diff options
author | plegall <plg@piwigo.org> | 2012-12-13 09:33:10 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2012-12-13 09:33:10 +0000 |
commit | 703465f7fcfb22e4a2e583618232091f918329bb (patch) | |
tree | 7c20e21175a550839c8dca71bdeff6623ef847f0 | |
parent | 3f838630b8c06ec77490cf3b802b3c114d7ae051 (diff) |
merge r19417 from branch 2.4 to trunk
bug 2805: avoid XSS from EXIF/IPTC
git-svn-id: http://piwigo.org/svn/trunk@19418 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r-- | include/functions_metadata.inc.php | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php index 5a8671d77..0c7b4de52 100644 --- a/include/functions_metadata.inc.php +++ b/include/functions_metadata.inc.php @@ -60,7 +60,10 @@ function get_iptc_data($filename, $map) foreach (array_keys($map, $iptc_key) as $pwg_key) { - $result[$pwg_key] = $value; + // in case the origin of the photo is unsecure (user upload), we + // remove HTML tags to avoid XSS (malicious execution of + // javascript) + $result[$pwg_key] = strip_tags($value); } } } @@ -140,6 +143,13 @@ function get_exif_data($filename, $map) } } + foreach ($result as $key => $value) + { + // in case the origin of the photo is unsecure (user upload), we remove + // HTML tags to avoid XSS (malicious execution of javascript) + $result[$key] = strip_tags($value); + } + return $result; } ?>
\ No newline at end of file |