Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fix XSS vulnerability in tag search (#2039)

Browse source 
It affect the title tag of the bookmark list page.
Fixes shaarli/Shaarli#2038
This commit is contained in:
ArthurHoaro 2023-11-22 10:29:30 -05:00 committed by GitHub
parent ca07f265f1
commit 326870f216
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
application/front/controller/visitor/BookmarkListController.php
View file

@ -82,6 +82,9 @@ public function index(Request $request, Response $response): Response
$searchTagsUrlEncoded = array_map('urlencode', tags_str2array($searchTags, $tagsSeparator)); $searchTagsUrlEncoded = array_map('urlencode', tags_str2array($searchTags, $tagsSeparator));
$searchTags = !empty($searchTags) ? trim($searchTags, $tagsSeparator) . $tagsSeparator : ''; $searchTags = !empty($searchTags) ? trim($searchTags, $tagsSeparator) . $tagsSeparator : '';
$searchTags = !empty($searchTags) ? escape($searchTags) : '';
$searchTerm = !empty($searchTerm) ? escape($searchTerm) : '';
// Fill all template fields. // Fill all template fields.
$data = array_merge( $data = array_merge(
$this->initializeTemplateVars(), $this->initializeTemplateVars(),
@ -91,8 +94,8 @@ public function index(Request $request, Response $response): Response
'page_current' => $page, 'page_current' => $page,
'page_max' => $searchResult->getLastPage(), 'page_max' => $searchResult->getLastPage(),
'result_count' => $searchResult->getTotalCount(), 'result_count' => $searchResult->getTotalCount(),
'search_term' => escape($searchTerm), 'search_term' => $searchTerm,
'search_tags' => escape($searchTags), 'search_tags' => $searchTags,
'search_tags_url' => $searchTagsUrlEncoded, 'search_tags_url' => $searchTagsUrlEncoded,
'visibility' => $visibility, 'visibility' => $visibility,
'links' => $links, 'links' => $links,