authorArthurHoaro <arthur@hoa.ro>2020-10-06 17:30:18 +0200
committerArthurHoaro <arthur@hoa.ro>2020-10-06 17:30:18 +0200
commit72fbbcd6794facea2cf06d9742359d190257b00f (patch)
treea4d6f446ec861f9a7591edb31f322e2a846b2bac /application/formatter
parentdf25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: the urlencode function needs to be applied to raw data, before escaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/formatter')
-rw-r--r--application/formatter/BookmarkFormatter.php26
1 files changed, 26 insertions, 0 deletions
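--- a/application/formatter/BookmarkFormatter.php
+++ b/application/formatter/BookmarkFormatter.php
@@ -58,7 +58,9 @@ abstract class BookmarkFormatter
 $out['title'] = $this->formatTitle($bookmark);
 $out['description'] = $this->formatDescription($bookmark);
 $out['thumbnail'] = $this->formatThumbnail($bookmark);
+$out['urlencoded_taglist'] = $this->formatUrlEncodedTagList($bookmark);
 $out['taglist'] = $this->formatTagList($bookmark);
+$out['urlencoded_tags'] = $this->formatUrlEncodedTagString($bookmark);
 $out['tags'] = $this->formatTagString($bookmark);
 $out['sticky'] = $bookmark->isSticky();
 $out['private'] = $bookmark->isPrivate();
@@ -182,6 +184,18 @@ abstract class BookmarkFormatter
 }
 
 /**
+ * Format Url Encoded Tags
+ *
+ * @param Bookmark $bookmark instance
+ *
+ * @return array formatted Tags
+ */
+protected function formatUrlEncodedTagList($bookmark)
+{
+return array_map('urlencode', $this->filterTagList($bookmark->getTags()));
+}
+
+/**
 * Format TagString
 *
 * @param Bookmark $bookmark instance
@@ -194,6 +208,18 @@ abstract class BookmarkFormatter
 }
 
 /**
+ * Format TagString
+ *
+ * @param Bookmark $bookmark instance
+ *
+ * @return string formatted TagString
+ */
+protected function formatUrlEncodedTagString($bookmark)
+{
+return implode(' ', $this->formatUrlEncodedTagList($bookmark));
+}
+
+/**
 * Format Class
 * Used to add specific CSS class for a link
 *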
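Review bot: The docblock on the new `formatUrlEncodedTagString` (new line 211) is a verbatim copy of `formatTagString`'s and never says the result is URL-encoded, which is the whole point of the method; I would change it to `* Format URL-encoded TagString` and `@return string space-separated, URL-encoded tags`, and likewise tighten `formatUrlEncodedTagList`'s `@return array` to `@return string[] URL-encoded tags`. Since the commit relies on these values being emitted into links without a further escaping pass, a one-line comment on `formatUrlEncodedTagList` stating the invariant would help the next maintainer: `// urlencode() output is limited to [A-Za-z0-9_.-+%], so the result is safe in HTML attribute context without htmlspecialchars()`. Note that `implode(' ', …)` joins the encoded tags with a literal space, so the joined string as a whole is not URL-encoded; whether callers depend on the browser normalising that space inside a query string cannot be seen from this hunk, so it is worth documenting on the method. Both new methods sit inside `abstract class BookmarkFormatter`, whose body starts and ends outside these hunks.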