authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2015-01-21 00:44:26 +0100
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2015-01-21 00:44:26 +0100
commit211569ef85f50891035e3e2645ec0c87badec1e1 (patch)
treecdd2a1b5889f39bdf09263cb63071618e6da7c32
parent12081f7ba2089c8046dacac23ebe44ea843d7ef1 (diff)
Minz: missing URL key/param encoding
This caused searches such as "intitle:&amp;" to fail after paging, and opened possible XSS vulnerabilities. Discovered during https://github.com/FreshRSS/FreshRSS/issues/754
-rw-r--r--app/layout/header.phtml3
-rw-r--r--app/layout/nav_menu.phtml3
-rw-r--r--lib/Minz/Url.php34
3 files changed, 19 insertions, 21 deletions
diff --git a/app/layout/header.phtml b/app/layout/header.phtml
index 2b968252b..41a63a565 100644
--- a/app/layout/header.phtml
+++ b/app/layout/header.phtml
@@ -25,8 +25,7 @@ if (FreshRSS_Auth::accessNeedsAction()) {
<?php if (FreshRSS_Auth::hasAccess() || FreshRSS_Context::$system_conf->allow_anonymous) { ?>
<form action="<?php echo _url('index', 'index'); ?>" method="get">
<div class="stick">
- <?php $search = Minz_Request::param('search', ''); ?>
- <input type="search" name="search" id="search" class="extend" value="<?php echo $search; ?>" placeholder="<?php echo _t('gen.menu.search'); ?>" />
+ <input type="search" name="search" id="search" class="extend" value="<?php echo FreshRSS_Context::$search; ?>" placeholder="<?php echo _t('gen.menu.search'); ?>" />
<?php $get = Minz_Request::param('get', ''); ?>
<?php if ($get != '') { ?>
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index d35a0b5fb..3a755b560 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -156,8 +156,7 @@
<div class="item search">
<form action="<?php echo _url('index', 'index'); ?>" method="get">
- <?php $search = Minz_Request::param('search', ''); ?>
- <input type="search" name="search" class="extend" value="<?php echo $search; ?>" placeholder="<?php echo _t('index.menu.search_short'); ?>" />
+ <input type="search" name="search" class="extend" value="<?php echo FreshRSS_Context::$search; ?>" placeholder="<?php echo _t('index.menu.search_short'); ?>" />
<?php $get = Minz_Request::param('get', ''); ?>
<?php if($get != '') { ?>
diff --git a/lib/Minz/Url.php b/lib/Minz/Url.php
index e9f9a69ba..af555a277 100644
--- a/lib/Minz/Url.php
+++ b/lib/Minz/Url.php
@@ -45,45 +45,45 @@ class Minz_Url {
return $url_string;
}
-
+
/**
* Construit l'URI d'une URL
* @param l'url sous forme de tableau
* @param $encodage pour indiquer comment encoder les & (& ou &amp; pour html)
* @return l'uri sous la forme ?key=value&key2=value2
*/
- private static function printUri ($url, $encodage) {
+ private static function printUri($url, $encodage) {
$uri = '';
$separator = '?';
-
- if($encodage == 'html') {
+
+ if ($encodage === 'html') {
$and = '&amp;';
} else {
$and = '&';
}
-
- if (isset ($url['c'])
- && $url['c'] != Minz_Request::defaultControllerName ()) {
+
+ if (isset($url['c'])
+ && $url['c'] != Minz_Request::defaultControllerName()) {
$uri .= $separator . 'c=' . $url['c'];
$separator = $and;
}
-
- if (isset ($url['a'])
- && $url['a'] != Minz_Request::defaultActionName ()) {
+
+ if (isset($url['a'])
+ && $url['a'] != Minz_Request::defaultActionName()) {
$uri .= $separator . 'a=' . $url['a'];
$separator = $and;
}
-
- if (isset ($url['params'])) {
+
+ if (isset($url['params'])) {
foreach ($url['params'] as $key => $param) {
- $uri .= $separator . $key . '=' . $param;
+ $uri .= $separator . urlencode($key) . '=' . urlencode($param);
$separator = $and;
}
}
-
+
return $uri;
}
-
+
/**
* Vérifie que les éléments du tableau représentant une url soit ok
* @param l'url sous forme de tableau (sinon renverra directement $url)
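Review bot: The `urlencode()` added on the `params` line is not applied to `$url['c']` and `$url['a']` a few lines above, which are still concatenated raw into `$uri`, so a controller or action name that ever originates from request data would bypass the encoding this commit introduces (whether that can happen is not visible here). For consistency the two lines should read `$uri .= $separator . 'c=' . urlencode($url['c']);` and `$uri .= $separator . 'a=' . urlencode($url['a']);`. The hunk also tightens `==` to `===` for `$encodage` but leaves the `!=` comparisons against `defaultControllerName()`/`defaultActionName()` loose, where `!==` would match the new style. Note as well that `urlencode($param)` warns and yields an empty value if a param entry is an array rather than a scalar; the docblock above could state that `params` values must be scalars, or the loop could cast with `(string)` after checking.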
@@ -91,7 +91,7 @@ class Minz_Url {
*/
public static function checkUrl ($url) {
$url_checked = $url;
-
+
if (is_array ($url)) {
if (!isset ($url['c'])) {
$url_checked['c'] = Minz_Request::defaultControllerName ();
@@ -103,7 +103,7 @@ class Minz_Url {
$url_checked['params'] = array ();
}
}
-
+
return $url_checked;
}
}