From fc7f5c77fb4dbe2b6ba00203b9be2ea91d22b05e Mon Sep 17 00:00:00 2001
From: ahaber
Date: Mon, 5 May 2014 12:15:05 +0200
Subject: [PATCH] Fixes a potential cross site scripting (XSS) issue

---
 bibtexbrowser.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index e4a1e95..2110055 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -243,10 +243,11 @@ function _zetDB($bibtex_filenames) {
     $ext = pathinfo($bib, PATHINFO_EXTENSION);
     // this is a security protection
     if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
-
-      // to automate dectection of faulty links with tools such as webcheck
-      header('HTTP/1.1 404 Not found');
-      die('the bib file '.$bib.' does not exist !');
+      // to automate dectection of faulty links with tools such as webcheck
+      header('HTTP/1.1 404 Not found');
+      // escape $bib to prevent XSS
+      $escapedBib = htmlEntities($bib, ENT_QUOTES);
+      die('the bib file '.$escapedBib.' does not exist !');
     }
   } // end for each
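Review bot: The escaping call on the new `$escapedBib` line omits the charset argument, so its result depends on the PHP version's default (ISO-8859-1 before 5.4, UTF-8 from 5.4 on), and on 5.4+ an invalid UTF-8 byte sequence in `$bib` makes it return an empty string, so the 404 body no longer names the file at all; pass the encoding explicitly, `$escapedBib = htmlspecialchars($bib, ENT_QUOTES, 'UTF-8');`. `htmlspecialchars` is enough here because only the HTML-significant characters need encoding, and the lower-case name follows PHP convention (`htmlEntities` resolves only because function names are case-insensitive). The same escaping belongs on any other place this loop echoes `$bib`, but the rest of `_zetDB` lies outside the hunk and cannot be checked here.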