author | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
commit | 72fbbcd6794facea2cf06d9742359d190257b00f (patch) | |
tree | a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/formatter | |
parent | df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff) | |
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list.
Also fixed tag search with special characters: the urlencode function needs to be applied to raw data, before escaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/formatter')
-rw-r--r-- | application/formatter/BookmarkFormatter.php | 26 |
1 files changed, 26 insertions, 0 deletions
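--- a/application/formatter/BookmarkFormatter.php
+++ b/application/formatter/BookmarkFormatter.php
@@ -58,7 +58,9 @@ abstract class BookmarkFormatter
         $out['title'] = $this->formatTitle($bookmark);
         $out['description'] = $this->formatDescription($bookmark);
         $out['thumbnail'] = $this->formatThumbnail($bookmark);
+        $out['urlencoded_taglist'] = $this->formatUrlEncodedTagList($bookmark);
         $out['taglist'] = $this->formatTagList($bookmark);
+        $out['urlencoded_tags'] = $this->formatUrlEncodedTagString($bookmark);
         $out['tags'] = $this->formatTagString($bookmark);
         $out['sticky'] = $bookmark->isSticky();
         $out['private'] = $bookmark->isPrivate();
@@ -182,6 +184,18 @@ abstract class BookmarkFormatter
     }
 
     /**
+     * Format Url Encoded Tags
+     *
+     * @param Bookmark $bookmark instance
+     *
+     * @return array formatted Tags
+     */
+    protected function formatUrlEncodedTagList($bookmark)
+    {
+        return array_map('urlencode', $this->filterTagList($bookmark->getTags()));
+    }
+
+    /**
      * Format TagString
      *
      * @param Bookmark $bookmark instance
@@ -194,6 +208,18 @@ abstract class BookmarkFormatter
     }
 
     /**
+     * Format TagString
+     *
+     * @param Bookmark $bookmark instance
+     *
+     * @return string formatted TagString
+     */
+    protected function formatUrlEncodedTagString($bookmark)
+    {
+        return implode(' ', $this->formatUrlEncodedTagList($bookmark));
+    }
+
+    /**
      * Format Class
      * Used to add specific CSS class for a link
      *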
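Review bot: The docblock of the new `formatUrlEncodedTagString` (new lines 211-215) is copied verbatim from `formatTagString` and says only "Format TagString", so a reader cannot tell the two methods apart or see that the output is URL-encoded; I would change the summary line to `* Format URL encoded TagString: space-separated tags, each passed through urlencode()`. Since these methods exist to close the XSS/encoding issue named in the commit, both docblocks should also state the encoding contract the template relies on, e.g. `* Tags are URL-encoded from their raw (not HTML-escaped) value, so the result is meant for a URL query component and must not be urlencoded again downstream.`. Whether the HTML formatter subclass later escapes the `urlencoded_taglist` / `urlencoded_tags` keys is outside this hunk, so the double-encoding risk mentioned in the commit message cannot be confirmed here; the note makes the intended order explicit for whoever maintains that subclass. The same missing-context point applies to the `formatUrlEncodedTagList` docblock in the second hunk (new lines 187-191).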