diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
| commit | 72fbbcd6794facea2cf06d9742359d190257b00f (patch) | |
| tree | a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/Utils.php | |
| parent | df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff) | |
| download | Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip | |
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list.
Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/Utils.php')
| -rw-r--r-- | application/Utils.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/application/Utils.php b/application/Utils.php index 9c9eaaa2..bcfda65c 100644 --- a/application/Utils.php +++ b/application/Utils.php | |||
| @@ -95,14 +95,14 @@ function escape($input) | |||
| 95 | return null; | 95 | return null; |
| 96 | } | 96 | } |
| 97 | 97 | ||
| 98 | if (is_bool($input)) { | 98 | if (is_bool($input) || is_int($input) || is_float($input) || $input instanceof DateTimeInterface) { |
| 99 | return $input; | 99 | return $input; |
| 100 | } | 100 | } |
| 101 | 101 | ||
| 102 | if (is_array($input)) { | 102 | if (is_array($input)) { |
| 103 | $out = array(); | 103 | $out = array(); |
| 104 | foreach ($input as $key => $value) { | 104 | foreach ($input as $key => $value) { |
| 105 | $out[$key] = escape($value); | 105 | $out[escape($key)] = escape($value); |
| 106 | } | 106 | } |
| 107 | return $out; | 107 | return $out; |
| 108 | } | 108 | } |