fix(RssHander+EntryManager): sanitize id from GET + SQL call

tools/bazar/handlers/RssHandler.php

@@ -16,10 +16,13 @@ public function run()
 
         $urlrss = $this->wiki->href('rss');
         if (isset($_GET['id'])) {
-            $id = $_GET['id'];
-            $urlrss .= '&id='.$id;
+            $id = filter_input(INPUT_GET, 'id', FILTER_UNSAFE_RAW);
+            $id = ($id === false) ? "" : htmlspecialchars(strip_tags($id));
         } elseif (isset($_GET['id_typeannonce'])) {
-            $id = $_GET['id_typeannonce'];
+            $id = filter_input(INPUT_GET, 'id_typeannonce', FILTER_UNSAFE_RAW);
+            $id = ($id === false) ? "" : htmlspecialchars(strip_tags($id));
+        }
+        if (!empty($id) && strval($id) == strval(intval($id))) {
             $urlrss .= '&id='.$id;
         } else {
             $id = '';

tools/bazar/services/EntryManager.php

@@ -193,11 +193,14 @@ private function prepareSearchRequest(&$params = [], bool $filterOnReadACL = fal
         if (!empty($params['formsIds'])) {
             if (is_array($params['formsIds'])) {
                 $requete .= ' AND (' . join(' OR ', array_map(function ($formId) {
-                    return 'body LIKE \'%"id_typeannonce":"' . $formId . '"%\'';
-                }, $params['formsIds'])).') ';
-            } else {
+                    return 'body LIKE \'%"id_typeannonce":"' . $this->dbService->escape(strval($formId)) . '"%\'';
+                }, array_filter(
+                    $params['formsIds'],
+                    'is_scalar'
+                ))).') ';
+            } elseif (is_scalar($params['formsIds'])) {
                 // on a une chaine de caractere pour l'id plutot qu'un tableau
-                $requete .= ' AND body LIKE \'%"id_typeannonce":"' . $params['formsIds'] . '"%\'';
+                $requete .= ' AND body LIKE \'%"id_typeannonce":"' . $this->dbService->escape(strval($params['formsIds'])) . '"%\'';
             }
         }