From: Jerome Jutteau
Date: Tue, 19 May 2015 11:58:36 +0000 (+0200)
Subject: Escape filenames to not break HTML views
X-Git-Tag: 1.1~75^2
X-Git-Url: https://git.p6c8.net/jirafeau.git/commitdiff_plain/c54ae2c242e359c39b974904285fd3a3bd14d6ac?hp=9093d4ec5187ecd2638bae1f2f9decce6b501642
Escape filenames to not break HTML views
fixes #39
Signed-off-by: Jerome Jutteau
---
diff --git a/f.php b/f.php
index 99a67df..75d77d7 100644
--- a/f.php
+++ b/f.php
@@ -191,9 +191,9 @@ if (!$password_challenged && !$do_download && !$do_preview) echo '" ' . 'method = "post" id = "submit_post">'; ?> ' . $link['file_name'] . '' . + echo '
' . htmlspecialchars($link['file_name']) . '
' . '' . ''; echo '';
' . - t('You are about to download') . ' "' . $link['file_name'] . '" (' . jirafeau_human_size($link['file_size']) . ')' . + t('You are about to download') . ' "' . htmlspecialchars($link['file_name']) . '" (' . jirafeau_human_size($link['file_size']) . ')' . '
' . t('By using our services, you accept our'). ' ' . t('Term Of Service') . '' .
diff --git a/lib/functions.php b/lib/functions.php
index 1800231..0f42e21 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -614,7 +614,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
 continue;
 /* Filter. */
- if (!empty ($name) && !preg_match ("/$name/i", $l['file_name']))
+ if (!empty ($name) && !preg_match ("/$name/i", htmlspecialchars($l['file_name'])))
 continue;
 if (!empty ($file_hash) && $file_hash != $l['md5'])
 continue;
@@ -626,7 +626,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash) '
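Review bot: Both new `htmlspecialchars($link['file_name'])` calls in f.php (the one on the `+ echo` line of the heading and the one in the "You are about to download" prompt) rely on the default flags, so single quotes are not escaped and a filename that is not valid UTF-8 makes `htmlspecialchars()` return an empty string, silently blanking the name. Passing the flags explicitly, `htmlspecialchars($link['file_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, is safe in attribute as well as text context and keeps malformed bytes visible as U+FFFD instead of dropping the whole value. Since the same escaping now appears in both f.php and lib/functions.php, a small shared helper in lib/functions.php (e.g. `jirafeau_escape($s)`, name constructed) would keep the flags consistent across views. The enclosing `if (!$password_challenged && !$do_download && !$do_preview)` block starts and ends outside the hunk.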
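Review bot: In the `@@ -614` hunk of lib/functions.php, escaping the filename before the `preg_match` filter changes what the admin search matches rather than what is rendered: a file named `a<b` no longer matches a search for `<b`, while a search for `amp;` now matches any name that merely contains `&`. Output escaping belongs at the point where the name is echoed (which the following `@@ -626` hunk appears to handle), so this line should keep matching the raw name, and since `$name` is interpolated straight into the pattern, a search string containing `/` or regex metacharacters currently breaks or alters the expression; unless regex filters are intended, `if (!empty ($name) && !preg_match ("/" . preg_quote($name, '/') . "/i", $l['file_name']))` addresses both. `jirafeau_admin_list` starts and ends outside the hunk.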
' . '' . '' . - '' . + '' . '
'; echo '
' . $l['mime_type'] . '