Sanitize search queries, thanks to Lukas Reschke
authorMichael Gapczynski <GapczynskiM@gmail.com>
Sun, 13 May 2012 19:57:10 +0000 (15:57 -0400)
committerMichael Gapczynski <GapczynskiM@gmail.com>
Sun, 13 May 2012 19:57:46 +0000 (15:57 -0400)
core/templates/layout.user.php

index b832ac2636fedbf79e7fb966a45f5e57fc3a63b5..e9d105ed04329934d5dcfcb9c032a46d1431a0c8 100644 (file)
@@ -30,7 +30,7 @@
                <header><div id="header">
                        <a href="<?php echo link_to('', 'index.php'); ?>" title="" id="owncloud"><img class="svg" src="<?php echo image_path('', 'logo-wide.svg'); ?>" alt="ownCloud" /></a>
                        <form class="searchbox" action="#" method="post">
-                               <input id="searchbox" class="svg" type="search" name="query" value="<?php if(isset($_POST['query'])){echo $_POST['query'];};?>" autocomplete="off" />
+                               <input id="searchbox" class="svg" type="search" name="query" value="<?php if(isset($_POST['query'])){echo htmlentities($_POST['query']);};?>" autocomplete="off" />
                        </form>
                        <a id="logout" href="<?php echo link_to('', 'index.php'); ?>?logout=true"><img class="svg" alt="<?php echo $l->t('Log out');?>" title="<?php echo $l->t('Log out');?>" src="<?php echo image_path('', 'actions/logout.svg'); ?>" /></a>
                </div></header>
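Review bot: The new `htmlentities($_POST['query'])` on the added line leaves the quote flags and the charset to the engine defaults, which on the PHP releases current for this code were `ENT_COMPAT` and ISO-8859-1; a UTF-8 query is then entity-encoded byte by byte and displays as mojibake, while on later releases the defaults change and the output differs. Pinning both arguments makes the escaping independent of the PHP version and the `default_charset` setting: `echo htmlentities($_POST['query'], ENT_QUOTES, 'UTF-8');`. For a double-quoted attribute value, `htmlspecialchars()` with the same flags and charset is sufficient, since only the markup-significant characters need escaping, and it avoids converting every non-ASCII character into a named entity.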