Bugfix: XSS (reflected) in import previews

Reported by Faisal Fs <faisalfs10x@gmail.com>

app/admin/import-export/import-load-data.php

@@ -65,7 +65,7 @@
 	foreach ($cols as $val) {
 		$col++;
 		# map import columns to expected fields as per previous window
-		$fieldmap[$col] = $impfields[$val];
+		$fieldmap[$col] = escape_input(trim($impfields[$val]));
 		$hcol = $col;
 	}
 
@@ -81,7 +81,7 @@
 				$Result->show('danger', _("Extra column found on line ").$row._(" in CSV file. CSV delimiter used in value field?"), true);
 			} else {
 				# read each row into a dictionary with expected fields as keys
-				$record[$fieldmap[$col]] = trim($val);
+				$record[$fieldmap[$col]] = escape_input(trim($val));
 			}
 		}
 		$data[] = $record;
@@ -97,23 +97,20 @@
 
 	# map import columns to expected fields as per previous window
 	for($col=1;$col<=$xls->colcount($sheet);$col++) {
-		$fieldmap[$col] = $impfields[$Tools->convert_encoding_to_UTF8($xls->val($row,$col,$sheet))];
+		$fieldmap[$col] = $impfields[escape_input($Tools->convert_encoding_to_UTF8($xls->val($row,$col,$sheet)))];
 		$hcol = $col;
 	}
 
 	# read each remaining row into a dictionary with expected fields as keys
 	for($row=2;$row<=$xls->rowcount($sheet);$row++) {
 		$record = array();
 		for($col=1;$col<=$xls->colcount($sheet);$col++) {
-			$record++;
 			if ($col > $hcol) {
 					$Result->show('danger', _("Extra column found on line ").$row._(" in XLS file. Please check input file."), true);
 			} else {
-				$record[$fieldmap[$col]] = trim($Tools->convert_encoding_to_UTF8($xls->val($row,$col,$sheet)));
+				$record[$fieldmap[$col]] = escape_input(trim($Tools->convert_encoding_to_UTF8($xls->val($row,$col,$sheet))));
 			}
 		}
 		$data[] = $record;
 	}
 }
-
-?>

misc/CHANGELOG

@@ -7,6 +7,7 @@
     Security Fixes:
     ----------------------------
     + XXS (reflected) in ripe-arin-query;
+    + XSS (reflected) in import previews;
 
 == 1.4.6