/ - Diff - WB 2.08.x - Tracking

« Previous | Next »

Revision 713

fixed possible(?) XSS-attack in search.php.

     $search_path_SQL = "";
     $search_path = "";
     if(isset($_REQUEST['search_path'])) {
     	$search_path = $wb->add_slashes(strip_tags($_REQUEST['search_path']));
     	$search_path = $wb->add_slashes($_REQUEST['search_path']);
     	if(preg_match('/[\'"=()&+\\\\]/', $search_path))
     		$search_path = '';
     	if($search_path != '') {
     		$search_path_SQL = "AND ( ";
     		$not = "";

Also available in: Unified diff