Bug #23214 Clarification Requested

Addons.php should check if get_post(‘search’) is a string before running it through htmlentities

Version: 3.5.11 Reporter: Matt Weinberg

Hello,

I’m with DevDemon. We use the “search” POST param in AJAX requests in some addons. It looks like Addons.php line 72 assumes “search” will always be a string:

ee()->view->search_value = htmlentities(ee()->input->get_post('search'), ENT_QUOTES, 'UTF-8');

We use it as an array so get “htmlentities() expects parameter 1 to be string, array given” if the server has PHP debugging turned on. I fixed it on a specific copy with:

if (is_string(ee()->input->get_post('search'))) {
    ee()->view->search_value = htmlentities(ee()->input->get_post('search'), ENT_QUOTES, 'UTF-8');
}

You might want to consider updating this for future versions. Thanks!

  • I too am running into this issue.

    Chris Davies
    21st October, 2017 at 9:00am
  • It looks like that was added for security, so I’m hesitant to skip it entirely. Wondering if a callback to apply it to the array values would work for what you need?

    Robin Sowell
    31st October, 2017 at 12:24pm
  • Can you guys walk me through how you’re using the search that it’s dealing with an array at that point in the code? We’re wondering if there isn’t a better way to achieve the end goal.

    Robin Sowell
    31st October, 2017 at 12:36pm
  • A bunch of DevDemon addons use “search” as an array key for a bunch of search parameters, so it’s an array key with an array value.

    A callback that applies it to array values would be fine. From our perspective you can do whatever you want with it, as long as you’re not modifying it. But if any add-on uses “search” as a get/post var key then the current code as-is would break.

    Matt Weinberg
    31st October, 2017 at 12:44pm
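Added example of the callback approach discussed above (this is not ExpressionEngine's or DevDemon's code): a hypothetical helper that keeps the escaping the original line applies to a string, and, when the value is an array, applies the same escaping to every leaf value so nothing unescaped reaches the view. The sample inputs are constructed; `ee()->input->get_post('search')` is the call from the report.

```php
<?php
// Hypothetical helper, not part of Addons.php. Escapes a value the way the
// original line does for strings, and recurses into arrays so each nested
// string is escaped while keys and structure are left untouched.
function escapeSearchValue($value)
{
    if (is_array($value)) {
        // array_map preserves string keys, so "search[keyword]" style
        // parameters keep their names and only the values are escaped.
        return array_map('escapeSearchValue', $value);
    }

    // Scalars (and a missing param, which ExpressionEngine's get_post()
    // returns as FALSE) are cast to string, matching what htmlentities()
    // did with them before. The output stays safe to echo into the view.
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for ee()->input->get_post('search').
$asString = "O'Reilly <b>";
$asArray  = [
    'keyword' => '<script>alert(1)</script>',
    'filters' => ['channel' => 'news & events', 'status' => 'open'],
];
$missing  = false;

print_r(escapeSearchValue($asString));
echo PHP_EOL;
print_r(escapeSearchValue($asArray));
print_r(escapeSearchValue($missing));
echo PHP_EOL;

// The view assignment from the report would then read, for either shape:
// ee()->view->search_value = escapeSearchValue(ee()->input->get_post('search'));
```

Because the helper never drops the value or changes the array shape, an add-on that reads its own “search” array later still sees the same keys, while any string that ends up rendered in the control panel has been passed through the same `htmlentities()` call the original line used.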

