diff options
author | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
commit | 72fbbcd6794facea2cf06d9742359d190257b00f (patch) | |
tree | a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageTagController.php | |
parent | df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff) | |
download | Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip |
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list.
Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/front/controller/admin/ManageTagController.php')
-rw-r--r-- | application/front/controller/admin/ManageTagController.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/application/front/controller/admin/ManageTagController.php b/application/front/controller/admin/ManageTagController.php index 0380ef1f..2065c3e2 100644 --- a/application/front/controller/admin/ManageTagController.php +++ b/application/front/controller/admin/ManageTagController.php | |||
@@ -41,8 +41,8 @@ class ManageTagController extends ShaarliAdminController | |||
41 | 41 | ||
42 | $isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag'); | 42 | $isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag'); |
43 | 43 | ||
44 | $fromTag = escape(trim($request->getParam('fromtag') ?? '')); | 44 | $fromTag = trim($request->getParam('fromtag') ?? ''); |
45 | $toTag = escape(trim($request->getParam('totag') ?? '')); | 45 | $toTag = trim($request->getParam('totag') ?? ''); |
46 | 46 | ||
47 | if (0 === strlen($fromTag) || false === $isDelete && 0 === strlen($toTag)) { | 47 | if (0 === strlen($fromTag) || false === $isDelete && 0 === strlen($toTag)) { |
48 | $this->saveWarningMessage(t('Invalid tags provided.')); | 48 | $this->saveWarningMessage(t('Invalid tags provided.')); |