aboutsummaryrefslogtreecommitdiffstats
path: root/include/functions_metadata.inc.php
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2012-12-13 09:27:24 +0000
committerplegall <plg@piwigo.org>2012-12-13 09:27:24 +0000
commitea3e07c3261231030ec555ffc6ac2cd2b82ec8f0 (patch)
treeb12d55f2fd4748f67d406c3c9652cce32cc83dae /include/functions_metadata.inc.php
parent4fab3d9922159d08fb681654cd4217f8278a32ff (diff)
bug 2805: avoid XSS from EXIF/IPTC
git-svn-id: http://piwigo.org/svn/branches/2.4@19417 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--include/functions_metadata.inc.php12
1 files changed, 11 insertions, 1 deletions
diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php
index 5a8671d77..0c7b4de52 100644
--- a/include/functions_metadata.inc.php
+++ b/include/functions_metadata.inc.php
@@ -60,7 +60,10 @@ function get_iptc_data($filename, $map)
foreach (array_keys($map, $iptc_key) as $pwg_key)
{
- $result[$pwg_key] = $value;
+ // in case the origin of the photo is unsecure (user upload), we
+ // remove HTML tags to avoid XSS (malicious execution of
+ // javascript)
+ $result[$pwg_key] = strip_tags($value);
}
}
}
@@ -140,6 +143,13 @@ function get_exif_data($filename, $map)
}
}
+ foreach ($result as $key => $value)
+ {
+ // in case the origin of the photo is unsecure (user upload), we remove
+ // HTML tags to avoid XSS (malicious execution of javascript)
+ $result[$key] = strip_tags($value);
+ }
+
return $result;
}
?> \ No newline at end of file