author | Paul Arthur <paul.arthur@flowerysong.com> | 2012-03-09 14:02:50 -0500 |
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2012-03-09 14:02:50 -0500 |
commit | e8f4577d9a61ff3aeb721bffb1654977305e6feb (patch) | |
tree | 8ea0ca757fdafaab944a988987febe1de686db86 | |
parent | a7b336e3265fc59fa0c8ba56744178c7098699cf (diff) | |
download | ampache-e8f4577d9a61ff3aeb721bffb1654977305e6feb.tar.gz ampache-e8f4577d9a61ff3aeb721bffb1654977305e6feb.tar.bz2 ampache-e8f4577d9a61ff3aeb721bffb1654977305e6feb.zip |
Clean JSON output of user-controlled strings
JSON has some strict rules about what can be escaped, and we should have
been scrubbing to entities all along.
-rwxr-xr-x | docs/CHANGELOG | 2 | ||||
-rw-r--r-- | lib/javascript/search-data.php | 4 |
2 files changed, 5 insertions, 1 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index ee709d30..d00afa1f 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,8 @@
 --------------------------------------------------------------------------
 v.3.6-Alpha2
+ - Fixed JSON escaping issue that broke search in some cases
+ (reported by XeeNiX)
 - Added admin_enable_required option to user registration
 - Fixed session issue preventing some users from streaming (reported by miir01)
diff --git a/lib/javascript/search-data.php b/lib/javascript/search-data.php
index 11ef68d9..18432454 100644
--- a/lib/javascript/search-data.php
+++ b/lib/javascript/search-data.php
@@ -29,7 +29,9 @@ function arrayToJSON($array) {
 $json .= arrayToJSON($value);
 } else {
- $json .= '"' . $value . '"';
+ // Make sure to strip backslashes and convert things to
+ // entities in our output
+ $json .= '"' . scrub_out(str_replace('\\', '', $value)) . '"';
 }
 $json .= ' , ';
 } |
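Review bot: The added line in search-data.php still hand-builds the JSON string literal, so a raw newline, carriage return or other control character in $value reaches the output unescaped and produces invalid JSON, and stripping backslashes silently alters any value that legitimately contains one instead of escaping it. Replacing the concatenation with `$json .= json_encode($value);` yields a correctly escaped literal for every input and removes the need for both str_replace() and scrub_out() here. This assumes scrub_out() entity-encodes the double quote as its name suggests; if it does not, a quote in $value can still terminate the literal, so that is worth confirming. The enclosing arrayToJSON function begins and ends outside the hunk, so the code that later trims the trailing ' , ' separator is not visible here.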