Dotclear

Changeset 3441:5210efb51a5e


Timestamp:
12/05/16 14:30:56 (9 years ago)
Author:
franck <carnet.franck.paul@…>
Branch:
2.10
source:
5536ac77e915c6f888796188185621effac42e6d
Message:

Prevents XSS injection in media title, closes #2224, thanks smarterbitbybit for report

Location:
admin
Files:
2 edited

  • admin/media.php

    r3295 r3441  
    276276               files::uploadStatus($upfile); 
    277277 
    278                $f_title = (isset($_POST['upfiletitle']) ? $_POST['upfiletitle'] : ''); 
     278               $f_title = (isset($_POST['upfiletitle']) ? html::escapeHTML($_POST['upfiletitle']) : ''); 
    279279               $f_private = (isset($_POST['upfilepriv']) ? $_POST['upfilepriv'] : false); 
    280280 
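Review bot: the replaced assignment to `$f_title` escapes at input time, so the value written to storage is already HTML-encoded; any output path that escapes again will double-encode the title, and any non-HTML consumer of the stored title (feeds, JSON, file metadata) receives entity text instead of the user's string. Keeping the raw title and calling `html::escapeHTML()` at each output site removes that problem. The unchanged context line `$f_private = (isset($_POST['upfilepriv']) ? $_POST['upfilepriv'] : false);` still stores the POST value as-is; an explicit `(bool)` cast would make the intended type clear.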
  • admin/media_item.php

    r3167 r3441  
    117117          $newFile->relname = $newFile->basename; 
    118118     } 
    119      $newFile->media_title = $_POST['media_title']; 
     119     $newFile->media_title = html::escapeHTML($_POST['media_title']); 
    120120     $newFile->media_dt = strtotime($_POST['media_dt']); 
    121121     $newFile->media_dtstr = $_POST['media_dt']; 
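Review bot: the replaced line reads `$_POST['media_title']` with no `isset()` guard, unlike the `upfiletitle` handling in media.php, so a request without that field raises an undefined-index notice before `html::escapeHTML()` runs; `isset($_POST['media_title']) ? html::escapeHTML($_POST['media_title']) : ''` matches the other file. The same input-time escaping caveat applies here (stored value is HTML-encoded, so output must not escape it again), and the unchanged context line `$newFile->media_dtstr = $_POST['media_dt'];` still stores a raw POST string that this change leaves untreated.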