From 0aedf55ec60834df0a7df23eca49a56d8c7cc7ec Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Fri, 27 Oct 2023 12:51:21 +0200
Subject: [PATCH] prevent xss attach
---
 views/bootstrap/class.Search.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/views/bootstrap/class.Search.php b/views/bootstrap/class.Search.php
index 5557fd9d5..6aac1bb1a 100644
--- a/views/bootstrap/class.Search.php
+++ b/views/bootstrap/class.Search.php
@@ -878,7 +878,7 @@ $(document).ready(function() {
 foreach($values as $v=>$c) {
 $uu = $dms->getUserByLogin($v);
 if($uu) {
- $option = array($uu->getId(), $v);
+ $option = array($uu->getId(), htmlspecialchars($v));
 if(isset(${$facetname}) && in_array($uu->getId(), ${$facetname}))
 $option[] = true;
 else
@@ -891,7 +891,7 @@ $(document).ready(function() {
 foreach($values as $v=>$c) {
 $cat = $dms->getDocumentCategoryByName($v);
 if($cat) {
- $option = array($cat->getId(), $v);
+ $option = array($cat->getId(), htmlspecialchars($v));
 if(isset(${$facetname}) && in_array($cat->getId(), ${$facetname}))
 $option[] = true;
 else
@@ -914,7 +914,7 @@ $(document).ready(function() {
 /* Do not even create a list of options, because it isn't used */
 } else {
 foreach($values as $v=>$c) {
- $option = array($v, $v);
+ $option = array($v, htmlspecialchars($v));
 if(isset(${$facetname}) && in_array($v, ${$facetname}))
 $option[] = true;
 else
@@ -1122,7 +1122,7 @@ $(document).ready(function() {
 else
 $fu = $dms->getUserByLogin($v);
 if($fu)
- $oldtransval[] = $fu->getLogin();
+ $oldtransval[] = htmlspecialchars($fu->getLogin());
 }
 break;
 case 'status':
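Review bot: `htmlspecialchars($v)` on the added line in the hunk at 878 relies on the default flags, which before PHP 8.1 are `ENT_COMPAT` (double quotes escaped, single quotes left alone) and only became `ENT_QUOTES | ENT_SUBSTITUTE` from 8.1 on, so on an older interpreter a label placed inside a single-quoted attribute is still not neutralised and an invalid UTF-8 byte sequence makes the call return an empty string, silently dropping the label. Passing the flags and charset explicitly, `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, removes the dependence on the PHP version; the same applies to the added lines in the hunks at 891, 914, 1122 and 1290. The enclosing foreach and if blocks start and end outside this hunk.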
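Review bot: In the hunk at 914 the added line escapes only the label half of the option, `array($v, htmlspecialchars($v))`, while the same `$v` is still passed unescaped as the option value, so whether this fix is complete depends on the consumer of `$option` (outside this hunk) escaping the value attribute itself. If that helper writes the value into the markup verbatim, the first element needs the same treatment, or better, the escaping should be done once inside the helper so every option produced in this file is handled in one place. The enclosing `else` branch and foreach continue beyond the hunk.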
@@ -1290,7 +1290,7 @@ $(document).ready(function() {
 case 'owner':
 foreach($values as $v=>$c) {
 if($fu = $dms->getUserByLogin($v))
- $menuitems[] = array('label'=>$fu->getLogin(), 'link'=>$newrequest->getRequestUri().'&'.$facetname.'[]='.$fu->getId(), 'badge'=>$c);
+ $menuitems[] = array('label'=>htmlspecialchars($fu->getLogin()), 'link'=>$newrequest->getRequestUri().'&'.$facetname.'[]='.$fu->getId(), 'badge'=>$c);
 }
 break;
 default:
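Review bot: The added line HTML-encodes the label at the point where `$menuitems` is assembled, so the array now carries markup-ready text instead of data; if the code that renders `$menuitems` (outside this hunk) also escapes labels the login will be double-encoded, and if it does not, every other `'label'` producer must remember the same call. A comment on the line such as `// label is HTML-escaped here; the menu renderer must not escape it again` would at least record that contract. The `'link'` value on the same line is still built by plain concatenation with `$facetname`, which is only safe if `$facetname` is a fixed string here and the renderer attribute-escapes the href; the switch case starts before the hunk and the `default:` arm continues after it.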