From 877844cbba0749367b8ba0e4e0bde34a1dc838f1 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Tue, 24 Nov 2020 08:23:23 +0100
Subject: [PATCH] fix security issue CVE-2020-28726 escape input form field value
---
 CHANGELOG | 2 ++
 views/bootstrap/class.Bootstrap.php | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 76af04a15..d4ff595e5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,8 @@
 - theme in configuration can override theme of user
 - saving the settings will no longer reenable an extention with no configuration
 - put a red/green bullet before the extension name in the settings
+- escape value of dropfolderfile in input form field created by
+  SeedDMS_Bootstrap_Style::getDropFolderChooserHtml() (CVE-2020-2872)
 --------------------------------------------------------------------------------
 Changes in version 5.1.20
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 9f0da2b88..07a9cc4d9 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -1669,7 +1669,7 @@ $(document).ready(function() {
 function getDropFolderChooserHtml($formName, $dropfolderfile="", $showfolders=0) { /* {{{ */
 $content = "
\n";
-$content .= "";
+$content .= "";
 $content .= "";
 $content .= $this->getModalBoxLink( array(
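Review bot: The escaping applied to $dropfolderfile on the + line cannot be verified in this rendering, because the HTML inside the string literals was stripped and both the removed and the added line show only `$content .= "";`; since the value is placed inside a quoted HTML attribute, the call should be the explicit form `htmlspecialchars($dropfolderfile, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so the result is safe regardless of attribute quoting style and PHP version defaults. The array passed to `$this->getModalBoxLink(` on the hunk's last line is cut off; if $dropfolderfile is also embedded in that modal link's URL, it presumably needs `urlencode()` there as well, which this commit does not touch. The rest of getDropFolderChooserHtml() lies outside the hunk. Separately, the CHANGELOG entry cites CVE-2020-2872 while the patch subject says CVE-2020-28726; one of the two is missing a digit and should be made consistent before release.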