Sanitize input before outputing it

XSS is a nasty hack, we always need to sanitize user input. Fixes #152
symphonycms · Oct 27, 2016 · dfa7703 · dfa7703
1 parent fa71743
commit dfa7703
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/lib/image.php b/lib/image.php
@@ -186,7 +186,7 @@ function __errorHandler($errno=NULL, $errstr, $errfile=NULL, $errline=NULL, $err
 					$param->background,
 					$param->file,
 					(bool)$param->external,
-					$_GET['param']
+					General::sanitize($_GET['param'])
 				), E_NOTICE, true
 			);
 		}
@@ -325,8 +325,9 @@ function __errorHandler($errno=NULL, $errstr, $errfile=NULL, $errline=NULL, $err
 		) {
 			// Guess not, return 404.
 			Page::renderStatusCode(Page::HTTP_STATUS_NOT_FOUND);
-			trigger_error(sprintf('Image <code>%s</code> could not be found.', str_replace(DOCROOT, '', $original_file)), E_USER_ERROR);
-			echo sprintf('Image <code>%s</code> could not be found.', str_replace(DOCROOT, '', $original_file));
+			$safeOriginalFile = General::sanitize(str_replace(DOCROOT, '', $original_file));
+			trigger_error(sprintf('Image <code>%s</code> could not be found.', $safeOriginalFile, E_USER_ERROR));
+			echo sprintf('Image <code>%s</code> could not be found.', $safeOriginalFile);
 			exit;
 		}
 		$meta = Image::getMetaInformation($image_path);