diff options
author | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
commit | 72fbbcd6794facea2cf06d9742359d190257b00f (patch) | |
tree | a4d6f446ec861f9a7591edb31f322e2a846b2bac /application/front/controller/visitor/BookmarkListController.php | |
parent | df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff) | |
download | Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip |
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list.
Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'application/front/controller/visitor/BookmarkListController.php')
-rw-r--r-- | application/front/controller/visitor/BookmarkListController.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/application/front/controller/visitor/BookmarkListController.php b/application/front/controller/visitor/BookmarkListController.php index 2988bee6..18368751 100644 --- a/application/front/controller/visitor/BookmarkListController.php +++ b/application/front/controller/visitor/BookmarkListController.php | |||
@@ -34,7 +34,7 @@ class BookmarkListController extends ShaarliVisitorController | |||
34 | $formatter = $this->container->formatterFactory->getFormatter(); | 34 | $formatter = $this->container->formatterFactory->getFormatter(); |
35 | $formatter->addContextData('base_path', $this->container->basePath); | 35 | $formatter->addContextData('base_path', $this->container->basePath); |
36 | 36 | ||
37 | $searchTags = escape(normalize_spaces($request->getParam('searchtags') ?? '')); | 37 | $searchTags = normalize_spaces($request->getParam('searchtags') ?? ''); |
38 | $searchTerm = escape(normalize_spaces($request->getParam('searchterm') ?? ''));; | 38 | $searchTerm = escape(normalize_spaces($request->getParam('searchterm') ?? ''));; |
39 | 39 | ||
40 | // Filter bookmarks according search parameters. | 40 | // Filter bookmarks according search parameters. |
@@ -104,8 +104,9 @@ class BookmarkListController extends ShaarliVisitorController | |||
104 | 'page_current' => $page, | 104 | 'page_current' => $page, |
105 | 'page_max' => $pageCount, | 105 | 'page_max' => $pageCount, |
106 | 'result_count' => count($linksToDisplay), | 106 | 'result_count' => count($linksToDisplay), |
107 | 'search_term' => $searchTerm, | 107 | 'search_term' => escape($searchTerm), |
108 | 'search_tags' => $searchTags, | 108 | 'search_tags' => escape($searchTags), |
109 | 'search_tags_url' => array_map('urlencode', explode(' ', $searchTags)), | ||
109 | 'visibility' => $visibility, | 110 | 'visibility' => $visibility, |
110 | 'links' => $linkDisp, | 111 | 'links' => $linkDisp, |
111 | ] | 112 | ] |