Fix XSS vulnerability in tag search

It affect the title tag of the bookmark list page. Fixes #2038
shaarli · Nov 22, 2023 · 5553783 · 5553783
1 parent ca07f26
commit 5553783
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/application/front/controller/visitor/BookmarkListController.php b/application/front/controller/visitor/BookmarkListController.php
@@ -81,6 +81,9 @@ public function index(Request $request, Response $response): Response
         $tagsSeparator = $this->container->conf->get('general.tags_separator', ' ');
         $searchTagsUrlEncoded = array_map('urlencode', tags_str2array($searchTags, $tagsSeparator));
         $searchTags = !empty($searchTags) ? trim($searchTags, $tagsSeparator) . $tagsSeparator : '';
+
+        $searchTags = !empty($searchTags) ? escape($searchTags) : '';
+        $searchTerm = !empty($searchTerm) ? escape($searchTerm) : '';
 
         // Fill all template fields.
         $data = array_merge(
@@ -91,8 +94,8 @@ public function index(Request $request, Response $response): Response
                 'page_current' => $page,
                 'page_max' => $searchResult->getLastPage(),
                 'result_count' => $searchResult->getTotalCount(),
-                'search_term' => escape($searchTerm),
-                'search_tags' => escape($searchTags),
+                'search_term' => $searchTerm,
+                'search_tags' => $searchTags,
                 'search_tags_url' => $searchTagsUrlEncoded,
                 'visibility' => $visibility,
                 'links' => $links,