From 4cb8921d9c61e2c3e1f5b5e4d61de830dcb85685 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Sat, 23 Apr 2022 15:34:47 +0200
Subject: [PATCH] Fix reflected XSS via mime-type
---
 CHANGES.md | 1 +
 ProgramFunctions/FileUpload.fnc.php | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 24ac364a3..4cb143465 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,7 @@
 Changes in 8.9.4
 ----------------
 - Fix SQL injection sanitize all `$_REQUEST` keys in Warehouse.php, thanks to @nhienit2010
+- Fix reflected XSS via mime-type in FileUpload.fnc.php, thanks to @nhienit2010
 
 Changes in 8.9.3
 ----------------
diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
index f6c8af125..05ed2f65a 100644
--- a/ProgramFunctions/FileUpload.fnc.php
+++ b/ProgramFunctions/FileUpload.fnc.php
@@ -49,7 +49,8 @@ function FileUpload( $input, $path, $ext_white_list, $size_limit, &$error, $fina
 {
 $error[] = sprintf(
 _( 'Wrong file type: %s (%s required)' ),
- $_FILES[ $input ]['type'],
+ // Fix reflected XSS via mime-type.
+ strip_tags( $_FILES[ $input ]['type'] ),
 implode( ', ', $ext_white_list )
 );
 }
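Review bot: `strip_tags()` on the browser-supplied `$_FILES[ $input ]['type']` removes markup but does not encode quotes or `&`, so the value is only safe if every place `$error` is rendered treats it as HTML element content; how `$error` is output is outside this hunk. Encoding for the output context is the more robust fix: `htmlspecialchars( $_FILES[ $input ]['type'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ),`. The added comment would help the next maintainer more if it stated the reason, e.g. `// 'type' is sent by the client and untrusted: escape before display.` FileUpload()'s body starts and ends outside the hunk, so the check that leads into this error branch was not reviewed.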