feature 2899: ability to allow HTML in EXIF/IPTC (disabled by default)

git-svn-id: http://piwigo.org/svn/branches/2.5@22660 68402e56-0260-453c-a942-63ccdbb3a9ee
plegall
2013-05-14 08:04:33 +00:00
parent 509117aeb9
commit 68c0ce6511
2 changed files with 25 additions and 8 deletions
+5
@@ -374,6 +374,11 @@ $conf['use_exif_mapping'] = array(
'date_creation' => 'DateTimeOriginal'
);
// allow_html_in_metadata: in case the origin of the photo is unsecure (user
// upload), we remove HTML tags to avoid XSS (malicious execution of
// javascript)
$conf['allow_html_in_metadata'] = false;
// +-----------------------------------------------------------------------+
// | sessions |
// +-----------------------------------------------------------------------+
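Review bot: The comment above `$conf['allow_html_in_metadata'] = false;` explains the default but not what enabling it implies: with the flag set to true, get_iptc_data and get_exif_data no longer apply strip_tags, and this commit adds no other filtering of those values, so any protection then rests on escaping wherever the metadata is later rendered. Suggest extending the comment with `// Set to true only if every photo source is trusted: when enabled, EXIF/IPTC` and `// values are stored exactly as found in the file, with no filtering at all.` It may also be worth a sentence that a local config written before this option existed still fails safe, since a missing key makes `!$conf['allow_html_in_metadata']` true (with a notice) and tags keep being stripped. The section shown ends inside the config file, so the surrounding option groups are not visible here.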
+20 -8
@@ -30,6 +30,8 @@
*/
function get_iptc_data($filename, $map)
{
global $conf;
$result = array();
$imginfo = array();
@@ -60,10 +62,15 @@ function get_iptc_data($filename, $map)
foreach (array_keys($map, $iptc_key) as $pwg_key)
{
// in case the origin of the photo is unsecure (user upload), we
// remove HTML tags to avoid XSS (malicious execution of
// javascript)
$result[$pwg_key] = strip_tags($value);
$result[$pwg_key] = $value;
if (!$conf['allow_html_in_metadata'])
{
// in case the origin of the photo is unsecure (user upload), we
// remove HTML tags to avoid XSS (malicious execution of
// javascript)
$result[$pwg_key] = strip_tags($result[$pwg_key]);
}
}
}
}
@@ -112,6 +119,8 @@ function clean_iptc_value($value)
*/
function get_exif_data($filename, $map)
{
global $conf;
$result = array();
if (!function_exists('read_exif_data'))
@@ -143,11 +152,14 @@ function get_exif_data($filename, $map)
}
}
foreach ($result as $key => $value)
if (!$conf['allow_html_in_metadata'])
{
// in case the origin of the photo is unsecure (user upload), we remove
// HTML tags to avoid XSS (malicious execution of javascript)
$result[$key] = strip_tags($value);
foreach ($result as $key => $value)
{
// in case the origin of the photo is unsecure (user upload), we remove
// HTML tags to avoid XSS (malicious execution of javascript)
$result[$key] = strip_tags($value);
}
}
return $result;
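Review bot: The two new checks are written differently and carry the same comment three times: get_iptc_data tests `$conf['allow_html_in_metadata']` inside the per-key loop after first storing the raw value, while get_exif_data hoists the test around its loop, and in both places strip_tags is presented as the XSS defence even though it is a tag remover rather than a sanitiser, so the comment should say it is defence in depth and that output escaping is still required. The iptc branch would read better as a single assignment with the comment kept once above it, `$result[$pwg_key] = $conf['allow_html_in_metadata'] ? $value : strip_tags($value);`, which also matches the hoisted form in get_exif_data in spirit. If the feature only needs a limited set of markup, strip_tags' second parameter (an allowed-tags list) would bound the exposure instead of the present all-or-nothing switch; that is a design question rather than a defect in this hunk. Both get_iptc_data and get_exif_data begin before and continue past the hunks shown, so I cannot see where the returned arrays are consumed.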