From b577028a89d7576b04967ec9a6b4a3d4085728c5 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Mon, 22 Jun 2020 17:24:52 +0530
Subject: [PATCH] Fixes xss vulnerability with kcfinder

---
 kcfinder/core/uploader.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/kcfinder/core/uploader.php b/kcfinder/core/uploader.php
index f0aa69458..510033569 100644
--- a/kcfinder/core/uploader.php
+++ b/kcfinder/core/uploader.php
@@ -45,9 +45,20 @@ class uploader {
 
         // INPUT INIT
         $input = new input();
-        $this->get = &$input->get;
-        $this->post = &$input->post;
-        $this->cookie = &$input->cookie;
+        $inputGet = &$input->get ;
+        foreach ($inputGet as $key => $value) {
+            $this->get[$key] = vtlib_purify($value);
+        }
+         
+        $inputPost= &$input->post;
+        foreach ($inputPost as $key => $value) {
+            $this->post[$key] = vtlib_purify($value);
+        }
+         
+        $inputCookie= &$input->cookie;
+        foreach ($inputCookie as $key => $value) {
+            $this->cookie[$key] = vtlib_purify($value);
+        }
 
         // LINKING UPLOADED FILE
         if (count($_FILES))
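Review bot: The three loops never assign the property when the corresponding input array is empty, so `$this->get`, `$this->post` and `$this->cookie` keep whatever default the class declares (not visible here) instead of aliasing an array as the removed reference lines did; initialise each before its loop, e.g. `$this->get = [];`, so later `count()`/`isset()` calls on them behave as before. The `&` in `$inputGet = &$input->get ;` (and the two like it) is no longer needed because the loops copy values rather than aliasing, and the trailing whitespace on the blank lines after each loop and the inconsistent spacing around `=` should be tidied. Whether `vtlib_purify()` recurses into array-valued parameters is not visible in this hunk; if it does not, nested request values would pass through unpurified, so this is worth confirming. The constructor that holds this code starts before the hunk and continues after it.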
-- 
GitLab