Security: fix multiple XSS vulnerabilities + fix search tags with special chars

XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
author: ArthurHoaro <arthur@hoa.ro> 2020-10-06 17:30:18 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2020-10-06 17:30:18 +0200
commit: 72fbbcd6794facea2cf06d9742359d190257b00f (patch)
tree: a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageTagController.php
parent: df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
download: Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz
Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst
Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/application/front/controller/admin/ManageTagController.php b/application/front/controller/admin/ManageTagController.php
index 0380ef1f..2065c3e2 100644
--- a/application/front/controller/admin/ManageTagController.php
+++ b/application/front/controller/admin/ManageTagController.php
@@ -41,8 +41,8 @@ class ManageTagController extends ShaarliAdminController
        $isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag');
-        $fromTag = escape(trim($request->getParam('fromtag') ?? ''));
+        $fromTag = trim($request->getParam('fromtag') ?? '');
-        $toTag = escape(trim($request->getParam('totag') ?? ''));
+        $toTag = trim($request->getParam('totag') ?? '');
        if (0 === strlen($fromTag) || false === $isDelete && 0 === strlen($toTag)) {
            $this->saveWarningMessage(t('Invalid tags provided.'));
author	ArthurHoaro <arthur@hoa.ro>	2020-10-06 17:30:18 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2020-10-06 17:30:18 +0200
commit	72fbbcd6794facea2cf06d9742359d190257b00f (patch)
tree	a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/admin/ManageTagController.php
parent	df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff)
download	Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip

diff --git a/application/front/controller/admin/ManageTagController.php b/application/front/controller/admin/ManageTagController.php index 0380ef1f..2065c3e2 100644 --- a/application/front/controller/admin/ManageTagController.php +++ b/application/front/controller/admin/ManageTagController.php
@@ -41,8 +41,8 @@ class ManageTagController extends ShaarliAdminController
41		41
42	$isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag');	42	$isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag');
43		43
44	$fromTag = escape(trim($request->getParam('fromtag') ?? ''));	44	$fromTag = trim($request->getParam('fromtag') ?? '');
45	$toTag = escape(trim($request->getParam('totag') ?? ''));	45	$toTag = trim($request->getParam('totag') ?? '');
46		46
47	if (0 === strlen($fromTag) \|\| false === $isDelete && 0 === strlen($toTag)) {	47	if (0 === strlen($fromTag) \|\| false === $isDelete && 0 === strlen($toTag)) {
48	$this->saveWarningMessage(t('Invalid tags provided.'));	48	$this->saveWarningMessage(t('Invalid tags provided.'));