From 4e8782ebc622a4b9644f09998054b15bd49eef8f Mon Sep 17 00:00:00 2001
From: Dmitri Popov <dmpop@linux.com>
Date: Wed, 13 Oct 2021 16:09:59 +0200
Subject: [PATCH] Fix xss (#31)

Fix XSS on index through "d" param and "photo" param

Co-authored-by: JoMar <contact@jomar.fr>
---
 index.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/index.php b/index.php
index c18e07d..d2baf6f 100644
--- a/index.php
+++ b/index.php
@@ -99,8 +99,8 @@ function read_gps_location($file)
 			echo ("<h1 style='margin-top: 2em;'><mark>Directory doesn't exist</mark></h1>
 			<div style='display: flex; justify-content: center; line-height: 1.5;'>
 			<ul>
-			<li>Create <u>$photo_dir</u> and <u>" . $photo_dir . "tims</u> directories.</li>
-			<li>Add photos to the <u>$photo_dir</u> directory.</li>
+			<li>Create <u>" . htmlentities($photo_dir) . "</u> and <u>" . htmlentities($photo_dir) . "tims</u> directories.</li>
+			<li>Add photos to the <u>" . htmlentities($photo_dir) . "</u> directory.</li>
 			<li>Refresh this page.</li>
 			</ul></div>");
 			exit;
@@ -357,7 +357,7 @@ function show_pagination($current_page, $last_page, $sub_photo_dir)
 			$info = "<span style='word-spacing:.1em'>" . $photo_info . "</span>";
 			$Parsedown = new Parsedown();
 			// Show photo, EXIF data, description, and info
-			echo '<div class="center"><a href="' . $file . '" download><img style="max-width: 100%; border-radius: 15px;" src="' . $tim . '" alt=""></a><p class="caption">' . $comment . ' ' . $Parsedown->text($description) . '</p><hr style="width: 3em;"><p class="caption">' . $info . '</p>';
+			echo '<div class="center"><a href="' . htmlentities($file) . '" download><img style="max-width: 100%; border-radius: 15px;" src="' . htmlentities($tim) . '" alt=""></a><p class="caption">' . $comment . ' ' . $Parsedown->text($description) . '</p><hr style="width: 3em;"><p class="caption">' . $info . '</p>';
 		}
 
 		// Show links