aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--mod/file/pages/file/search.php20
-rw-r--r--mod/messages/pages/messages/send.php2
2 files changed, 11 insertions, 11 deletions
diff --git a/mod/file/pages/file/search.php b/mod/file/pages/file/search.php
index cffe67e0c..2242d1d7e 100644
--- a/mod/file/pages/file/search.php
+++ b/mod/file/pages/file/search.php
@@ -5,7 +5,7 @@
* @package ElggFile
*/
-$page_owner_guid = get_input('page_owner', null);
+$page_owner_guid = (int)get_input('page_owner', 0);
if ($page_owner_guid) {
elgg_set_page_owner_guid($page_owner_guid);
}
@@ -15,10 +15,10 @@ group_gatekeeper();
// Get input
$md_type = 'simpletype';
-$tag = get_input('tag');
+// avoid reflected XSS attacks by only allowing alnum characters
+$file_type = preg_replace('[\W]', '', get_input('tag'));
$listtype = get_input('listtype');
-$friends = get_input('friends', false);
-
+$friends = (bool)get_input('friends', false);
// breadcrumbs
elgg_push_breadcrumb(elgg_echo('file'), "file/all");
@@ -32,8 +32,8 @@ if ($owner) {
if ($friends && $owner) {
elgg_push_breadcrumb(elgg_echo('friends'), "file/friends/$owner->username");
}
-if ($tag) {
- elgg_push_breadcrumb(elgg_echo("file:type:$tag"));
+if ($file_type) {
+ elgg_push_breadcrumb(elgg_echo("file:type:$file_type"));
} else {
elgg_push_breadcrumb(elgg_echo('all'));
}
@@ -41,10 +41,10 @@ if ($tag) {
// title
if (!$owner) {
// world files
- $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$tag");
+ $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$file_type");
} else {
$friend_string = $friends ? elgg_echo('file:title:friends') : '';
- $type_string = elgg_echo("file:type:$tag");
+ $type_string = elgg_echo("file:type:$file_type");
$title = elgg_echo('file:list:title', array($owner->name, $friend_string, $type_string));
}
@@ -76,9 +76,9 @@ $params = array(
'full_view' => false,
);
-if ($tag) {
+if ($file_type) {
$params['metadata_name'] = $md_type;
- $params['metadata_value'] = $tag;
+ $params['metadata_value'] = $file_type;
$content = elgg_list_entities_from_metadata($params);
} else {
$content = elgg_list_entities($params);
diff --git a/mod/messages/pages/messages/send.php b/mod/messages/pages/messages/send.php
index 02d430df7..1b821d185 100644
--- a/mod/messages/pages/messages/send.php
+++ b/mod/messages/pages/messages/send.php
@@ -14,7 +14,7 @@ $title = elgg_echo('messages:add');
elgg_push_breadcrumb($title);
-$params = messages_prepare_form_vars(get_input('send_to'));
+$params = messages_prepare_form_vars((int)get_input('send_to'));
$params['friends'] = $page_owner->getFriends();
$content = elgg_view_form('messages/send', array(), $params);