Merge pull request #3919 from aydreeihn/issue/advanced_search_xss

Format the advanced search title so that it will not allow javascript

Merge pull request #3919 from aydreeihn/issue/advanced_search_xss
Format the advanced search title so that it will not allow javascript
ebe19531 · Peter Rotich · GitHub · c26b11ca · 8132c138 · ebe19531
Commit ebe19531 authored 7 years ago by Peter Rotich Committed by GitHub 7 years ago
--- a/include/ajax.search.php
+++ b/include/ajax.search.php
@@ -136,7 +136,7 @@ class SearchAjaxAPI extends AjaxController {

        $search->config = JsonDataEncoder::encode($form->getState());
        if (isset($_POST['name']))
-            $search->title = $_POST['name'];
+            $search->title = Format::htmlchars($_POST['name']);
        elseif ($search->__new__)
            Http::response(400, 'A name is required');
        if (!$search->save()) {