Sanitizing the user input to prevent a reflected XSS. Thanks to Nico Golde (ngolde.de)
authorLukas Reschke <lukas@statuscode.ch>
Tue, 21 Aug 2012 15:56:20 +0000 (17:56 +0200)
committerJörn Friedrich Dreyer <jfd@butonic.de>
Fri, 24 Aug 2012 13:00:53 +0000 (15:00 +0200)
apps/gallery/templates/index.php

index e30052fafa3017e3a94b1d5fdceddace5f29dbc2..a41bf3c47ba75273e478ca8ec8bef36a24f6bdf9 100644 (file)
@@ -14,7 +14,7 @@ div.visible { opacity: 0.8;}
 </style>
 <script type="text/javascript">
 
-var root = "<?php echo $root; ?>";
+var root = "<?php echo htmlentities($root); ?>";
 
 function explode(element) {
        $('div', element).each(function(index, elem) {
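Review bot: `htmlentities($root)` on the `var root = "..."` line applies an HTML encoder inside a JavaScript string literal, which is the wrong context. A backslash or line break in `$root` passes through unchanged and can still corrupt the literal, while `&` and accented characters reach the script as literal entity text because `<script>` content is not entity-decoded. Emitting the value as a JSON literal matches the context: `var root = <?php echo json_encode($root, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;`. `$root` is also concatenated into tile paths in the second hunk (`$root.$images[$i]`); whether `TileStack` and `TileSingle` escape it on output is not visible here and should be confirmed. The script block continues past the end of this hunk.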
@@ -83,56 +83,56 @@ $tl = new \OC\Pictures\TilesLine();
 $ts = new \OC\Pictures\TileStack(array(), '');
 $previous_element = @$images[0];
 
-$root_images = array();\r
-$second_level_images = array();\r
-\r
+$root_images = array();
+$second_level_images = array();
+
 $fallback_images = array(); // if the folder only cotains subfolders with images -> these are taken for the stack preview
 
 for($i = 0; $i < count($images); $i++) {
        $prev_dir_arr = explode('/', $previous_element);
        $dir_arr = explode('/', $images[$i]);
 
-       if(count($dir_arr) == 1) { // getting the images in this directory\r
-               $root_images[] = $root.$images[$i];\r
-       } else {\r
-               if(strcmp($prev_dir_arr[0], $dir_arr[0]) != 0) { // if we entered a new directory\r
-                       if(count($second_level_images) == 0) { // if we don't have images in this directory\r
-                               if(count($fallback_images) != 0) { // but have fallback_images\r
-                                       $tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));\r
-                                       $fallback_images = array();\r
-                               }\r
-                       } else { // if we collected images for this directory\r
-                               $tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));\r
-                               $fallback_images = array();\r
-                               $second_level_images = array();\r
-                       }\r
-               }\r
-               if (count($dir_arr) == 2) { // These are the pics in our current subdir\r
-                       $second_level_images[] = $root.$images[$i];\r
-                       $fallback_images = array();\r
-               } else { // These are images from the deeper directories\r
-                       if(count($second_level_images) == 0) {\r
-                               $fallback_images[] = $root.$images[$i];\r
-                       }\r
-               }\r
-               // have us a little something to compare against\r
-               $previous_element = $images[$i];\r
+       if(count($dir_arr) == 1) { // getting the images in this directory
+               $root_images[] = $root.$images[$i];
+       } else {
+               if(strcmp($prev_dir_arr[0], $dir_arr[0]) != 0) { // if we entered a new directory
+                       if(count($second_level_images) == 0) { // if we don't have images in this directory
+                               if(count($fallback_images) != 0) { // but have fallback_images
+                                       $tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
+                                       $fallback_images = array();
+                               }
+                       } else { // if we collected images for this directory
+                               $tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
+                               $fallback_images = array();
+                               $second_level_images = array();
+                       }
+               }
+               if (count($dir_arr) == 2) { // These are the pics in our current subdir
+                       $second_level_images[] = $root.$images[$i];
+                       $fallback_images = array();
+               } else { // These are images from the deeper directories
+                       if(count($second_level_images) == 0) {
+                               $fallback_images[] = $root.$images[$i];
+                       }
+               }
+               // have us a little something to compare against
+               $previous_element = $images[$i];
        }
 }
 
-// if last element in the directory was a directory we don't want to miss it :)\r
-if(count($second_level_images)>0) {\r
-       $tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));\r
+// if last element in the directory was a directory we don't want to miss it :)
+if(count($second_level_images)>0) {
+       $tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
 }
 
-// if last element in the directory was a directory with no second_level_images we also don't want to miss it ...\r
-if(count($fallback_images)>0) {\r
-       $tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));\r
+// if last element in the directory was a directory with no second_level_images we also don't want to miss it ...
+if(count($fallback_images)>0) {
+       $tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
 }
 
-// and finally our images actually stored in the root folder\r
-for($i = 0; $i<count($root_images); $i++) {\r
-       $tl->addTile(new \OC\Pictures\TileSingle($root_images[$i]));\r
+// and finally our images actually stored in the root folder
+for($i = 0; $i<count($root_images); $i++) {
+       $tl->addTile(new \OC\Pictures\TileSingle($root_images[$i]));
 }
 
 echo $tl->get();