Revision 716
Added by thorn almost 17 years ago
search.php | ||
---|---|---|
84 | 84 |
$search_path = ""; |
85 | 85 |
if(isset($_REQUEST['search_path'])) { |
86 | 86 |
$search_path = $wb->add_slashes($_REQUEST['search_path']); |
87 |
if(preg_match('/[\'"=()&+\\\\]/', $search_path))
|
|
87 |
if(!preg_match('~^[-a-zA-Z0-9_,/ ]+$~', $search_path))
|
|
88 | 88 |
$search_path = ''; |
89 | 89 |
if($search_path != '') { |
90 | 90 |
$search_path_SQL = "AND ( "; |
Also available in: Unified diff
XSS-prevention in search.php: changed blacklist to whitelist.