Index: trunk/CHANGELOG
===================================================================
--- trunk/CHANGELOG	(revision 653)
+++ trunk/CHANGELOG	(revision 654)
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.7.0 -------------------------------------
+01-Feb-2008 Thomas Hornik
+#	Fixed possible XSS-vulnerability in wb/search/search.php
 31-Jan-2008 Thomas Hornik
 !	Adjusted clock-red icon to match wb colors
 #	admin/pages: the parent dropdown-list in index.php and settings.php showed foreign private pages, too. Fixed.
Index: trunk/wb/search/search.php
===================================================================
--- trunk/wb/search/search.php	(revision 653)
+++ trunk/wb/search/search.php	(revision 654)
@@ -70,7 +70,7 @@
 // Get the search type
 $match = 'all';
 if(isset($_REQUEST['match'])) {
-	$match = $_REQUEST['match'];
+	$match = $wb->add_slashes(strip_tags($_REQUEST['match']));
 }
 
 // Get the path to search into. Normally left blank
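Review bot: `$match` on the added line is filtered with strip_tags/add_slashes even though it is only ever compared against a fixed set of modes (the default `all` on line 20, `exact` in the later hunk), so a whitelist is the cleaner fix and removes the question of what an unexpected value does if it is echoed back or reaches SQL: `$match = (isset($_REQUEST['match']) && in_array($_REQUEST['match'], $allowed_modes, true)) ? $_REQUEST['match'] : 'all';` with `$allowed_modes` listing exactly the modes the query builder below handles. strip_tags is not an HTML-context escape (quotes that terminate an attribute pass through it), so wherever this value is printed it should still go through htmlspecialchars at the output point rather than relying on the filtering here. The same strip_tags/add_slashes pattern is applied to `$search_path` in the next hunk.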
@@ -83,7 +83,7 @@
 $search_path_SQL = "";
 $search_path = "";
 if(isset($_REQUEST['search_path'])) {
-	$search_path = $_REQUEST['search_path'];
+	$search_path = $wb->add_slashes(strip_tags($_REQUEST['search_path']));
 	if($search_path != '') {
 		$search_path_SQL = "AND ( ";
 		$not = "";
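Review bot: `$search_path` on the added line is interpolated into the SQL fragment that starts on the following lines, and the only SQL escaping it receives is `$wb->add_slashes`; if that wraps addslashes() it is not connection-charset aware, so the driver's own escape function (mysql_real_escape_string, given the removed comment in the next hunk refers to it, or a placeholder-bound query if the wrapper offers one) is the safer choice — the same applies to the `add_slashes` call that replaces the strtr emulation in the next hunk. strip_tags adds nothing to SQL safety and is not a complete HTML-context escape either, so if `$search_path` is echoed back into the form it should pass through htmlspecialchars at the output. The `if($search_path != '')` block that consumes the value continues past the end of the hunk.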
@@ -121,14 +121,14 @@
 	if ($match!='exact') {
 		$string=str_replace(',', '', $_REQUEST['string']);
 	} else {
-		$string=$_REQUEST['string'];
+		$string=$_REQUEST['string']; // $string will be cleaned below
 	}
 	// redo possible magic quotes
 	$string = $wb->strip_slashes($string);
 	$string = htmlspecialchars($string);
 	$search_display_string = $string;
-	// simulate mysql_real_escape_string()
-	$string = strtr($string, array("\x00"=>"\\\x00", "\n"=>"\\\n", "\r"=>"\\\r", '\\'=>'\\\\','\''=>'\\\'','"'=>"\\\"","\x1a"=>"\\\x1a"));
+	// do really addslashes()
+	$string = $wb->add_slashes($string);
 	// remove some bad chars
 	$string = preg_replace("/(^|\s+)([.])+(?=\s+|$)/", "", $string);
 	// mySQL needs four backslashes to match one in LIKE comparisons)
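Review bot: `htmlspecialchars($string)` on line 45 is called without ENT_QUOTES, so `$search_display_string` still contains raw single quotes and is only safe to print in element content or double-quoted attributes; since this commit is the XSS fix, `$string = htmlspecialchars($string, ENT_QUOTES);` closes that gap at no cost. Replacing the strtr emulation with `$wb->add_slashes` also drops the escaping of `\n`, `\r` and `\x1a` that the removed lines handled; if add_slashes just wraps addslashes() that is a behaviour change the new comment should state, e.g. `// addslashes(): escapes ' " \ and NUL only; not charset-aware, see mysql_real_escape_string()`. The enclosing block (everything here is indented one level, opened before line 121) starts outside the hunk.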
