"MDL-14820, escape filename, merged from mOODLE_119_STABLE"

diff --git a/files/index.php b/files/index.php
index 3ff0190c7b4772a3e21cad915a69a03d19a0ffcf..8e3ec42920cd5cfe2edef63d4eb17bca3d0bd238 100644 (file)
--- a/files/index.php
+++ b/files/index.php
@@ -667,7 +667,7 @@ function printfilelist($filelist) {
 
     foreach ($filelist as $file) {
         if (is_dir($basedir.'/'.$file)) {
-            echo "<img src=\"$CFG->pixpath/f/folder.gif\" class=\"icon\" alt=\"$strfolder\" /> $file<br />";
+            echo '<img src="'. $CFG->pixpath .'/f/folder.gif" class="icon" alt="'. $strfolder .'" /> '. htmlspecialchars($file) .'<br />';
             $subfilelist = array();
             $currdir = opendir($basedir.'/'.$file);
             while (false !== ($subfile = readdir($currdir))) {
@@ -679,7 +679,7 @@ function printfilelist($filelist) {
 
         } else {
             $icon = mimeinfo("icon", $file);
-            echo "<img src=\"$CFG->pixpath/f/$icon\"  class=\"icon\" alt=\"$strfile\" /> $file<br />";
+            echo '<img src="'. $CFG->pixpath .'/f/'. $icon .'" class="icon" alt="'. $strfile .'" /> '. htmlspecialchars($file) .'<br />';
         }
     }
 }