foto: escape html (ampersands) in album links

[minimedit.git] / foto / index.php

diff --git a/foto/index.php b/foto/index.php
index 7df1d5c26daa1c27ed9efda43531f6997fe96d4e..49e5483d24d4d23ecaa8b0b3dbc078d8a49cd759 100644 (file)
--- a/foto/index.php
+++ b/foto/index.php
@@ -6,7 +6,7 @@ $nav[0] = "Foto's"; # override of root 'foto'
 $title = array_pop($nav);
 $Page->title = ($nav ? implode(' ', $nav) . ': ' : '') . $title;
 
-if (!$User) {
+if ($Page->api) {
        $img = "$rootdir/index.jpg";
        if (file_exists($img)) {
                # cover image of current album
@@ -72,22 +72,22 @@ if ($imgs = glob("$rootdir/*", GLOB_ONLYDIR)) {
        natsort($imgs);
        print '<ul class="gallery cat">'."\n";
        foreach ($imgs as $path) {
-               $parts = pathinfo($path);
-               $album = $parts['filename'];
+               $album = htmlspecialchars(pathinfo($path, PATHINFO_FILENAME));
                $cover = "$path/index.jpg";
                if (!file_exists($cover)) $cover = 'foto/index.jpg';
                if (is_link($cover)) {
                        $cover = preg_replace('{^(?:\.\./)*(?=data/)}', 'thumb/100/', readlink($cover));
                }
 
-               $html = '<img src="/'.$cover.'" />';
+               $html = sprintf('<img src="/%s" />', htmlspecialchars($cover));
                $html .= "<figcaption>$album</figcaption>";
                if (!$User->login and file_exists("$path/.private")) {
                        $html = '<s title="bewoners">'.$html.'</s>';
                }
                $html = "<figure>$html</figure>";
 
-               printf('<li id="%s"><a href="%s">%s</a>'."\n", $album, "/$path", $html);
+               printf('<li id="%s">', $album);
+               printf('<a href="/%s">%s</a>'."\n", htmlspecialchars($path), $html);
        }
        print "</ul>\n\n";
 }