print
+   */
+  static function response($content) {
+    header("Content-Type: text/plain; charset=" . Kohana::CHARSET);
+    print "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\">\n";
+    print html::clean($content);
+  }
+}

modules/server_add/controllers/admin_server_add.php

@@ -72,6 +72,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
 
   public function autocomplete() {
     $directories = array();
+
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
@@ -79,7 +80,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
       }
     }
 
-    print implode("\n", $directories);
+    ajax::response(implode("\n", $directories));
   }
 
   private function _get_admin_form() {

modules/server_add/views/admin_server_add.html.php

@@ -4,7 +4,7 @@
 <?= $theme->script("jquery.autocomplete.js") ?>
 <script type="text/javascript">
 $("document").ready(function() {
-  $("#g-path").autocomplete(
+  $("#g-path").gallery_autocomplete(
     "<?= url::site("__ARGS__") ?>".replace("__ARGS__", "admin/server_add/autocomplete"),
     {
       max: 256,

modules/tag/controllers/tags.php

@@ -57,9 +57,9 @@ class Tags_Controller extends Controller {
       ->limit($limit)
       ->find_all();
     foreach ($tag_list as $tag) {
-      $tags[] = $tag->name;
+      $tags[] = html::clean($tag->name);
     }
 
-    print implode("\n", $tags);
+    ajax::response(implode("\n", $tags));
   }
 }

modules/tag/helpers/tag_event.php

@@ -72,7 +72,7 @@ class tag_event_Core {
     $url = url::site("tags/autocomplete");
     $form->script("")
       ->text("$('form input[name=tags]').ready(function() {
-                $('form input[name=tags]').autocomplete(
+                $('form input[name=tags]').gallery_autocomplete(
                   '$url', {max: 30, multiple: true, multipleSeparator: ',', cacheLength: 1});
               });");
 
@@ -123,7 +123,7 @@ class tag_event_Core {
     $autocomplete_url = url::site("tags/autocomplete");
     $group->script("")
       ->text("$('input[name=tags]')
-                .autocomplete(
+                .gallery_autocomplete(
                   '$autocomplete_url',
                   {max: 30, multiple: true, multipleSeparator: ',', cacheLength: 1}
                 )

modules/tag/views/tag_block.html.php

@@ -2,7 +2,7 @@
 <script type="text/javascript">
   $("#g-add-tag-form").ready(function() {
     var url = $("#g-tag-cloud-autocomplete-url").attr("href");
-    $("#g-add-tag-form input:text").autocomplete(
+    $("#g-add-tag-form input:text").gallery_autocomplete(
       url, {
         max: 30,
         multiple: true,