Delete files in media browser with '&' in the file name

Merge remote-tracking branch 'origin/pr/14054' into 2.x * origin/pr/14054: When files are uploaded, the ampersand is not encoded. Therefore when deleting, we cannot encode the ampersand, or the file name does not match the file on-disk
ily23 · Oct 16, 2018 · 6950364 · 6950364
2 parents 470e787 + 316b039
commit 6950364
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/core/docs/changelog.txt b/core/docs/changelog.txt
@@ -4,6 +4,7 @@ development release, and is only shown to give an idea of what's currently in th
 
 MODX Revolution 2.7.0-pl (TBD)
 ====================================
+- Delete files in media browser with '&' in the file name [#14054]
 - Prevent invalid relative media source path from revealing root path contents [#14038]
 - Prevent an infinite loop in sendErrorPage() [#14108]
 - Got rid of bower from theme build process [#14091]

diff --git a/core/model/modx/processors/browser/file/remove.class.php b/core/model/modx/processors/browser/file/remove.class.php
@@ -33,7 +33,7 @@ public function process() {
         if (empty($file)) {
             return $this->modx->error->failure($this->modx->lexicon('file_err_ns'));
         }
-        $file = preg_replace('/[\.]{2,}/', '', htmlspecialchars($file));
+        $file = preg_replace('/[\.]{2,}/', '', $file);
 
         $loaded = $this->getSource();
         if (!($this->source instanceof modMediaSource)) {