Added function for escaping query strings and fixed several XSRF vulnerabilities.
authorPaweł Sroka <srokap@gmail.com>
Thu, 12 Sep 2013 03:59:18 +0000 (05:59 +0200)
committerPaweł Sroka <srokap@gmail.com>
Thu, 12 Sep 2013 03:59:18 +0000 (05:59 +0200)
engine/lib/output.php
mod/groups/lib/groups.php
mod/members/pages/members/search.php
mod/search/pages/search/index.php

index 6172a5c8d6c1d7387280bfc41ca79f3ce7229c72..de4f911fbec9ff89711094c1ec96ae9282816fc5 100644 (file)
@@ -420,6 +420,25 @@ function _elgg_html_decode($string) {
        return $string;
 }
 
+/**
+ * Prepares query string for output to prevent CSRF attacks.
+ * 
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+       //encode <,>,&, quotes and characters above 127
+       if (function_exists('mb_convert_encoding')) {\r
+               $display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');\r
+       } else {\r
+               // if no mbstring extension, we just strip characters\r
+               $display_query = preg_replace("/[^\x01-\x7F]/", "", $string);\r
+       }\r
+       return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
 /**
  * Unit tests for Output
  *
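Review bot: The docblock on `_elgg_get_display_query` says it prevents CSRF, but entity-encoding the query and passing it through `htmlspecialchars` with `ENT_QUOTES` protects against reflected cross-site scripting when the value is echoed back into the page; the commit title's "XSRF" is the same mix-up. Change the description to ` * Prepares query string for output to prevent XSS attacks.` and add ` * The result is safe for HTML element content and quoted attributes only; escape again for URL or JavaScript contexts.` so callers do not reuse it elsewhere. The lines from `if (function_exists('mb_convert_encoding')) {` through the closing brace of the `else` branch carry CRLF line endings while the rest of the file is LF (the `$display_query = _elgg_get_display_query($tag);` line in mod/members/pages/members/search.php has the same), which should be normalised before merging. `@param string $string` is declared but the callers hand over `get_input()` results; if that helper can return an array for a repeated request parameter (not shown here), `mb_convert_encoding` would emit a warning and the title would be empty, so a `(string)` cast or an `is_string` guard at the top may be worth adding.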
index 77d7c09cca3f7b2a90afe4bdaaafec37a359913e..aa8766e06134d0bf1033e16b0eca1659e4157b7d 100644 (file)
@@ -73,7 +73,8 @@ function groups_search_page() {
        elgg_push_breadcrumb(elgg_echo('search'));
 
        $tag = get_input("tag");
-       $title = elgg_echo('groups:search:title', array($tag));
+       $display_query = _elgg_get_display_query($tag);
+       $title = elgg_echo('groups:search:title', array($display_query));
 
        // groups plugin saves tags as "interests" - see groups_fields_setup() in start.php
        $params = array(
index 1f0444d671c5ca75e893da08e49245d0b76f77e4..5466a8246d9cb3eb8e244df9830cef6af3df4bc1 100644 (file)
@@ -7,7 +7,9 @@
 if ($vars['search_type'] == 'tag') {
        $tag = get_input('tag');
 
-       $title = elgg_echo('members:title:searchtag', array($tag));
+       $display_query = _elgg_get_display_query($tag);\r
+
+       $title = elgg_echo('members:title:searchtag', array($display_query));
 
        $options = array();
        $options['query'] = $tag;
@@ -28,7 +30,9 @@ if ($vars['search_type'] == 'tag') {
 } else {
        $name = sanitize_string(get_input('name'));
 
-       $title = elgg_echo('members:title:searchname', array($name));
+       $display_query = _elgg_get_display_query($name);
+
+       $title = elgg_echo('members:title:searchname', array($display_query));
 
        $db_prefix = elgg_get_config('dbprefix');
        $params = array(
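Review bot: `$display_query` is built from `$name` after `sanitize_string()`, so if that helper applies database escaping (it is not shown here) the page title would display backslashes before quotes in the searched name; escape the raw input for display instead, `$display_query = _elgg_get_display_query(get_input('name'));`, and keep `$name` for the query. The tag branch in the earlier hunk of this file escapes the unsanitised `get_input('tag')` value directly, so the two branches would then match. The enclosing `else` block continues past the end of the hunk.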
index ede09329bc3d861a85b0f7205d60f19cbcdf8d30..9542e075176eb11c0a6b3a95af4764981d2642a1 100644 (file)
@@ -17,15 +17,7 @@ $search_type = get_input('search_type', 'all');
 // XSS protection is more important that searching for HTML.
 $query = stripslashes(get_input('q', get_input('tag', '')));
 
-// @todo - create function for sanitization of strings for display in 1.8
-// encode <,>,&, quotes and characters above 127
-if (function_exists('mb_convert_encoding')) {
-       $display_query = mb_convert_encoding($query, 'HTML-ENTITIES', 'UTF-8');
-} else {
-       // if no mbstring extension, we just strip characters
-       $display_query = preg_replace("/[^\x01-\x7F]/", "", $query);
-}
-$display_query = htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+$display_query = _elgg_get_display_query($query);
 
 // check that we have an actual query
 if (!$query) {