#19 unescaped search keywords/phrases broke display

closed
nobody
None
5
2012-10-11
2003-03-25
No

The search keywords and phrases are not escaped in any
way before being inserted into the HTML output. This
can lead to breakage. For example, my site had been
reached with a search containing the string
"<textarea>". This was inserted into the statistics
page without escaping, creating an unclosed textarea
tag that broke the entire search table.

Patch enclosed. I used the HTML::Entities module for
convenience. You could probably get away with just
using this small subset::

$mot =~ s/([^\n\r\t !#\$%\'-;=?-~])/num_entity($1)/ge;
...
sub num_entity {
sprintf "&#x%X;", ord($_[0]);
}

Discussion

  • Robert Sanders

    Robert Sanders - 2003-03-25

    Logged In: YES
    user_id=741452

    I forgot to mention that the patch was against awstats.pl
    5.4 build 1.1.

     
  • Robert Sanders

    Robert Sanders - 2003-03-25

    patch to entity-encode search keywords

     
  • Robert Sanders

    Robert Sanders - 2003-03-25

    complete patch to entity-encode search keywords/phrases

     
  • Robert Sanders

    Robert Sanders - 2003-03-25

    Logged In: YES
    user_id=741452

    Ignore the original patch; I missed two of the four cases.
    A new patch is attached as awstats.entities.patch.new.

     
  • Laurent Destailleur (Eldy)

    Logged In: YES
    user_id=96898

    I thinks this have been fixed by inverting functions
    CleanFromCSSA and DecodeEncodedString

     
  • Laurent Destailleur (Eldy)

    Logged In: YES
    user_id=96898

    Added in CVS tree for next version.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks