-rw-r--r-- | mod/search/pages/search/index.php | 35 | ||||
-rw-r--r-- | mod/search/views/default/search/search_box.php | 7 |
2 files changed, 28 insertions, 14 deletions
diff --git a/mod/search/pages/search/index.php b/mod/search/pages/search/index.php
index 4da6f95ef..c4e8d2219 100644
--- a/mod/search/pages/search/index.php
+++ b/mod/search/pages/search/index.php
@@ -13,9 +13,27 @@ $autofeed = true;
 $search_type = get_input('search_type', 'all');
 // @todo there is a bug in get_input that makes variables have slashes sometimes.
+// @todo is there an example query to demonstrate ^
 // XSS protection is more important that searching for HTML.
 $query = stripslashes(get_input('q', get_input('tag', '')));
+// @todo - create function for sanitization of strings for display in 1.8
+// encode <,>,&, quotes and characters above 127
+$display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8');
+$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+
+// check that we have an actual query
+if (!$query) {
+	$title = sprintf(elgg_echo('search:results'), "\"$display_query\"");
+
+	$body = elgg_view_title(elgg_echo('search:search_error'));
+	$body .= elgg_echo('search:no_query');
+	$layout = elgg_view_layout('one_sidebar', array('content' => $body));
+	echo elgg_view_page($title, $layout);
+
+	return;
+}
+
 // get limit and offset. override if on search dashboard, where only 2
 // of each most recent entity types will be shown.
 $limit = ($search_type == 'all') ? 2 : get_input('limit', 10);
@@ -135,17 +153,6 @@ foreach ($custom_types as $type) {
 	elgg_register_menu_item('page', $menu_item);
 }
-
-// check that we have an actual query
-if (!$query) {
-	$body = elgg_view_title(elgg_echo('search:search_error'));
-	$body .= elgg_echo('search:no_query');
-	$layout = elgg_view_layout('one_sidebar', array('content' => $body));
-	echo elgg_view_page($title, $layout);
-
-	return;
-}
-
 // start the actual search
 $results_html = '';
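Review bot: The new empty-query guard `if (!$query)` treats the literal query `0` as "no query", because PHP's truthiness test counts the string '0' as false; `if ($query === '')` keeps the intended check without rejecting a valid one-character term. In the same branch the title is built with `sprintf(elgg_echo('search:results'), ...)` while the final hunk of this file passes the argument through `elgg_echo('search:results', array("\"$display_query\""))`; using the second form here keeps a single translation path. The `htmlspecialchars(..., false)` call also deserves a why-comment, since disabling double-encoding is what preserves the entities emitted by the preceding `mb_convert_encoding` pass but reads like a missed escape at first glance: `// double_encode=false: keep the entities produced by mb_convert_encoding above`.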
@@ -251,8 +258,8 @@ if ($search_type != 'entities' || $search_type == 'all') {
 }
 // highlight search terms
-$searched_words = search_remove_ignored_words($query, 'array');
-$highlighted_query = search_highlight_words($searched_words, $query);
+$searched_words = search_remove_ignored_words($display_query, 'array');
+$highlighted_query = search_highlight_words($searched_words, $display_query);
 $body = elgg_view_title(elgg_echo('search:results', array("\"$highlighted_query\"")));
@@ -268,6 +275,6 @@ if (!$results_html) {
 $layout_view = search_get_search_view($params, 'layout');
 $layout = elgg_view($layout_view, array('params' => $params, 'body' => $body));
-$title = elgg_echo('search:results', array("\"{$params['query']}\""));
+$title = elgg_echo('search:results', array("\"$display_query\""));
 echo elgg_view_page($title, $layout);
diff --git a/mod/search/views/default/search/search_box.php b/mod/search/views/default/search/search_box.php
index 7561a3767..ff5910937 100644
--- a/mod/search/views/default/search/search_box.php
+++ b/mod/search/views/default/search/search_box.php
@@ -15,8 +15,15 @@ if (array_key_exists('value', $vars)) {
 	$value = elgg_echo('search');
 }
+// @todo - why the strip slashes?
 $value = stripslashes($value);
+// @todo - create function for sanitization of strings for display in 1.8
+// encode <,>,&, quotes and characters above 127
+$display_query = mb_convert_encoding($value, 'HTML-ENTITIES', 'UTF-8');
+$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+
+
 ?>
 <form class="elgg-search" action="<?php echo elgg_get_site_url(); ?>search" method="get"> |
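Review bot: Passing `$display_query` instead of `$query` to `search_remove_ignored_words` and `search_highlight_words` makes word splitting and highlighting run on entity-encoded text: a non-ASCII query arrives as `&#NNNN;` sequences and any `<` or `&` as `&lt;`/`&amp;`. If the highlighter tokenises on non-word characters (its body is not in this diff), a highlight tag can be inserted inside such an entity and break it, so the title shows raw entity fragments rather than the term. The cleaner split is to match on the raw `$query` and escape the non-markup parts when the highlighted HTML is assembled; at minimum the line needs a comment that `$display_query` already carries entities, e.g. `// $display_query is entity-encoded; highlight markup must not split an &...; sequence`.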
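Review bot: In search_box.php the new `$display_query` is assigned but nothing in the hunk reads it, and the `<input>` it is presumably meant for lies below the hunk's last line; if that line still echoes `$value`, the escaping added here has no effect, so the use site should be updated in the same change. The `@todo - why the strip slashes?` is better answered in code: `$value` comes from `$vars['value']` or `elgg_echo('search')`, and unless the caller is known to pass a slashed request value, `stripslashes($value)` silently removes legitimate backslashes from a translated label. The encode/`htmlspecialchars` pair is also a verbatim copy of the one in index.php, which the `@todo` about a shared 1.8 sanitization helper already calls out; until that helper exists the two copies should cite each other so a fix to one is not missed in the other.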