diff options
-rw-r--r-- | mod/file/pages/file/search.php | 20 | ||||
-rw-r--r-- | mod/messages/pages/messages/send.php | 2 |
2 files changed, 11 insertions, 11 deletions
diff --git a/mod/file/pages/file/search.php b/mod/file/pages/file/search.php index cffe67e0c..2242d1d7e 100644 --- a/mod/file/pages/file/search.php +++ b/mod/file/pages/file/search.php @@ -5,7 +5,7 @@ * @package ElggFile */ -$page_owner_guid = get_input('page_owner', null); +$page_owner_guid = (int)get_input('page_owner', 0); if ($page_owner_guid) { elgg_set_page_owner_guid($page_owner_guid); } @@ -15,10 +15,10 @@ group_gatekeeper(); // Get input $md_type = 'simpletype'; -$tag = get_input('tag'); +// avoid reflected XSS attacks by only allowing alnum characters +$file_type = preg_replace('[\W]', '', get_input('tag')); $listtype = get_input('listtype'); -$friends = get_input('friends', false); - +$friends = (bool)get_input('friends', false); // breadcrumbs elgg_push_breadcrumb(elgg_echo('file'), "file/all"); @@ -32,8 +32,8 @@ if ($owner) { if ($friends && $owner) { elgg_push_breadcrumb(elgg_echo('friends'), "file/friends/$owner->username"); } -if ($tag) { - elgg_push_breadcrumb(elgg_echo("file:type:$tag")); +if ($file_type) { + elgg_push_breadcrumb(elgg_echo("file:type:$file_type")); } else { elgg_push_breadcrumb(elgg_echo('all')); } @@ -41,10 +41,10 @@ if ($tag) { // title if (!$owner) { // world files - $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$tag"); + $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$file_type"); } else { $friend_string = $friends ? elgg_echo('file:title:friends') : ''; - $type_string = elgg_echo("file:type:$tag"); + $type_string = elgg_echo("file:type:$file_type"); $title = elgg_echo('file:list:title', array($owner->name, $friend_string, $type_string)); } @@ -76,9 +76,9 @@ $params = array( 'full_view' => false, ); -if ($tag) { +if ($file_type) { $params['metadata_name'] = $md_type; - $params['metadata_value'] = $tag; + $params['metadata_value'] = $file_type; $content = elgg_list_entities_from_metadata($params); } else { $content = elgg_list_entities($params); diff --git a/mod/messages/pages/messages/send.php b/mod/messages/pages/messages/send.php index 02d430df7..1b821d185 100644 --- a/mod/messages/pages/messages/send.php +++ b/mod/messages/pages/messages/send.php @@ -14,7 +14,7 @@ $title = elgg_echo('messages:add'); elgg_push_breadcrumb($title); -$params = messages_prepare_form_vars(get_input('send_to')); +$params = messages_prepare_form_vars((int)get_input('send_to')); $params['friends'] = $page_owner->getFriends(); $content = elgg_view_form('messages/send', array(), $params); |