From 0dbd9091b06962bec96c0d7cc78eb1f3cacc0dc3 Mon Sep 17 00:00:00 2001
From: devjin
Date: Thu, 17 Nov 2011 08:32:55 +0000
Subject: [PATCH] fixed XSS security in integration search
git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@9839 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 classes/context/Context.class.php | 15 ++++++++-------
 config/func.inc.php | 10 +++++++++-
 .../integration_search.view.php | 3 +++
 .../skins/default/document.html | 8 ++++----
 .../integration_search/skins/default/header.html | 14 +++++++-------
 .../integration_search/skins/default/index.html | 10 +++++-----
 6 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/classes/context/Context.class.php b/classes/context/Context.class.php
index 0605543bc..40c447551 100644
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@@ -789,7 +789,7 @@ class Context {
 * @brief make URL with args_list upon request URL
 * @return result URL
 **/
- function getUrl($num_args=0, $args_list=array(), $domain = null, $encode = true, $auto = false) {
+ function getUrl($num_args=0, $args_list=array(), $domain = null, $encode = true, $autoEncode = false) {
 static $site_module_info = null;
 static $current_info = null;
@@ -936,21 +936,22 @@ class Context {
 }
 if ($encode){
- if($auto){
+ if($autoEncode){
 $parsedUrl = parse_url($query);
 parse_str($parsedUrl['query'], $output);
 $encode_queries = array();
 foreach($output as $key=>$value){
- if (!preg_match('/&([a-z]{2,}|#\d+);/', $value)){
- $value = htmlspecialchars($value);
+ if (preg_match('/&([a-z]{2,}|#\d+);/', urldecode($value))){
+ $value = urlencode(htmlspecialchars_decode(urldecode($value)));
 }
 $encode_queries[] = $key.'='.$value;
 }
- $encode_query = implode('&', $encode_queries);
- return $parsedUrl['path'].'?'.$encode_query;
+ $encode_query = implode('&', $encode_queries);
+ return htmlspecialchars($parsedUrl['path'].'?'.$encode_query);
 }
- else
+ else{
 return htmlspecialchars($query);
+ }
 }else{
 return $query;
 }
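Review bot: In the foreach of the `$autoEncode` branch, a value that contains no entity is appended exactly as parse_str() decoded it, so any `&`, `=`, `+` or `%` inside a parameter value goes back into the query unescaped and changes its structure, while only the entity-matching branch re-encodes; the outer htmlspecialchars() then turns such an `&` into `&amp;`, which the browser decodes back into a parameter separator. parse_str() has already percent-decoded the values, so the added urldecode() calls decode a second time and let a doubly-encoded value reach the regex as plain text. Encoding every pair uniformly addresses both: `if (preg_match('/&([a-z]{2,}|#\d+);/', $value)){ $value = htmlspecialchars_decode($value); }` followed by `$encode_queries[] = urlencode($key).'='.urlencode($value);`. parse_str() also turns bracketed keys into arrays, which this loop would pass to preg_match() as an array and stringify as "Array", and `$parsedUrl['query']` and `$parsedUrl['path']` are read without checking they exist; the rest of getUrl() lies outside the hunk.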
diff --git a/config/func.inc.php b/config/func.inc.php
index 130d7d0c4..ac2bd5642 100644
--- a/config/func.inc.php
+++ b/config/func.inc.php
@@ -27,7 +27,15 @@
 return $str;
 }
 ');
- }
+ }
+
+ if ( !function_exists('htmlspecialchars_decode') )
+ {
+ function htmlspecialchars_decode($text)
+ {
+ return strtr($text, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));
+ }
+ }
 // time zone
 $time_zone = array(
diff --git a/modules/integration_search/integration_search.view.php b/modules/integration_search/integration_search.view.php
index 8b459d8d5..156ec0bf5 100644
--- a/modules/integration_search/integration_search.view.php
+++ b/modules/integration_search/integration_search.view.php
@@ -98,6 +98,9 @@
 } else {
 $this->setTemplateFile("no_keywords");
 }
+
+ $security = new Security();
+ $security->encodeHTML('is_keyword', 'search_target', 'where', 'page');
 }
 }
 ?>
diff --git a/modules/integration_search/skins/default/document.html b/modules/integration_search/skins/default/document.html
index e6d765804..c1bf9d367 100644
--- a/modules/integration_search/skins/default/document.html
+++ b/modules/integration_search/skins/default/document.html
@@ -37,17 +37,17 @@
diff --git a/modules/integration_search/skins/default/header.html b/modules/integration_search/skins/default/header.html
index 424e6121f..aa65829a3 100644
--- a/modules/integration_search/skins/default/header.html
+++ b/modules/integration_search/skins/default/header.html
@@ -19,17 +19,17 @@
-
+
diff --git a/modules/integration_search/skins/default/index.html b/modules/integration_search/skins/default/index.html
index e1aef06ec..c701fd677 100644
--- a/modules/integration_search/skins/default/index.html
+++ b/modules/integration_search/skins/default/index.html
@@ -3,30 +3,30 @@
 {@ $output = $search_result['document'] }
-
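Review bot: The htmlspecialchars_decode() fallback does not take the `$quote_style` argument of the native function, so on a build old enough to need it a caller passing ENT_QUOTES silently gets ENT_COMPAT behaviour (`&#039;` stays encoded), and the two implementations diverge precisely on the hosts where it is hardest to notice. Forwarding the argument keeps the signatures aligned: `function htmlspecialchars_decode($text, $quote_style = ENT_COMPAT)` with `return strtr($text, array_flip(get_html_translation_table(HTML_SPECIALCHARS, $quote_style)));`. The `- }` / `+ }` pair just above it looks like a whitespace-only change on an unrelated line and could be dropped from a security fix.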
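Review bot: The encodeHTML() call added at the end of the method treats `page` like free text, although a page number is better validated as an integer at the point it is read than HTML-encoded, and `search_target` and `where` look like enumerated values (the index.html hunk assigns `'title'` and indexes results by `document`, `comment`, `trackback`, `multimedia` and `file`), for which a whitelist check is the stronger control; confirm the accepted set against the module before narrowing it. Because the call sits after the template selection, any early return in the part of the method above the hunk would skip the encoding entirely. The method's opening is outside the hunk, so that cannot be checked here.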
more
+
more
{@ $output = $search_result['comment'] } -
more
+
more
{@ $output = $search_result['trackback'] } {@ $search_target = 'title'; } -
more
+
more
{@ $output = $search_result['multimedia'] } -
more
+
more
{@ $output = $search_result['file'] } -
more
+
more