From 31f4d9066b6bffcbe539f293bf814c418f1523cf Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Tue, 13 Nov 2018 14:23:56 -0800
Subject: xss in search

---
 Zotlabs/Module/Search.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Module/Search.php b/Zotlabs/Module/Search.php
index e520c671d..272bbdac1 100644
--- a/Zotlabs/Module/Search.php
+++ b/Zotlabs/Module/Search.php
@@ -6,7 +6,7 @@ class Search extends \Zotlabs\Web\Controller {
 
 	function init() {
 		if(x($_REQUEST,'search'))
-			\App::$data['search'] = $_REQUEST['search'];
+			\App::$data['search'] = escape_tags($_REQUEST['search']);
 	}
 	
 	
@@ -46,12 +46,12 @@ class Search extends \Zotlabs\Web\Controller {
 		if(x(\App::$data,'search'))
 			$search = trim(\App::$data['search']);
 		else
-			$search = ((x($_GET,'search')) ? trim(rawurldecode($_GET['search'])) : '');
+			$search = ((x($_GET,'search')) ? trim(escape_tags(rawurldecode($_GET['search']))) : '');
 	
 		$tag = false;
 		if(x($_GET,'tag')) {
 			$tag = true;
-			$search = ((x($_GET,'tag')) ? trim(rawurldecode($_GET['tag'])) : '');
+			$search = ((x($_GET,'tag')) ? trim(escape_tags(rawurldecode($_GET['tag']))) : '');
 		}
 
 		$static = ((array_key_exists('static',$_REQUEST)) ? intval($_REQUEST['static']) : 0);
-- 
cgit v1.2.3