authordweller <dweller@cabin.digital>2024-03-12 01:08:28 +0200
committerdweller <dweller@cabin.digital>2024-03-12 01:08:28 +0200
commit3bfe2491e5930d40ef7691bea17c19a9ec64719a (patch)
tree3321c60857ce94e049ef8997d9abf10ed4c93b42 /search.php
parent4b83175fcab8caa4f1a863cc654f0d991b6ffb58 (diff)
HTML escape outputs, prevent dubious values in $section and $arch
Diffstat (limited to 'search.php')
-rw-r--r--search.php21
1 files changed, 18 insertions, 3 deletions
diff --git a/search.php b/search.php
index 234aa9e..e61da1b 100644
--- a/search.php
+++ b/search.php
@@ -48,7 +48,7 @@
<nav id="search_pane">
<form>
<div id="query_wrap">
- <input id="query" type='search' value='<?=$query;?>' name='query' autocorrect="off" autocapitalize="none" required/>
+ <input id="query" type='search' value='<?= htmlspecialchars($query);?>' name='query' autocorrect="off" autocapitalize="none" required/>
<button id="btn_def" type='submit' value='man' name='action' class="btn-def" aria-hidden="true" tabindex="-1"></button>
<input type="checkbox" id="query_opts_toggle"/>
<div id="query_opts">
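Review bot: The escaped `$query` on the added `<input>` line sits inside a single-quoted `value='…'` attribute, and `htmlspecialchars()` is called without a flags argument, so whether `'` gets escaped depends on the PHP version: before 8.1 the default is `ENT_COMPAT`, which leaves single quotes alone and a query containing `'` still closes the attribute. Pass the flags explicitly so the behaviour is fixed regardless of runtime: `value='<?= htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>'`. The same applies to `$a = htmlspecialchars($a);` in the next hunk, whose `<option value='$a'>` is single-quoted as well; use the same flags there (`$a = htmlspecialchars($a, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`).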
@@ -74,6 +74,8 @@
$sel = "";
if((strlen($arch) > 0) && ($arch == $a))
$sel = 'selected="selected"';
+
+ $a = htmlspecialchars($a);
echo "<option value='$a' $sel>$a</option>";
}
?>
@@ -96,9 +98,17 @@
<?php
$arg_section = "";
if(!empty($section))
- $arg_section .= " -s ". escapeshellarg($section);
+ {
+ if(is_numeric($section) && (0 < $section) && ($section <= 9))
+ $arg_section .= " -s ". escapeshellarg($section);
+ else $section = null;
+ }
if(!empty($arch))
- $arg_section .= " -S ". escapeshellarg($arch);
+ {
+ if(in_array($arch, $archs, true))
+ $arg_section .= " -S ". escapeshellarg($arch);
+ else $arch = null;
+ }
/* NOTE: This seems like it's a too ad hoc of a solution, but _theoretically_ escapeshellarg()
* should take care of the rest. I need more testing.
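Review bot: The new `is_numeric($section) && (0 < $section) && ($section <= 9)` check accepts more than a single section digit — values such as `1.5`, `1e0` or ` 3` (leading whitespace) are numeric, fall inside the range, and are passed through to `-s` unchanged. escapeshellarg() keeps them from breaking the command line, but if the intent is "section 1–9" the check is clearer and tighter as a strict pattern: `if(preg_match('/^[1-9]$/', $section))`. The `in_array($arch, $archs, true)` whitelist is the right approach; `$archs` is not defined within this hunk, so a one-line comment stating that it is the same list the `<select>` loop iterates (presumably the case) would document why the comparison can be strict. Note that the `else $section = null;` / `else $arch = null;` branches silently drop a rejected value, which is fine for a search form but worth stating in the existing NOTE comment. The PHP block opened at the top of this hunk continues past its last line.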
@@ -125,6 +135,7 @@
* As you can see, they also decided to pepper the HTML with inline style coz they
* just absolutely hate me, so I strip it too.
*/
+ /* NOTE: don't htmlspecialchars() here because this is raw HTML from mandoc! */
for($i = 0; $i < count($lines); $i++)
{
$line = preg_replace('/\<br.\>/i', '', $lines[$i]);
@@ -171,6 +182,10 @@
$url = "$root/search.php?query=". urlencode($name) ."&section=". urlencode($sect)
."&arch=". urlencode($arch) ."&action=man";
+ $fname = htmlspecialchars($fname);
+ $fsect = htmlspecialchars($fsect);
+ $desc = htmlspecialchars($desc);
+
echo '<dl>';
echo " <dt><a href='".$url."'>$fname($fsect)</a></dt>";
echo " <dd>$desc</dd>";