Friday, September 25, 2009, 9:07:00 AM, Hans wrote:

> In FmtPageList the query string from $_REQUEST['q'] is transformed
> with htmlspecialchars().
> What are the risks if the search script reverses this for each query
> argument with htmlspecialchars_decode(), in order to be able to
> search for instance for terms including < and > characters?
Looking at pagelist.php and pmwiki.php I see now that htmlspecialchars() encoding is needed for the search query, because $SearchResultsFmt contains $[SearchFor], which is translated to 'Results of search for <em>$Needle</em>:', so any unencoded HTML in $Needle would be executed.

On the other hand, any script output going through MarkupToHTML() will have HTML characters encoded, because MarkupToHTML() uses PVSE() on all text.

So I see no reason not to decode the query string, as any output will pass through MarkupToHTML().

Hans

_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
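As an added illustration (not PmWiki's own code), the three stages the thread describes in plain PHP: the query as it arrives after htmlspecialchars(), a decoded needle used only for matching, and the results heading re-encoded at the point where it is emitted as HTML. The page text and query are constructed samples; the function names are hypothetical.

```php
<?php
// Constructed sample: a page body and the raw term the user typed.
$pageText = "Use <b>bold</b> tags; the ordering a < b is <em>important</em>.";
$rawQuery = "a < b";

// Stage 1: what the request handler sees after htmlspecialchars().
// '<' and '>' are now entity-encoded, so the string no longer looks
// like what the user typed.
$encodedQuery = htmlspecialchars($rawQuery, ENT_QUOTES);

// Matching the still-encoded form against page text misses any hit
// whose term contains < or >, which is the problem the question raises.
function matchesEncoded(string $text, string $encoded): bool {
    return stripos($text, $encoded) !== false;
}

// Stage 2: decode exactly once, and only for the comparison, so the
// needle is the literal characters the user searched for.
function matchesDecoded(string $text, string $encoded): bool {
    $needle = htmlspecialchars_decode($encoded, ENT_QUOTES);
    return stripos($text, $needle) !== false;
}

// Stage 3: the display sink. The heading is built as HTML directly, not
// through a markup pass that escapes for us, so the needle must be
// encoded again here. Decoding alone would interpolate raw markup into
// the page, which is the risk the reply identifies for $SearchResultsFmt.
function resultsHeading(string $needle): string {
    return 'Results of search for <em>'
        . htmlspecialchars($needle, ENT_QUOTES)
        . '</em>:';
}

$needle = htmlspecialchars_decode($encodedQuery, ENT_QUOTES);
var_dump(matchesEncoded($pageText, $encodedQuery)); // encoded form: no hit
var_dump(matchesDecoded($pageText, $encodedQuery)); // decoded needle: hit
echo resultsHeading($needle), "\n";                  // safe to emit as HTML
```

The rule it demonstrates is the one the thread arrives at: decode for the comparison, and escape whatever reaches an HTML sink that does not pass through MarkupToHTML().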