From c98f205e8a6265654072c7d3fea952552837b819 Mon Sep 17 00:00:00 2001
From: Adrian Lang <mail@adrianlang.de>
Date: Fri, 13 Jul 2012 12:07:51 +0200
Subject: [PATCH] Fix HTML injection in mediaFileList (Secunia advisory
 SA49196)

---
 inc/template.php | 2 +-
 lib/exe/ajax.php | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/inc/template.php b/inc/template.php
index 76d4d4bbe..040d99d32 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -1170,7 +1170,7 @@ function tpl_mediaFileList(){
     echo '<div class="panelHeader">'.NL;
     echo '<h3>';
     $tabTitle = ($NS) ? $NS : '['.$lang['mediaroot'].']';
-    printf($lang['media_' . $opened_tab], '<strong>'.$tabTitle.'</strong>');
+    printf($lang['media_' . $opened_tab], '<strong>'.hsc($tabTitle).'</strong>');
     echo '</h3>'.NL;
     if ($opened_tab === 'search' || $opened_tab === 'files') {
         media_tab_files_options();
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 3d1584244..945091f34 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -13,7 +13,6 @@ session_write_close();
 
 header('Content-Type: text/html; charset=utf-8');
 
-
 //call the requested function
 if(isset($_POST['call'])){
     $call = $_POST['call'];
@@ -204,7 +203,7 @@ function ajax_medialist(){
     global $conf;
     global $NS;
 
-    $NS = $_POST['ns'];
+    $NS = cleanID($_POST['ns']);
     if ($_POST['do'] == 'media') {
         tpl_mediaFileList();
     } else {
-- 
GitLab