Sanitize index.php and search-relay.php input.

As q and p can be utilized by reflected xss or full-path-disclosure. (see #12)
approach0 · Sep 12, 2016 · 977ad40 · 977ad40
1 parent ede35e7
commit 977ad40
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/demo/web/index.php b/demo/web/index.php
@@ -146,8 +146,10 @@
 		placeholder="empty"/>
 
 		<!-- hidden URI parameters -->
-		<input id="q" type="hidden" value="<?php if (isset($_GET['q'])) echo $_GET['q']; ?>"/>
-		<input id="p" type="hidden" value="<?php if (isset($_GET['p'])) echo $_GET['p']; ?>"/>
+		<input id="q" type="hidden" value=
+		"<?php if (isset($_GET['q']) && is_scalar($_GET['q'])) echo htmlentities($_GET['q'], ENT_QUOTES,'UTF-8'); ?>"/>
+		<input id="p" type="hidden" value=
+		"<?php if (isset($_GET['p']) && is_scalar($_GET['p'])) echo htmlentities($_GET['p'], ENT_QUOTES,'UTF-8'); ?>"/>
 
 		<p>WEB API (for developers):</p>
 		<p style="background-color: black; color: #bbb; padding: 3px 0 3px 6px; overflow-x: auto; white-space: nowrap;">

diff --git a/demo/web/search-relay.php b/demo/web/search-relay.php
@@ -74,18 +74,19 @@ function qry_explode($qry_str)
 $req_qry_str = '';
 $req_page = 1;
 
-if(!isset($_GET['q'])) { /* q for query string */
+/* q for query string */
+if(!isset($_GET['q']) || !is_scalar($_GET['q'])) {
 	http_response_code(400);
 	echo 'Dude, Bad GET Request!';
 	exit;
 } else {
 	$req_qry_str = $_GET['q'];
 }
 
-if(isset($_GET['p'])) /* p for page */
+/* p for page */
+if(isset($_GET['p']) && is_scalar($_GET['p']))
 	$req_page = intval($_GET['p']);
 
-
 /*
  * split and handle each query keyword
  */