Changeset 22661


Timestamp:
May 14, 2013, 10:05:06 AM (11 years ago)
Author:
plg
Message:

merge r22660 from branch 2.5 to trunk

feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default)

Location:
trunk/include
Files:
2 edited

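--- a/trunk/include/config_default.inc.php
+++ b/trunk/include/config_default.inc.php
@@ -374,4 +374,9 @@
   'date_creation' => 'DateTimeOriginal'
   );
+
+// allow_html_in_metadata: in case the origin of the photo is unsecure (user
+// upload), we remove HTML tags to avoid XSS (malicious execution of
+// javascript)
+$conf['allow_html_in_metadata'] = false;
 
 // +-----------------------------------------------------------------------+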
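Review bot: The comment above `$conf['allow_html_in_metadata']` explains only the default, not what enabling the option means, which is the decision an administrator actually has to make. I would add a line such as `// Set to true only when every uploader is trusted: EXIF/IPTC values are then kept unfiltered, so any HTML they contain reaches the page as-is.` The companion change in functions_metadata.inc.php checks this flag when the metadata is read from the file, so values imported while it was true are presumably not re-filtered by switching it back to false; that is worth stating here too.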
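--- a/trunk/include/functions_metadata.inc.php
+++ b/trunk/include/functions_metadata.inc.php
@@ -31,4 +31,6 @@
 function get_iptc_data($filename, $map)
 {
+  global $conf;
+
   $result = array();
 
@@ -61,8 +63,13 @@
           foreach (array_keys($map, $iptc_key) as $pwg_key)
           {
-            // in case the origin of the photo is unsecure (user upload), we
-            // remove HTML tags to avoid XSS (malicious execution of
-            // javascript)
-            $result[$pwg_key] = strip_tags($value);
+            $result[$pwg_key] = $value;
+
+            if (!$conf['allow_html_in_metadata'])
+            {
+              // in case the origin of the photo is unsecure (user upload), we
+              // remove HTML tags to avoid XSS (malicious execution of
+              // javascript)
+              $result[$pwg_key] = strip_tags($result[$pwg_key]);
+            }
           }
         }
@@ -113,4 +120,6 @@
 function get_exif_data($filename, $map)
 {
+  global $conf;
+
   $result = array();
 
@@ -144,9 +153,12 @@
   }
 
-  foreach ($result as $key => $value)
+  if (!$conf['allow_html_in_metadata'])
   {
-    // in case the origin of the photo is unsecure (user upload), we remove
-    // HTML tags to avoid XSS (malicious execution of javascript)
-    $result[$key] = strip_tags($value);
+    foreach ($result as $key => $value)
+    {
+      // in case the origin of the photo is unsecure (user upload), we remove
+      // HTML tags to avoid XSS (malicious execution of javascript)
+      $result[$key] = strip_tags($value);
+    }
   }
 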
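Review bot: Both new `if (!$conf['allow_html_in_metadata'])` branches (new line 67 in get_iptc_data and new line 155 in get_exif_data) keep `strip_tags()` as the only defence, and it runs at extraction rather than at output. `strip_tags()` removes tags but leaves quotes, ampersands and similar characters untouched, so a value placed into an attribute or script context by a template still needs `htmlspecialchars()` with `ENT_QUOTES` whatever this flag is set to; I would say so in the comment, e.g. `// strip_tags() is a coarse input filter, not output escaping: callers must still escape per context`. Because the filter is applied when the file is read, metadata imported while the option was true will presumably stay unfiltered after it is switched back, which the configuration comment should mention. get_exif_data's body begins outside this last hunk, and `$conf` is reached through `global` in both functions; whether it is always populated before they are called is not visible here.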