fixes #1168 prevent XSS on pwg.images.setInfo

Piwigo · Mar 24, 2020 · 078cd73 · 078cd73
1 parent b3027b1
commit 078cd73
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/include/ws_functions/pwg.images.php b/include/ws_functions/pwg.images.php
@@ -1674,7 +1674,12 @@ function ws_images_setInfo($params, $service)
         );
     }
 
-    $update['file'] = $params['file'];
+    // prevent XSS, remove HTML tags
+    $update['file'] = strip_tags($params['file']);
+    if (empty($update['file']))
+    {
+      unset($update['file']);
+    }
   }
 
   if (count(array_keys($update)) > 0)