issue: Format File Name

This formats the filename before using it in an error to avoid chance of XSS.

issue: Format File Name
This formats the filename before using it in an error to avoid chance of XSS.
bd427cdf · JediKev · 88f97b55 · bd427cdf · bd427cdf
Commit bd427cdf authored 5 years ago by JediKev
--- a/include/api.tickets.php
+++ b/include/api.tickets.php
@@ -93,7 +93,7 @@ class TicketApiController extends ApiController {
                catch (FileUploadError $ex) {
                    $name = $file['name'];
                    $file = array();
-                    $file['error'] = $name . ': ' . $ex->getMessage();
+                    $file['error'] = Format::htmlchars($name) . ': ' . $ex->getMessage();
                }
            }
            unset($file);

--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -847,7 +847,7 @@ class MailFetcher {
                catch (FileUploadError $ex) {
                    $name = $file['name'];
                    $file = array();
-                    $file['error'] = $name . ': ' . $ex->getMessage();
+                    $file['error'] = Format::htmlchars($name) . ': ' . $ex->getMessage();
                }

                $vars['attachments'][] = $file;