XSS: Escape the input on ajax searches.
jelmersnoeck committed Mar 1, 2012
1 parent f975b42 commit 641e27b
Showing 4 changed files with 8 additions and 4 deletions.
3 changes: 2 additions & 1 deletion frontend/modules/search/ajax/autocomplete.php
Expand Up @@ -23,7 +23,8 @@ public function execute()
parent::execute();

// get parameters
$term = SpoonFilter::getPostValue('term', null, '');
$searchTerm = SpoonFilter::getPostValue('term', null, '');
$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
$limit = (int) FrontendModel::getModuleSetting('search', 'autocomplete_num_items', 10);

// validate
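Review bot: Escaping the term at the point it is read means every later use of `$term` in execute() sees the HTML-encoded form rather than what the user typed; if `$term` is also what gets passed to the search lookup (execute() continues below the hunk), a term containing `&`, `<`, `"` or `'` will be searched for as its entity form and miss matching rows. The usual split is to keep the raw value for validation and the lookup and to apply `SpoonFilter::htmlspecialchars` / `SpoonFilter::htmlentities` only where the value is written into the HTML or JSON response, so `$term = SpoonFilter::getPostValue('term', null, '');` stays as it was and the escaping moves to the output variable. The same ternary is pasted verbatim into autosuggest.php, livesuggest.php and save.php; a single shared helper returning the escaped string would keep the four call sites from drifting, and `SPOON_CHARSET === 'utf-8'` would avoid the loose comparison. Both escaping functions here are for an HTML body context; if the term is placed inside a JavaScript string or an attribute in the response, that context needs its own escaping.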
3 changes: 2 additions & 1 deletion frontend/modules/search/ajax/autosuggest.php
Expand Up @@ -214,7 +214,8 @@ public function parse()
private function validateForm()
{
// set values
$this->term = SpoonFilter::getPostValue('term', null, '');
$searchTerm = SpoonFilter::getPostValue('term', null, '');
$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
$this->length = (int) SpoonFilter::getPostValue('length', null, 50);

// validate
3 changes: 2 additions & 1 deletion frontend/modules/search/ajax/livesuggest.php
Expand Up @@ -365,7 +365,8 @@ protected function parsePagination()
private function validateForm()
{
// set search term
$this->term = SpoonFilter::getPostValue('term', null, '');
$searchTerm = SpoonFilter::getPostValue('term', null, '');
$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);

// validate
if($this->term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');
3 changes: 2 additions & 1 deletion frontend/modules/search/ajax/save.php
Expand Up @@ -22,7 +22,8 @@ public function execute()
parent::execute();

// get parameters
$term = SpoonFilter::getPostValue('term', null, '');
$searchTerm = SpoonFilter::getPostValue('term', null, '');
$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);

// validate
if($term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');
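Review bot: In save.php the encoded `$term` is the value that reaches whatever this action persists (execute() continues below the hunk), so stored search terms would be HTML-encoded on disk; any later view that escapes on output would then double-encode `&amp;` to `&amp;amp;`, and any reporting that compares against raw terms would stop matching. Storing the raw value and escaping at render time avoids both; if storing the escaped form is intended, a comment such as `// term is persisted HTML-escaped; do not escape again when rendering` would stop the next reader from "fixing" it. The check on the following line, `if($term == '')`, can use `===` since the fallback passed to getPostValue is already the empty string.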
