docs: Properly quote self uri in search.php

This removes the classical XSS vulnerability of using unquoted PHP_SELF. Reported-by: N John Lightsey <john@nixnuts.net> Signed-off-by: N Martin Kletzander <mkletzan@redhat.com>

docs: Properly quote self uri in search.php
This removes the classical XSS vulnerability of using unquoted PHP_SELF. Reported-by: N John Lightsey <john@nixnuts.net> Signed-off-by: N Martin Kletzander <mkletzan@redhat.com>
f27dd534 · Martin Kletzander · ccac4465 · f27dd534
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

docs/search.php.code.in docs/search.php.code.in +1 -1

未找到文件。
--- a/docs/search.php.code.in
+++ b/docs/search.php.code.in
@@ -12,7 +12,7 @@
    $querystr = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
 ?>

-<form action="<?php echo $_SERVER['PHP_SELF'], "?query=", rawurlencode($query) ?>"
+<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'), "?query=", rawurlencode($query) ?>"
      enctype="application/x-www-form-urlencoded" method="get">
  <input name="query" type="text" size="50" value="<?php echo $querystr ?>"/>
  <select name="scope">