From bfe6e00b147a7198badb5e21a0318cfff1886029 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Sun, 22 May 2022 20:57:45 +0200
Subject: [PATCH] Add use of AttrEscape() & json_encode(), fix reflected XSS, thanks to @dungtuanha
---
functions/ListOutput.fnc.php | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/functions/ListOutput.fnc.php b/functions/ListOutput.fnc.php
index 3755193b3..5ee57f028 100644
--- a/functions/ListOutput.fnc.php
+++ b/functions/ListOutput.fnc.php
@@ -377,12 +377,16 @@ function ListOutput( $result, $column_names, $singular = '.', $plural = '.', $li // Do not remove search URL due to document.URL = 'index.php' in old IE browsers. $search_URL = PreparePHP_SELF( $_REQUEST, [ 'LO_search' ] ); + $onkeypress_js = 'LOSearch(event, this.value, ' . json_encode( $search_URL ) . ');'; + + $onclick_js = 'LOSearch(event, $(\'#LO_search\').val(), ' . json_encode( $search_URL ) . ');'; + echo ' + '" placeholder="' . AttrEscape( _( 'Search' ) ) . + '" onkeypress="' . AttrEscape( $onkeypress_js ) . '" autocomplete="off" /> ';
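Review bot: The new `$onkeypress_js` and `$onclick_js` assignments have no comment recording why the URL is encoded in two layers, and that ordering is the substance of the XSS fix. `json_encode( $search_URL )` turns the request-derived URL into a JavaScript string literal, and `AttrEscape()` (presumably an HTML-attribute escaper; its body is not in this patch) is then applied to the whole handler. I would add above the two assignments `// Encode for the JS string context first, then AttrEscape() the whole handler for the HTML attribute; both layers are required.` Separately, `json_encode()` returns `false` on invalid UTF-8, which would emit a broken (not unsafe) handler; if `PreparePHP_SELF()` does not already URL-encode parameter values, passing `JSON_INVALID_UTF8_SUBSTITUTE` would keep the search box working. The markup lines of the `echo` are only partly visible here, so where `$onclick_js` is used could not be checked.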