diff options
author | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
commit | 72fbbcd6794facea2cf06d9742359d190257b00f (patch) | |
tree | a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageShaareController.php | |
parent | df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff) | |
download | Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip |
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list.
Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/front/controller/admin/ManageShaareController.php')
-rw-r--r-- | application/front/controller/admin/ManageShaareController.php | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/application/front/controller/admin/ManageShaareController.php b/application/front/controller/admin/ManageShaareController.php index 59ba2de9..bb083486 100644 --- a/application/front/controller/admin/ManageShaareController.php +++ b/application/front/controller/admin/ManageShaareController.php | |||
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController | |||
78 | $title = $this->container->conf->get('general.default_note_title', t('Note: ')); | 78 | $title = $this->container->conf->get('general.default_note_title', t('Note: ')); |
79 | } | 79 | } |
80 | 80 | ||
81 | $link = escape([ | 81 | $link = [ |
82 | 'title' => $title, | 82 | 'title' => $title, |
83 | 'url' => $url ?? '', | 83 | 'url' => $url ?? '', |
84 | 'description' => $description ?? '', | 84 | 'description' => $description ?? '', |
85 | 'tags' => $tags ?? '', | 85 | 'tags' => $tags ?? '', |
86 | 'private' => $private, | 86 | 'private' => $private, |
87 | ]); | 87 | ]; |
88 | } else { | 88 | } else { |
89 | $formatter = $this->container->formatterFactory->getFormatter('raw'); | 89 | $formatter = $this->container->formatterFactory->getFormatter('raw'); |
90 | $link = $formatter->format($bookmark); | 90 | $link = $formatter->format($bookmark); |
@@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController | |||
345 | $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1; | 345 | $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1; |
346 | } | 346 | } |
347 | 347 | ||
348 | $data = [ | 348 | $data = escape([ |
349 | 'link' => $link, | 349 | 'link' => $link, |
350 | 'link_is_new' => $isNew, | 350 | 'link_is_new' => $isNew, |
351 | 'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''), | 351 | 'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '', |
352 | 'source' => $request->getParam('source') ?? '', | 352 | 'source' => $request->getParam('source') ?? '', |
353 | 'tags' => $tags, | 353 | 'tags' => $tags, |
354 | 'default_private_links' => $this->container->conf->get('privacy.default_private_links', false), | 354 | 'default_private_links' => $this->container->conf->get('privacy.default_private_links', false), |
355 | ]; | 355 | ]); |
356 | 356 | ||
357 | $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK); | 357 | $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK); |
358 | 358 | ||