From c54ae2c242e359c39b974904285fd3a3bd14d6ac Mon Sep 17 00:00:00 2001
From: Jerome Jutteau
Date: Tue, 19 May 2015 13:58:36 +0200
Subject: [PATCH] Escape filenames to not break HTML views
fixes #39
Signed-off-by: Jerome Jutteau
---
 f.php | 4 ++--
 lib/functions.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/f.php b/f.php
index 99a67df..75d77d7 100644
--- a/f.php
+++ b/f.php
@@ -191,9 +191,9 @@ if (!$password_challenged && !$do_download && !$do_preview)
 echo '" ' . 'method = "post" id = "submit_post">'; ?> ' . $link['file_name'] . '' . + echo '
' . htmlspecialchars($link['file_name']) . '
' . '' . ''; echo ''; -- 2.34.1
' . - t('You are about to download') . ' "' . $link['file_name'] . '" (' . jirafeau_human_size($link['file_size']) . ')' . + t('You are about to download') . ' "' . htmlspecialchars($link['file_name']) . '" (' . jirafeau_human_size($link['file_size']) . ')' . '
' . t('By using our services, you accept our'). ' ' . t('Term Of Service') . '' .
diff --git a/lib/functions.php b/lib/functions.php
index 1800231..0f42e21 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -614,7 +614,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
 continue;
 /* Filter. */
- if (!empty ($name) && !preg_match ("/$name/i", $l['file_name']))
+ if (!empty ($name) && !preg_match ("/$name/i", htmlspecialchars($l['file_name'])))
 continue;
 if (!empty ($file_hash) && $file_hash != $l['md5'])
 continue;
@@ -626,7 +626,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash)
 '
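Review bot: Both new lines of the f.php hunk call `htmlspecialchars($link['file_name'])` with default flags, so the result depends on the PHP version the instance runs: before 8.1 the default omits ENT_SUBSTITUTE, and a stored file name containing an invalid UTF-8 byte makes the call return an empty string, so the link text and the "You are about to download" prompt silently lose the name; ENT_COMPAT also leaves single quotes unescaped should the value ever be placed in a single-quoted attribute. Passing the flags explicitly, `htmlspecialchars($link['file_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, keeps the output well-formed for any byte sequence and any attribute quoting, and the same form applies to the new line in the @@ -626 hunk of lib/functions.php. Since the file name is chosen by the uploader and rendered to every visitor of the download page, the commit message could also say this is output encoding of an untrusted value and not only a layout repair. The echo statement being edited starts before the hunk and the surrounding block continues past it.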
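Review bot: In the @@ -614 hunk the admin filter now matches `$name` against `htmlspecialchars($l['file_name'])`, so a search for a name containing `&`, `<`, `>` or `"` no longer finds the entry because only the entity-encoded form is compared, while the pre-existing interpolation of `$name` into `"/$name/i"` is left as is: a `/` or regex metacharacter in the filter term (presumably admin-supplied) breaks or redefines the pattern and `preg_match` then returns false with a warning, dropping every row. Output encoding belongs where the name is printed, which the @@ -626 hunk already does; the filter should match the raw stored name with the term quoted: `if (!empty ($name) && !preg_match ('/' . preg_quote($name, '/') . '/i', $l['file_name']))`. jirafeau_admin_list begins before this hunk and continues after it.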
' . '' . '' . - '' . + '' . '
'; echo '
' . $l['mime_type'] . '