field | value |
---|---|
author | Daniel Veillard <veillard@redhat.com>, 2015-07-03 20:58:33 +0800 |
committer | Daniel Veillard <veillard@redhat.com>, 2015-07-03 20:58:33 +0800 |
commit | 73b2d73df8981e37a03dfdcf727d8bdafb019266 |
tree | 9e7ec097eb4fc185d79cfa19078cadedeaa1eb66 |
parent | 140c251e8e5653572edcca91b9d675f871735cb4 |
Avoid XSS on the search of xmlsoft.org
Query string needs to be escaped before being displayed back.
-rw-r--r-- | doc/search.php | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/doc/search.php b/doc/search.php index ce1a25fb..c94e87ec 100644 --- a/doc/search.php +++ b/doc/search.php @@ -102,13 +102,14 @@ A:link, A:visited, A:active { text-decoration: underline } $scope = ltrim ($scope); if ($scope == "") $scope = "any"; + $querystr = htmlspecialchars($query, ENT_QUOTES, 'UTF-8'); ?> <p> The search service indexes the libxml2 and libxslt APIs and documentation as well as the xml@gnome.org and xslt@gnome.org mailing-list archives. To use it simply provide a set of keywords: <p> <form action="<?php echo "$PHP_SELF", "?query=", rawurlencode($query) ?>" enctype="application/x-www-form-urlencoded" method="GET"> - <input name="query" type="TEXT" size="50" value="<?php echo $query?>"> + <input name="query" type="TEXT" size="50" value="<?php echo $querystr?>"> <select name="scope"> <option value="any">Search All</option> <option value="XML" <?php if ($scope == 'XML') print "selected"?>>XML resources</option> @@ -446,7 +447,7 @@ A:link, A:visited, A:active { text-decoration: underline } } mysql_close($link); $nb = count($results); - echo "<h3 align='center'>Found $nb results for query $query</h3>\n"; + echo "<h3 align='center'>Found $nb results for query $querystr</h3>\n"; usort($results, "resSort"); if ($nb > 0) { |
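Review bot: the first hunk leaves `$PHP_SELF` echoed unescaped into the form's `action` attribute (`<form action="<?php echo "$PHP_SELF", "?query=", rawurlencode($query) ?>"`), so reflected input still reaches an HTML attribute on this page: PHP_SELF carries the request path, including any path info appended after `search.php`, and it is not passed through `htmlspecialchars`. Wrap it the same way as the new `$querystr` (`htmlspecialchars($PHP_SELF, ENT_QUOTES, 'UTF-8')`) or hard-code the action; the `rawurlencode($query)` part is fine as it is, since its output contains only unreserved characters and `%XX` escapes. Two smaller points on the added line: `htmlspecialchars($query, ENT_QUOTES, 'UTF-8')` returns an empty string for input that is not valid UTF-8 on PHP releases before 5.4, so such a search silently reflects nothing rather than an escaped string, and `$query` itself stays unescaped, so any other `echo $query` elsewhere in the file keeps the original bug; grep the file for `$query` in output context before merging.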
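Review bot: in the second hunk, reusing the pre-escaped `$querystr` assigned around line 105 in the first hunk is fragile: nothing in the name says the value is HTML-encoded, and if it is later passed to `rawurlencode`, into the SQL built for `$link`, or into a plain-text context, it will be double-encoded or wrong. Prefer escaping at the output site (`echo "<h3 align='center'>Found $nb results for query " . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . "</h3>\n";`) or rename the variable to something that signals its encoding, such as `$query_html`. The substitution itself is correct for this context, since the value lands in element text where `htmlspecialchars` neutralises `<`, `>` and `&`.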