XSS: Escape the input on ajax searches.

frontend/modules/search/ajax/autocomplete.php

@@ -23,7 +23,8 @@ public function execute()
 		parent::execute();
 
 		// get parameters
-		$term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 		$limit = (int) FrontendModel::getModuleSetting('search', 'autocomplete_num_items', 10);
 
 		// validate

frontend/modules/search/ajax/autosuggest.php

@@ -214,7 +214,8 @@ public function parse()
 	private function validateForm()
 	{
 		// set values
-		$this->term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 		$this->length = (int) SpoonFilter::getPostValue('length', null, 50);
 
 		// validate

frontend/modules/search/ajax/livesuggest.php

@@ -365,7 +365,8 @@ protected function parsePagination()
 	private function validateForm()
 	{
 		// set search term
-		$this->term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 
 		// validate
 		if($this->term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');

frontend/modules/search/ajax/save.php

@@ -22,7 +22,8 @@ public function execute()
 		parent::execute();
 
 		// get parameters
-		$term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 
 		// validate
 		if($term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');