From e2a665e13b7de82a71c9bbb77575d15131b722be Mon Sep 17 00:00:00 2001
From: Garvin Hicking <blog@garv.in>
Date: Mon, 28 Nov 2016 15:34:10 +0100
Subject: [PATCH] Sync changes

---
 docs/NEWS                             | 5 ++++-
 include/admin/images.inc.php          | 2 +-
 serendipity_config.inc.php            | 2 +-
 templates/2k11/admin/category.inc.tpl | 4 ++--
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/docs/NEWS b/docs/NEWS
index c42e415b..0c4a813d 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -1,9 +1,12 @@
-Version 2.1 ()
+Version 2.1 (November 28th, 2016)
 ------------------------------------------------------------------------
 
     * [Security] Enhanced media upload check to also check redirects
       for local files, thanks to Xu Yue (again!)
 
+    * [Security] Prevent XSS in adding category and directory names, 
+      thanks to Edric Teo @smarterbitbybit.
+
 Version 2.1-beta2 (September 26th, 2016)
 ------------------------------------------------------------------------
     * Improved backend accessibility by hiding iconfont icons for
diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
index 085455e4..d4802e09 100644
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@@ -550,7 +550,7 @@ switch ($serendipity['GET']['adminAction']) {
 
         /* TODO: check if directory already exist */
         if (is_dir($nd) || @mkdir($nd)) {
-            $data['print_DIRECTORY_CREATED'] = sprintf(DIRECTORY_CREATED, $serendipity['POST']['name']);
+            $data['print_DIRECTORY_CREATED'] = sprintf(DIRECTORY_CREATED, $new_dir);
             @umask(0000);
             @chmod($serendipity['serendipityPath'] . $serendipity['uploadPath'] . $new_dir, 0777);
 
diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php
index 4e4d7950..978c31f8 100644
--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
@@ -47,7 +47,7 @@ if (defined('USE_MEMSNAP')) {
 }
 
 // The version string
-$serendipity['version'] = '2.1-beta2';
+$serendipity['version'] = '2.1-beta3';
 
 
 // Setting this to 'false' will enable debugging output. All alpha/beta/cvs snapshot versions will emit debug information by default. To increase the debug level (to enable Smarty debugging), set this flag to 'debug'.
diff --git a/templates/2k11/admin/category.inc.tpl b/templates/2k11/admin/category.inc.tpl
index 4948adac..2f5ab23b 100644
--- a/templates/2k11/admin/category.inc.tpl
+++ b/templates/2k11/admin/category.inc.tpl
@@ -54,7 +54,7 @@
             <div id="category_basics" class="clearfix">
                 <div class="form_field">
                     <label for="category_name">{$CONST.NAME}</label>
-                    <input id="category_name" pattern="{if $new}^(?!({foreach $categories as $cat}{$cat.category_name}|{/foreach})$).*{else}^(?!({foreach $categories as $cat}{if $this_cat.category_name != $cat.category_name}{$cat.category_name}{/if}|{/foreach})$).*{/if}" name="serendipity[cat][name]" type="text" value="{$this_cat.category_name|default:""|escape}" title="Categoryname">
+                    <input id="category_name" pattern="{if $new}^(?!({foreach $categories as $cat}{$cat.category_name|escape}|{/foreach})$).*{else}^(?!({foreach $categories as $cat}{if $this_cat.category_name != $cat.category_name}{$cat.category_name|escape}{/if}|{/foreach})$).*{/if}" name="serendipity[cat][name]" type="text" value="{$this_cat.category_name|default:""|escape}" title="{$CONST.CATEGORY}">
                 </div>
 
                 <div class="form_field">
@@ -74,7 +74,7 @@
                         <option value="0"{if $cid == 0} selected{/if}>{$CONST.NO_CATEGORY}</option>
                     {foreach $categories as $cat}
                         {if $cat.categoryid == $cid}{continue}{/if}
-                        <option value="{$cat.categoryid}"{if $this_cat.parentid == $cat.categoryid} selected{/if}>{for $i=1 to $cat.depth}&nbsp{/for} {$cat.category_name}</option>
+                        <option value="{$cat.categoryid}"{if $this_cat.parentid == $cat.categoryid} selected{/if}>{for $i=1 to $cat.depth}&nbsp{/for} {$cat.category_name|escape}</option>
                     {/foreach}
                     </select>
                 </div>