From 63d6884e23081ad17f9eeb68da7478c4cb7de296 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 21 Aug 2012 17:56:20 +0200
Subject: [PATCH] Sanitizing the user input to prevent a reflected XSS. Thanks
 to Nico Golde (ngolde.de)

---
 apps/gallery/templates/index.php | 76 ++++++++++++++++----------------
 1 file changed, 38 insertions(+), 38 deletions(-)

diff --git a/apps/gallery/templates/index.php b/apps/gallery/templates/index.php
index e30052fafa3..a41bf3c47ba 100644
--- a/apps/gallery/templates/index.php
+++ b/apps/gallery/templates/index.php
@@ -14,7 +14,7 @@ div.visible { opacity: 0.8;}
 </style>
 <script type="text/javascript">
 
-var root = "<?php echo $root; ?>";
+var root = "<?php echo htmlentities($root); ?>";
 
 function explode(element) {
 	$('div', element).each(function(index, elem) {
@@ -83,56 +83,56 @@ $tl = new \OC\Pictures\TilesLine();
 $ts = new \OC\Pictures\TileStack(array(), '');
 $previous_element = @$images[0];
 
-$root_images = array();
-$second_level_images = array();
-
+$root_images = array();
+$second_level_images = array();
+
 $fallback_images = array(); // if the folder only cotains subfolders with images -> these are taken for the stack preview
 
 for($i = 0; $i < count($images); $i++) {
 	$prev_dir_arr = explode('/', $previous_element);
 	$dir_arr = explode('/', $images[$i]);
 
-	if(count($dir_arr) == 1) { // getting the images in this directory
-		$root_images[] = $root.$images[$i];
-	} else {
-		if(strcmp($prev_dir_arr[0], $dir_arr[0]) != 0) { // if we entered a new directory
-			if(count($second_level_images) == 0) { // if we don't have images in this directory
-				if(count($fallback_images) != 0) { // but have fallback_images
-					$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
-					$fallback_images = array();
-				}
-			} else { // if we collected images for this directory
-				$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
-				$fallback_images = array();
-				$second_level_images = array();
-			}
-		}
-		if (count($dir_arr) == 2) { // These are the pics in our current subdir
-			$second_level_images[] = $root.$images[$i];
-			$fallback_images = array();
-		} else { // These are images from the deeper directories
-			if(count($second_level_images) == 0) {
-				$fallback_images[] = $root.$images[$i];
-			}
-		}
-		// have us a little something to compare against
-		$previous_element = $images[$i];
+	if(count($dir_arr) == 1) { // getting the images in this directory
+		$root_images[] = $root.$images[$i];
+	} else {
+		if(strcmp($prev_dir_arr[0], $dir_arr[0]) != 0) { // if we entered a new directory
+			if(count($second_level_images) == 0) { // if we don't have images in this directory
+				if(count($fallback_images) != 0) { // but have fallback_images
+					$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
+					$fallback_images = array();
+				}
+			} else { // if we collected images for this directory
+				$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
+				$fallback_images = array();
+				$second_level_images = array();
+			}
+		}
+		if (count($dir_arr) == 2) { // These are the pics in our current subdir
+			$second_level_images[] = $root.$images[$i];
+			$fallback_images = array();
+		} else { // These are images from the deeper directories
+			if(count($second_level_images) == 0) {
+				$fallback_images[] = $root.$images[$i];
+			}
+		}
+		// have us a little something to compare against
+		$previous_element = $images[$i];
 	}
 }
 
-// if last element in the directory was a directory we don't want to miss it :)
-if(count($second_level_images)>0) {
-	$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
+// if last element in the directory was a directory we don't want to miss it :)
+if(count($second_level_images)>0) {
+	$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
 }
 
-// if last element in the directory was a directory with no second_level_images we also don't want to miss it ...
-if(count($fallback_images)>0) {
-	$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
+// if last element in the directory was a directory with no second_level_images we also don't want to miss it ...
+if(count($fallback_images)>0) {
+	$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
 }
 
-// and finally our images actually stored in the root folder
-for($i = 0; $i<count($root_images); $i++) {
-	$tl->addTile(new \OC\Pictures\TileSingle($root_images[$i]));
+// and finally our images actually stored in the root folder
+for($i = 0; $i<count($root_images); $i++) {
+	$tl->addTile(new \OC\Pictures\TileSingle($root_images[$i]));
 }
 
 echo $tl->get();