fixes #2433 protect picture_modify.php from HTML just like pwg.images.setInfo

... and an extra check on input parameters
This commit is contained in:
plegall
2025-11-10 16:04:51 +01:00
parent be85e9381a
commit bc9526f323
2 changed files with 8 additions and 11 deletions


@@ -19,6 +19,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
check_status(ACCESS_ADMINISTRATOR);
check_input_parameter('image_id', $_GET, false, PATTERN_ID);
check_input_parameter('level', $_POST, false, '/^\d+$/');
check_input_parameter('date_creation', $_POST, false, '/^\d\d\d\d-\d\d-\d\d( \d\d:\d\d:\d\d)?$/');
// retrieving direct information about picture. This may have been already
// done on admin/photo.php but this page can also be accessed without
@@ -80,17 +82,12 @@ if (isset($_POST['submit']))
$data = array();
$data['id'] = $_GET['image_id'];
$data['name'] = $_POST['name'];
$data['author'] = $_POST['author'];
$data['level'] = $_POST['level'];
if ($conf['allow_html_descriptions'])
$to_sanitize_fields = array('name', 'author', 'comment');
foreach ($to_sanitize_fields as $field)
{
$data['comment'] = @$_POST['description'];
}
else
{
$data['comment'] = strip_tags(@$_POST['description']);
$data[$field] = $conf['allow_html_descriptions'] ? @$_POST[$field] : strip_tags(@$_POST[$field]);
}
if (!empty($_POST['date_creation']))
@@ -249,8 +246,8 @@ $template->assign(
'DATE_CREATION' => $row['date_creation'],
'DESCRIPTION' =>
htmlspecialchars( isset($_POST['description']) ?
stripslashes($_POST['description']) : (empty($row['comment']) ? '' : $row['comment'])),
htmlspecialchars( isset($_POST['comment']) ?
stripslashes($_POST['comment']) : (empty($row['comment']) ? '' : $row['comment'])),
'F_ACTION' =>
get_root_url().'admin.php'
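Review bot: The new sanitising loop in the second hunk keeps the `@` suppression on `@$_POST[$field]`, so a missing field (for example `author` on a form that does not send it) stores `null` in `$data[$field]` and, on the strip_tags branch, passes `null` to `strip_tags()`, which is deprecated on PHP 8.1+; reading the value once with a null-coalesce removes both problems: `$value = $_POST[$field] ?? '';` then `$data[$field] = $conf['allow_html_descriptions'] ? $value : strip_tags($value);`. Note that with `allow_html_descriptions` enabled the name and author fields now reach the database with markup intact, which appears to be the intended parity with pwg.images.setInfo, so every template that prints them must keep escaping at output. In the first hunk the `date_creation` pattern checks only the shape of the string, not that the month/day/time values are in range, so an out-of-range date still reaches the later `if (!empty($_POST['date_creation']))` handling; a follow-up `checkdate()` or `DateTimeImmutable::createFromFormat()` round-trip would close that. The enclosing `if (isset($_POST['submit']))` block starts and ends outside the hunk.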


@@ -205,7 +205,7 @@ const str_assoc_album_ab = '{'Associate to album'|translate|escape:javascript}';
<p>
<strong>{'Description'|@translate}</strong>
<br>
<textarea name="description" id="description" class="description">{$DESCRIPTION}</textarea>
<textarea name="comment" id="description" class="description">{$DESCRIPTION}</textarea>
</p>
<p>