From 72fbbcd6794facea2cf06d9742359d190257b00f Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Tue, 6 Oct 2020 17:30:18 +0200
Subject: Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
---
 application/Utils.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'application/Utils.php')
diff --git a/application/Utils.php b/application/Utils.php
index 9c9eaaa2..bcfda65c 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -95,14 +95,14 @@ function escape($input)
 return null;
 }
- if (is_bool($input)) {
+ if (is_bool($input) || is_int($input) || is_float($input) || $input instanceof DateTimeInterface) {
 return $input;
 }
 if (is_array($input)) {
 $out = array();
 foreach ($input as $key => $value) {
- $out[$key] = escape($value);
+ $out[escape($key)] = escape($value);
 }
 return $out;
 }
--
cgit v1.2.3
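Review bot: The new key escaping in `$out[escape($key)] = escape($value);` renames any string key that contains an HTML-special character, so a consumer that indexes the escaped array by its original raw key will no longer find it; please confirm no caller does that, or document the key rewrite. The line also relies on the new `is_int()` branch a few lines up: integer keys are returned untouched there, which is what keeps list indices intact after escaping, and that coupling deserves a comment such as `// keys are escaped as well; int keys pass through the is_int() branch above, so list indices are preserved`. The `$input instanceof DateTimeInterface` check is written unqualified; if Utils.php declares a namespace (its header is outside the hunk) the name resolves inside that namespace and needs a leading backslash or a `use DateTimeInterface;` import. The remainder of `escape()`, where non-array, non-scalar values are handled, lies outside the hunk.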