From bc9526f323c19550053d3e76e4a42f4d759e1524 Mon Sep 17 00:00:00 2001
From: plegall
Date: Mon, 10 Nov 2025 16:04:51 +0100
Subject: [PATCH] fixes #2433 protect picture_modify.php from HTML just like pwg.images.setInfo
... and a extra check on input parameters
---
 admin/picture_modify.php | 17 +++++++----------
 .../themes/default/template/picture_modify.tpl | 2 +-
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/admin/picture_modify.php b/admin/picture_modify.php
index 6468ecaf8..edf8845e7 100644
--- a/admin/picture_modify.php
+++ b/admin/picture_modify.php
@@ -19,6 +19,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
 check_input_parameter('image_id', $_GET, false, PATTERN_ID);
+check_input_parameter('level', $_POST, false, '/^\d+$/');
+check_input_parameter('date_creation', $_POST, false, '/^\d\d\d\d-\d\d-\d\d( \d\d:\d\d:\d\d)?$/');
 // retrieving direct information about picture. This may have been already
 // done on admin/photo.php but this page can also be accessed without
@@ -80,17 +82,12 @@ if (isset($_POST['submit']))
 $data = array();
 $data['id'] = $_GET['image_id'];
- $data['name'] = $_POST['name'];
- $data['author'] = $_POST['author'];
 $data['level'] = $_POST['level'];
- if ($conf['allow_html_descriptions'])
+ $to_sanitize_fields = array('name', 'author', 'comment');
+ foreach ($to_sanitize_fields as $field)
 {
- $data['comment'] = @$_POST['description'];
- }
- else
- {
- $data['comment'] = strip_tags(@$_POST['description']);
+ $data[$field] = $conf['allow_html_descriptions'] ? @$_POST[$field] : strip_tags(@$_POST[$field]);
 }
 if (!empty($_POST['date_creation']))
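Review bot: The new `level` check re-spells the digits-only pattern that `PATTERN_ID`, passed for `image_id` on the line just above it, already names; `check_input_parameter('level', $_POST, false, PATTERN_ID);` keeps the two checks in one vocabulary and avoids the two patterns drifting apart later. The `date_creation` pattern ends in `$` without the `D` modifier, so PCRE also accepts a value carrying a single trailing newline; `'/^\d\d\d\d-\d\d-\d\d( \d\d:\d\d:\d\d)?$/D'` closes that gap. Both checks sit above the submit branch, so presumably a failing value stops the request before `$data` is built further down; a short comment stating that intent, `// reject malformed POST values before the submit branch uses them`, would save the next reader from having to confirm it.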
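Review bot: `@$_POST[$field]` in the new foreach passes `null` to `strip_tags()` whenever one of the three fields is absent from the request, which PHP 8.1+ reports as a deprecation that the `@` merely hides, and in the `allow_html_descriptions` branch the same absence stores `null` in `$data[$field]` instead of a string; `$data[$field] = $conf['allow_html_descriptions'] ? ($_POST[$field] ?? '') : strip_tags($_POST[$field] ?? '');` drops the suppression and yields a string in both branches. A field whose submitted value is an array rather than a string would also reach `strip_tags()` unchecked; an `is_string()` guard here, or a `check_input_parameter()` for these fields next to the `level` and `date_creation` checks in the first hunk, would reject that shape up front. The enclosing `if (isset($_POST['submit']))` block starts before and ends after this hunk.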
@@ -249,8 +246,8 @@ $template->assign(
 'DATE_CREATION' => $row['date_creation'],
 'DESCRIPTION' =>
- htmlspecialchars( isset($_POST['description']) ?
- stripslashes($_POST['description']) : (empty($row['comment']) ? '' : $row['comment'])),
+ htmlspecialchars( isset($_POST['comment']) ?
+ stripslashes($_POST['comment']) : (empty($row['comment']) ? '' : $row['comment'])),
 'F_ACTION' => get_root_url().'admin.php'
diff --git a/admin/themes/default/template/picture_modify.tpl b/admin/themes/default/template/picture_modify.tpl
index 814d7d7b5..edadecdc4 100644
--- a/admin/themes/default/template/picture_modify.tpl
+++ b/admin/themes/default/template/picture_modify.tpl
@@ -205,7 +205,7 @@ const str_assoc_album_ab = '{'Associate to album'|translate|escape:javascript}';
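Review bot: The re-display line still runs `stripslashes()` on the submitted `$_POST['comment']` before escaping it; that is a magic_quotes-era leftover (magic_quotes was removed in PHP 5.4), and on a modern install it deletes any backslash the user actually typed in the description when the form is shown again, so the new side should read `htmlspecialchars( isset($_POST['comment']) ? $_POST['comment'] : (empty($row['comment']) ? '' : $row['comment'])),`. The `htmlspecialchars()` call on the same lines makes the re-render safe for an HTML text context; if the template ever places `DESCRIPTION` inside a single-quoted attribute, pass `ENT_QUOTES` explicitly, since that is not the default before PHP 8.1. The `$template->assign(` call starts before and ends after this hunk.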

{'Description'|@translate}
- +