[pmwiki-devel] Search forms and FmtPageList()

Hans design5 at softflow.co.uk
Fri Sep 25 04:26:36 CDT 2009


Friday, September 25, 2009, 9:07:00 AM, Hans wrote:

> In FmtPageList the query string from $_REQUEST['q'] is transformed
> with htmlspecialchars().
> What are the risks if the search script reverses this for each query
> argument with htmlspecialchars_decode(), in order to be able to
> search for instance for terms including < and > characters?

Looking at pagelist.php and pmwiki.php I see now that
htmlspecialchars() encoding is needed for the search query,
because $SearchResultsFmt contains $[SearchFor]
which is translated to
   'Results of search for <em>$Needle</em>:'
so any unencoded HTML in $Needle would be executed.

On the other hand any script output going through
MarkupToHTML() will have HTML characters encoded,
because MarkupToHTML() uses PVSE() on all text.

So I see no reason not to decode the query string,
as any output will pass through MarkupToHTML().



Hans
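As an added illustration (not PmWiki's code and not part of Hans' message): a small PHP sketch of the two paths the message distinguishes. The needle is decoded only for matching page text, while the "Results of search for" header, which is emitted without passing through MarkupToHTML(), keeps the htmlspecialchars()-encoded form. The function names and the sample page texts are constructed for this example.

```php
<?php
// Constructed example, not PmWiki's code: keeps a matching needle
// separate from a display needle so that a query containing '<' or '>'
// can be searched for without raw HTML ever reaching the output.

// Sample page texts, constructed for the example.
$pages = [
    'Main.HomePage' => 'Use <br> to force a line break in raw HTML.',
    'Main.Notes'    => 'Nothing special here.',
];

// Mirrors what FmtPageList() does with $_REQUEST['q']: the raw query is
// encoded before it is used anywhere.
function encodeQuery(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES);
}

// Matching path: decode so that literal '<' and '>' in the query can match
// page text. The decoded value is only compared, never echoed.
function searchPages(array $pages, string $encodedNeedle): array {
    $needle = htmlspecialchars_decode($encodedNeedle, ENT_QUOTES);
    $hits = [];
    foreach ($pages as $name => $text) {
        if ($needle !== '' && stripos($text, $needle) !== false) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Display path: this is the $[SearchFor] string that does not go through
// MarkupToHTML(), so it must receive the still-encoded needle.
function searchHeader(string $encodedNeedle): string {
    return "Results of search for <em>$encodedNeedle</em>:";
}

// Query taken from the command line; '<br>' is a constructed default.
$raw     = $argv[1] ?? '<br>';
$encoded = encodeQuery($raw);

// The header carries the encoded needle, so '<br>' cannot become a tag,
// while the match below still finds the page containing a literal '<br>'.
echo searchHeader($encoded), "\n";
foreach (searchPages($pages, $encoded) as $hit) {
    echo "  ", $hit, "\n";
}
```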