Refs #3179 pulled fix for search query encoding into trunk from 1.7 branch

git-svn-id: http://code.elgg.org/elgg/trunk@8919 36083f99-b078-4883-b0ff-0f9b5a30f544

diff --git a/mod/search/pages/search/index.php b/mod/search/pages/search/index.php
index 4da6f95ef1c2a4eff5581b8a3bd68913723f43b6..c4e8d2219b1e5cc32b09a61d7ef5e80e0778a9a7 100644 (file)
--- a/mod/search/pages/search/index.php
+++ b/mod/search/pages/search/index.php
@@ -13,9 +13,27 @@ $autofeed = true;
 $search_type = get_input('search_type', 'all');
 
 // @todo there is a bug in get_input that makes variables have slashes sometimes.
+// @todo is there an example query to demonstrate ^
 // XSS protection is more important that searching for HTML.
 $query = stripslashes(get_input('q', get_input('tag', '')));
 
+// @todo - create function for sanitization of strings for display in 1.8
+// encode <,>,&, quotes and characters above 127
+$display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8');
+$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+
+// check that we have an actual query
+if (!$query) {
+       $title = sprintf(elgg_echo('search:results'), "\"$display_query\"");
+       
+       $body  = elgg_view_title(elgg_echo('search:search_error'));
+       $body .= elgg_echo('search:no_query');
+       $layout = elgg_view_layout('one_sidebar', array('content' => $body));
+       echo elgg_view_page($title, $layout);
+
+       return;
+}
+
 // get limit and offset.  override if on search dashboard, where only 2
 // of each most recent entity types will be shown.
 $limit = ($search_type == 'all') ? 2 : get_input('limit', 10);
@@ -135,17 +153,6 @@ foreach ($custom_types as $type) {
        elgg_register_menu_item('page', $menu_item);
 }
 
-
-// check that we have an actual query
-if (!$query) {
-       $body  = elgg_view_title(elgg_echo('search:search_error'));
-       $body .= elgg_echo('search:no_query');
-       $layout = elgg_view_layout('one_sidebar', array('content' => $body));
-       echo elgg_view_page($title, $layout);
-
-       return;
-}
-
 // start the actual search
 $results_html = '';
 
@@ -251,8 +258,8 @@ if ($search_type != 'entities' || $search_type == 'all') {
 }
 
 // highlight search terms
-$searched_words = search_remove_ignored_words($query, 'array');
-$highlighted_query = search_highlight_words($searched_words, $query);
+$searched_words = search_remove_ignored_words($display_query, 'array');
+$highlighted_query = search_highlight_words($searched_words, $display_query);
 
 $body = elgg_view_title(elgg_echo('search:results', array("\"$highlighted_query\"")));
 
@@ -268,6 +275,6 @@ if (!$results_html) {
 $layout_view = search_get_search_view($params, 'layout');
 $layout = elgg_view($layout_view, array('params' => $params, 'body' => $body));
 
-$title = elgg_echo('search:results', array("\"{$params['query']}\""));
+$title = elgg_echo('search:results', array("\"$display_query\""));
 
 echo elgg_view_page($title, $layout);

diff --git a/mod/search/views/default/search/search_box.php b/mod/search/views/default/search/search_box.php
index 7561a3767f05214931ae7666a97d332cdc866adb..ff59109379d85af664b5c95b6aedf70b075cb36e 100644 (file)
--- a/mod/search/views/default/search/search_box.php
+++ b/mod/search/views/default/search/search_box.php
@@ -15,8 +15,15 @@ if (array_key_exists('value', $vars)) {
        $value = elgg_echo('search');
 }
 
+// @todo - why the strip slashes?
 $value = stripslashes($value);
 
+// @todo - create function for sanitization of strings for display in 1.8
+// encode <,>,&, quotes and characters above 127
+$display_query = mb_convert_encoding($value, 'HTML-ENTITIES', 'UTF-8');
+$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+
+
 ?>
 
 <form class="elgg-search" action="<?php echo elgg_get_site_url(); ?>search" method="get">