From 8132c138c1b7c55545c78e9a091a429531022122 Mon Sep 17 00:00:00 2001
From: aydreeihn <adriane@enhancesoft.com>
Date: Thu, 10 Aug 2017 15:35:05 -0500
Subject: [PATCH] Format the advanced search title so that it will not allow
 javascript

---
 include/ajax.search.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/ajax.search.php b/include/ajax.search.php
index 7e22a8790..f2175a76d 100644
--- a/include/ajax.search.php
+++ b/include/ajax.search.php
@@ -136,7 +136,7 @@ class SearchAjaxAPI extends AjaxController {
 
         $search->config = JsonDataEncoder::encode($form->getState());
         if (isset($_POST['name']))
-            $search->title = $_POST['name'];
+            $search->title = Format::htmlchars($_POST['name']);
         elseif ($search->__new__)
             Http::response(400, 'A name is required');
         if (!$search->save()) {
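Review bot: Escaping `$_POST['name']` as it is assigned to `$search->title` only protects titles saved through this path after the change. Titles stored earlier remain raw, so the code that prints the title (not visible in this hunk) presumably still needs `Format::htmlchars($search->title)` on output. Storing the entity-encoded form also means any render site that escapes will double-encode, and non-HTML consumers of the title will see entities. If the escaping stays at storage time, document the contract next to the assignment, e.g. `// title is stored HTML-escaped: output code must not escape it again, and rows saved before this change are still raw`. Separately, `isset($_POST['name'])` is true for an empty string, so a new search posted with an empty name skips the 'A name is required' branch; `if (isset($_POST['name']) && trim($_POST['name']) !== '')` would close that gap. The enclosing method starts and ends outside the hunk.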
-- 
GitLab