fixed XSS security in integration search

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@9839 201d5d3c-b55e-5fd7-737f-ddc643e51545
2026-01-27 23:29:57 +09:00 · 2011-11-17 08:32:55 +00:00 · 2011-11-17 08:32:55 +00:00 · 0dbd9091b0
commit 0dbd9091b0
parent 75d660bf1a
6 changed files with 36 additions and 24 deletions
--- a/modules/integration_search/skins/default/header.html
+++ b/modules/integration_search/skins/default/header.html
@ -19,17 +19,17 @@
            <input type="hidden" name="act" value="IS" />
            <input type="hidden" name="where" value="{$where}" />
 			<input type="hidden" name="search_target" value="title_content" />
-            <input name="is_keyword" type="text" class="inputText" value="{htmlspecialchars($is_keyword)}"/>
+            <input name="is_keyword" type="text" class="inputText" value="{$is_keyword}"/>
            <span class="button large strong black"><input type="submit" value="{$lang->cmd_search}" /></span>
        </form>
    </div>

    <ul class="localNavigation">
-        <li <!--@if(!$where)-->class="on"<!--@end-->><a href="{getUrl('where','','page','','division','')}">{$lang->integration_search}</a></li>
-        <li <!--@if($where=='document')-->class="on"<!--@end-->><a href="{getUrl('where','document','page',1,'division','')}">{$lang->document}</a></li>
-        <li <!--@if($where=='comment')-->class="on"<!--@end-->><a href="{getUrl('where','comment','page',1,'division','')}">{$lang->comment}</a></li>
-        <li <!--@if($where=='trackback')-->class="on"<!--@end-->><a href="{getUrl('where','trackback','page',1,'division','')}">{$lang->trackback}</a></li>
-        <li <!--@if($where=='multimedia')-->class="on"<!--@end-->><a href="{getUrl('where','multimedia','page',1,'division','')}">{$lang->multimedia}</a></li>
-        <li <!--@if($where=='file')-->class="on"<!--@end-->><a href="{getUrl('where','file','page',1,'division','')}">{$lang->file}</a></li>
+        <li <!--@if(!$where)-->class="on"<!--@end-->><a href="{getAutoEncodedUrl('where','','page','','division','')}">{$lang->integration_search}</a></li>
+        <li <!--@if($where=='document')-->class="on"<!--@end-->><a href="{getAutoEncodedUrl('where','document','page',1,'division','')}">{$lang->document}</a></li>
+        <li <!--@if($where=='comment')-->class="on"<!--@end-->><a href="{getAutoEncodedUrl('where','comment','page',1,'division','')}">{$lang->comment}</a></li>
+        <li <!--@if($where=='trackback')-->class="on"<!--@end-->><a href="{getAutoEncodedUrl('where','trackback','page',1,'division','')}">{$lang->trackback}</a></li>
+        <li <!--@if($where=='multimedia')-->class="on"<!--@end-->><a href="{getAutoEncodedUrl('where','multimedia','page',1,'division','')}">{$lang->multimedia}</a></li>
+        <li <!--@if($where=='file')-->class="on"<!--@end-->><a href="{getAutoEncodedUrl('where','file','page',1,'division','')}">{$lang->file}</a></li>
    </ul>
 <!--@end-->