xss protection

pull/338/head
Michael Christen 5 years ago
parent 090c0e56ab
commit 57484eb1cc

@ -137,7 +137,8 @@ public class yacysearch {
}
final boolean focus = (post == null) ? true : post.get("focus", "1").equals("1");
// get query
final String originalquerystring = (post == null) ? "" : post.get("query", post.get("search", "")).trim();
String originalquerystring = (post == null) ? "" : post.get("query", post.get("search", "")).trim();
originalquerystring = originalquerystring.replace('<', ' ').replace('>', ' '); // light xss protection
String querystring = originalquerystring;
CacheStrategy snippetFetchStrategy = (post == null) ? null : CacheStrategy.parse(post.get("verify", sb.getConfig("search.verify", "")));
@ -1027,7 +1028,7 @@ public class yacysearch {
prop.put("focus", focus ? 1 : 0); // focus search field
prop.put("searchagain", global ? "1" : "0");
String former = originalquerystring.replaceAll(Segment.catchallString, "*");
String former = originalquerystring.replaceAll(Segment.catchallString, "*"); // hide catchallString in output
prop.putHTML("former", former);
try {
prop.put("formerEncoded", URLEncoder.encode(former, StandardCharsets.UTF_8.name()));
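Review bot: Replacing only `<` and `>` in the query (the new line after `String originalquerystring = …` in the first hunk) is a partial input filter rather than XSS protection: it leaves `"`, `'` and `&` untouched, so it does nothing for a value that lands in an attribute or script context, and it also silently changes what the user searched for when the terms legitimately contain angle brackets. The robust control is encoding at output, which this file already does for `former` via `prop.putHTML("former", former)` in the second hunk; any place the raw query is emitted with plain `prop.put` should use `putHTML` as well, and then the input substitution can be documented as belt-and-braces rather than relied upon. If the substitution stays, the variable can keep its `final` by folding it into the initializer: `final String originalquerystring = ((post == null) ? "" : post.get("query", post.get("search", "")).trim()).replace('<', ' ').replace('>', ' '); // light xss protection, output is HTML-encoded via putHTML`. The same substitution is added in yacysearchtrailer below and should be treated the same way. The enclosing method starts and ends outside both hunks.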

@ -97,7 +97,6 @@ public class yacysearchtrailer {
}
final RequestHeader.FileType fileType = header.fileType();
final boolean clustersearch = sb.isRobinsonMode() && sb.getConfig(SwitchboardConstants.CLUSTER_MODE, "").equals(SwitchboardConstants.CLUSTER_MODE_PUBLIC_CLUSTER);
final boolean indexReceiveGranted = sb.getConfigBool(SwitchboardConstants.INDEX_RECEIVE_ALLOW_SEARCH, true) || clustersearch;
boolean p2pmode = sb.peers != null && sb.peers.sizeConnected() > 0 && indexReceiveGranted;
@ -113,7 +112,8 @@ public class yacysearchtrailer {
|| sb.getConfigBool("search.image", true)
|| sb.getConfigBool("search.app", true) ? 1 : 0);
final String originalquerystring = post.get("query", post.get("search", "")).trim();
String originalquerystring = post.get("query", post.get("search", "")).trim();
originalquerystring = originalquerystring.replace('<', ' ').replace('>', ' '); // light xss protection
final String former = originalquerystring.replaceAll(Segment.catchallString, "*");
final CacheStrategy snippetFetchStrategy = CacheStrategy.parse(post.get("verify", sb.getConfig("search.verify", "")));
final String snippetFetchStrategyName = snippetFetchStrategy == null
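Review bot: The `replace('<', ' ').replace('>', ' ')` added after `String originalquerystring = post.get("query", …).trim();` duplicates verbatim the line added in yacysearch, so the two servlets can drift apart the next time the filtering rules change. A single shared helper, for example `static String stripAngleBrackets(String query)` (constructed name) in a class both servlets already import, would keep them consistent and give one place to document that the filter is a light input sanitisation and that HTML encoding of `former` still happens at output. Here too the variable could stay `final` by applying the replacement inside the initializer. The last statement of the hunk is cut off at `snippetFetchStrategy == null`, and the enclosing method continues outside the hunk.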
