XSS: Escape the input on ajax searches. #247

Merged
merged 1 commit into from

2 participants

@jelmersnoeck

No description provided.

@dieterve dieterve merged commit 03e8f5b into forkcms:master
Commits on Mar 1, 2012
  1. XSS: Escape the input on ajax searches.

    jelmersnoeck authored
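--- a/frontend/modules/search/ajax/autocomplete.php
+++ b/frontend/modules/search/ajax/autocomplete.php
@@ -23,7 +23,8 @@ public function execute()
 parent::execute();
 // get parameters
-$term = SpoonFilter::getPostValue('term', null, '');
+$searchTerm = SpoonFilter::getPostValue('term', null, '');
+$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 $limit = (int) FrontendModel::getModuleSetting('search', 'autocomplete_num_items', 10);
 // validate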
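Review bot: The escaping added on the new `$term` line happens at the input boundary, before the term reaches the lookup that follows later in `execute()` (the method continues outside the hunk), so a term containing `&`, `<`, `>` or quotes is searched for in its entity-encoded form, and any escaping that already happens when the result is rendered will double-encode it. The same pattern is applied in the autosuggest.php, livesuggest.php and save.php hunks, and in save.php the encoded form is presumably what gets persisted. Keeping the raw value for the lookup and escaping only where the term is written into HTML (or letting JSON encoding of the AJAX response handle it) would close the XSS without changing search semantics; whether the term is rendered as HTML or returned as JSON is not visible here, so that should be confirmed. If input-side escaping is kept deliberately, state the contract next to it, e.g. `// $term is already HTML-escaped; do not escape again when rendering or storing`.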
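--- a/frontend/modules/search/ajax/autosuggest.php
+++ b/frontend/modules/search/ajax/autosuggest.php
@@ -214,7 +214,8 @@ public function parse()
 private function validateForm()
 {
 // set values
-$this->term = SpoonFilter::getPostValue('term', null, '');
+$searchTerm = SpoonFilter::getPostValue('term', null, '');
+$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 $this->length = (int) SpoonFilter::getPostValue('length', null, 50);
 // validate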
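--- a/frontend/modules/search/ajax/livesuggest.php
+++ b/frontend/modules/search/ajax/livesuggest.php
@@ -365,7 +365,8 @@ protected function parsePagination()
 private function validateForm()
 {
 // set search term
-$this->term = SpoonFilter::getPostValue('term', null, '');
+$searchTerm = SpoonFilter::getPostValue('term', null, '');
+$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 // validate
 if($this->term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');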
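--- a/frontend/modules/search/ajax/save.php
+++ b/frontend/modules/search/ajax/save.php
@@ -22,7 +22,8 @@ public function execute()
 parent::execute();
 // get parameters
-$term = SpoonFilter::getPostValue('term', null, '');
+$searchTerm = SpoonFilter::getPostValue('term', null, '');
+$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 // validate
 if($term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');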