From 582ac12e94c46cbdb36fcd4f95cf9f3d4e0e924a Mon Sep 17 00:00:00 2001
From: plegall
Date: Mon, 11 Nov 2024 12:38:53 +0100
Subject: [PATCH] (cp 7bb3994fc) issue #2237 clean user input on custom tag_list
---
 include/ws_functions/pwg.images.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/include/ws_functions/pwg.images.php b/include/ws_functions/pwg.images.php
index bb99351ec..a36584f5a 100644
--- a/include/ws_functions/pwg.images.php
+++ b/include/ws_functions/pwg.images.php
@@ -2641,6 +2641,12 @@ SELECT *
 return new PwgError(WS_ERR_INVALID_PARAM, 'Do not use tag_list and tag_ids at the same time.');
 }
+ // clean user input
+ foreach ($_REQUEST['tag_list'] as $idx => $tag_candidate)
+ {
+ $_REQUEST['tag_list'][$idx] = pwg_db_real_escape_string(strip_tags(stripslashes($tag_candidate)));
+ }
+ $tag_list = get_tag_ids($_REQUEST['tag_list']);
 set_tags($tag_list, $params['image_id']);
 }
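Review bot: The added `foreach` assumes `$_REQUEST['tag_list']` is an array of strings, and nothing visible in the hunk checks that. Unless it is validated earlier, a scalar `tag_list` would skip the loop with a warning and reach `get_tag_ids()` uncleaned, and an element that is itself an array would be passed to `stripslashes()`, which raises a TypeError on PHP 8. I would guard before the loop with `if (!is_array($_REQUEST['tag_list'])) { return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid tag_list'); }` and reject any non-string `$tag_candidate` the same way. Separately, escaping in place inside `$_REQUEST` makes correctness depend on how `get_tag_ids()` uses the values, which is outside this hunk; if it escapes again or stores the name as given, escaping where the query is built would be safer. The enclosing function starts and ends outside the hunk.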