From 93c020ac9b91843bbf74ce62f6f4712e31435fe1 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sun, 5 Mar 2006 11:28:10 +0100
Subject: SECURITY FIX - fix for a minor XSS vulnerability in image metadata
 handling

Image meta data (from EXIF/IPTC fields) was not escaped correctly in the
media select popup. This allowed to introduce malicious javascript code
through EXIF tags. Only the media manager was affected.

darcs-hash:20060305102810-7ad00-7d8c7c32b914ff9d9987da5c137d01e2153d569c.gz
---
 inc/template.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'inc')

diff --git a/inc/template.php b/inc/template.php
index 71d372d1f..223f35c00 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -712,8 +712,8 @@ function tpl_mediafilelist(){
     }
 
     if($item['isimg']){
-      $w = $item['meta']->getField('File.Width');
-      $h = $item['meta']->getField('File.Height');
+      $w = (int) $item['meta']->getField('File.Width');
+      $h = (int) $item['meta']->getField('File.Height');
 
       ptln('('.$w.'&#215;'.$h.' '.filesize_h($item['size']).')',6);
       ptln($del.'<br />',6);
@@ -742,15 +742,15 @@ function tpl_mediafilelist(){
 
       //read EXIF/IPTC data
       $t = $item['meta']->getField('IPTC.Headline');
-      if($t) print '<strong>'.$t.'</strong><br />';
+      if($t) print '<strong>'.htmlspecialchars($t).'</strong><br />';
 
       $t = $item['meta']->getField(array('IPTC.Caption','EXIF.UserComment',
                                          'EXIF.TIFFImageDescription',
                                          'EXIF.TIFFUserComment'));
-      if($t) print $t.'<br />';
+      if($t) print htmlspecialchars($t).'<br />';
 
       $t = $item['meta']->getField(array('IPTC.Keywords','IPTC.Category'));
-      if($t) print '<em>'.$t.'</em><br />';
+      if($t) print '<em>'.htmlspecialchars($t).'</em><br />';
 
       //add edit button
       if($AUTH >= AUTH_UPLOAD && $item['meta']->getField('File.Mime') == 'image/jpeg'){
-- 
cgit v1.2.3