0004183: [filters] HTML entities in search text

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2767 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Jul 27, 2004 · 5c25c1d · 5c25c1d
1 parent fae307b
commit 5c25c1d
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: filter_api.php,v 1.51 2004-07-21 12:48:00 vboctor Exp $
+	# $Id: filter_api.php,v 1.52 2004-07-27 11:44:26 narcissus Exp $
 	# --------------------------------------------------------
 
 	$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
@@ -1306,7 +1306,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					collapse_icon( 'filter' );
 					echo lang_get( 'search' );
 				?>: 
-				<input type="text" size="16" name="search" value="<?php PRINT $t_filter['search']; ?>" />
+				<input type="text" size="16" name="search" value="<?php PRINT htmlspecialchars( $t_filter['search'] ); ?>" />
 
 				<input type="submit" name="filter" class="button" value="<?php PRINT lang_get( 'search' ) ?>" />
 			</td>

diff --git a/doc/ChangeLog b/doc/ChangeLog
@@ -13,6 +13,7 @@ Mantis ChangeLog
 - 0004121: [filters] Filters saved while "All Projects" is the active project (narcissus)
 - 0004125: [filters] In the advanced page, "any" should be selected by default for all search criteria (narcissus)
 - 0004150: [filters] Custom field names are not localised in filters (vboctor)
+- 0004183: [filters] HTML entities in search text (narcissus)
 - 0004122: [relationships] Upgrade script seems to swap the duplicate relationship (masc)
 - 0004083: [sponsorships] Users without email address must not be able to sponsor issues (thraxisp)
 - 0002861: [bugtracker] misleading 'copyright' at the pages' bottom (vboctor)

diff --git a/view_filters_page.php b/view_filters_page.php
@@ -483,7 +483,7 @@ function SwitchDateFields() {
 <tr>
 	<!-- Search field -->
 	<td colspan="<?php echo ( 1 * $t_custom_cols ); ?>">
-		<input type="text" size="16" name="search" value="<?php echo $t_filter['search']; ?>" />
+		<input type="text" size="16" name="search" value="<?php echo htmlspecialchars( $t_filter['search'] ); ?>" />
 	</td>
 
 	<td class="small-caption" colspan="<?php echo ( 5 * $t_custom_cols ); ?>"></td>