From 9b3cbb341707edd45adc5a600d509e63c0b3fa4a Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Mon, 25 Mar 2024 16:20:50 +0100
Subject: [PATCH] escape several strings to prevent xss attacks
---
 views/bootstrap/class.Search.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/views/bootstrap/class.Search.php b/views/bootstrap/class.Search.php
index c22b4bbc2..2e9e29a97 100644
--- a/views/bootstrap/class.Search.php
+++ b/views/bootstrap/class.Search.php
@@ -979,7 +979,7 @@ $(document).ready(function() {
 $option = array($v, getReadableDate($v));
 break;
 default:
- $option = array($v, $v);
+ $option = array(htmlspecialchars($v), htmlspecialchars($v));
 }
 if(isset($attributes[$facetname]) && is_array($attributes[$facetname]) && in_array($v, $attributes[$facetname]))
 $option[] = true;
@@ -1092,9 +1092,9 @@ $(document).ready(function() {
 if($oldvalue) {
 unset($allparams['attributes'][$facetname]);
 $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
- $menuitems[] = array('label'=>' '.$dispname.' = '.implode(', ', $oldvalue), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
+ $menuitems[] = array('label'=>' '.$dispname.' = '.htmlspecialchars(implode(', ', $oldvalue)), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
 foreach($oldvalue as $ov)
- echo '';
+ echo '';
 }
 }
 }
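Review bot: The new `htmlspecialchars($v)` calls on the `default:` line rely on the function's default flags, which on PHP before 8.1 are ENT_COMPAT and leave single quotes unescaped, so a value that ends up in a single-quoted attribute is still injectable. Make the flags explicit, `$option = array(htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`, and the same applies to the calls added in the 1092 and 1150 hunks. The escaped string is also written into the value slot `$option[0]`; if whatever renders `$option` into markup escapes attribute values itself, the value is double-encoded and the submitted facet value no longer satisfies the `in_array($v, $attributes[$facetname])` check on the next request, so where `$option` is consumed (outside this hunk) should be confirmed. The enclosing switch begins before the hunk, and its `getReadableDate($v)` branch stays unescaped, which is only safe if that helper returns a fixed format.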
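Review bot: On the new `$menuitems[]` line only the `implode(', ', $oldvalue)` part is escaped while `$dispname` is concatenated raw into the same `'label'` string; the added escape implies the label is emitted as HTML, so `$dispname` needs the same treatment unless it is known to be a fixed string. The line would read `'label'=>' '.htmlspecialchars($dispname).' = '.htmlspecialchars(implode(', ', $oldvalue))` with the rest unchanged. The markup of the changed `echo` line is not preserved on this page, so whether `$ov` is escaped in a way that matches the attribute quoting used there cannot be checked from here. The enclosing function starts before the hunk.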
@@ -1150,9 +1150,9 @@ $(document).ready(function() {
 if($oldvalue) {
 unset($allparams[$facetname]);
 $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
- $menuitems[] = array('label'=>' '.getMLText($facetname).' = '.implode(', ', $oldtransval), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
+ $menuitems[] = array('label'=>' '.getMLText($facetname).' = '.htmlspecialchars(implode(', ', $oldtransval)), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
 foreach($oldvalue as $ok=>$ov)
- echo '';
+ echo '';
 }
 }
 }
@@ -1476,7 +1476,7 @@ $(document).ready(function() {
 $attrstr .= $arr;
 } else {
 $attrdef = $lcattribute->getAttributeDefinition();
- $attrstr .= "".htmlspecialchars($attrdef->getName())."".htmlspecialchars(implode(', ', $lcattribute->getValueAsArray()))."\n";
+ $attrstr .= "".htmlspecialchars($attrdef->getName())."".htmlspecialchars($lcattribute->getValueAsString())."\n";
 // TODO: better use printAttribute()
 // $this->printAttribute($lcattribute);
 }
@@ -1529,7 +1529,7 @@ $(document).ready(function() {
 $attrstr .= "".getMLText('name')."".getMLText('attribute_value')."";
 foreach($folderattributes as $folderattribute) {
 $attrdef = $folderattribute->getAttributeDefinition();
- $attrstr .= "".htmlspecialchars($attrdef->getName())."".htmlspecialchars(implode(', ', $folderattribute->getValueAsArray()))."\n";
+ $attrstr .= "".htmlspecialchars($attrdef->getName())."".htmlspecialchars($folderattribute->getValueAsString())."\n";
 }
 $attrstr .= "";
 }
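Review bot: The `foreach($oldvalue as $ok=>$ov)` loop feeds both the key and the value into the changed `echo` line, and `$oldvalue` appears to come from the same request parameters that `$allparams[$facetname]` holds, so an array-valued query parameter makes `$ok` as attacker-controlled as `$ov`. The echo's markup is lost on this page, so confirm that `$ok` is wrapped in `htmlspecialchars($ok, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` wherever it is emitted, not only `$ov`. The label line escapes `$oldtransval` while the hidden inputs carry `$oldvalue`; that is consistent as long as both paths escape. The enclosing function starts before the hunk.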
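Review bot: Replacing `htmlspecialchars(implode(', ', $lcattribute->getValueAsArray()))` with `htmlspecialchars($lcattribute->getValueAsString())` changes which method produces the displayed text, which the commit message about escaping does not mention; if `getValueAsString()` joins with a different separator or formats values differently, this is a visible output change that belongs in the description, and the same swap is made in the 1529 hunk for `$folderattribute`. The surrounding markup inside the `$attrstr .=` string is stripped on this page, so the HTML context the escaped value lands in cannot be verified from here. The enclosing `else` branch and its function start before the hunk.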