authorArthurHoaro <arthur@hoa.ro>2020-10-06 17:30:18 +0200
committerArthurHoaro <arthur@hoa.ro>2020-10-06 17:30:18 +0200
commit72fbbcd6794facea2cf06d9742359d190257b00f (patch)
treea4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageShaareController.php
parentdf25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: the urlencode function needs to be applied to the raw data, before escaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/front/controller/admin/ManageShaareController.php')
-rw-r--r--application/front/controller/admin/ManageShaareController.php10
1 files changed, 5 insertions, 5 deletions
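--- a/application/front/controller/admin/ManageShaareController.php
+++ b/application/front/controller/admin/ManageShaareController.php
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController
 $title = $this->container->conf->get('general.default_note_title', t('Note: '));
 }
 
-$link = escape([
+$link = [
 'title' => $title,
 'url' => $url ?? '',
 'description' => $description ?? '',
 'tags' => $tags ?? '',
 'private' => $private,
-]);
+];
 } else {
 $formatter = $this->container->formatterFactory->getFormatter('raw');
 $link = $formatter->format($bookmark);
@@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController
 $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;
 }
 
-$data = [
+$data = escape([
 'link' => $link,
 'link_is_new' => $isNew,
-'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''),
+'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '',
 'source' => $request->getParam('source') ?? '',
 'tags' => $tags,
 'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),
-];
+]);
 
 $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);
 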
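Review bot: The single `escape([...])` at new line 348 only closes the XSS hole if `escape()` descends into nested arrays, because `link` is itself an array (built raw at line 81, or returned by the `raw` formatter at line 90 for existing bookmarks) and `tags` is a map keyed by tag name (line 345); if `escape()` leaves non-string values untouched, those fields reach the template unescaped, so a comment such as `// escape() must recurse: 'link' and 'tags' are nested arrays` and a test rendering a bookmark whose title contains `<script>` would pin the assumption. `executePageHooks('render_editlink', ...)` at line 357 now receives HTML-escaped data for existing bookmarks too, whereas before only the new-link branch was escaped, so a plugin that re-escapes or decodes these fields may now double-escape; presumably intended, but worth a sentence in the commit message. HTML-escaping `url` and `http_referer` also does not neutralise a `javascript:` scheme if the template emits them inside an `href`, so any scheme validation must still happen where those values are rendered. Both hunks sit inside methods whose start and end lie outside the diff.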