smallsolar/libkiwix
1
0
Fork 0
mirror of https://github.com/kiwix/libkiwix.git synced 2025-06-28 05:49:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

FIXED: kiwix-serve XSS attack vulnerability (#763)

Browse Source
This commit is contained in:
Kelson42
2015-01-08 12:51:42 +01:00
parent 191d37a105
commit 8287a64172
3 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/common/kiwix/searcher.cpp
View File

@ -180,7 +180,7 @@ namespace kiwix {
oData["pages"] = pagesCDT;
oData["count"] = kiwix::beautifyInteger(this->estimatedResultCount);
oData["searchPattern"] = this->searchPattern;
oData["searchPattern"] = kiwix::encodeDiples(this->searchPattern);
oData["searchPatternEncoded"] = urlEncode(this->searchPattern);
oData["resultStart"] = this->resultStart + 1;
oData["resultEnd"] = (this->resultEnd > this->estimatedResultCount ? this->estimatedResultCount : this->resultEnd);

8
src/common/stringTools.cpp
View File

@ -104,6 +104,14 @@ void kiwix::stringReplacement(std::string& str, const std::string& oldStr, const
}
}
/* Encode string to avoid XSS attacks */
std::string kiwix::encodeDiples(const std::string& str) {
std::string result = str;
kiwix::stringReplacement(result, "<", "&lt;");
kiwix::stringReplacement(result, ">", "&gt;");
return result;
}
// Urlencode
//based on javascript encodeURIComponent()

1
src/common/stringTools.h
View File

@ -48,6 +48,7 @@ namespace kiwix {
void printStringInHexadecimal(const char *s);
void printStringInHexadecimal(UnicodeString s);
void stringReplacement(std::string& str, const std::string& oldStr, const std::string& newStr);
std::string encodeDiples(const std::string& str);
#endif