From 68c0ce65118669e70eb47e46e553ddcd4c48de53 Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 14 May 2013 08:04:33 +0000
Subject: feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default)

git-svn-id: http://piwigo.org/svn/branches/2.5@22660 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/config_default.inc.php | 5 +++++
 include/functions_metadata.inc.php | 28 ++++++++++++++++++++--------
 2 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/include/config_default.inc.php b/include/config_default.inc.php
index 2a9ea1cad..8af8e256f 100644
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@@ -374,6 +374,11 @@ $conf['use_exif_mapping'] = array(
 'date_creation' => 'DateTimeOriginal'
 );
 
+// allow_html_in_metadata: in case the origin of the photo is unsecure (user
+// upload), we remove HTML tags to avoid XSS (malicious execution of
+// javascript)
+$conf['allow_html_in_metadata'] = false;
+
 // +-----------------------------------------------------------------------+
 // | sessions |
 // +-----------------------------------------------------------------------+
diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php
index 4549ca7c6..97724abc1 100644
--- a/include/functions_metadata.inc.php
+++ b/include/functions_metadata.inc.php
@@ -30,6 +30,8 @@
 */
 function get_iptc_data($filename, $map)
 {
+ global $conf;
+
 $result = array();
 
 $imginfo = array();
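Review bot: The new comment on `$conf['allow_html_in_metadata']` describes the stripping behaviour but not what setting the flag to `true` means, so a reader editing a local config may not see the trade-off. Suggest rewording it as `// allow_html_in_metadata: when false (default) HTML tags are stripped from EXIF/IPTC values as they are read, because photo metadata can come from untrusted uploads and would otherwise allow XSS; set to true only when every photo source is trusted`. Whether the stored values are escaped again when displayed is not visible in this patch, so the comment should not promise that.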
@@ -60,10 +62,15 @@ function get_iptc_data($filename, $map)
 
 foreach (array_keys($map, $iptc_key) as $pwg_key)
 {
- // in case the origin of the photo is unsecure (user upload), we
- // remove HTML tags to avoid XSS (malicious execution of
- // javascript)
- $result[$pwg_key] = strip_tags($value);
+ $result[$pwg_key] = $value;
+
+ if (!$conf['allow_html_in_metadata'])
+ {
+ // in case the origin of the photo is unsecure (user upload), we
+ // remove HTML tags to avoid XSS (malicious execution of
+ // javascript)
+ $result[$pwg_key] = strip_tags($result[$pwg_key]);
+ }
 }
 }
 }
@@ -112,6 +119,8 @@ function clean_iptc_value($value)
 */
 function get_exif_data($filename, $map)
 {
+ global $conf;
+
 $result = array();
 
 if (!function_exists('read_exif_data'))
@@ -143,11 +152,14 @@ function get_exif_data($filename, $map)
 }
 }
 
- foreach ($result as $key => $value)
+ if (!$conf['allow_html_in_metadata'])
 {
- // in case the origin of the photo is unsecure (user upload), we remove
- // HTML tags to avoid XSS (malicious execution of javascript)
- $result[$key] = strip_tags($value);
+ foreach ($result as $key => $value)
+ {
+ // in case the origin of the photo is unsecure (user upload), we remove
+ // HTML tags to avoid XSS (malicious execution of javascript)
+ $result[$key] = strip_tags($value);
+ }
 }
 
 return $result;
-- 
cgit v1.2.3
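Review bot: The assign-then-conditionally-overwrite inside the `$pwg_key` loop spells one decision as two steps and briefly leaves the unsanitised value in `$result`; a single expression, `$result[$pwg_key] = $conf['allow_html_in_metadata'] ? $value : strip_tags($value);`, says the same thing. The same flag is tested differently in the `@@ -143,11 +152,14 @@` hunk of get_exif_data, where the check wraps the whole loop; using one shape for both paths would make the two sanitisation points easier to audit together. On both paths a missing or null `$conf['allow_html_in_metadata']` still takes the strip_tags branch, which is the safe default, though it would raise a PHP notice if the key were ever absent from a site's config. The comments kept in the hunk could also say that strip_tags only removes tags and is not a substitute for escaping at output time. The enclosing function get_iptc_data starts and ends outside this hunk.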