Security: fix multiple XSS vulnerabilities + fix search tags with special chars

XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
author: ArthurHoaro <arthur@hoa.ro> 2020-10-06 17:30:18 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2020-10-06 17:30:18 +0200
commit: 72fbbcd6794facea2cf06d9742359d190257b00f (patch)
tree: a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageShaareController.php
parent: df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
download: Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz
Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst
Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip
1 files changed, 5 insertions, 5 deletions
diff --git a/application/front/controller/admin/ManageShaareController.php b/application/front/controller/admin/ManageShaareController.php
index 59ba2de9..bb083486 100644
--- a/application/front/controller/admin/ManageShaareController.php
+++ b/application/front/controller/admin/ManageShaareController.php
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController
                $title = $this->container->conf->get('general.default_note_title', t('Note: '));
            }
-            $link = escape([
+            $link = [
                'title' => $title,
                'url' => $url ?? '',
                'description' => $description ?? '',
                'tags' => $tags ?? '',
                'private' => $private,
-            ]);
+            ];
        } else {
            $formatter = $this->container->formatterFactory->getFormatter('raw');
            $link = $formatter->format($bookmark);
@@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController
            $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;
        }
-        $data = [
+        $data = escape([
            'link' => $link,
            'link_is_new' => $isNew,
-            'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''),
+            'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '',
            'source' => $request->getParam('source') ?? '',
            'tags' => $tags,
            'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),
-        ];
+        ]);
        $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);
author	ArthurHoaro <arthur@hoa.ro>	2020-10-06 17:30:18 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2020-10-06 17:30:18 +0200
commit	72fbbcd6794facea2cf06d9742359d190257b00f (patch)
tree	a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageShaareController.php
parent	df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
download	Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip

diff --git a/application/front/controller/admin/ManageShaareController.php b/application/front/controller/admin/ManageShaareController.php index 59ba2de9..bb083486 100644 --- a/application/front/controller/admin/ManageShaareController.php +++ b/application/front/controller/admin/ManageShaareController.php
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController
78	$title = $this->container->conf->get('general.default_note_title', t('Note: '));	78	$title = $this->container->conf->get('general.default_note_title', t('Note: '));
79	}	79	}
80		80
81	$link = escape([	81	$link = [
82	'title' => $title,	82	'title' => $title,
83	'url' => $url ?? '',	83	'url' => $url ?? '',
84	'description' => $description ?? '',	84	'description' => $description ?? '',
85	'tags' => $tags ?? '',	85	'tags' => $tags ?? '',
86	'private' => $private,	86	'private' => $private,
87	]);	87	];
88	} else {	88	} else {
89	$formatter = $this->container->formatterFactory->getFormatter('raw');	89	$formatter = $this->container->formatterFactory->getFormatter('raw');
90	$link = $formatter->format($bookmark);	90	$link = $formatter->format($bookmark);
@@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController
345	$tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;	345	$tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;
346	}	346	}
347		347
348	$data = [	348	$data = escape([
349	'link' => $link,	349	'link' => $link,
350	'link_is_new' => $isNew,	350	'link_is_new' => $isNew,
351	'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''),	351	'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '',
352	'source' => $request->getParam('source') ?? '',	352	'source' => $request->getParam('source') ?? '',
353	'tags' => $tags,	353	'tags' => $tags,
354	'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),	354	'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),
355	];	355	]);
356		356
357	$this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);	357	$this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);
358		358