FIX #yogosha4426

2020-09-16 14:51:46 +02:00 · 2020-09-16 14:51:46 +02:00 · d0c02f3714
commit d0c02f3714
parent d7aa376c3c
3 changed files with 3 additions and 4 deletions
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@ -1207,7 +1207,7 @@ class FormFile
 						$editline = 1;
 					} else {
 						$filenametoshow = preg_replace('/\.noexe$/', '', $file['name']);
-						print dol_trunc($filenametoshow, 200);
+						print dol_escape_htmltag(dol_trunc($filenametoshow, 200));
 						print '</a>';
 					}
 					// Preview link
--- a/htdocs/ecm/file_card.php
+++ b/htdocs/ecm/file_card.php
@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2008-2017 Laurent Destailleur  <eldy@users.sourceforge.net>
+/* Copyright (C) 2008-2020 Laurent Destailleur  <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -126,7 +126,7 @@ if ($action == 'update')
    $error = 0;

    $oldlabel = GETPOST('urlfile', 'alpha');
-    $newlabel = GETPOST('label', 'alpha');
+    $newlabel = dol_sanitizeFileName(GETPOST('label', 'alpha'));
 	$shareenabled = GETPOST('shareenabled', 'alpha');

    //$db->begin();
--- a/htdocs/ecm/index.php
+++ b/htdocs/ecm/index.php
@ -127,7 +127,6 @@ if ($action == 'confirm_deletefile')

 		$upload_dir = $conf->ecm->dir_output.($relativepath ? '/'.$relativepath : '');
 		$file = $upload_dir."/".GETPOST('urlfile', 'alpha');
-
 		$ret = dol_delete_file($file); // This include also the delete from file index in database.
 		if ($ret)
 		{