aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaweł Sroka <srokap@gmail.com>2013-09-12 05:59:18 +0200
committerPaweł Sroka <srokap@gmail.com>2013-09-12 05:59:18 +0200
commitc1ea910e3b3b0bcc27a214383c9f6355a05dd495 (patch)
tree3c22e2c1015e775c3993329f16e9296dc2b57c1a
parent96fd62420124d8b22e9a368532240a5c5066d628 (diff)
downloadelgg-c1ea910e3b3b0bcc27a214383c9f6355a05dd495.tar.gz
elgg-c1ea910e3b3b0bcc27a214383c9f6355a05dd495.tar.bz2
Added function for escaping query strings and fixed several XSRF vulnerabilities.
-rw-r--r--engine/lib/output.php19
-rw-r--r--mod/groups/lib/groups.php3
-rw-r--r--mod/members/pages/members/search.php8
-rw-r--r--mod/search/pages/search/index.php10
4 files changed, 28 insertions, 12 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 6172a5c8d..de4f911fb 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -421,6 +421,25 @@ function _elgg_html_decode($string) {
}
/**
+ * Prepares query string for output to prevent CSRF attacks.
+ *
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+ //encode <,>,&, quotes and characters above 127
+ if (function_exists('mb_convert_encoding')) {
+ $display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');
+ } else {
+ // if no mbstring extension, we just strip characters
+ $display_query = preg_replace("/[^\x01-\x7F]/", "", $string);
+ }
+ return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
+/**
* Unit tests for Output
*
* @param string $hook unit_test
diff --git a/mod/groups/lib/groups.php b/mod/groups/lib/groups.php
index 77d7c09cc..aa8766e06 100644
--- a/mod/groups/lib/groups.php
+++ b/mod/groups/lib/groups.php
@@ -73,7 +73,8 @@ function groups_search_page() {
elgg_push_breadcrumb(elgg_echo('search'));
$tag = get_input("tag");
- $title = elgg_echo('groups:search:title', array($tag));
+ $display_query = _elgg_get_display_query($tag);
+ $title = elgg_echo('groups:search:title', array($display_query));
// groups plugin saves tags as "interests" - see groups_fields_setup() in start.php
$params = array(
diff --git a/mod/members/pages/members/search.php b/mod/members/pages/members/search.php
index 1f0444d67..5466a8246 100644
--- a/mod/members/pages/members/search.php
+++ b/mod/members/pages/members/search.php
@@ -7,7 +7,9 @@
if ($vars['search_type'] == 'tag') {
$tag = get_input('tag');
- $title = elgg_echo('members:title:searchtag', array($tag));
+ $display_query = _elgg_get_display_query($tag);
+
+ $title = elgg_echo('members:title:searchtag', array($display_query));
$options = array();
$options['query'] = $tag;
@@ -28,7 +30,9 @@ if ($vars['search_type'] == 'tag') {
} else {
$name = sanitize_string(get_input('name'));
- $title = elgg_echo('members:title:searchname', array($name));
+ $display_query = _elgg_get_display_query($name);
+
+ $title = elgg_echo('members:title:searchname', array($display_query));
$db_prefix = elgg_get_config('dbprefix');
$params = array(
diff --git a/mod/search/pages/search/index.php b/mod/search/pages/search/index.php
index ede09329b..9542e0751 100644
--- a/mod/search/pages/search/index.php
+++ b/mod/search/pages/search/index.php
@@ -17,15 +17,7 @@ $search_type = get_input('search_type', 'all');
// XSS protection is more important that searching for HTML.
$query = stripslashes(get_input('q', get_input('tag', '')));
-// @todo - create function for sanitization of strings for display in 1.8
-// encode <,>,&, quotes and characters above 127
-if (function_exists('mb_convert_encoding')) {
- $display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8');
-} else {
- // if no mbstring extension, we just strip characters
- $display_query = preg_replace("/[^\x01-\x7F]/", "", $query);
-}
-$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+$display_query = _elgg_get_display_query($query);
// check that we have an actual query
if (!$query) {