From 72fbbcd6794facea2cf06d9742359d190257b00f Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Tue, 6 Oct 2020 17:30:18 +0200 Subject: Security: fix multiple XSS vulnerabilities + fix search tags with special chars XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list. Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong. --- application/front/controller/admin/ManageShaareController.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'application/front/controller/admin/ManageShaareController.php') diff --git a/application/front/controller/admin/ManageShaareController.php b/application/front/controller/admin/ManageShaareController.php index 59ba2de9..bb083486 100644 --- a/application/front/controller/admin/ManageShaareController.php +++ b/application/front/controller/admin/ManageShaareController.php @@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController $title = $this->container->conf->get('general.default_note_title', t('Note: ')); } - $link = escape([ + $link = [ 'title' => $title, 'url' => $url ?? '', 'description' => $description ?? '', 'tags' => $tags ?? '', 'private' => $private, - ]); + ]; } else { $formatter = $this->container->formatterFactory->getFormatter('raw'); $link = $formatter->format($bookmark); @@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1; } - $data = [ + $data = escape([ 'link' => $link, 'link_is_new' => $isNew, - 'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''), + 'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '', 'source' => $request->getParam('source') ?? '', 'tags' => $tags, 'default_private_links' => $this->container->conf->get('privacy.default_private_links', false), - ]; + ]); $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK); -- cgit v1.2.3