Bugfix: Fully correct search context generation. Fixes #30.
Also, fixed a critical security issue in the search context generation which would allow an editor to inject code into the user's browser.
parent
c5017919a1
commit
b8dd51d1a1
|
@ -2209,8 +2209,10 @@ register_module([
|
||||||
{
|
{
|
||||||
$link = "?page=" . rawurlencode($result["pagename"]);
|
$link = "?page=" . rawurlencode($result["pagename"]);
|
||||||
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
|
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
|
||||||
|
|
||||||
|
//echo("Extracting context for result " . $result["pagename"] . ".\n");
|
||||||
$context = search::extract_context($_GET["query"], $pagesource);
|
$context = search::extract_context($_GET["query"], $pagesource);
|
||||||
//echo("Generated search context for " . $result["pagename"] . ": $context\n");
|
//echo("'Generated search context for " . $result["pagename"] . ": $context'\n");
|
||||||
$context = search::highlight_context($_GET["query"], $context);
|
$context = search::highlight_context($_GET["query"], $context);
|
||||||
/*if(strlen($context) == 0)
|
/*if(strlen($context) == 0)
|
||||||
{
|
{
|
||||||
|
@ -2564,6 +2566,8 @@ class search
|
||||||
return ($a[1] > $b[1]) ? +1 : -1;
|
return ($a[1] > $b[1]) ? +1 : -1;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
$sourceLength = strlen($source);
|
||||||
|
|
||||||
$contexts = [];
|
$contexts = [];
|
||||||
$basepos = 0;
|
$basepos = 0;
|
||||||
$matches_count = count($matches);
|
$matches_count = count($matches);
|
||||||
|
@ -2596,6 +2600,9 @@ class search
|
||||||
$context_start = $group[0][1] - $settings->search_characters_context;
|
$context_start = $group[0][1] - $settings->search_characters_context;
|
||||||
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
|
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
|
||||||
|
|
||||||
|
if($context_start < 0) $context_start = 0;
|
||||||
|
if($context_end > $sourceLength) $context_end = $sourceLength;
|
||||||
|
|
||||||
//echo("Got context. Start: $context_start, End: $context_end\n");
|
//echo("Got context. Start: $context_start, End: $context_end\n");
|
||||||
//echo("Group:"); var_dump($group);
|
//echo("Group:"); var_dump($group);
|
||||||
|
|
||||||
|
@ -2603,7 +2610,10 @@ class search
|
||||||
|
|
||||||
// Strip the markdown from the context - it's most likely going to
|
// Strip the markdown from the context - it's most likely going to
|
||||||
// be broken anyway.
|
// be broken anyway.
|
||||||
$context = self::strip_markup($context);
|
//$context = self::strip_markup($context);
|
||||||
|
|
||||||
|
// Escape special characters to protect against attacks
|
||||||
|
$context = htmlentities($context);
|
||||||
|
|
||||||
$contexts[] = $context;
|
$contexts[] = $context;
|
||||||
|
|
|
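Review bot: The `htmlentities($context)` call added in the last hunk of this section relies on the default flags and charset, so on PHP versions before 8.1 single quotes pass through unescaped and invalid UTF-8 input comes back as an empty string; `$context = htmlentities($context, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");` pins both. The clamps added in the hunk above it work on `strlen()` byte offsets, so a context cut in the middle of a multi-byte character looks possible, though the slicing itself is outside the visible lines. In the first hunk `search::highlight_context($_GET["query"], $context)` still receives the raw query after the context has been escaped; its body is not shown, so it is worth confirming that it only wraps text already present in the escaped context and never writes the query string itself into the output. The same lines appear again in the third file section further down this page.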
@ -68,7 +68,7 @@
|
||||||
"author": "Starbeamrainbowlabs",
|
"author": "Starbeamrainbowlabs",
|
||||||
"description": "Adds proper search functionality to Pepperminty Wiki using an inverted index to provide a full text search engine. If pages don't show up, then you might have hit a stop word. If not, try requesting the `invindex-rebuild` action to rebuild the inverted index from scratch.",
|
"description": "Adds proper search functionality to Pepperminty Wiki using an inverted index to provide a full text search engine. If pages don't show up, then you might have hit a stop word. If not, try requesting the `invindex-rebuild` action to rebuild the inverted index from scratch.",
|
||||||
"id": "feature-search",
|
"id": "feature-search",
|
||||||
"lastupdate": 1471604218,
|
"lastupdate": 1471608025,
|
||||||
"optional": false
|
"optional": false
|
||||||
},
|
},
|
||||||
{
|
{
|
|
@ -136,8 +136,10 @@ register_module([
|
||||||
{
|
{
|
||||||
$link = "?page=" . rawurlencode($result["pagename"]);
|
$link = "?page=" . rawurlencode($result["pagename"]);
|
||||||
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
|
$pagesource = file_get_contents($env->storage_prefix . $result["pagename"] . ".md");
|
||||||
|
|
||||||
|
//echo("Extracting context for result " . $result["pagename"] . ".\n");
|
||||||
$context = search::extract_context($_GET["query"], $pagesource);
|
$context = search::extract_context($_GET["query"], $pagesource);
|
||||||
//echo("Generated search context for " . $result["pagename"] . ": $context\n");
|
//echo("'Generated search context for " . $result["pagename"] . ": $context'\n");
|
||||||
$context = search::highlight_context($_GET["query"], $context);
|
$context = search::highlight_context($_GET["query"], $context);
|
||||||
/*if(strlen($context) == 0)
|
/*if(strlen($context) == 0)
|
||||||
{
|
{
|
||||||
|
@ -491,6 +493,8 @@ class search
|
||||||
return ($a[1] > $b[1]) ? +1 : -1;
|
return ($a[1] > $b[1]) ? +1 : -1;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
$sourceLength = strlen($source);
|
||||||
|
|
||||||
$contexts = [];
|
$contexts = [];
|
||||||
$basepos = 0;
|
$basepos = 0;
|
||||||
$matches_count = count($matches);
|
$matches_count = count($matches);
|
||||||
|
@ -523,6 +527,9 @@ class search
|
||||||
$context_start = $group[0][1] - $settings->search_characters_context;
|
$context_start = $group[0][1] - $settings->search_characters_context;
|
||||||
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
|
$context_end = $group[count($group) - 1][1] + $settings->search_characters_context;
|
||||||
|
|
||||||
|
if($context_start < 0) $context_start = 0;
|
||||||
|
if($context_end > $sourceLength) $context_end = $sourceLength;
|
||||||
|
|
||||||
//echo("Got context. Start: $context_start, End: $context_end\n");
|
//echo("Got context. Start: $context_start, End: $context_end\n");
|
||||||
//echo("Group:"); var_dump($group);
|
//echo("Group:"); var_dump($group);
|
||||||
|
|
||||||
|
@ -530,7 +537,10 @@ class search
|
||||||
|
|
||||||
// Strip the markdown from the context - it's most likely going to
|
// Strip the markdown from the context - it's most likely going to
|
||||||
// be broken anyway.
|
// be broken anyway.
|
||||||
$context = self::strip_markup($context);
|
//$context = self::strip_markup($context);
|
||||||
|
|
||||||
|
// Escape special characters to protect against attacks
|
||||||
|
$context = htmlentities($context);
|
||||||
|
|
||||||
$contexts[] = $context;
|
$contexts[] = $context;
|
||||||
|
|
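Review bot: The comment beginning `// Strip the markdown from the context` now sits above a commented-out `strip_markup` call in the last hunk of this section, so it describes behaviour the code no longer has and raw markdown syntax will presumably show up in the result snippets. Either delete the dead line and reword the comment, for example `// Markdown is left as-is here; the context is HTML-escaped below.`, or restore the call ahead of the escaping if stripped output is still wanted. The commented-out `echo` debug lines added in the first hunk of the section could be dropped in the same pass. The same applies to the first file section on this page.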