This module calls check_plain() on search input keys before passing them to API functions like node_search_execute() and user_search_execute().

This seems unnecessary because these are just API functions that are using the data; they are not printing it to HTML.

Also, they were already run through check_plain() before, via this code:

 $result = call_user_func("_spotlight_search_{$category}", check_plain($key));

So a double check_plain() is happening, which is definitely not right.

I think the check_plain() call could probably be removed from there too, but since it's calling an arbitrarily-named function and I don't know for sure all the places that might implement that and how they might use the passed-in $key, I left that off for now and just removed it from the node_search_execute() and user_search_execute() calls.
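
To make the double-escaping problem concrete, here is an added example (not code from the Spotlight module or Drupal core). It uses a stand-in for Drupal 7's check_plain(), which is htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), and a hypothetical consumer that matches a key against plain-text titles; both function names are assumptions of this example, not Drupal APIs.

```php
<?php
// Added example, not code from the Spotlight module or Drupal core.
// Shows what happens to a search key that is passed through check_plain()
// twice before it reaches an API function such as node_search_execute().

// Stand-in for Drupal 7's check_plain(), which is
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8'). Defined here only so the
// script runs outside Drupal; the name is an assumption of this example.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical consumer that matches a key against plain-text titles.
// It stands in for "an API function that just uses the data" and does
// not model Drupal's real search index.
function example_match(array $titles, $key) {
  return array_values(array_filter($titles, function ($title) use ($key) {
    return stripos($title, $key) !== false;
  }));
}

// Constructed sample input: a query containing characters that
// HTML escaping rewrites, and two titles the consumer could match.
$typed  = 'Tom & Jerry <3';
$once   = example_check_plain($typed);   // escaped once (the spotlight caller)
$twice  = example_check_plain($once);    // escaped again (the API call)
$titles = array('Tom & Jerry <3', 'Tom and Jerry');

// Only the key the user actually typed matches the stored data.
var_dump(example_match($titles, $typed));
var_dump(example_match($titles, $once));
var_dump(example_match($titles, $twice));

// A consumer that decodes entities once cannot undo double escaping;
// it recovers the single-escaped string, not the original query.
var_dump(html_entity_decode($once,  ENT_QUOTES, 'UTF-8') === $typed);
var_dump(html_entity_decode($twice, ENT_QUOTES, 'UTF-8') === $typed);

// Escaping belongs at the output boundary, applied exactly once.
echo 'Results for "' . example_check_plain($typed) . '"' . "\n";
```

Running this shows the key changing from `Tom & Jerry <3` to `Tom &amp; Jerry &lt;3` after one pass and `Tom &amp;amp; Jerry &amp;lt;3` after two; only the original key matches, the once-escaped key can be decoded back, and the twice-escaped key cannot. That is the practical cost of escaping data that is consumed rather than printed: the API sees a different string from the one the user searched for, and the place that does print it (the results page) still has to escape it itself.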

Comments

Comment by David_Rothstein

Status: Active » Needs review
Attachment (new): 757 bytes

Here is a patch.

Comment by kharbat

Status: Needs review » Patch (to be ported)

  • kharbat committed 20e2029 on 7.x-1.x
    Issue #2395927 by David_Rothstein: Spotlight should allow other...
Comment by David_Rothstein

Thanks for the commits.

Did you really mean to move this issue (and a couple others) to "to be ported" status rather than "fixed"? I don't see another branch to port these to...