External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-08 12:41:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

better patch for the XSS search issue

Browse Source 
Since the query string could be output when displaying the results too
This commit is contained in:
Daniel Veillard 2015-07-03 21:04:24 +08:00
parent d51876bc8e
commit cf739b3568
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/search.php.code.in
View File

@ -9,11 +9,12 @@
$scope = ltrim ($scope); $scope = ltrim ($scope);
if ($scope == "") if ($scope == "")
$scope = "any"; $scope = "any";
$querystr = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
?> ?>
<form action="<?php echo $_SERVER['PHP_SELF'], "?query=", rawurlencode($query) ?>" <form action="<?php echo $_SERVER['PHP_SELF'], "?query=", rawurlencode($query) ?>"
enctype="application/x-www-form-urlencoded" method="get"> enctype="application/x-www-form-urlencoded" method="get">
<input name="query" type="text" size="50" value="<?php echo htmlspecialchars($query, ENT_QUOTES, 'UTF-8')?>"/> <input name="query" type="text" size="50" value="<?php echo $querystr ?>"/>
<select name="scope"> <select name="scope">
<option value="any">Search All</option> <option value="any">Search All</option>
<option value="API" <?php if ($scope == 'API') print "selected='selected'"?>>Only the APIs</option> <option value="API" <?php if ($scope == 'API') print "selected='selected'"?>>Only the APIs</option>
@ -200,7 +201,7 @@
} }
mysql_close($link); mysql_close($link);
$nb = count($results); $nb = count($results);
echo "<h3 align='center'>Found $nb results for query $query</h3>\n"; echo "<h3 align='center'>Found $nb results for query $querystr</h3>\n";
usort($results, "resSort"); usort($results, "resSort");
if ($nb > 0) { if ($nb > 0) {