Raised by https://www.xssposed.org/incidents/69566/
Need to escape the user provided query before displaying it back
I pushed immediately as this was made public,
Daniel
diff --git a/docs/search.php.code.in b/docs/search.php.code.in
index df25cd6..84f8759 100644
--- a/docs/search.php.code.in
+++ b/docs/search.php.code.in
@@ -13,7 +13,7 @@
<form action="<?php echo $_SERVER['PHP_SELF'], "?query=", rawurlencode($query)
?>"
enctype="application/x-www-form-urlencoded" method="get">
- <input name="query" type="text" size="50" value="<?php echo $query?>"/>
+ <input name="query" type="text" size="50" value="<?php echo
htmlspecialchars($query, ENT_QUOTES, 'UTF-8')?>"/>
<select name="scope">
<option value="any">Search All</option>
<option value="API" <?php if ($scope == 'API') print
"selected='selected'"?>>Only the APIs</option>
--
Daniel Veillard | Open Source and Standards, Red Hat
[email protected] | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
