Don't directly inject $_GET parameters in html.
The Search module created a canonical tag containing a directly injected
$_GET parameter. This commit makes sure we encode special characters
making XSS impossible. Fixes #1018
woutersioen committed Dec 26, 2014
1 parent f8e721b commit 4a78147
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Frontend/Modules/Search/Actions/Index.php
Expand Up @@ -246,7 +246,7 @@ private function loadForm()
// since we know the term just here we should set the canonical url here
$canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search');
if (isset($_GET['q']) && $_GET['q'] != '') {
$canonicalUrl .= '?q=' . $_GET['q'];
$canonicalUrl .= '?q=' . \SpoonFilter::htmlspecialchars($_GET['q']);
}
$this->header->setCanonicalUrl($canonicalUrl);
}
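Review bot: on the added line, `\SpoonFilter::htmlspecialchars()` is applied at the wrong layer for a value that is being appended to a URL; it closes the reported XSS, but `$canonicalUrl` now carries HTML entities instead of URL encoding, so a term containing `&`, `#`, a space or non-ASCII characters still yields a malformed canonical URL (`?q=a&amp;b`, `?q=foo bar`) and risks double-escaping if `setCanonicalUrl()`'s output is escaped again when the `<link rel="canonical">` tag is rendered. Suggested: `$canonicalUrl .= '?q=' . rawurlencode($_GET['q']);` here, and keep HTML escaping in the header code that emits the tag. Separately, the `isset($_GET['q']) && $_GET['q'] != ''` guard does not reject `?q[]=x`, where PHP delivers an array and the concatenation produces `Array` with a notice; add an `is_string($_GET['q'])` check to the condition.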
