From 14e58c1cadaf2ebed476f55626408443d408436d Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Sun, 25 Aug 2019 11:52:41 +0200
Subject: [PATCH] Fix XSS on project documentation

Vulnerability in deprecated project documentation functionality
($g_enable_project_documentation), allowing execution of arbitrary
code (if CSP settings permit it) after uploading an attachment with a
crafted filename.

Prevent the attack by HTML-escaping the filename before display.

Fixes #26078
---
 proj_doc_edit_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proj_doc_edit_page.php b/proj_doc_edit_page.php
index 5367ad8bd..f9008d180 100644
--- a/proj_doc_edit_page.php
+++ b/proj_doc_edit_page.php
@@ -125,7 +125,7 @@ print_doc_menu();
 			$t_href = '<a href="file_download.php?file_id='.$v_id.'&amp;type=doc">';
 			echo $t_href;
 			print_file_icon( $v_filename );
-			echo '</a>&#160;' . $t_href . file_get_display_name( $v_filename ) . '</a>';
+			echo '</a>&#160;' . $t_href . string_html_specialchars( file_get_display_name( $v_filename ) ) . '</a>';
 		?>
 	</td>
 </tr>
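Review bot: The escaping is applied only to the link text, while the same `$v_filename` is still passed raw to `print_file_icon()` two lines above and `$v_id` is concatenated into the `href` without a cast or escape. Whether `print_file_icon()` writes any part of the name into markup is not visible in this hunk, so it is worth confirming that it escapes its own output. For the id, `$t_href = '<a href="file_download.php?file_id=' . (int)$v_id . '&amp;type=doc">';` would keep the attribute safe regardless of where the value comes from. A short comment on the changed line, such as `# filename is uploader-controlled; escape at output`, would keep the `string_html_specialchars()` call from being dropped in a later cleanup. The enclosing PHP block starts and ends outside the hunk.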
-- 
2.23.0

