Bugfix: Fully correct search context generation. Fixes #30.
Also, fixed a critical security issue in the search context generation which would allow an editor to inject code into the user's browser.
This commit is contained in:
parent
c5017919a1
commit
b8dd51d1a1
|
@ -2209,8 +2209,10 @@ register_module([
|
|||
{
|
||||
$link = "?page=" . rawurlencode($result["pagename"]);
|
||||
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
|
||||
|
||||
//echo("Extracting context for result " . $result["pagename"] . ".\n");
|
||||
$context = search::extract_context($_GET["query"], $pagesource);
|
||||
//echo("Generated search context for " . $result["pagename"] . ": $context\n");
|
||||
//echo("'Generated search context for " . $result["pagename"] . ": $context'\n");
|
||||
$context = search::highlight_context($_GET["query"], $context);
|
||||
/*if(strlen($context) == 0)
|
||||
{
|
||||
|
@ -2564,6 +2566,8 @@ class search
|
|||
return ($a[1] > $b[1]) ? +1 : -1;
|
||||
});
|
||||
|
||||
$sourceLength = strlen($source);
|
||||
|
||||
$contexts = [];
|
||||
$basepos = 0;
|
||||
$matches_count = count($matches);
|
||||
|
@ -2596,6 +2600,9 @@ class search
|
|||
$context_start = $group[0][1] - $settings->search_characters_context;
|
||||
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
|
||||
|
||||
if($context_start < 0) $context_start = 0;
|
||||
if($context_end > $sourceLength) $context_end = $sourceLength;
|
||||
|
||||
//echo("Got context. Start: $context_start, End: $context_end\n");
|
||||
//echo("Group:"); var_dump($group);
|
||||
|
||||
|
@ -2603,7 +2610,10 @@ class search
|
|||
|
||||
// Strip the markdown from the context - it's most likely going to
|
||||
// be broken anyway.
|
||||
$context = self::strip_markup($context);
|
||||
//$context = self::strip_markup($context);
|
||||
|
||||
// Escape special characters to protect against attacks
|
||||
$context = htmlentities($context);
|
||||
|
||||
$contexts[] = $context;
|
||||
|
|
@ -68,7 +68,7 @@
|
|||
"author": "Starbeamrainbowlabs",
|
||||
"description": "Adds proper search functionality to Pepperminty Wiki using an inverted index to provide a full text search engine. If pages don't show up, then you might have hit a stop word. If not, try requesting the `invindex-rebuild` action to rebuild the inverted index from scratch.",
|
||||
"id": "feature-search",
|
||||
"lastupdate": 1471604218,
|
||||
"lastupdate": 1471608025,
|
||||
"optional": false
|
||||
},
|
||||
{
|
|
@ -136,8 +136,10 @@ register_module([
|
|||
{
|
||||
$link = "?page=" . rawurlencode($result["pagename"]);
|
||||
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
|
||||
|
||||
//echo("Extracting context for result " . $result["pagename"] . ".\n");
|
||||
$context = search::extract_context($_GET["query"], $pagesource);
|
||||
//echo("Generated search context for " . $result["pagename"] . ": $context\n");
|
||||
//echo("'Generated search context for " . $result["pagename"] . ": $context'\n");
|
||||
$context = search::highlight_context($_GET["query"], $context);
|
||||
/*if(strlen($context) == 0)
|
||||
{
|
||||
|
@ -491,6 +493,8 @@ class search
|
|||
return ($a[1] > $b[1]) ? +1 : -1;
|
||||
});
|
||||
|
||||
$sourceLength = strlen($source);
|
||||
|
||||
$contexts = [];
|
||||
$basepos = 0;
|
||||
$matches_count = count($matches);
|
||||
|
@ -523,6 +527,9 @@ class search
|
|||
$context_start = $group[0][1] - $settings->search_characters_context;
|
||||
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
|
||||
|
||||
if($context_start < 0) $context_start = 0;
|
||||
if($context_end > $sourceLength) $context_end = $sourceLength;
|
||||
|
||||
//echo("Got context. Start: $context_start, End: $context_end\n");
|
||||
//echo("Group:"); var_dump($group);
|
||||
|
||||
|
@ -530,7 +537,10 @@ class search
|
|||
|
||||
// Strip the markdown from the context - it's most likely going to
|
||||
// be broken anyway.
|
||||
$context = self::strip_markup($context);
|
||||
//$context = self::strip_markup($context);
|
||||
|
||||
// Escape special characters to protect against attacks
|
||||
$context = htmlentities($context);
|
||||
|
||||
$contexts[] = $context;
|
||||
|
Loading…
Reference in New Issue