Fix reflected XSS vulnerability
Dmitri Popov committed Oct 15, 2023
1 parent 0c835bd commit 3096393
Showing 1 changed file with 10 additions and 10 deletions.
20 changes: 10 additions & 10 deletions index.php
Expand Up @@ -97,8 +97,8 @@ function read_gps_location($file)
$GPSLongitudeRef == 'w' ? $lon *= -1 : '';

return array(
'lat' => $lat,
'lon' => $lon
'lat' => htmlentities($lat),
'lon' => htmlentities($lon)
);
}
}
Expand Down Expand Up @@ -364,25 +364,25 @@ function show_pagination($current_page, $last_page, $and_d, $sub_photo_dir)
$gps = read_gps_location($file);

// Get aperture, exposure, iso, and datetime from EXIF
$aperture = (is_null($exif['COMPUTED']['ApertureFNumber']) ? null : $exif['COMPUTED']['ApertureFNumber']);
$exposure = (is_null($exif['EXIF']['ExposureTime']) ? null : $exif['EXIF']['ExposureTime']);
$aperture = htmlentities((is_null($exif['COMPUTED']['ApertureFNumber']) ? null : $exif['COMPUTED']['ApertureFNumber']));
$exposure = htmlentities((is_null($exif['EXIF']['ExposureTime']) ? null : $exif['EXIF']['ExposureTime']));
// Normalize exposure
// https://stackoverflow.com/questions/3049998/parsing-exifs-exposuretime-using-php
if (!is_null($exposure)) {
$parts = explode("/", $exposure);
if (($parts[1] % $parts[0]) == 0 || $parts[1] == 1000000) {
$exposure = ' • 1/' . round($parts[1] / $parts[0], 0);
$exposure = htmlentities(' • 1/' . round($parts[1] / $parts[0], 0));
} else {
if ($parts[1] == 1) {
$exposure = ' • ' . $parts[0];
$exposure = htmlentities(' • ' . $parts[0]);
} else {
$exposure = ' • ' . $parts[0] . '/' . $parts[1];
$exposure = htmlentities(' • ' . $parts[0] . '/' . $parts[1]);
}
}
}
$iso = (is_null($exif['EXIF']['ISOSpeedRatings']) ? null : " • " . $exif['EXIF']['ISOSpeedRatings']);
$datetime = $exif['EXIF']['DateTimeOriginal'] ?? null;
$comment = $exif['COMMENT']['0'] ?? null;
$iso = htmlentities((is_null($exif['EXIF']['ISOSpeedRatings']) ? null : " • " . $exif['EXIF']['ISOSpeedRatings']));
$datetime = htmlentities($exif['EXIF']['DateTimeOriginal']) ?? null;
$comment = htmlentities($exif['COMMENT']['0']) ?? null;

// Concatenate $exif_info
if (!is_null($aperture) || !is_null($exposure) || !is_null($iso) || !is_null($datetime)) {
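Review bot: The `?? null` on the new `$datetime` and `$comment` lines is now dead, because `htmlentities()` runs before the coalesce: a missing `DateTimeOriginal` or `COMMENT` key raises an undefined-key warning and `htmlentities(null)` yields `''` (with a deprecation on PHP 8.1+), so the `!is_null($datetime)` test on the last line of the hunk always passes. The `$aperture`, `$exposure` and `$iso` lines have the same shape — the ternary's `null` branch is converted to `''` by `htmlentities()` — so the null checks that follow no longer reflect whether EXIF data was present. Guard the key first and escape only the string that exists, e.g. `$datetime = isset($exif['EXIF']['DateTimeOriginal']) ? htmlentities($exif['EXIF']['DateTimeOriginal'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : null;` and likewise for `$comment`; passing the flags explicitly matters because the default set differs across PHP versions and may leave single quotes unescaped in attribute context. Note also that `$exposure` is escaped before `explode()` and then escaped again on the three rebuilt lines, so an `&` in the raw EXIF value would be double-encoded; escaping once at the output site rather than at read time (this applies to `read_gps_location` in the first hunk too) avoids that. The enclosing function begins and ends outside this hunk.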