Fix security issue reported by @chbi

Vulnerability introduced by 6ccd0b218f - release with Shaarli v0.9.1.
2017-10-07 11:27:44 +02:00 · 2017-10-07 11:27:44 +02:00 · d14555a3df
parent a59bbf50d7
commit d14555a3df
2 changed files with 3 additions and 3 deletions
--- a/index.php
+++ b/index.php
@ -840,7 +840,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
        }

        $data = array(
-            'search_tags' => implode(' ', $filteringTags),
+            'search_tags' => implode(' ', escape($filteringTags)),
            'tags' => $tagList,
        );
        $pluginManager->executeHooks('render_tagcloud', $data, array('loggedin' => isLoggedIn()));
@ -870,7 +870,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
        }

        $data = [
-            'search_tags' => implode(' ', $filteringTags),
+            'search_tags' => implode(' ', escape($filteringTags)),
            'tags' => $tags,
        ];
        $pluginManager->executeHooks('render_taglist', $data, ['loggedin' => isLoggedIn()]);
--- a/tpl/default/tag.cloud.html
+++ b/tpl/default/tag.cloud.html
@ -26,7 +26,7 @@
          <input type="hidden" name="do" value="tagcloud">
          <input type="text" name="searchtags" placeholder="{'Filter by tag'|t}"
                 {if="!empty($search_tags)"}
-                 value="{$search_tags}"
+                    value="{$search_tags}"
                 {/if}
          autocomplete="off" data-multiple data-autofirst data-minChars="1"
          data-list="{loop="$tags"}{$key}, {/loop}"