From 058f8a11687f979e597c6f32b1836535ba5b4b88 Mon Sep 17 00:00:00 2001
From: ahaber <haber@se-rwth.de>
Date: Tue, 29 Apr 2014 11:05:23 +0200
Subject: [PATCH] fixed XSS for non existing bib files

---
 bibtexbrowser.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index e4a1e95..edf2475 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,15 @@ function _zetDB($bibtex_filenames) {
 
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-  
+    $saveBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($bib, PATHINFO_EXTENSION);
+    $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
 
      // to automate dectection of faulty links with tools such as webcheck
      header('HTTP/1.1 404 Not found');
-     die('<b>the bib file '.$bib.' does not exist !</b>');
+     die('<b>the bib file '.$saveBib.' does not exist !</b>');
     }
   } // end for each