From 6121771c5fa26ecde705c091424f20aae44cb2b8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 31 Jan 2019 10:16:49 +0100
Subject: [PATCH] FIX XSS

---
 htdocs/document.php  | 2 +-
 htdocs/viewimage.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index ff6c6f6e635..1df59c07a16 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -74,7 +74,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $encoding = '';
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index ea29fe0d8bd..2385a558307 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -84,7 +84,7 @@ require 'main.inc.php';	// Load $user and permissions
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $action=GETPOST('action','alpha');
-$original_file=GETPOST('file','alpha');		// Do not use urldecode here ($_GET are already decoded by PHP).
+$original_file=GETPOST('file','alphanohtml');		// Do not use urldecode here ($_GET are already decoded by PHP).
 $hashp=GETPOST('hashp','aZ09');
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');