#252 Fix double-escaping in searchtext_escaped

v2.0
closed-fixed
Andre-Littoz
None
5
2014-10-25
2014-04-05
David Faure
No

Using the general search to search for files containing "foo" (with the double-quotes) leads to &quot;foo&quot; in the result page. This is due to double-escaping in the search script, in the line that calculates searchtext_escaped:

first " is replaced with &quot; and then & is replaced with &amp;...

1 Attachments

Discussion

  • Andre-Littoz
    2014-04-06

    • assigned_to: Andre-Littoz
    • Group: Experimental --> Bugfix
     
  • Andre-Littoz
    2014-04-06

    This is a bug.

    For the record: invalid order of transformations to avoid XSS attacks. Ampersands should be transformed first into an HTML entity, before transforming other "dangerous" characters. Otherwise, the initial & in an HTML entity name gets transformed into &amp;, preventing LXR from recovering the intended character.

    The line for _searchtext has the correct order.

    As a precaution, the same protection against ampersand is transferred into ident.

     
  • Andre-Littoz
    2014-04-07

    Ticket moved from /p/lxr/patches/46/

     
  • Andre-Littoz
    2014-04-07

    • Group: Bugfix --> v2.0
     
  • Andre-Littoz
    2014-10-25

    Fixed in 2.0.2

     
  • Andre-Littoz
    2014-10-25

    • status: open --> closed-fixed
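
The ordering rule from the 2014-04-06 comment, as an added Perl example that is not LXR's code: the function names, the < and > substitutions, the render stand-in for the browser and the sample queries are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Order reported in the ticket: '"' is replaced first and '&' afterwards, so
# the '&' that starts the freshly written entity is escaped a second time.
sub escape_amp_last {
    my ($text) = @_;
    $text =~ s/"/&quot;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/&/&amp;/g;
    return $text;
}

# Corrected order: '&' first, then the other characters.
sub escape_amp_first {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}

# Stand-in for the browser: decode each entity exactly once. '&amp;' goes
# last so an '&' produced by decoding is never decoded again.
sub render {
    my ($html) = @_;
    $html =~ s/&quot;/"/g;
    $html =~ s/&lt;/</g;
    $html =~ s/&gt;/>/g;
    $html =~ s/&amp;/&/g;
    return $html;
}

# Constructed sample queries, including one that already looks like an entity.
for my $query ('"foo"', 'a & b', '<b>"x"</b>', '&quot;') {
    my $bad  = escape_amp_last($query);
    my $good = escape_amp_first($query);
    printf "query %-12s amp-last shows %-32s amp-first shows %s\n",
        $query, render($bad), render($good);
    # The corrected order must round-trip and leave no raw markup characters.
    die "round trip failed for $query" unless render($good) eq $query;
    die "raw markup left in $good"     if $good =~ /[<>"]/;
}
```

For the query "foo" the amp-last column shows the entity text instead of the quotes, while the amp-first column shows the query as typed.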