From 23c61bbe39bf9d84575abe1f4f12bb8b279aaab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Schplurtz=20le=20D=C3=A9boulonn=C3=A9?=
 <Schplurtz@laposte.net>
Date: Fri, 15 Dec 2017 04:19:38 +0100
Subject: [PATCH] protect strings that depend on uploaded file name

---
 inc/parser/xhtml.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index b4ca85b67..28d757866 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -1838,9 +1838,9 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 
         // output each track if any
         foreach( $tracks as $trackid => $info ) {
-            list( $kind, $srclang ) = $info;
-            $out .= "<track kind=$kind srclang=$srclang ";
-            $out .= "label=$srclang ";
+            list( $kind, $srclang ) = array_map( 'hsc', $info );
+            $out .= "<track kind=\"$kind\" srclang=\"$srclang\" ";
+            $out .= "label=\"$srclang\" ";
             $out .= 'src="'.ml($trackid, '', true).'">'.NL;
         }
 
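Review bot: The `src` attribute on the last line of the loop is still emitted from `$trackid` with no escaping visible here, so its safety rests entirely on what `ml()` returns. `ml()` is defined outside this hunk; if it is guaranteed to return attribute-safe output, a comment such as `// ml() returns an encoded, attribute-safe URL; $kind/$srclang come from the uploaded file name and must go through hsc()` would record that contract next to the escaping. Separately, `hsc` blocks markup injection but still lets any filename-derived text through as `kind`; a guard like `if (!in_array($kind, array('subtitles', 'captions', 'descriptions', 'chapters', 'metadata'), true)) continue;` after the `list()` line would limit it to the values HTML defines. The enclosing method and the code that fills `$tracks` lie outside the hunk, so an earlier check may already cover this.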
-- 
GitLab