Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#19 unescaped search keywords/phrases broke display

closed
nobody
None
5
2012-10-11
2003-03-25
Robert Sanders
No

The search keywords and phrases are not escaped in any
way before being inserted into the HTML output. This
can lead to breakage. For example, my site had been
reached with a search containing the string
"<textarea>". This was inserted into the statistics
page without escaping, creating an unclosed textarea
tag that broke the entire search table.

Patch enclosed. I used the HTML::Entities module for
convenience. You could probably get away with just
using this small subset::

$mot =~ s/([^\n\r\t !#\$%\'-;=?-~])/num_entity($1)/ge;
...
sub num_entity {
sprintf "&#x%X;", ord($_[0]);
}

Discussion

  • Robert Sanders
    Robert Sanders
    2003-03-25

    Logged In: YES
    user_id=741452

    I forgot to mention that the patch was against awstats.pl
    5.4 build 1.1.

     
  • Robert Sanders
    Robert Sanders
    2003-03-25

    patch to entity-encode search keywords

     
  • Robert Sanders
    Robert Sanders
    2003-03-25

    complete patch to entity-encode search keywords/phrases

     
  • Robert Sanders
    Robert Sanders
    2003-03-25

    Logged In: YES
    user_id=741452

    Ignore the original patch; I missed two of the four cases.
    A new patch is attached as awstats.entities.patch.new.

     
  • Logged In: YES
    user_id=96898

    I thinks this have been fixed by inverting functions
    CleanFromCSSA and DecodeEncodedString

     
  • Logged In: YES
    user_id=96898

    Added in CVS tree for next version.