From 1e23ed84d3a80f00b827de8aed546464674bb427 Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 24 Mar 2020 14:07:49 +0100
Subject: [PATCH] fixes #1168 prevent XSS on pwg.images.setInfo
---
 include/ws_functions/pwg.images.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/ws_functions/pwg.images.php b/include/ws_functions/pwg.images.php
index 6a8685437..09f3bbf0d 100644
--- a/include/ws_functions/pwg.images.php
+++ b/include/ws_functions/pwg.images.php
@@ -1674,7 +1674,12 @@ SELECT *
 );
 }
- $update['file'] = $params['file'];
+ // prevent XSS, remove HTML tags
+ $update['file'] = strip_tags($params['file']);
+ if (empty($update['file']))
+ {
+ unset($update['file']);
+ }
 }
 if (count(array_keys($update)) > 0)
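Review bot: `strip_tags()` on the new `$update['file']` line is a lossy sanitizer rather than a validation step, and the `empty()` guard under it silently discards a legitimate file name of `"0"` (PHP's `empty("0")` is true) as well as any name that tag stripping reduces to nothing, with no error returned to the caller. Since `file` is a file name, an allowlist check that rejects the request is both stricter and more predictable, e.g. `if (!preg_match('/^[^\/\\\\<>"\'\x00-\x1f]+$/', $params['file']))` followed by whatever error return this function already uses for its other parameters, leaving `$update['file'] = $params['file'];` unchanged; at minimum the guard should be `if ($update['file'] === '')`. Such a check also rejects path separators, which `strip_tags()` leaves in place — relevant if the stored value is ever joined into a filesystem path, which I cannot confirm from this hunk. Either way, the templates that render `file` should still HTML-escape it at output time, because tag stripping does not protect attribute contexts. The enclosing `if` block and the function itself begin outside the hunk.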