mirror_php/Jirafeau
1
0
Fork 0
mirror of https://gitlab.com/mojo42/Jirafeau.git synced 2025-01-17 21:08:20 +01:00
Code Issues Projects Releases Wiki Activity

Escape filenames to not break HTML views

Browse Source 
fixes #39

Signed-off-by: Jerome Jutteau <mojo@couak.net>
This commit is contained in:
Jerome Jutteau 2015-05-19 13:58:36 +02:00
parent 9093d4ec51
commit c54ae2c242
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
f.php
View File

@ -191,9 +191,9 @@ if (!$password_challenged && !$do_download && !$do_preview)
echo '" ' .
'method = "post" id = "submit_post">'; ?>
<input type = "hidden" name = "jirafeau" value = "<?php echo JIRAFEAU_VERSION ?>"/><?php
echo '<fieldset><legend>' . $link['file_name'] . '</legend><table>' .
echo '<fieldset><legend>' . htmlspecialchars($link['file_name']) . '</legend><table>' .
'<tr><td>' .
t('You are about to download') . ' "' . $link['file_name'] . '" (' . jirafeau_human_size($link['file_size']) . ')' .
t('You are about to download') . ' "' . htmlspecialchars($link['file_name']) . '" (' . jirafeau_human_size($link['file_size']) . ')' .
'</td></tr>' .
'<tr><td>' .
t('By using our services, you accept our'). ' <a href="' . $cfg['web_root'] . '/tos.php' . '">' . t('Term Of Service') . '</a>' .

4
lib/functions.php
View File

@ -614,7 +614,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
continue;
/* Filter. */
if (!empty ($name) && !preg_match ("/$name/i", $l['file_name']))
if (!empty ($name) && !preg_match ("/$name/i", htmlspecialchars($l['file_name'])))
continue;
if (!empty ($file_hash) && $file_hash != $l['md5'])
continue;
@ -626,7 +626,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
'<form action = "admin.php" method = "post">' .
'<input type = "hidden" name = "action" value = "download"/>' .
'<input type = "hidden" name = "link" value = "' . $node . '"/>' .
'<input type = "submit" value = "' . $l['file_name'] . '" />' .
'<input type = "submit" value = "' . htmlspecialchars($l['file_name']) . '" />' .
'</form>';
echo '</td>';
echo '<td>' . $l['mime_type'] . '</td>';