From 21b263a88550d1da199a13d215ea1477d603b75a Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Fri, 17 Jun 2016 00:12:43 +0200
Subject: Harden XSS escaping

This could lead to XSS if the html attribute values weren't quoted with
double quotes. By default htmlentities only encodes double quotes and
not single quotes. If the quotes are ever changed this could lead to
exploitable XSS.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/views/file/fragments/thumbnail.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'application/views/file/fragments')

diff --git a/application/views/file/fragments/thumbnail.php b/application/views/file/fragments/thumbnail.php
index 7cbebe7fe..7fad5575f 100644
--- a/application/views/file/fragments/thumbnail.php
+++ b/application/views/file/fragments/thumbnail.php
@@ -12,8 +12,8 @@ if (substr($base_url, -1) !== "/") {
 			<?php if (strpos($item["mimetype"], "image/") === 0) {?>rel="gallery" class="colorbox"<?php } ?>
 			data-orientation="<?php echo $item["orientation"]; ?>"
 			href="<?php echo $base_url.$item["id"]."/"; ?>"
-			title="<?php echo htmlentities($item["filename"]); ?>"
-			data-content="<?php echo htmlentities($item["tooltip"]); ?>"
+			title="<?php echo htmlentities($item["filename"], ENT_QUOTES); ?>"
+			data-content="<?php echo htmlentities($item["tooltip"], ENT_QUOTES); ?>"
 			data-id="<?php echo $item["id"]; ?>"><!--
 			--><img	class="thumb lazyload"
 				data-original="<?php echo $base_url."file/thumbnail/".$item["id"]; ?>"
-- 
cgit v1.2.3-24-g4f1b