diff options
author | plegall <plg@piwigo.org> | 2013-05-14 08:05:06 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2013-05-14 08:05:06 +0000 |
commit | 206d9bee4c086316abd1d39a000e9160b86e0db5 (patch) | |
tree | c6614ef2bc5de1bc3c761ef11f2024896e8bd7a8 | |
parent | 348ab67a887a85ccd139000096e1efe699ee8149 (diff) |
merge r22660 from branch 2.5 to trunk
feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default)
git-svn-id: http://piwigo.org/svn/trunk@22661 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | include/config_default.inc.php | 5 | ||||
-rw-r--r-- | include/functions_metadata.inc.php | 28 |
2 files changed, 25 insertions, 8 deletions
diff --git a/include/config_default.inc.php b/include/config_default.inc.php index 4372e61fe..9f812450b 100644 --- a/include/config_default.inc.php +++ b/include/config_default.inc.php @@ -374,6 +374,11 @@ $conf['use_exif_mapping'] = array( 'date_creation' => 'DateTimeOriginal' ); +// allow_html_in_metadata: in case the origin of the photo is unsecure (user +// upload), we remove HTML tags to avoid XSS (malicious execution of +// javascript) +$conf['allow_html_in_metadata'] = false; + // +-----------------------------------------------------------------------+ // | sessions | // +-----------------------------------------------------------------------+ diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php index 4549ca7c6..97724abc1 100644 --- a/include/functions_metadata.inc.php +++ b/include/functions_metadata.inc.php @@ -30,6 +30,8 @@ */ function get_iptc_data($filename, $map) { + global $conf; + $result = array(); $imginfo = array(); @@ -60,10 +62,15 @@ function get_iptc_data($filename, $map) foreach (array_keys($map, $iptc_key) as $pwg_key) { - // in case the origin of the photo is unsecure (user upload), we - // remove HTML tags to avoid XSS (malicious execution of - // javascript) - $result[$pwg_key] = strip_tags($value); + $result[$pwg_key] = $value; + + if (!$conf['allow_html_in_metadata']) + { + // in case the origin of the photo is unsecure (user upload), we + // remove HTML tags to avoid XSS (malicious execution of + // javascript) + $result[$pwg_key] = strip_tags($result[$pwg_key]); + } } } } @@ -112,6 +119,8 @@ function clean_iptc_value($value) */ function get_exif_data($filename, $map) { + global $conf; + $result = array(); if (!function_exists('read_exif_data')) @@ -143,11 +152,14 @@ function get_exif_data($filename, $map) } } - foreach ($result as $key => $value) + if (!$conf['allow_html_in_metadata']) { - // in case the origin of the photo is unsecure (user upload), we remove - // HTML tags to avoid XSS (malicious execution of javascript) - $result[$key] = strip_tags($value); + foreach ($result as $key => $value) + { + // in case the origin of the photo is unsecure (user upload), we remove + // HTML tags to avoid XSS (malicious execution of javascript) + $result[$key] = strip_tags($value); + } } return $result; |