fix: escape apostrophe in FORM_HELP_LABELS string (Database.php:2005)

app/public/admin/actions/form-help.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Save handler for form help blocks (student-facing explanatory text shown
+ * in the /partage share-link submission form).
+ */
+require_once __DIR__ . '/../../../bootstrap.php';
+require_once __DIR__ . '/../../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+    App::flash('error', 'Erreur de sécurité : token invalide.');
+    header('Location: /admin/contenus.php');
+    exit;
+}
+
+$key     = $_POST['form_help_key'] ?? '';
+$content = $_POST['content']       ?? '';
+
+require_once APP_ROOT . '/src/Database.php';
+$db = new Database();
+
+if (!in_array($key, Database::FORM_HELP_KEYS, true)) {
+    App::flash('error', 'Clé de bloc invalide.');
+    header('Location: /admin/contenus.php');
+    exit;
+}
+
+try {
+    $db->setFormHelpBlock($key, $content);
+    App::flash('success', 'Bloc « ' . htmlspecialchars($key) . ' » mis à jour.');
+} catch (Exception $e) {
+    error_log('form-help save error: ' . $e->getMessage());
+    App::flash('error', 'Erreur lors de la sauvegarde : ' . htmlspecialchars($e->getMessage()));
+}
+
+$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+header('Location: /admin/contenus.php#form-help-blocks');
+exit;

app/public/admin/contenus-edit.php

@@ -12,8 +12,9 @@ if (empty($_SESSION["csrf_token"])) {
 $allowedPageSlugs = ["about", "licenses", "charte"];
 $allowedApropos   = ["contacts", "credits"];
 
-$pageSlug   = $_GET["slug"] ?? "";
-$aproposKey = $_GET["apropos"] ?? "";
+$pageSlug    = $_GET["slug"]       ?? "";
+$aproposKey  = $_GET["apropos"]    ?? "";
+$formHelpKey = $_GET["form_block"] ?? "";
 
 if ($pageSlug && !in_array($pageSlug, $allowedPageSlugs)) {
     $pageSlug = "";
@@ -21,8 +22,11 @@ if ($pageSlug && !in_array($pageSlug, $allowedPageSlugs)) {
 if ($aproposKey && !in_array($aproposKey, $allowedApropos)) {
     $aproposKey = "";
 }
+if ($formHelpKey && !in_array($formHelpKey, Database::FORM_HELP_KEYS, true)) {
+    $formHelpKey = "";
+}
 
-if (!$pageSlug && !$aproposKey) {
+if (!$pageSlug && !$aproposKey && !$formHelpKey) {
     header("Location: /admin/contenus.php");
     exit();
 }
@@ -37,6 +41,10 @@ try {
         }
         $editTitle = $page["title"];
         $editType  = "page";
+    } elseif ($formHelpKey) {
+        $editType        = "form_help";
+        $formHelpContent = $db->getFormHelpBlock($formHelpKey);
+        $editTitle       = Database::FORM_HELP_LABELS[$formHelpKey] ?? $formHelpKey;
     } else {
         $editType  = "apropos";
         $value     = $db->getAproposContent($aproposKey);
@@ -65,6 +73,8 @@ JS;
 $initialContent = '';
 if ($editType === 'page') {
     $initialContent = $page["content"] ?? "";
+} elseif ($editType === 'form_help') {
+    $initialContent = $formHelpContent;
 }
 
 $isAdmin = true;

app/public/admin/contenus.php

@@ -6,10 +6,15 @@ require_once __DIR__ . '/../../src/Database.php';
 
 $pageTitle = "Contenus";
 
+if (empty($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
+
 try {
     $db = new Database();
-    $pages = $db->getAllPages();
-    $aproposKeys = $db->getAllAproposContents();
+    $pages          = $db->getAllPages();
+    $aproposKeys    = $db->getAllAproposContents();
+    $formHelpBlocks = $db->getAllFormHelpBlocks();
 } catch (Exception $e) {
     error_log("Error loading contenus: " . $e->getMessage());
     die("Erreur lors du chargement des contenus.");