From 1fd633ed21234016f5e9f515cfbc27d003924f97 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 16 Sep 2020 16:34:19 +0200
Subject: [PATCH] FIX #yogosha4433
---
 htdocs/document.php | 2 +-
 htdocs/viewimage.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/document.php b/htdocs/document.php
index 4a323bd89b3..3808dd755fd 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -219,7 +219,7 @@ if (!$accessallowed)
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file)) {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
- print "ErrorFileNameInvalid: ".$original_file;
+ print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
 exit;
 }
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index c2856848dc5..0ddccc537d1 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -236,7 +236,7 @@ if (!$accessallowed)
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file)) {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
- print "ErrorFileNameInvalid: ".$original_file;
+ print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
 exit;
 }
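Review bot: The refusal branch in htdocs/document.php (`print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file); exit;`) still answers with whatever status and content type are in effect, so the new escaping call is the only thing standing between the request-supplied name and the browser. I would set an explicit error status before the print, for example `http_response_code(400);`, provided no output has been sent earlier in the script, which this hunk does not show. I would also add a comment such as `// $original_file is request-controlled: escape before echoing` so a later edit does not drop the call. The `dol_syslog("Refused to deliver file ".$fullpath_original_file);` line just above writes the same untrusted value to the log unmodified; it is worth confirming that dol_syslog neutralises line breaks. All of this applies equally to the identical hunk in htdocs/viewimage.php, and the enclosing code starts outside both hunks.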