From a8a544a2a205b42d2009b5c52d8939e8bc36263c Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 13 Dec 2025 11:31:34 +0100
Subject: Fix search encoding and quoting (#8311)
Revised the encoding approach for searches: the HTML encoding is done just before its use for DB search. Fix also some cases with wrong quoting. Fix https://github.com/FreshRSS/FreshRSS/pull/8306#issuecomment-3643865439 Follow-up of https://github.com/FreshRSS/FreshRSS/pull/8293
---
 p/api/query.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'p/api')
diff --git a/p/api/query.php b/p/api/query.php
index 3fb4cadd7..991a1a7bb 100644
--- a/p/api/query.php
+++ b/p/api/query.php
@@ -8,21 +8,21 @@ require LIB_PATH . '/lib_rss.php'; //Includes class autoloader
 Minz_Request::init();
-$token = Minz_Request::paramString('t');
+$token = Minz_Request::paramString('t', plaintext: true);
 if (!ctype_alnum($token)) {
 header('HTTP/1.1 422 Unprocessable Entity');
 header('Content-Type: text/plain; charset=UTF-8');
 die('Invalid token `t`!' . $token);
 }
-$format = Minz_Request::paramString('f');
+$format = Minz_Request::paramString('f', plaintext: true);
 if (!in_array($format, ['atom', 'greader', 'html', 'json', 'opml', 'rss'], true)) {
 header('HTTP/1.1 422 Unprocessable Entity');
 header('Content-Type: text/plain; charset=UTF-8');
 die('Invalid format `f`!');
 }
-$user = Minz_Request::paramString('user');
+$user = Minz_Request::paramString('user', plaintext: true);
 if (!FreshRSS_user_Controller::checkUsername($user)) {
 header('HTTP/1.1 422 Unprocessable Entity');
 header('Content-Type: text/plain; charset=UTF-8');
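Review bot: The `die('Invalid token `t`!' . $token)` line in the first changed block now reflects the raw token back to the client, since `plaintext: true` presumably skips the HTML encoding the previous `paramString('t')` call applied (the commit message says encoding moved to the DB-search site). The response is `text/plain; charset=UTF-8`, so this is not an HTML injection, but the token is a credential and the sibling `f` and `user` checks in this hunk do not echo their value; I would drop the `. $token` suffix from that `die()` call so the three error paths behave alike. If the echo is kept for debugging, adding `header('X-Content-Type-Options: nosniff');` beside the Content-Type header makes the plain-text contract explicit to the browser.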
@@ -87,19 +87,19 @@ foreach (FreshRSS_Context::userConf()->queries as $raw_query) {
 }
 $query = new FreshRSS_UserQuery($raw_query, FreshRSS_Context::categories(), FreshRSS_Context::labels());
 Minz_Request::_param('get', $query->getGet());
- if (Minz_Request::paramString('order') === '') {
+ if (Minz_Request::paramString('order', plaintext: true) === '') {
 Minz_Request::_param('order', $query->getOrder());
 }
 Minz_Request::_param('state', (string)$query->getState());
- $search = $query->getSearch()->getRawInput();
+ $search = $query->getSearch()->__toString();
 // Note: we disallow references to user queries in public user search to avoid sniffing internal user queries
- $userSearch = new FreshRSS_BooleanSearch(Minz_Request::paramString('search'), 0, 'AND', allowUserQueries: false);
- if ($userSearch->getRawInput() !== '') {
+ $userSearch = new FreshRSS_BooleanSearch(Minz_Request::paramString('search', plaintext: true), 0, 'AND', allowUserQueries: false);
+ if ($userSearch->__toString() !== '') {
 if ($search === '') {
- $search = $userSearch->getRawInput();
+ $search = $userSearch->__toString();
 } else {
- $search .= ' (' . $userSearch->getRawInput() . ')';
+ $search .= ' (' . $userSearch->__toString() . ')';
 }
 }
 Minz_Request::_param('search', $search);
-- 
cgit v1.2.3
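Review bot: The `$search .= ' (' . $userSearch->__toString() . ')'` branch parenthesizes only the visitor-supplied search, not the stored user query's own search, so if the boolean parser gives `OR` lower precedence than juxtaposition, a stored `a OR b` combined with visitor text `c` reads as `a OR (b AND c)` instead of `(a OR b) AND c`; I cannot confirm the precedence from this hunk, but wrapping both sides, `$search = '(' . $search . ') (' . $userSearch->__toString() . ')';`, is cheap insurance. The `allowUserQueries: false` guard protects only this construction: the combined string goes back through `Minz_Request::_param('search', $search)` and the hunk does not show with what options it is re-parsed downstream, so it is worth confirming that `__toString()` can never re-emit a user-query reference into that second parse. Stylistically, `(string) $userSearch` reads better than calling `__toString()` explicitly. The enclosing `foreach` body starts before this hunk.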