Revision 716
Added by thorn over 16 years ago
| trunk/wb/search/search.php | ||
|---|---|---|
| 84 | 84 |
$search_path = ""; |
| 85 | 85 |
if(isset($_REQUEST['search_path'])) {
|
| 86 | 86 |
$search_path = $wb->add_slashes($_REQUEST['search_path']); |
| 87 |
if(preg_match('/[\'"=()&+\\\\]/', $search_path))
|
|
| 87 |
if(!preg_match('~^[-a-zA-Z0-9_,/ ]+$~', $search_path))
|
|
| 88 | 88 |
$search_path = ''; |
| 89 | 89 |
if($search_path != '') {
|
| 90 | 90 |
$search_path_SQL = "AND ( "; |
Also available in: Unified diff
XSS-prevention in search.php: changed blacklist to whitelist.