| author | 2024-09-12 11:04:49 +0200 | |
|---|---|---|
| committer | 2024-09-12 11:04:49 +0200 | |
| commit | fd1b5e9343b6fe92b4e5dfbbc2f01ddfcd010af9 (patch) | |
| tree | 5cc4e7399212d2fdce401465e3590f2275b16c26 /app/Controllers/configureController.php | |
| parent | d1f1e42c2b180f34276d7ddd1a2bfeaf4e59ed05 (diff) | |
Fix inversed encoding logic in paramArray (#6800)
* Fix inversed encoding logic in paramArray
https://github.com/FreshRSS/FreshRSS/pull/6797#discussion_r1754661634
Also fix the possibility to use `<'&">` in shortcuts, and some minor encoding bugs in user queries
* Forgot paramArrayString
Diffstat (limited to 'app/Controllers/configureController.php')
| -rw-r--r-- | app/Controllers/configureController.php | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index a9304376f..612129b8a 100644
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -202,7 +202,7 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 $this->view->list_keys = SHORTCUT_KEYS;
 if (Minz_Request::isPost()) {
- $shortcuts = Minz_Request::paramArray('shortcuts');
+ $shortcuts = Minz_Request::paramArray('shortcuts', specialchars: true);
 if (Minz_Request::paramBoolean('load_default_shortcuts')) {
 $default = Minz_Configuration::load(FRESHRSS_PATH . '/config-user.default.php');
 $shortcuts = $default['shortcuts'];
@@ -379,12 +379,13 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 $name = _t('conf.query.number', $id + 1);
 }
 if (!empty($params['get']) && is_string($params['get'])) {
- $queryParams['get'] = htmlspecialchars_decode($params['get'], ENT_QUOTES);
+ $queryParams['get'] = $params['get'];
 }
 if (!empty($params['order']) && is_string($params['order'])) {
- $queryParams['order'] = htmlspecialchars_decode($params['order'], ENT_QUOTES);
+ $queryParams['order'] = $params['order'];
 }
 if (!empty($params['search']) && is_string($params['search'])) {
+ // Search must be as plain text to be XML-encoded or URL-encoded depending on the situation
 $queryParams['search'] = htmlspecialchars_decode($params['search'], ENT_QUOTES);
 }
 if (!empty($params['state']) && is_array($params['state'])) {
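Review bot: The encoded array produced by `paramArray('shortcuts', specialchars: true)` is replaced a few lines later by `$shortcuts = $default['shortcuts'];`, which comes from config-user.default.php without the same encoding, so two encodings can reach whatever stores the shortcuts. That is presumably harmless while the defaults contain no `<'&">` characters, but nothing in the hunk says so. I would add a comment above that assignment such as `// Shortcut values are kept HTML-encoded (specialchars: true); the defaults are expected to contain no characters that need encoding`. The rest of the action lies outside the hunk, so how the values are saved and printed cannot be checked from here.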
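Review bot: `get` and `order` are now copied from `$params` unchanged while `search` is still decoded, and the new comment explains only the `search` case, so a reader cannot tell which encoding `$params` carries at this point. A one-line comment before the first `if`, for example `// $params comes from Minz_Request::paramArray() and is <encoded|plain> here; only search is normalised to plain text`, would pin that down; where `$params` is assigned is outside the hunk. Both values later feed `Minz_Url::display(['params' => $queryParams])` (third hunk), so if `order` only ever takes a fixed set of values, an allow-list check such as `in_array($params['order'], ['ASC', 'DESC'], true)` would be stricter than `is_string()`.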
@@ -398,7 +399,7 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 $queryParams['url'] = Minz_Url::display(['params' => $queryParams]);
 $queryParams['name'] = $name;
 if (!empty($params['description']) && is_string($params['description'])) {
- $queryParams['description'] = htmlspecialchars_decode($params['description'], ENT_QUOTES);
+ $queryParams['description'] = $params['description'];
 }
 if (!empty($params['imageUrl']) && is_string($params['imageUrl'])) {
 $queryParams['imageUrl'] = $params['imageUrl']; |
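Review bot: Queries saved before this change hold a `description` that went through `htmlspecialchars_decode()`, while new ones keep the submitted form, so the stored data may now mix two encodings. If the view prints `description` assuming one of them, older or newer entries containing `<`, `&` or quotes could be shown double-encoded or unescaped; the view is not part of this diff, so this is inferred. A comment on the new line, e.g. `// kept as received from paramArray(); the view must escape accordingly`, or a note on migrating existing queries, would make the contract explicit. The `imageUrl` branch below is stored as received as well, and the function continues past the end of the hunk.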
