Changeset 19417


Timestamp:
Dec 13, 2012, 10:27:24 AM (8 years ago)
Author:
plg
Message:

bug 2805: avoid XSS from EXIF/IPTC

File:
1 edited

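--- a/branches/2.4/include/functions_metadata.inc.php
+++ b/branches/2.4/include/functions_metadata.inc.php
@@ -61,5 +61,8 @@
           foreach (array_keys($map, $iptc_key) as $pwg_key)
           {
-            $result[$pwg_key] = $value;
+            // in case the origin of the photo is unsecure (user upload), we
+            // remove HTML tags to avoid XSS (malicious execution of
+            // javascript)
+            $result[$pwg_key] = strip_tags($value);
           }
         }
@@ -141,4 +144,11 @@
   }
 
+  foreach ($result as $key => $value)
+  {
+    // in case the origin of the photo is unsecure (user upload), we remove
+    // HTML tags to avoid XSS (malicious execution of javascript)
+    $result[$key] = strip_tags($value);
+  }
+
   return $result;
 }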
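Review bot: `strip_tags()` at new lines 66 and 150 removes tags but leaves quotes and `&` in place, so the stored value is only safe where it is printed as element text; if any template places EXIF/IPTC fields inside an attribute such as `title` or `alt` (not visible here), the output still needs `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` at render time. I would state that limit in the comment, e.g. `// strip_tags() only removes markup; escape again wherever the value is output`. The loop at new lines 146-151 also assumes every `$result` entry is a string, which the lines shown do not establish; wrapping the assignment in `if (is_string($value))` would make that explicit. Both enclosing functions start outside the hunks.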