| field | value |
|---|---|
| author | 2015-01-21 00:44:26 +0100 |
| committer | 2015-01-21 00:44:26 +0100 |
| commit | 211569ef85f50891035e3e2645ec0c87badec1e1 (patch) |
| tree | cdd2a1b5889f39bdf09263cb63071618e6da7c32 /app/layout/header.phtml |
| parent | 12081f7ba2089c8046dacac23ebe44ea843d7ef1 (diff) |
Minz: missing URL key/param encoding
Caused searches such as "intitle:&" to fail after paging, and
possible XSS vulnerabilities.
Discovered during https://github.com/FreshRSS/FreshRSS/issues/754
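The two defects the commit message names, unencoded query parameters that break paging and an unescaped request parameter reflected into an HTML attribute, reproduced on the search term "intitle:&". This is an added example written for this page, not FreshRSS or Minz code: the `/?c=index&a=index` URL shape is an assumption standing in for whatever `_url('index', 'index')` produces, the helper function names are hypothetical, and the hostile search term is a constructed attribute-breakout payload, not one taken from the linked issue.

```php
<?php
// Added example (not FreshRSS/Minz code). Reproduces the two failure modes
// from the commit message on the search term "intitle:&":
//   1. a paging URL built by string concatenation leaves '&' unencoded,
//      so the next page receives a truncated search term;
//   2. echoing the raw request parameter into an HTML attribute lets a
//      crafted term break out of the attribute (reflected XSS).
declare(strict_types=1);

// Constructed sample input: what the browser sent from the search box.
$search = 'intitle:&';

// --- 1. URL key/param encoding -------------------------------------------

// Broken: the term is concatenated verbatim into the query string.
// (Hypothetical helper; '/?c=index&a=index' is an assumed URL layout.)
function pagingUrlBroken(string $search, int $page): string
{
    return '/?c=index&a=index&search=' . $search . '&page=' . $page;
}

// Fixed: every key and value goes through http_build_query with RFC 3986
// percent-encoding, so the '&' inside the term survives the round trip.
function pagingUrlFixed(string $search, int $page): string
{
    $params = ['c' => 'index', 'a' => 'index', 'search' => $search, 'page' => $page];
    return '/?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// What a receiving request would parse back out of a given URL.
function searchSeenByServer(string $url): string
{
    $query = parse_url($url, PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $parsed);
    return (string) ($parsed['search'] ?? '');
}

echo "broken URL:   ", pagingUrlBroken($search, 2), "\n";
echo "server sees:  ", searchSeenByServer(pagingUrlBroken($search, 2)), "\n";
echo "fixed URL:    ", pagingUrlFixed($search, 2), "\n";
echo "server sees:  ", searchSeenByServer(pagingUrlFixed($search, 2)), "\n";

// --- 2. HTML attribute escaping ------------------------------------------

// Broken: mirrors the removed template line. A term containing a double
// quote closes the value attribute and the remainder is parsed as markup.
function searchInputBroken(string $search): string
{
    return '<input type="search" name="search" value="' . $search . '" />';
}

// Fixed: htmlspecialchars with ENT_QUOTES escapes both quote styles, so the
// term can never leave the attribute value.
function searchInputFixed(string $search): string
{
    $safe = htmlspecialchars($search, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="search" name="search" value="' . $safe . '" />';
}

// Constructed hostile term (not from the issue): tries to close the
// attribute and add an event handler.
$hostile = '" autofocus onfocus="alert(1)';

echo "unescaped:    ", searchInputBroken($hostile), "\n";
echo "escaped:      ", searchInputFixed($hostile), "\n";
```

Running it with `php example.php` shows the concatenated URL parsing back to `intitle:` with the ampersand lost, while the `http_build_query` URL round-trips `intitle:&` intact; for the hostile term, the unescaped tag ends up with a second attribute pair after `value=""`, whereas the escaped one keeps the whole term inside the `value` attribute as `&quot;`-encoded text.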
Diffstat (limited to 'app/layout/header.phtml')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | app/layout/header.phtml | 3 |

1 file changed, 1 insertion, 2 deletions
diff --git a/app/layout/header.phtml b/app/layout/header.phtml index 2b968252b..41a63a565 100644 --- a/app/layout/header.phtml +++ b/app/layout/header.phtml @@ -25,8 +25,7 @@ if (FreshRSS_Auth::accessNeedsAction()) { <?php if (FreshRSS_Auth::hasAccess() || FreshRSS_Context::$system_conf->allow_anonymous) { ?> <form action="<?php echo _url('index', 'index'); ?>" method="get"> <div class="stick"> - <?php $search = Minz_Request::param('search', ''); ?> - <input type="search" name="search" id="search" class="extend" value="<?php echo $search; ?>" placeholder="<?php echo _t('gen.menu.search'); ?>" /> + <input type="search" name="search" id="search" class="extend" value="<?php echo FreshRSS_Context::$search; ?>" placeholder="<?php echo _t('gen.menu.search'); ?>" /> <?php $get = Minz_Request::param('get', ''); ?> <?php if ($get != '') { ?> |
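Review bot: the replacement line still emits `FreshRSS_Context::$search` into the `value` attribute with a bare `<?php echo ... ?>`, so this hunk removes the direct `Minz_Request::param('search', '')` read but shows no HTML escaping of what replaces it; unless `FreshRSS_Context::$search` is guaranteed to already hold an HTML-escaped string, wrap it at the output point: `value="<?php echo htmlspecialchars(FreshRSS_Context::$search, ENT_QUOTES, 'UTF-8'); ?>"`. The trailing context keeps `<?php $get = Minz_Request::param('get', ''); ?>`, another raw request parameter in the same template, so wherever `$get` is echoed further down it needs the same treatment, otherwise the XSS the commit message mentions is only half closed in this file.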
