aboutsummaryrefslogtreecommitdiff
path: root/mod/search
diff options
context:
space:
mode:
authorcash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544>2011-04-02 19:45:39 +0000
committercash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544>2011-04-02 19:45:39 +0000
commita867d66e7701e24a57ca55841594b35bbebdc366 (patch)
tree5b22f00a7401af03f763d91d8616b421cd3fe372 /mod/search
parent0b7110504e6e7557b025ff274ca942d1562f13ee (diff)
downloadelgg-a867d66e7701e24a57ca55841594b35bbebdc366.tar.gz
elgg-a867d66e7701e24a57ca55841594b35bbebdc366.tar.bz2
Refs #3179 pulled fix for search query encoding into trunk from 1.7 branch
git-svn-id: http://code.elgg.org/elgg/trunk@8919 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'mod/search')
-rw-r--r--mod/search/pages/search/index.php35
-rw-r--r--mod/search/views/default/search/search_box.php7
2 files changed, 28 insertions, 14 deletions
diff --git a/mod/search/pages/search/index.php b/mod/search/pages/search/index.php
index 4da6f95ef..c4e8d2219 100644
--- a/mod/search/pages/search/index.php
+++ b/mod/search/pages/search/index.php
@@ -13,9 +13,27 @@ $autofeed = true;
$search_type = get_input('search_type', 'all');
// @todo there is a bug in get_input that makes variables have slashes sometimes.
+// @todo is there an example query to demonstrate ^
// XSS protection is more important that searching for HTML.
$query = stripslashes(get_input('q', get_input('tag', '')));
+// @todo - create function for sanitization of strings for display in 1.8
+// encode <,>,&, quotes and characters above 127
+$display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8');
+$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+
+// check that we have an actual query
+if (!$query) {
+ $title = sprintf(elgg_echo('search:results'), "\"$display_query\"");
+
+ $body = elgg_view_title(elgg_echo('search:search_error'));
+ $body .= elgg_echo('search:no_query');
+ $layout = elgg_view_layout('one_sidebar', array('content' => $body));
+ echo elgg_view_page($title, $layout);
+
+ return;
+}
+
// get limit and offset. override if on search dashboard, where only 2
// of each most recent entity types will be shown.
$limit = ($search_type == 'all') ? 2 : get_input('limit', 10);
@@ -135,17 +153,6 @@ foreach ($custom_types as $type) {
elgg_register_menu_item('page', $menu_item);
}
-
-// check that we have an actual query
-if (!$query) {
- $body = elgg_view_title(elgg_echo('search:search_error'));
- $body .= elgg_echo('search:no_query');
- $layout = elgg_view_layout('one_sidebar', array('content' => $body));
- echo elgg_view_page($title, $layout);
-
- return;
-}
-
// start the actual search
$results_html = '';
@@ -251,8 +258,8 @@ if ($search_type != 'entities' || $search_type == 'all') {
}
// highlight search terms
-$searched_words = search_remove_ignored_words($query, 'array');
-$highlighted_query = search_highlight_words($searched_words, $query);
+$searched_words = search_remove_ignored_words($display_query, 'array');
+$highlighted_query = search_highlight_words($searched_words, $display_query);
$body = elgg_view_title(elgg_echo('search:results', array("\"$highlighted_query\"")));
@@ -268,6 +275,6 @@ if (!$results_html) {
$layout_view = search_get_search_view($params, 'layout');
$layout = elgg_view($layout_view, array('params' => $params, 'body' => $body));
-$title = elgg_echo('search:results', array("\"{$params['query']}\""));
+$title = elgg_echo('search:results', array("\"$display_query\""));
echo elgg_view_page($title, $layout);
diff --git a/mod/search/views/default/search/search_box.php b/mod/search/views/default/search/search_box.php
index 7561a3767..ff5910937 100644
--- a/mod/search/views/default/search/search_box.php
+++ b/mod/search/views/default/search/search_box.php
@@ -15,8 +15,15 @@ if (array_key_exists('value', $vars)) {
$value = elgg_echo('search');
}
+// @todo - why the strip slashes?
$value = stripslashes($value);
+// @todo - create function for sanitization of strings for display in 1.8
+// encode <,>,&, quotes and characters above 127
+$display_query = mb_convert_encoding($value, 'HTML-ENTITIES', 'UTF-8');
+$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+
+
?>
<form class="elgg-search" action="<?php echo elgg_get_site_url(); ?>search" method="get">