Fix user queries when they contain " #3037
Conversation
I believe we need something like
ok, I'll try to fix that as well. I did not encounter that type of problem before. I'll keep you posted.
I cannot see the unescaped chars you mentioned. I've tried with the string you mentioned and everything is properly urlencoded.
Force-pushed from a455bc5 to e8f83c9
I've checked and it did not trigger any XSS. But it was not displayed properly either. I fixed it anyway.
app/views/configure/queries.phtml
@@ -52,7 +52,7 @@ | |||
|
|||
<ul> | |||
<?php if ($query->hasSearch()) { ?> | |||
<li class="item"><?= _t('conf.query.search', $query->getSearch()->getRawInput()) ?></li> | |||
<li class="item"><?= _t('conf.query.search', htmlspecialchars($query->getSearch()->getRawInput())) ?></li> |
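Review bot: the `+` line in `app/views/configure/queries.phtml` relies on the default flags of `htmlspecialchars()`, which differ between PHP versions (`ENT_COMPAT | ENT_HTML401` before PHP 8.1, `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401` from 8.1 on), so pass flags and charset explicitly, e.g. `htmlspecialchars($query->getSearch()->getRawInput(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Because the value ends up in the text content of the `<li>`, `ENT_NOQUOTES` as proposed in the review suggestion below is also safe at this spot, but `ENT_QUOTES` stays correct if the same expression is later reused inside an attribute. Worth confirming as well that `_t()` does not escape its arguments itself, otherwise the query would be double-encoded.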
Suggested change:
- <li class="item"><?= _t('conf.query.search', htmlspecialchars($query->getSearch()->getRawInput())) ?></li>
+ <li class="item"><?= _t('conf.query.search', htmlspecialchars($query->getSearch()->getRawInput(), ENT_NOQUOTES, 'UTF-8')) ?></li>
Explicit encoding
You need to disable our CSP protection to test XSS ;-)
Before, the user queries were working filter-wise but they failed at being displayed properly in the configuration page. Thus they were stored without the search param. Now, the search is URL encoded to avoid that kind of behavior and keep the search param throughout the user query's life.
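The description above names the two encodings a user query has to pass through: URL encoding so the search parameter survives storage and the request, and HTML escaping so it displays correctly in the configuration page. The following is an added example, not code from this pull request or from the project it patches; the function names and the sample query are constructed for illustration, and it shows why the quote-handling flag of `htmlspecialchars()` depends on where the value is rendered.

```php
<?php
declare(strict_types=1);

// Added example, not code from the pull request or the project it patches.
// A constructed user query containing double quotes, an ampersand and angle
// brackets is carried through the two encodings discussed in the thread.

const SAMPLE_QUERY = 'intitle:"foo & bar" <baz>';   // constructed sample input

// Percent-encode the search parameter for a URL query string (RFC 3986),
// so the quotes travel as %22 instead of breaking the URL or being dropped.
function encodeSearchParam(string $search): string
{
    return rawurlencode($search);
}

// Recover the original text; this must be lossless for the filter to keep
// working after the round trip through storage and the request.
function decodeSearchParam(string $encoded): string
{
    return rawurldecode($encoded);
}

// Escape for HTML text content (between tags). Quotes are harmless in a text
// node, so ENT_NOQUOTES, as in the reviewer's suggestion, is sufficient here.
// The charset is passed explicitly so the result does not depend on the
// runtime default, and ENT_SUBSTITUTE keeps invalid UTF-8 from yielding "".
function escapeForTextNode(string $raw): string
{
    return htmlspecialchars($raw, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for an HTML attribute value. ENT_NOQUOTES would be wrong here: an
// unescaped " terminates a double-quoted attribute, so both quote kinds are
// encoded with ENT_QUOTES.
function escapeForAttribute(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a list item like the patched template, using the context-appropriate
// escaping for the attribute and for the visible text.
function renderQueryItem(string $search): string
{
    return '<li class="item" title="' . escapeForAttribute($search) . '">'
        . escapeForTextNode($search)
        . '</li>';
}

$url = encodeSearchParam(SAMPLE_QUERY);
if (decodeSearchParam($url) !== SAMPLE_QUERY) {
    throw new RuntimeException('search parameter did not survive the URL round trip');
}

echo 'url param : ', $url, PHP_EOL;
echo 'text node : ', escapeForTextNode(SAMPLE_QUERY), PHP_EOL;
echo 'attribute : ', escapeForAttribute(SAMPLE_QUERY), PHP_EOL;
echo 'rendered  : ', renderQueryItem(SAMPLE_QUERY), PHP_EOL;
```

Run it with `php example.php`; the round-trip check at the end is the property the PR description relies on (the search param must come back unchanged), while the two escaping helpers make the text-node versus attribute distinction explicit instead of leaving it to the PHP version's default flags.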
Force-pushed from e8f83c9 to 0b19379