Merge branch 'release/1.8.5' into develop

classes/display/HTMLDisplayHandler.php

@@ -60,6 +60,10 @@ class HTMLDisplayHandler
 
 		$output = $oTemplate->compile($template_path, $tpl_file);
 
+		// SECISSUE https://github.com/xpressengine/xe-core/issues/1583
+		$oSecurity = new Security();
+		$oSecurity->encodeHTML('is_keyword');
+
 		// add .x div for adminitration pages
 		if(Context::getResponseMethod() == 'HTML')
 		{

config/config.inc.php

@@ -29,7 +29,7 @@ define('__ZBXE__', __XE__);
 /**
  * Display XE's full version.
  */
-define('__XE_VERSION__', '1.8.4');
+define('__XE_VERSION__', '1.8.5');
 define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false));
 define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false));
 define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));

layouts/default/layout.html

@@ -22,7 +22,7 @@
 				<input type="hidden" name="vid" value="{$vid}" />
 				<input type="hidden" name="mid" value="{$mid}" />
 				<input type="hidden" name="act" value="IS" />
-				<input type="text" name="is_keyword" value="{htmlspecialchars($is_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" required placeholder="{$lang->cmd_search}" title="{$lang->cmd_search}" />
+				<input type="text" name="is_keyword" value="{$is_keyword}" required placeholder="{$lang->cmd_search}" title="{$lang->cmd_search}" />
 				<input type="submit" value="{$lang->cmd_search}" />
 			</form>
 			<!-- /SEARCH -->

layouts/user_layout/layout.html

@@ -6,7 +6,7 @@
 			<input type="hidden" name="vid" value="{$vid}" />
 			<input type="hidden" name="mid" value="{$mid}" />
 			<input type="hidden" name="act" value="IS" />
-			<input type="text" name="is_keyword" value="{htmlspecialchars($is_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" title="{$lang->cmd_search}" />
+			<input type="text" name="is_keyword" value="{$is_keyword}" title="{$lang->cmd_search}" />
 			<input type="submit" value="{$lang->cmd_search}" />
 		</form>
 		<hr />

layouts/xedition/layout.html

@@ -170,7 +170,7 @@
 					<input type="hidden" name="vid" value="{$vid}" />
 					<input type="hidden" name="mid" value="{$mid}" />
 					<input type="hidden" name="act" value="IS" />
-					<input type="text" name="is_keyword" value="{htmlspecialchars($is_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" required="required" title="{$lang->cmd_search}" placeholder="Search" />
+					<input type="text" name="is_keyword" value="{$is_keyword}" required="required" title="{$lang->cmd_search}" placeholder="Search" />
 				</form>
 				<!-- /SEARCH -->
 				<a href="#" class="btn_close" title="{$lang->cmd_xedition_search_close}" onclick="return false"><i class="xi-close"></i><span class="blind">{$lang->cmd_xedition_search_close}</span></a>

modules/member/member.controller.php

@@ -2119,7 +2119,7 @@ class memberController extends member
 		}
 
 		// Sanitize user ID, username, nickname, homepage, blog
-		$args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+		if($args->user_id) $args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
 		$args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
 		$args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
 		$args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
@@ -2161,10 +2161,13 @@ class memberController extends member
 		}
 
 		// Check if ID is duplicate
-		$member_srl = $oMemberModel->getMemberSrlByUserID($args->user_id);
-		if($member_srl && $args->member_srl != $member_srl)
+		if($args->user_id)
 		{
-			return new Object(-1,'msg_exists_user_id');
+			$member_srl = $oMemberModel->getMemberSrlByUserID($args->user_id);
+			if($member_srl && $args->member_srl != $member_srl)
+			{
+				return new Object(-1,'msg_exists_user_id');
+			}
 		}
 
 		// Check if nickname is prohibited