From 3bfe2491e5930d40ef7691bea17c19a9ec64719a Mon Sep 17 00:00:00 2001
From: dweller <dweller@cabin.digital>
Date: Tue, 12 Mar 2024 01:08:28 +0200
Subject: HTML escape outputs, prevent dubious values in $section and $arch

---
 index.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'index.php')

diff --git a/index.php b/index.php
index 6c8a8ed..951be29 100644
--- a/index.php
+++ b/index.php
@@ -54,7 +54,7 @@
                 <form action="/search.php">
                     <div id="query_wrap">
                         <div    id="query_icon"></div>
-                        <input  id="query"   type='search' value='<?php if($action === 'lmmtfy') echo $query;?>' name='query' autocorrect="off" autocapitalize="none" required autofocus/>
+                        <input  id="query"   type='search' value='<?php if($action === 'lmmtfy') echo htmlspecialchars($query);?>' name='query' autocorrect="off" autocapitalize="none" required autofocus/>
                         <button id="btn_def" type='submit' value='man' name='action' class="btn-def" aria-hidden="true" tabindex="-1"></button>
                         <input type="checkbox" id="query_opts_toggle"/>
                         <div id="query_opts">
@@ -80,6 +80,8 @@
                                         $sel = "";
                                         if((strlen($arch) > 0) && ($arch == $a))
                                             $sel = 'selected="selected"';
+
+                                        $a = htmlspecialchars($a);
                                         echo "<option value='$a' $sel>$a</option>";
                                     }
                                 ?>
-- 
cgit v1.2.3