diff options
| author | Paweł Sroka <srokap@gmail.com> | 2013-09-12 05:59:18 +0200 |
|---|---|---|
| committer | Paweł Sroka <srokap@gmail.com> | 2013-09-12 05:59:18 +0200 |
| commit | c1ea910e3b3b0bcc27a214383c9f6355a05dd495 (patch) | |
| tree | 3c22e2c1015e775c3993329f16e9296dc2b57c1a /mod/search | |
| parent | 96fd62420124d8b22e9a368532240a5c5066d628 (diff) | |
| download | elgg-c1ea910e3b3b0bcc27a214383c9f6355a05dd495.tar.gz elgg-c1ea910e3b3b0bcc27a214383c9f6355a05dd495.tar.bz2 | |
Added function for escaping query strings and fixed several XSRF vulnerabilities.
Diffstat (limited to 'mod/search')
| -rw-r--r-- | mod/search/pages/search/index.php | 10 |
1 files changed, 1 insertions, 9 deletions
diff --git a/mod/search/pages/search/index.php b/mod/search/pages/search/index.php index ede09329b..9542e0751 100644 --- a/mod/search/pages/search/index.php +++ b/mod/search/pages/search/index.php @@ -17,15 +17,7 @@ $search_type = get_input('search_type', 'all'); // XSS protection is more important that searching for HTML. $query = stripslashes(get_input('q', get_input('tag', ''))); -// @todo - create function for sanitization of strings for display in 1.8 -// encode <,>,&, quotes and characters above 127 -if (function_exists('mb_convert_encoding')) { - $display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8'); -} else { - // if no mbstring extension, we just strip characters - $display_query = preg_replace("/[^\x01-\x7F]/", "", $query); -} -$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false); +$display_query = _elgg_get_display_query($query); // check that we have an actual query if (!$query) { |