Fixed bug: #5052: Form action URL is not htmlspecialchared (patch by Michael Stucki)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@2158 709f56b5-9817-0410-a4d7-c38de5d9e867

diff --git a/ChangeLog b/ChangeLog
index b346864..117f9cd 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2007-02-27  Oliver Hader  <oh@inpublica.de>
+
+       * Fixed bug: #5052: Form action URL is not htmlspecialchared (patch by Michael Stucki)
 
 2007-02-27  Martin Kutschker  <martin.t.kutschker@blackbox.net>
 

diff --git a/typo3/sysext/indexed_search/pi/class.tx_indexedsearch.php b/typo3/sysext/indexed_search/pi/class.tx_indexedsearch.php
index bc855c5..974e5c4 100755 (executable)
--- a/typo3/sysext/indexed_search/pi/class.tx_indexedsearch.php
+++ b/typo3/sysext/indexed_search/pi/class.tx_indexedsearch.php
@@ -1324,7 +1324,7 @@ class tx_indexedsearch extends tslib_pibase {
                        $html = $this->cObj->substituteSubpart($html, '###ADDITONAL_KEYWORD###', '');
                }
 
-               $markerArray['###ACTION_URL###'] = $this->pi_getPageLink($GLOBALS['TSFE']->id, $GLOBALS['TSFE']->sPre);
+               $markerArray['###ACTION_URL###'] = htmlspecialchars($this->pi_getPageLink($GLOBALS['TSFE']->id, $GLOBALS['TSFE']->sPre));
 
                $hiddenFieldCode = $this->cObj->getSubpart($this->templateCode, '###HIDDEN_FIELDS###');
                $hiddenFieldCode = preg_replace('/^\n\t(.+)/ms', '$1', $hiddenFieldCode);               // Remove first newline and tab (cosmetical issue)