Filename could contain invalid characters that could be used for XSS #…

…1468

adm_program/system/classes/StringUtils.php

@@ -230,7 +230,7 @@ public static function strIsValidFileName($filename, $checkExtension = true)
             (!self::strValidCharacters($filename, 'file') && $checkExtension) ||
             (!self::strValidCharacters($filename, 'folder') && !$checkExtension)
         ) {
-            throw new AdmException('SYS_FILENAME_INVALID', array(self::strStripTags($filename)));
+            throw new AdmException('SYS_FILENAME_INVALID', array(SecurityUtils::encodeHTML(self::strStripTags($filename))));
         }
 
         if ($checkExtension) {

adm_program/system/classes/UploadHandlerDownload.php

@@ -93,6 +93,8 @@ protected function handle_file_upload($uploadedFile, $name, $size, $type, $error
                     );
                 }
             } catch (AdmException $e) {
+                // remove XSS from filename before the name will be shown in the error message
+                $file->name = SecurityUtils::encodeHTML(StringUtils::strStripTags($file->name));
                 $file->error = $e->getText();
 
                 try {

adm_program/system/classes/UploadHandlerPhoto.php

@@ -143,6 +143,8 @@ protected function handle_file_upload($uploadedFile, $name, $size, $type, $error
                     throw new AdmException('PHO_PHOTO_PROCESSING_ERROR');
                 }
             } catch (AdmException $e) {
+                // remove XSS from filename before the name will be shown in the error message
+                $file->name = SecurityUtils::encodeHTML(StringUtils::strStripTags($file->name));
                 $file->error = $e->getText();
 
                 try {