Dotclear

Changeset 3440:5536ac77e915


Timestamp:
12/05/16 14:30:56 (7 years ago)
Author:
franck <carnet.franck.paul@…>
Branch:
default
Message:

Prevents XSS injection in media title, closes #2224, thanks smarterbitbybit for report

Location:
admin
Files:
2 edited

  • admin/media.php

    r3398 r3440  
    282282               files::uploadStatus($upfile); 
    283283 
    284                $f_title = (isset($_POST['upfiletitle']) ? $_POST['upfiletitle'] : ''); 
     284               $f_title = (isset($_POST['upfiletitle']) ? html::escapeHTML($_POST['upfiletitle']) : ''); 
    285285               $f_private = (isset($_POST['upfilepriv']) ? $_POST['upfilepriv'] : false); 
    286286 
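Review bot: escaping with html::escapeHTML at upload time (line 284) stores an HTML-encoded title rather than the raw value, so the fix depends on every later output path treating media title as already-escaped. Anywhere the title is rendered through the normal template escaping, or emitted into a non-HTML context (plain text, XML/feeds, JSON, an attribute that is built separately), a title such as `A & B` will show up as `A &amp; B` or be double-encoded to `A &amp;amp; B`. Consider escaping at output instead, or at least documenting on this line that `$f_title` is stored HTML-encoded so that callers do not escape it a second time.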
  • admin/media_item.php

    r3434 r3440  
    117117          $newFile->relname = $newFile->basename; 
    118118     } 
    119      $newFile->media_title = $_POST['media_title']; 
     119     $newFile->media_title = html::escapeHTML($_POST['media_title']); 
    120120     $newFile->media_dt = strtotime($_POST['media_dt']); 
    121121     $newFile->media_dtstr = $_POST['media_dt']; 
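Review bot: consistent with the media.php change, this stores the escaped title, so the same double-encoding caveat applies to every reader of `media_title`; if the decision is to encode at storage, any other code path that assigns `$newFile->media_title` needs the same `html::escapeHTML` call or the fix is only partial. Separately, the visible line reads `$_POST['media_title']` with no `isset` guard, unlike the upload path in media.php, which uses `isset($_POST['upfiletitle']) ? ... : ''`; since the line is being touched anyway, `html::escapeHTML(isset($_POST['media_title']) ? $_POST['media_title'] : '')` would avoid an undefined-index notice on a request without that field.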