From 296276035262d3ce4687ab6f370c7a68cc460693 Mon Sep 17 00:00:00 2001
From: Garvin Hicking <blog@garv.in>
Date: Thu, 7 Feb 2013 12:37:06 +0100
Subject: [PATCH] better value escaping (please check)

---
 docs/NEWS                        |  4 +++-
 include/functions_images.inc.php | 14 +++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/docs/NEWS b/docs/NEWS
index 7ade35d4..347261e8 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -1,9 +1,11 @@
 # $Id$
 
-
 Version 1.7 ()
 ------------------------------------------------------------------------
 
+    * Media database: Escape more Cookie values to prevent storing
+      possible XSS (http://board.s9y.org/viewtopic.php?f=3&t=19142)
+      
     * Allow entryproperties plugin to define defaults for custom fields
     
     * Onyx, Net_URL classes: Remove PHP4 style constructor due to
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index 99c5819e..365e99ab 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -1443,28 +1443,28 @@ function serendipity_displayImageList($page = 0, $lineBreak = NULL, $manage = fa
 
     foreach($importParams AS $importParam) {
         if (isset($serendipity['GET'][$importParam])) {
-            $extraParems .= 'serendipity[' . $importParam . ']='. $serendipity['GET'][$importParam] .'&amp;';
+            $extraParems .= 'serendipity[' . $importParam . ']='. htmlspecialchars($serendipity['GET'][$importParam]) .'&amp;';
         }
     }
 
     foreach($sortParams AS $sortParam) {
         serendipity_restoreVar($serendipity['COOKIE']['sortorder_' . $sortParam], $serendipity['GET']['sortorder'][$sortParam]);
-        serendipity_JSsetCookie('sortorder_' . $sortParam, $serendipity['GET']['sortorder'][$sortParam]);
-        $extraParems .= 'serendipity[sortorder]['. $sortParam .']='. $serendipity['GET']['sortorder'][$sortParam] .'&amp;';
+        serendipity_JSsetCookie('sortorder_' . $sortParam, htmlspecialchars($serendipity['GET']['sortorder'][$sortParam]));
+        $extraParems .= 'serendipity[sortorder]['. $sortParam .']='. htmlspecialchars($serendipity['GET']['sortorder'][$sortParam]) .'&amp;';
     }
 
     foreach($filterParams AS $filterParam) {
         serendipity_restoreVar($serendipity['COOKIE'][$filterParam], $serendipity['GET'][$filterParam]);
-        serendipity_JSsetCookie($filterParam, $serendipity['GET'][$filterParam]);
+        serendipity_JSsetCookie($filterParam, htmlspecialchars($serendipity['GET'][$filterParam]));
         if (!empty($serendipity['GET'][$filterParam])) {
-            $extraParems .= 'serendipity[' . $filterParam . ']='. $serendipity['GET'][$filterParam] .'&amp;';
+            $extraParems .= 'serendipity[' . $filterParam . ']='. htmlspecialchars($serendipity['GET'][$filterParam]) .'&amp;';
         }
     }
 
     $serendipity['GET']['only_path']     = serendipity_uploadSecure($limit_path . $serendipity['GET']['only_path'], true);
-    $serendipity['GET']['only_filename'] = str_replace(array('*', '?'), array('%', '_'), $serendipity['GET']['only_filename']);
+    $serendipity['GET']['only_filename'] = htmlspecialchars(str_replace(array('*', '?'), array('%', '_'), $serendipity['GET']['only_filename']));
 
-    $perPage = (!empty($serendipity['GET']['sortorder']['perpage']) ? $serendipity['GET']['sortorder']['perpage'] : 8);
+    $perPage = (!empty($serendipity['GET']['sortorder']['perpage']) ? (int)$serendipity['GET']['sortorder']['perpage'] : 8);
     while ($perPage % $lineBreak !== 0) {
         $perPage++;
     }
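Review bot: The new `htmlspecialchars()` calls on lines 37, 46, 55 and 61 apply HTML escaping to values that are concatenated into a URL query string (`$extraParems`), and on lines 45 and 52 to values stored through `serendipity_JSsetCookie()`, which is the wrong encoding for both sinks: a query-string value needs `urlencode()` (HTML escaping leaves spaces, `#` and `%` untouched), and a stored value should stay raw and be escaped at the point of output, since `serendipity_restoreVar()` on lines 42 and 50 appears to copy the cookie back into `$serendipity['GET']` on the next request, where it would be escaped a second time (`&lt;` becoming `&amp;lt;`). Where `htmlspecialchars()` does remain, pass `ENT_QUOTES` explicitly, because the default of PHP at this commit's time (ENT_COMPAT) leaves single quotes unescaped, so a cookie value later written inside a single-quoted JavaScript string literal could still break out of it; e.g. `serendipity_JSsetCookie('sortorder_' . $sortParam, htmlspecialchars($serendipity['GET']['sortorder'][$sortParam], ENT_QUOTES));` and `$extraParems .= 'serendipity[' . $importParam . ']=' . urlencode($serendipity['GET'][$importParam]) . '&amp;';`. The `(int)` cast on line 64 also turns a non-numeric `perpage` into 0, which the `!empty()` check before it no longer catches; `max(1, (int)$serendipity['GET']['sortorder']['perpage'])` would keep a positive page size. The body of serendipity_displayImageList continues on both sides of the hunk.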