aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2013-05-14 08:05:06 +0000
committerplegall <plg@piwigo.org>2013-05-14 08:05:06 +0000
commit206d9bee4c086316abd1d39a000e9160b86e0db5 (patch)
treec6614ef2bc5de1bc3c761ef11f2024896e8bd7a8
parent348ab67a887a85ccd139000096e1efe699ee8149 (diff)
merge r22660 from branch 2.5 to trunk
feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default) git-svn-id: http://piwigo.org/svn/trunk@22661 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r--include/config_default.inc.php5
-rw-r--r--include/functions_metadata.inc.php28
2 files changed, 25 insertions, 8 deletions
diff --git a/include/config_default.inc.php b/include/config_default.inc.php
index 4372e61fe..9f812450b 100644
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@@ -374,6 +374,11 @@ $conf['use_exif_mapping'] = array(
'date_creation' => 'DateTimeOriginal'
);
+// allow_html_in_metadata: in case the origin of the photo is unsecure (user
+// upload), we remove HTML tags to avoid XSS (malicious execution of
+// javascript)
+$conf['allow_html_in_metadata'] = false;
+
// +-----------------------------------------------------------------------+
// | sessions |
// +-----------------------------------------------------------------------+
diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php
index 4549ca7c6..97724abc1 100644
--- a/include/functions_metadata.inc.php
+++ b/include/functions_metadata.inc.php
@@ -30,6 +30,8 @@
*/
function get_iptc_data($filename, $map)
{
+ global $conf;
+
$result = array();
$imginfo = array();
@@ -60,10 +62,15 @@ function get_iptc_data($filename, $map)
foreach (array_keys($map, $iptc_key) as $pwg_key)
{
- // in case the origin of the photo is unsecure (user upload), we
- // remove HTML tags to avoid XSS (malicious execution of
- // javascript)
- $result[$pwg_key] = strip_tags($value);
+ $result[$pwg_key] = $value;
+
+ if (!$conf['allow_html_in_metadata'])
+ {
+ // in case the origin of the photo is unsecure (user upload), we
+ // remove HTML tags to avoid XSS (malicious execution of
+ // javascript)
+ $result[$pwg_key] = strip_tags($result[$pwg_key]);
+ }
}
}
}
@@ -112,6 +119,8 @@ function clean_iptc_value($value)
*/
function get_exif_data($filename, $map)
{
+ global $conf;
+
$result = array();
if (!function_exists('read_exif_data'))
@@ -143,11 +152,14 @@ function get_exif_data($filename, $map)
}
}
- foreach ($result as $key => $value)
+ if (!$conf['allow_html_in_metadata'])
{
- // in case the origin of the photo is unsecure (user upload), we remove
- // HTML tags to avoid XSS (malicious execution of javascript)
- $result[$key] = strip_tags($value);
+ foreach ($result as $key => $value)
+ {
+ // in case the origin of the photo is unsecure (user upload), we remove
+ // HTML tags to avoid XSS (malicious execution of javascript)
+ $result[$key] = strip_tags($value);
+ }
}
return $result;