From 9f3c651ccd3f0f43a9d8d61cff4b71e3e29069d7 Mon Sep 17 00:00:00 2001
From: Brett Profitt <brett.profitt@gmail.com>
Date: Sun, 4 Sep 2011 17:43:56 -0700
Subject: Refs #3661. Merged XSS fixes in search to master.

---
 mod/search/search_hooks.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'mod/search/search_hooks.php')

diff --git a/mod/search/search_hooks.php b/mod/search/search_hooks.php
index 428d6f700..b302272fb 100644
--- a/mod/search/search_hooks.php
+++ b/mod/search/search_hooks.php
@@ -202,6 +202,10 @@ function search_tags_hook($hook, $type, $value, $params) {
 		$search_tag_names = $valid_tag_names;
 	}
 
+	if (!$search_tag_names) {
+		return array('entities' => array(), 'count' => $count);
+	}
+
 	// don't use elgg_get_entities_from_metadata() here because of
 	// performance issues.  since we don't care what matches at this point
 	// use an IN clause to grab everything that matches at once and sort
@@ -337,7 +341,7 @@ function search_comments_hook($hook, $type, $value, $params) {
 
 	$container_and = '';
 	if ($params['container_guid'] && $params['container_guid'] !== ELGG_ENTITIES_ANY_VALUE) {
-		$container_and = 'AND e.container_guid = ' . sanitise_string($params['container_guid']);
+		$container_and = 'AND e.container_guid = ' . sanitise_int($params['container_guid']);
 	}
 
 	$e_access = get_access_sql_suffix('e');
-- 
cgit v1.2.3