authorAndreas Gohr <andi@splitbrain.org>2006-03-05 11:28:10 +0100
committerAndreas Gohr <andi@splitbrain.org>2006-03-05 11:28:10 +0100
commit93c020ac9b91843bbf74ce62f6f4712e31435fe1 (patch)
treebca69ee6b191df12b5c164eb65b5ef70c628b09e
parent0f3058750a5c51ab212bb73db103969bf6f03953 (diff)
SECURITY FIX - fix for a minor XSS vulnerability in image metadata handling
Image meta data (from EXIF/IPTC fields) was not escaped correctly in the media select popup. This allowed malicious JavaScript code to be introduced through EXIF tags. Only the media manager was affected. darcs-hash:20060305102810-7ad00-7d8c7c32b914ff9d9987da5c137d01e2153d569c.gz
-rw-r--r--inc/template.php10
1 files changed, 5 insertions, 5 deletions
diff --git a/inc/template.php b/inc/template.php
index 71d372d1f..223f35c00 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -712,8 +712,8 @@ function tpl_mediafilelist(){
}
if($item['isimg']){
- $w = $item['meta']->getField('File.Width');
- $h = $item['meta']->getField('File.Height');
+ $w = (int) $item['meta']->getField('File.Width');
+ $h = (int) $item['meta']->getField('File.Height');
ptln('('.$w.'&#215;'.$h.' '.filesize_h($item['size']).')',6);
ptln($del.'<br />',6);
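Review bot: The `(int)` casts on the `$w` and `$h` assignments are the actual XSS fix for the width/height fields, but nothing in the hunk records that, so a later cleanup could drop them as a no-op; a comment such as `// (int) cast: EXIF dimensions are untrusted and are echoed into HTML unescaped below` on the line before `$w` would preserve the intent. The `ptln` call that follows also interpolates `filesize_h($item['size'])` and `$del` into the same markup; whether those are HTML-safe depends on code outside this hunk and is worth checking the same way the second hunk checks the IPTC/EXIF text fields with htmlspecialchars. A missing or non-numeric dimension now renders as `0×0`; if that is undesirable, guarding the output with `if($w && $h)` is a small follow-up. tpl_mediafilelist starts before this hunk and continues after it.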
@@ -742,15 +742,15 @@ function tpl_mediafilelist(){
//read EXIF/IPTC data
$t = $item['meta']->getField('IPTC.Headline');
- if($t) print '<strong>'.$t.'</strong><br />';
+ if($t) print '<strong>'.htmlspecialchars($t).'</strong><br />';
$t = $item['meta']->getField(array('IPTC.Caption','EXIF.UserComment',
'EXIF.TIFFImageDescription',
'EXIF.TIFFUserComment'));
- if($t) print $t.'<br />';
+ if($t) print htmlspecialchars($t).'<br />';
$t = $item['meta']->getField(array('IPTC.Keywords','IPTC.Category'));
- if($t) print '<em>'.$t.'</em><br />';
+ if($t) print '<em>'.htmlspecialchars($t).'</em><br />';
//add edit button
if($AUTH >= AUTH_UPLOAD && $item['meta']->getField('File.Mime') == 'image/jpeg'){