Merged in csrf_fix (pull request #7)

Added function for escaping query strings and fixed several XSRF vulnerabilities.
author: Paweł Sroka <srokap@gmail.com> 2014-01-01 13:12:10 +0100
committer: Paweł Sroka <srokap@gmail.com> 2014-01-01 13:12:10 +0100
commit: 7006294fcbfab450289403b6519edb9d5d30ff35 (patch)
tree: 5dd58bccbe443795fd41aaa4afeafba6ed2a96d5 /mod
parent: 82b30f63043eba9c18999bd2a15301d62ead4a76 (diff)
parent: c1ea910e3b3b0bcc27a214383c9f6355a05dd495 (diff)
download: elgg-7006294fcbfab450289403b6519edb9d5d30ff35.tar.gz
elgg-7006294fcbfab450289403b6519edb9d5d30ff35.tar.bz2
3 files changed, 9 insertions, 12 deletions
diff --git a/mod/groups/lib/groups.php b/mod/groups/lib/groups.php
index f07ab5dc6..d5bec1862 100644
--- a/mod/groups/lib/groups.php
+++ b/mod/groups/lib/groups.php
@@ -73,7 +73,8 @@ function groups_search_page() {
 	elgg_push_breadcrumb(elgg_echo('search'));
 
 	$tag = get_input("tag");
-	$title = elgg_echo('groups:search:title', array($tag));
+	$display_query = _elgg_get_display_query($tag);
+	$title = elgg_echo('groups:search:title', array($display_query));
 
 	// groups plugin saves tags as "interests" - see groups_fields_setup() in start.php
 	$params = array(
diff --git a/mod/members/pages/members/search.php b/mod/members/pages/members/search.php
index 1f0444d67..5466a8246 100644
--- a/mod/members/pages/members/search.php
+++ b/mod/members/pages/members/search.php
@@ -7,7 +7,9 @@
 if ($vars['search_type'] == 'tag') {
 	$tag = get_input('tag');
 
-	$title = elgg_echo('members:title:searchtag', array($tag));
+	$display_query = _elgg_get_display_query($tag);
+
+	$title = elgg_echo('members:title:searchtag', array($display_query));
 
 	$options = array();
 	$options['query'] = $tag;
@@ -28,7 +30,9 @@ if ($vars['search_type'] == 'tag') {
 } else {
 	$name = sanitize_string(get_input('name'));
 
-	$title = elgg_echo('members:title:searchname', array($name));
+	$display_query = _elgg_get_display_query($name);
+
+	$title = elgg_echo('members:title:searchname', array($display_query));
 
 	$db_prefix = elgg_get_config('dbprefix');
 	$params = array(
diff --git a/mod/search/pages/search/index.php b/mod/search/pages/search/index.php
index ede09329b..9542e0751 100644
--- a/mod/search/pages/search/index.php
+++ b/mod/search/pages/search/index.php
@@ -17,15 +17,7 @@ $search_type = get_input('search_type', 'all');
 // XSS protection is more important that searching for HTML.
 $query = stripslashes(get_input('q', get_input('tag', '')));
 
-// @todo - create function for sanitization of strings for display in 1.8
-// encode <,>,&, quotes and characters above 127
-if (function_exists('mb_convert_encoding')) {
-	$display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8');
-} else {
-	// if no mbstring extension, we just strip characters
-	$display_query = preg_replace("/[^\x01-\x7F]/", "", $query);
-}
-$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+$display_query = _elgg_get_display_query($query);
 
 // check that we have an actual query
 if (!$query) {
author	Paweł Sroka <srokap@gmail.com>	2014-01-01 13:12:10 +0100
committer	Paweł Sroka <srokap@gmail.com>	2014-01-01 13:12:10 +0100
commit	7006294fcbfab450289403b6519edb9d5d30ff35 (patch)
tree	5dd58bccbe443795fd41aaa4afeafba6ed2a96d5 /mod
parent	82b30f63043eba9c18999bd2a15301d62ead4a76 (diff)
parent	c1ea910e3b3b0bcc27a214383c9f6355a05dd495 (diff)
download	elgg-7006294fcbfab450289403b6519edb9d5d30ff35.tar.gz elgg-7006294fcbfab450289403b6519edb9d5d30ff35.tar.bz2