From 206d9bee4c086316abd1d39a000e9160b86e0db5 Mon Sep 17 00:00:00 2001 From: plegall Date: Tue, 14 May 2013 08:05:06 +0000 Subject: merge r22660 from branch 2.5 to trunk feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default) git-svn-id: http://piwigo.org/svn/trunk@22661 68402e56-0260-453c-a942-63ccdbb3a9ee --- include/config_default.inc.php | 5 +++++ include/functions_metadata.inc.php | 28 ++++++++++++++++++++-------- 2 files changed, 25 insertions(+), 8 deletions(-) (limited to 'include') diff --git a/include/config_default.inc.php b/include/config_default.inc.php index 4372e61fe..9f812450b 100644 --- a/include/config_default.inc.php +++ b/include/config_default.inc.php @@ -374,6 +374,11 @@ $conf['use_exif_mapping'] = array( 'date_creation' => 'DateTimeOriginal' ); +// allow_html_in_metadata: in case the origin of the photo is unsecure (user +// upload), we remove HTML tags to avoid XSS (malicious execution of +// javascript) +$conf['allow_html_in_metadata'] = false; + // +-----------------------------------------------------------------------+ // | sessions | // +-----------------------------------------------------------------------+ diff --git a/include/functions_metadata.inc.php b/include/functions_metadata.inc.php index 4549ca7c6..97724abc1 100644 --- a/include/functions_metadata.inc.php +++ b/include/functions_metadata.inc.php @@ -30,6 +30,8 @@ */ function get_iptc_data($filename, $map) { + global $conf; + $result = array(); $imginfo = array(); @@ -60,10 +62,15 @@ function get_iptc_data($filename, $map) foreach (array_keys($map, $iptc_key) as $pwg_key) { - // in case the origin of the photo is unsecure (user upload), we - // remove HTML tags to avoid XSS (malicious execution of - // javascript) - $result[$pwg_key] = strip_tags($value); + $result[$pwg_key] = $value; + + if (!$conf['allow_html_in_metadata']) + { + // in case the origin of the photo is unsecure (user upload), we + // remove HTML tags to avoid XSS (malicious execution of + // javascript) + $result[$pwg_key] = strip_tags($result[$pwg_key]); + } } } } @@ -112,6 +119,8 @@ function clean_iptc_value($value) */ function get_exif_data($filename, $map) { + global $conf; + $result = array(); if (!function_exists('read_exif_data')) @@ -143,11 +152,14 @@ function get_exif_data($filename, $map) } } - foreach ($result as $key => $value) + if (!$conf['allow_html_in_metadata']) { - // in case the origin of the photo is unsecure (user upload), we remove - // HTML tags to avoid XSS (malicious execution of javascript) - $result[$key] = strip_tags($value); + foreach ($result as $key => $value) + { + // in case the origin of the photo is unsecure (user upload), we remove + // HTML tags to avoid XSS (malicious execution of javascript) + $result[$key] = strip_tags($value); + } } return $result; -- cgit v1.2.3