Documents: Move form, add remove_xss

5 years ago · 78f74d31ea
parent f539afe55e
commit 78f74d31ea
2 changed files with 3 additions and 2 deletions
--- a/main/document/document.php
+++ b/main/document/document.php
@ -1090,7 +1090,7 @@ if ($isAllowedToEdit || $groupMemberWithUploadRights ||
                false,
                $curdirpath
            );
-            $moveForm .= '<legend>'.get_lang('Move').': '.$document_to_move['title'].'</legend>';
+            $moveForm .= '<legend>'.get_lang('Move').': '.Security::remove_XSS($document_to_move['title']).'</legend>';

            // filter if is my shared folder. TODO: move this code to build_move_to_selector function
            if (DocumentManager::is_my_shared_folder(api_get_user_id(), $curdirpath, $sessionId) &&
--- a/main/inc/lib/document.lib.php
+++ b/main/inc/lib/document.lib.php
@ -5049,7 +5049,7 @@ class DocumentManager

        if (is_array($folders)) {
            $escaped_folders = [];
-            foreach ($folders as $key => &$val) {
+            foreach ($folders as $key => $val) {
                $escaped_folders[$key] = Database::escape_string($val);
            }
            $folder_sql = implode("','", $escaped_folders);
@ -5097,6 +5097,7 @@ class DocumentManager
                    } else {
                        $label = ' &mdash; '.$folder_titles[$folder];
                    }
+                    $label = Security::remove_XSS($label);
                    $parent_select->addOption($label, $folder_id);
                    if ($selected != '') {
                        $parent_select->setSelected($folder_id);