Project

General

Profile

« Previous | Next » 

Revision 716

Added by thorn over 16 years ago

XSS-prevention in search.php: changed blacklist to whitelist.

View differences:

trunk/wb/search/search.php
84 84
$search_path = "";
85 85
if(isset($_REQUEST['search_path'])) {
86 86
	$search_path = $wb->add_slashes($_REQUEST['search_path']);
87
	if(preg_match('/[\'"=()&+\\\\]/', $search_path))
87
	if(!preg_match('~^[-a-zA-Z0-9_,/ ]+$~', $search_path))
88 88
		$search_path = '';
89 89
	if($search_path != '') {
90 90
		$search_path_SQL = "AND ( ";

Also available in: Unified diff