Use explicit blog plugin category type id instead of req.get('categor…

…y'). fc2blog#338

app/src/Web/Controller/Admin/BlogPluginsController.php

@@ -9,6 +9,7 @@
 use Fc2blog\Model\BlogTemplatesModel;
 use Fc2blog\Model\Model;
 use Fc2blog\Model\PluginsModel;
+use Fc2blog\Util\Log;
 use Fc2blog\Web\Request;
 
 class BlogPluginsController extends AdminController
@@ -73,6 +74,8 @@ public function share_search(Request $request): string
         return $this->plugin_search($request, false);
     }
 
+    const ALLOWED_PLUGIN_CATEGORY_TYPE_RANGE = "1-3";
+
     /**
      * プラグイン検索 （内部呼び出し）
      * @param Request $request
@@ -117,6 +120,11 @@ private function plugin_search(Request $request, bool $is_official = true): stri
         $this->set('req_device_name', __(BlogTemplatesModel::getDeviceName((int)$request->get('device_type'))));
         $this->set('device_key', App::getDeviceFc2Key($request->get('device_type')));
         $this->set('is_official', $is_official);
+        if (!preg_match('/\A[' . self::ALLOWED_PLUGIN_CATEGORY_TYPE_RANGE . ']\z/u', $request->get('category'))) {
+            Log::notice("Request invalid plugin category type " . $request->get('category'));
+            return $this->error400();
+        }
+        $this->set('plugin_category_type_id', $request->get('category'));
 
         return 'admin/blog_plugins/plugin_search.twig';
     }

app/twig_templates/admin/blog_plugins/plugin_search.twig

@@ -29,10 +29,10 @@
                 <td>{{ t(plugin.title, 20) }}</td>
                 <td>{{ plugin.body|nl2br }}</td>
                 <td class="center">
-                    <a href="{{ url(req, 'blog_plugins', 'download', {id: plugin.id, category: req.get('category'), sig: sig}) }}">{{ _('Download') }}</a>
+                    <a href="{{ url(req, 'blog_plugins', 'download', {id: plugin.id, category: plugin_category_type_id, sig: sig}) }}">{{ _('Download') }}</a>
                 </td>
                 <td class="center">
-                    <a href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, plugin_id: plugin.id, category: req.get('category'), device_key: 1}, false, true, false) }}" target="_blank">{{ _('Preview') }}</a>
+                    <a href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, plugin_id: plugin.id, category: plugin_category_type_id, device_key: 1}, false, true, false) }}" target="_blank">{{ _('Preview') }}</a>
                 </td>
                 {% if not is_official %}
                     <td class="center">

app/twig_templates/admin/blog_plugins/plugin_search_sp.twig

@@ -13,8 +13,8 @@
                 <h4>{{ t(plugin.title, 20) }}</h4>
                 <p>{{ t(plugin.body, 20) }}</p>
                 <div class="parallel_btn">
-                    <a class="btn_contents touch" href="{{ url(req, 'blog_plugins', 'download', {id: plugin.id, category: req.get('category'), sig: sig}) }}">{{ _('Add') }}</a>
-                    <a class="btn_contents touch" href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, plugin_id: plugin.id, category: req.get('category'), device_key: 1}, false, true) }}" target="_blank">{{ _('Preview') }}</a>
+                    <a class="btn_contents touch" href="{{ url(req, 'blog_plugins', 'download', {id: plugin.id, category: plugin_category_type_id, sig: sig}) }}">{{ _('Add') }}</a>
+                    <a class="btn_contents touch" href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, plugin_id: plugin.id, category: plugin_category_type_id, device_key: 1}, false, true) }}" target="_blank">{{ _('Preview') }}</a>
                 </div>
             </li>
         {% endfor %}