From 254c391ddfb1be68a5b9e210b18e723e75b5d053 Mon Sep 17 00:00:00 2001
From: Alexandre SPANGARO
Date: Wed, 16 Sep 2020 21:31:46 +0200
Subject: [PATCH] FIX Yogosha report 4433 (backport)
---
 htdocs/document.php | 2 +-
 htdocs/viewimage.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/document.php b/htdocs/document.php
index 2b37792d69a..42795ad0909 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -221,7 +221,7 @@ if (! $accessallowed)
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file))
 {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
- print "ErrorFileNameInvalid: ".$original_file;
+ print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
 exit;
 }
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 07b69fff2e9..dd367857979 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -232,7 +232,7 @@ if (! $accessallowed)
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file))
 {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
- print "ErrorFileNameInvalid: ".$original_file;
+ print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
 exit;
 }
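Review bot: The rejected file name is still reflected into the response by the new `print` line in `htdocs/document.php`, and by the identical line in the `htdocs/viewimage.php` hunk; `dol_escape_htmltag()` covers an HTML body context, but the more robust form is to not echo the request-derived value at all, e.g. `print "ErrorFileNameInvalid";`, and leave the detail to the `dol_syslog()` call just above. That log call writes `$fullpath_original_file` as received, so it is worth confirming that `dol_syslog` neutralises line breaks (its body is not visible here), otherwise a crafted name could forge log entries. If the escaped name is kept, a comment above the `print` such as `// File name comes from the request and matched the [<>|] filter: never output it unescaped` would record why the escape must stay. The assignment of `$original_file` lies outside both hunks, so whether it is already filtered upstream cannot be judged from this patch.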