diff --git a/application/utils.inc.php b/application/utils.inc.php
index 766103a1e..0ce86f468 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -480,7 +480,7 @@ class utils
 // For URL case
 case static::ENUM_SANITIZATION_FILTER_URL:
- $retValue = filter_var($value, FILTER_SANITIZE_URL);
+ $retValue = filter_var($value, FILTER_VALIDATE_URL);
 break;
 default:
diff --git a/pages/UI.php b/pages/UI.php
index bde6df71f..591469b70 100644
--- a/pages/UI.php
+++ b/pages/UI.php
@@ -592,8 +592,8 @@ try
 if ($sQuery !== $sFullText) { $sQueryLabel = $sFullText; }
- GlobalSearchHelper::AddQueryToHistory($sQuery, $sQueryIconUrl, $sQueryLabel);
- $oP->SetBlockParam('ibo-global-search.sQuery', $sQuery);
+ GlobalSearchHelper::AddQueryToHistory(utils::EscapeHtml($sQuery), $sQueryIconUrl, $sQueryLabel);
+ $oP->SetBlockParam('ibo-global-search.sQuery', utils::EscapeHtml($sQuery));
 // Check the needle length
 $iMinLenth = MetaModel::GetConfig()->Get('full_text_needle_min');
diff --git a/pages/ajax.searchform.php b/pages/ajax.searchform.php
index 118f5094e..44c51c6cc 100644
--- a/pages/ajax.searchform.php
+++ b/pages/ajax.searchform.php
@@ -55,7 +55,7 @@ try
 if (array_key_exists('table_inner_id', $aListParams)) {
- $sListId = $aListParams['table_inner_id'];
+ $sListId = utils::HtmlEntities($aListParams['table_inner_id']);
 }
 if (array_key_exists('json', $aListParams))
diff --git a/pages/preferences.php b/pages/preferences.php
index 68288ada9..d30f9a5f4 100644
--- a/pages/preferences.php
+++ b/pages/preferences.php
@@ -811,7 +811,7 @@ try {
 foreach ($aShortcutClasses as $cShortcutPlugin) {
 foreach ($cShortcutPlugin::GetShortcutKeys() as $aShortcutKey) {
 $sKey = utils::ReadParam($aShortcutKey['id'], $aShortcutKey['key'], true, 'raw_data');
- $aShortcutPrefs[$aShortcutKey['id']] = strtolower($sKey);
+ $aShortcutPrefs[$aShortcutKey['id']] = strtolower(utils::HtmlEntities($sKey));
 }
 }
 appUserPreferences::SetPref('keyboard_shortcuts', $aShortcutPrefs);
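Review bot: Switching the URL case from FILTER_SANITIZE_URL to FILTER_VALIDATE_URL changes the contract from "strip disallowed bytes" to "reject the whole value", and the rejection value is `false`, not `null`, unless the FILTER_NULL_ON_FAILURE flag is passed; the test hunk expects `null`, so either the rest of Sanitize (the enclosing function starts and ends outside this hunk) already maps `false` to `null`, or this line should read `$retValue = filter_var($value, FILTER_VALIDATE_URL, FILTER_NULL_ON_FAILURE);`. Two further consequences deserve a comment on the `case`: FILTER_VALIDATE_URL rejects any URL containing non-ASCII characters, so internationalised hostnames or paths that used to be cleaned are now dropped entirely, and it does not restrict the scheme, so a value that passes is syntactically a URL but still needs escaping for whatever context it is emitted into. Suggested comment above the filter_var call: `// Validation, not sanitization: an invalid URL (incl. any non-ASCII char) is rejected as a whole; the scheme is not restricted, so callers must still escape for the output context.`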
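Review bot: The HTML escaping is applied at the call site, before storage in the history and before the block parameter is set, while `$sQueryLabel` (assigned from the raw `$sFullText` on the line above) is passed through unescaped, so the history entry now mixes one encoded field with one raw field. If AddQueryToHistory or the block template escapes on output (Twig autoescape or an explicit EscapeHtml in the renderer, neither visible here), the encoded `$sQuery` is double-encoded and a query containing `&`, `<` or `"` is displayed and replayed in its entity form; if they do not, the label has the same exposure the commit fixes for the query. Prefer escaping once on the rendering side and treating both values identically; if escaping at this call site is the intended design, apply it to the label too, `GlobalSearchHelper::AddQueryToHistory(utils::EscapeHtml($sQuery), $sQueryIconUrl, utils::EscapeHtml($sQueryLabel));` (guarding the case where the label is unset, which the hunk does not show), and document on the history helper that it stores HTML-ready strings. The enclosing try block starts and ends outside this hunk.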
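Review bot: `utils::HtmlEntities` on `table_inner_id` encodes for an HTML text or attribute context, but a list identifier is typically spliced into an element id, a selector or an inline-script string, where entity encoding is either ineffective (entities are not decoded inside `<script>`) or leaves characters such as `'`, `(` and `)` untouched depending on the flags HtmlEntities uses, which this hunk does not show. Since the value is an identifier, the stronger and simpler control is to restrict it to identifier characters rather than encode it: the codebase already has the element-identifier sanitization filter (`utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER`, exercised in the test hunk), which keeps `AD05nb` and strips `+`, and a value that fails it should fall back to a generated id rather than be emitted. Where `$aListParams` is populated and where `$sListId` is consumed are outside this hunk, as is the enclosing try block, so the output context should be confirmed before choosing the escaping.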
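Review bot: Encoding before lowercasing is the wrong order on the changed line: if `utils::HtmlEntities` wraps htmlentities() (not shown here), a non-ASCII key becomes a named entity such as `&Auml;`, and `strtolower` then rewrites it to `&auml;`, a different character, because named entities are case-sensitive. At minimum swap the calls, `$aShortcutPrefs[$aShortcutKey['id']] = utils::HtmlEntities(strtolower($sKey));`; better, validate instead of encode, since a shortcut key is a short token compared against keyboard events: accept only an allow-listed pattern of key names and fall back to `$aShortcutKey['key']` otherwise, which also avoids persisting entity-encoded values that the consumer must decode before comparison. Reading the parameter with the `'raw_data'` filter is what makes this post-processing necessary; a one-line comment stating that the value is validated or encoded right here would keep the next maintainer from treating `$sKey` as safe elsewhere. The two foreach loops are fully inside the hunk; the try block around them is not.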
diff --git a/tests/php-unit-tests/unitary-tests/application/utilsTest.php b/tests/php-unit-tests/unitary-tests/application/utilsTest.php
index 5d302ea7f..17ee18478 100644
--- a/tests/php-unit-tests/unitary-tests/application/utilsTest.php
+++ b/tests/php-unit-tests/unitary-tests/application/utilsTest.php
@@ -830,7 +830,7 @@ class utilsTest extends ItopTestCase
 'good element_identifier' => [utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER, 'AD05nb', 'AD05nb'],
 'bad element_identifier' => [utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER, 'AD05nb+', 'AD05nb'],
 'good url' => [utils::ENUM_SANITIZATION_FILTER_URL, 'https://www.w3schools.com', 'https://www.w3schools.com'],
- 'bad url' => [utils::ENUM_SANITIZATION_FILTER_URL, 'https://www.w3schoo��ls.co�m', 'https://www.w3schools.com'],
+ 'bad url' => [utils::ENUM_SANITIZATION_FILTER_URL, 'https://www.w3schoo��ls.co�m', null],
 'raw_data' => ['raw_data', '\s😃😃😃', '\s😃😃😃'],
 ];
 }
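Review bot: The only negative URL case now rests on an input containing replacement characters, which FILTER_VALIDATE_URL rejects merely because it holds non-ASCII bytes, so the data set no longer pins the two behaviours that the utils.inc.php hunk changed: a URL that is non-ASCII but otherwise legitimate is now rejected rather than cleaned, and a well-formed URL with a non-http(s) scheme (an `ftp://` URL, for instance) is still accepted. Add one named dataset for each so the new contract is explicit, e.g. an `'idn url'` entry expecting `null` and a `'non-http scheme url'` entry expecting its input back, adjusting the second to whatever scheme policy is intended. Also confirm the `null` expectation against the filter: filter_var with FILTER_VALIDATE_URL returns `false` unless FILTER_NULL_ON_FAILURE is set, and whether Sanitize converts that is outside this diff.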