CMS CONTENIDO / CON-2194

Search terms using example client are not properly escaped

    Details

      Description

      Administration -> Search Terms:
      Search terms are not properly escaped. The same issue occurs on the frontend page with the example client. It appears cSecurity::toString is used here. Using stripslashes might be wrong, too: it rather depends on the $cfg['simulate_magic_quotes'] value on input (which is wrong on PHP 5.3 because it does not take magic_quotes_sybase into account). For database purposes, driver-specific encoding is better.

      Search     | Shown term
      "test<"    | "test"
      "tes<1"    | "tes"
      "test< 22" | "test < 22"

      Tasks to do:
      - Make sure $cfg['simulate_magic_quotes'] takes magic_quotes_sybase into account.
      - Escape all characters (not just special ones) using HTML escape functions on output.
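The following is an added example and not code from CONTENIDO or from the reporter. It separates the two problems the report names: undoing magic quotes on input (where a blanket stripslashes is wrong once magic_quotes_sybase is on) and escaping on output (where characters must be encoded, not dropped). The lossy_filter function is a constructed stand-in that reproduces the symptom from the table; it is not a copy of cSecurity::toString, whose internals the report does not show. The sample terms are constructed.

```php
<?php
// Added example, not CONTENIDO code. Two separate concerns: undoing magic
// quotes on input, and escaping on output. lossy_filter() is a constructed
// stand-in for whatever produced the table's output, not cSecurity::toString.

// PHP 5.3 with magic_quotes_gpc=On backslash-escapes ' " \ and NUL in request
// data. With magic_quotes_sybase=On it instead escapes only ' by doubling it
// to ''. A blanket stripslashes() is therefore wrong in Sybase mode: it leaves
// the doubled quote in place and eats any literal backslash the user typed.
function undo_magic_quotes($value, $sybase)
{
    if (is_array($value)) {
        return array_map(function ($v) use ($sybase) {
            return undo_magic_quotes($v, $sybase);
        }, $value);
    }
    return $sybase ? str_replace("''", "'", $value) : stripslashes($value);
}

// Constructed stand-in for a "sanitizer" that drops everything from a '<' that
// is not followed by whitespace: "test<" becomes "test", "tes<1" becomes "tes",
// while "test< 22" survives, matching the rows in the report's table.
function lossy_filter($value)
{
    return preg_replace('/<(?!\s).*$/s', '', $value);
}

// Output escaping keeps every character and is safe in HTML text and in
// double- or single-quoted attribute context. This is the fix the report
// asks for: escape on output, do not strip on input.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the three rows from the table plus a term with a quote
// and an ampersand, to show that escaping preserves them.
$terms = array('test<', 'tes<1', 'test< 22', "O'Reilly & <b>");
foreach ($terms as $t) {
    printf("%-18s filtered: %-14s escaped: %s\n",
        '"' . $t . '"', '"' . lossy_filter($t) . '"', html_out($t));
}

// The same term as PHP 5.3 would hand it over in each magic-quotes mode, and
// whether the matching undo restores it. The third comparison applies
// stripslashes() to Sybase-style data, which is the mistake the report
// describes; only the correct undo for the active mode yields the original.
$backslashed = "O\\'Reilly";   // magic_quotes_gpc=On, magic_quotes_sybase=Off
$doubled     = "O''Reilly";    // magic_quotes_gpc=On, magic_quotes_sybase=On
var_dump(undo_magic_quotes($backslashed, false) === "O'Reilly");
var_dump(undo_magic_quotes($doubled, true)      === "O'Reilly");
var_dump(undo_magic_quotes($doubled, false)     === "O'Reilly");
```

Run it with the PHP CLI (php example.php). The database side, which the report mentions only in passing, is a third step and belongs neither in the input undo nor in the HTML escape: pass the raw term to the driver, either through a prepared statement with a bound parameter or through the driver's own escaping function (for example mysqli::real_escape_string), rather than through addslashes or an HTML escape.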

              People

              Assignee: Thomas Stauer (thomas.stauer)
              Reporter: Thomas Stauer (thomas.stauer)