From: Ciaran Gultnieks <ciaran@ciarang.com>
Date: Mon, 26 Jan 2015 18:12:30 +0000 (+0000)
Subject: wp-fdroid: Properly escape fdfilter
X-Git-Tag: 0.4.0~131
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=43ccdce0ac1dee263fcbf7706aee403cb9911698;p=fdroidserver.git

wp-fdroid: Properly escape fdfilter

Resolves an XSS issue identified by Cure53 (https://cure53.de)
---

diff --git a/wp-fdroid/wp-fdroid.php b/wp-fdroid/wp-fdroid.php
index 98fffbdf..72c6d6f9 100644
--- a/wp-fdroid/wp-fdroid.php
+++ b/wp-fdroid/wp-fdroid.php
@@ -171,7 +171,7 @@ class FDroid
 			$out.=$this->get_app($query_vars);
 		} else {
 			$out.='<form name="searchform" action="" method="get">';
-			$out.='<p><input name="fdfilter" type="text" value="'.$query_vars['fdfilter'].'" size="30"> ';
+			$out.='<p><input name="fdfilter" type="text" value="'.esc_attr($query_vars['fdfilter']).'" size="30"> ';
 			$out.='<input type="hidden" name="fdpage" value="1">';
 			$out.='<input type="submit" value="Search"></p>';
 			$out.=$this->makeformdata($query_vars);
@@ -690,7 +690,7 @@ class FDroid
 				$out.='</form>'."\n";
 			}
 			else {
-				$out.='Applications matching "'.$query_vars['fdfilter'].'"';
+				$out.='Applications matching "'.esc_attr($query_vars['fdfilter']).'"';
 			}
 			$out.="</div>";
 
@@ -749,7 +749,7 @@ class FDroid
 		$out.='<input type="hidden" name="page_id" value="'.(int)get_query_var('page_id').'">';
 		foreach($query_vars as $name => $value) {
 			if($value !== null && $name != 'fdfilter' && $name != 'fdpage')
-				$out.='<input type="hidden" name="'.$name.'" value="'.sanitize_text_field($value).'">';
+				$out.='<input type="hidden" name="'.esc_attr($name).'" value="'.esc_attr($value).'">';
 		}
 
 		return $out;