authorplegall <plg@piwigo.org>2012-12-13 09:33:10 +0000
committerplegall <plg@piwigo.org>2012-12-13 09:33:10 +0000
commit703465f7fcfb22e4a2e583618232091f918329bb (patch)
tree7c20e21175a550839c8dca71bdeff6623ef847f0
parent3f838630b8c06ec77490cf3b802b3c114d7ae051 (diff)
merge r19417 from branch 2.4 to trunk
bug 2805: avoid XSS from EXIF/IPTC git-svn-id: http://piwigo.org/svn/trunk@19418 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r--include/functions_metadata.inc.php12
1 files changed, 11 insertions, 1 deletions
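diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php
index 5a8671d77..0c7b4de52 100644
--- a/include/functions_metadata.inc.php
+++ b/include/functions_metadata.inc.php
@@ -60,7 +60,10 @@ function get_iptc_data($filename, $map)
 foreach (array_keys($map, $iptc_key) as $pwg_key)
 {
-$result[$pwg_key] = $value;
+// in case the origin of the photo is unsecure (user upload), we
+// remove HTML tags to avoid XSS (malicious execution of
+// javascript)
+$result[$pwg_key] = strip_tags($value);
 }
 }
 }
@@ -140,6 +143,13 @@ function get_exif_data($filename, $map)
 }
 }
+foreach ($result as $key => $value)
+{
+// in case the origin of the photo is unsecure (user upload), we remove
+// HTML tags to avoid XSS (malicious execution of javascript)
+$result[$key] = strip_tags($value);
+}
+
 return $result;
 }
 ?>
\ No newline at end of file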
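Review bot: strip_tags() on the last added line of the get_exif_data hunk (and on the get_iptc_data hunk above) is input sanitisation rather than an XSS fix: it only removes angle-bracket tags, so a value like `" onmouseover="alert(1)` survives intact and remains exploitable wherever a template prints metadata inside an attribute without htmlspecialchars($v, ENT_QUOTES), and it also discards legitimate text from an unmatched `<` onward (`strip_tags('1<2')` yields `1`). The durable fix is escaping at output in the templates; if this pass is kept as defence in depth, guard it against non-string values, since strip_tags() warns and returns null when handed an array: `$result[$key] = is_string($value) ? strip_tags($value) : $value;`. I would also replace the added comment with `// defence in depth only: drops tags from untrusted EXIF/IPTC text; output must still be HTML-escaped (htmlspecialchars, ENT_QUOTES) where rendered`. Both get_iptc_data and get_exif_data begin before their hunks, so whether $value can be an array here is not visible from the diff.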