authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2025-12-13 11:31:34 +0100
committerGravatar GitHub <noreply@github.com> 2025-12-13 11:31:34 +0100
commita8a544a2a205b42d2009b5c52d8939e8bc36263c (patch)
tree27922ce7e14eec886cb0348aeb2501c3dceecf9c /p
parentb66d4ade4160b0f13efa4fb48a6c27884ad81804 (diff)
Fix search encoding and quoting (#8311)
Revised the encoding approach for searches: the HTML encoding is done just before its use for DB search. Also fix some cases of wrong quoting. Fix https://github.com/FreshRSS/FreshRSS/pull/8306#issuecomment-3643865439 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/8293
Diffstat (limited to 'p')
-rw-r--r--p/api/query.php18
1 files changed, 9 insertions, 9 deletions
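--- a/p/api/query.php
+++ b/p/api/query.php
@@ -8,21 +8,21 @@ require LIB_PATH . '/lib_rss.php'; //Includes class autoloader
 Minz_Request::init();
-$token = Minz_Request::paramString('t');
+$token = Minz_Request::paramString('t', plaintext: true);
 if (!ctype_alnum($token)) {
 header('HTTP/1.1 422 Unprocessable Entity');
 header('Content-Type: text/plain; charset=UTF-8');
 die('Invalid token `t`!' . $token);
 }
-$format = Minz_Request::paramString('f');
+$format = Minz_Request::paramString('f', plaintext: true);
 if (!in_array($format, ['atom', 'greader', 'html', 'json', 'opml', 'rss'], true)) {
 header('HTTP/1.1 422 Unprocessable Entity');
 header('Content-Type: text/plain; charset=UTF-8');
 die('Invalid format `f`!');
 }
-$user = Minz_Request::paramString('user');
+$user = Minz_Request::paramString('user', plaintext: true);
 if (!FreshRSS_user_Controller::checkUsername($user)) {
 header('HTTP/1.1 422 Unprocessable Entity');
 header('Content-Type: text/plain; charset=UTF-8');
@@ -87,19 +87,19 @@ foreach (FreshRSS_Context::userConf()->queries as $raw_query) {
 }
 $query = new FreshRSS_UserQuery($raw_query, FreshRSS_Context::categories(), FreshRSS_Context::labels());
 Minz_Request::_param('get', $query->getGet());
-    if (Minz_Request::paramString('order') === '') {
+    if (Minz_Request::paramString('order', plaintext: true) === '') {
 Minz_Request::_param('order', $query->getOrder());
 }
 Minz_Request::_param('state', (string)$query->getState());
-    $search = $query->getSearch()->getRawInput();
+    $search = $query->getSearch()->__toString();
 // Note: we disallow references to user queries in public user search to avoid sniffing internal user queries
-    $userSearch = new FreshRSS_BooleanSearch(Minz_Request::paramString('search'), 0, 'AND', allowUserQueries: false);
-    if ($userSearch->getRawInput() !== '') {
+    $userSearch = new FreshRSS_BooleanSearch(Minz_Request::paramString('search', plaintext: true), 0, 'AND', allowUserQueries: false);
+    if ($userSearch->__toString() !== '') {
 if ($search === '') {
-    $search = $userSearch->getRawInput();
+    $search = $userSearch->__toString();
 } else {
-    $search .= ' (' . $userSearch->getRawInput() . ')';
+    $search .= ' (' . $userSearch->__toString() . ')';
 }
 }
 Minz_Request::_param('search', $search);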
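Review bot: In the first hunk, the `die()` on the token check still concatenates `$token` into the response body, and with `plaintext: true` that value presumably now arrives without the HTML encoding `paramString` applied before this commit (inferred from the commit message, which moves encoding to the point of DB use). The 422 response is sent as `text/plain`, so a browser should not render it as markup, but reflecting input that has just failed `ctype_alnum` gives a caller nothing it needs and makes the error body caller-controlled; the sibling checks for `f` and `user` do not echo their value. Suggest dropping the `. $token` concatenation so the line reads like the format check, `die('Invalid token `t`!');`, and logging the rejected value server-side if it is needed for troubleshooting. These lines are top-level script statements, so no enclosing function is cut by the hunk.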