From 917cab5a44dfde85cbe342dec35c564d0bcd9bc1 Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 1 Mar 2024 11:24:50 +0100
Subject: [PATCH] fixes GHSA-7379-w44f-mfw4 and fixes GHSA-8g2g-6f2c-6h7j protect tag name from XSS
---
 admin/include/functions.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/admin/include/functions.php b/admin/include/functions.php
index 1657b24c6..b2e51c5a3 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -2365,6 +2365,9 @@ function get_extents($start='')
 */
 function create_tag($tag_name)
 {
+ // clean the tag, no html/js allowed in tag name
+ $tag_name = strip_tags($tag_name);
+
 // does the tag already exists?
 $query = '
 SELECT id
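Review bot: `strip_tags()` at the top of `create_tag()` removes markup but leaves quotes and `&` untouched, so a tag name that is later written into an HTML attribute or script context is still unescaped; the durable control is context-aware encoding where the name is rendered, for example `htmlspecialchars($tag_name, ENT_QUOTES, 'UTF-8')` in the output path, with this call kept as defence in depth. The sanitised value can also be an empty string when the input consisted only of markup, and the existence query that follows would then run on an empty name; a guard such as `if (trim($tag_name) === '') { /* reject, reporting the error the way this function already does */ }` directly after the new line would cover it. Any other code path that writes a tag name (a rename or API path, if one exists) is not part of this hunk and would need the same treatment. The body of `create_tag()` continues past the end of the hunk, so whether an empty name is rejected further down cannot be confirmed from here.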