From 326870f216ba52d80488cb4ba3fadcf1247d7cf8 Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Wed, 22 Nov 2023 10:29:30 -0500
Subject: [PATCH] Fix XSS vulnerability in tag search (#2039)

It affect the title tag of the bookmark list page.
Fixes shaarli/Shaarli#2038
---
 .../front/controller/visitor/BookmarkListController.php    | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/application/front/controller/visitor/BookmarkListController.php b/application/front/controller/visitor/BookmarkListController.php
index 4aae2652..576a2738 100644
--- a/application/front/controller/visitor/BookmarkListController.php
+++ b/application/front/controller/visitor/BookmarkListController.php
@@ -82,6 +82,9 @@ class BookmarkListController extends ShaarliVisitorController
         $searchTagsUrlEncoded = array_map('urlencode', tags_str2array($searchTags, $tagsSeparator));
         $searchTags = !empty($searchTags) ? trim($searchTags, $tagsSeparator) . $tagsSeparator : '';
 
+        $searchTags = !empty($searchTags) ? escape($searchTags) : '';
+        $searchTerm = !empty($searchTerm) ? escape($searchTerm) : '';
+
         // Fill all template fields.
         $data = array_merge(
             $this->initializeTemplateVars(),
@@ -91,8 +94,8 @@ class BookmarkListController extends ShaarliVisitorController
                 'page_current' => $page,
                 'page_max' => $searchResult->getLastPage(),
                 'result_count' => $searchResult->getTotalCount(),
-                'search_term' => escape($searchTerm),
-                'search_tags' => escape($searchTags),
+                'search_term' => $searchTerm,
+                'search_tags' => $searchTags,
                 'search_tags_url' => $searchTagsUrlEncoded,
                 'visibility' => $visibility,
                 'links' => $links,