0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget.patch

Authored By
Zabe
Jun 24 2021, 10:47 PM
Size
1 KB
Referenced Files
None
Subscribers
None

From d526bd06cf9d2feb8618739f7040754d579547fc Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <alec@vc-celle.de>
Date: Fri, 25 Jun 2021 00:37:32 +0200
Subject: [PATCH] SECURITY: Pass escaped HTML to
FullSearchResultWidget::buildMeta for sanity
Bug: T285515
Change-Id: I771e44af5641f3065141fa3478f68ab05e31d71f
---
includes/search/searchwidgets/FullSearchResultWidget.php | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/includes/search/searchwidgets/FullSearchResultWidget.php b/includes/search/searchwidgets/FullSearchResultWidget.php
index 499c3b1630..3820e9de45 100644
--- a/includes/search/searchwidgets/FullSearchResultWidget.php
+++ b/includes/search/searchwidgets/FullSearchResultWidget.php
@@ -60,9 +60,11 @@ class FullSearchResultWidget implements SearchResultWidget {
$redirect = $this->generateRedirectHtml( $result );
$section = $this->generateSectionHtml( $result );
$category = $this->generateCategoryHtml( $result );
- $date = $this->specialPage->getLanguage()->userTimeAndDate(
- $result->getTimestamp(),
- $this->specialPage->getUser()
+ $date = htmlspecialchars(
+ $this->specialPage->getLanguage()->userTimeAndDate(
+ $result->getTimestamp(),
+ $this->specialPage->getUser()
+ )
);
list( $file, $desc, $thumb ) = $this->generateFileHtml( $result );
$snippet = $result->getTextSnippet();
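
Review bot: at the new "$date = htmlspecialchars(" assignment nothing records that $date now holds escaped HTML rather than plain text, so a later edit could drop the escaping or apply it a second time where the value is used. A one-line comment above the assignment stating that buildMeta expects escaped HTML (as the subject line says), or a name that marks the value as HTML, would make that contract as visible as it is for $redirect, $section and $category, which all come from generate...Html() helpers. The diffstat shows only this one file changed; a test that covers the escaped date in the rendered search result would keep the fix from regressing.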
--
2.17.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9110092
Default Alt Text
0001-SECURITY-Pass-escaped-HTML-to-FullSearchResultWidget.patch (1 KB)
