Update bulma tagsinput

api/tags_autocomplete.php

@@ -4,6 +4,11 @@ define('IN_PONEPASTE', 1);
 require_once(__DIR__ . '/../includes/common.php');
 require_once(__DIR__ . '/../includes/Tag.class.php');
 
+/* get rid of unintended wildcards in a parameter to LIKE queries; not a security issue, just unexpected behaviour. */
+function escapeLikeQuery(string $query) : string {
+    return str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $query);
+}
+
 header('Content-Type: application/json');
 
 if (empty($_GET['tag'])) {
@@ -11,11 +16,11 @@ if (empty($_GET['tag'])) {
 }
 
 $tag_name = Tag::cleanTagName($_GET['tag']);
-$tag_name = str_replace('%', '', $tag_name); /* get rid of MySQL LIKE wildcards */
 
-$results = $conn->query('SELECT name FROM tags WHERE name LIKE ? AND name != ?', [$tag_name . '%', $tag_name]);
-$tags = $results->fetchAll();
+$results = $conn->query('SELECT name FROM tags WHERE name LIKE ? AND name != ?', [escapeLikeQuery($tag_name) . '%', $tag_name]);
+$tags = $results->fetchAll(PDO::FETCH_ASSOC);
 
 array_push($tags, ['name' => $tag_name]);
 
+
 echo json_encode($tags);

theme/bulma/main.php

@@ -15,15 +15,9 @@
  */
 
 ?>
-<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
 <link rel="stylesheet" href="theme/bulma/css/bulma-tagsinput.min.css"/>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
 <script src="theme/bulma/js/bulma-tagsinput.min.js"></script>
-<script>
-    document.addEventListener('DOMContentLoaded', function () {
-        BulmaTagsInput.attach();
-    });
-</script>
 <script>
     function setupTagsInput() {
         const tagsInput = document.getElementById('tags-with-source');