Merge commit from fork

Escape some output in alsearch.php
jpatokal · Aug 22, 2024 · bbaa763 · bbaa763
2 parents 17273e9 + e7f5d81
commit bbaa763
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/php/alsearch.php b/php/alsearch.php
@@ -52,7 +52,7 @@
             sprintf(
                 _("A %s using the name or alias %s exists already."),
                 MODES_OPERATOR[$mode],
-                $name
+                htmlspecialchars($name)
             ));
         exit;
     }
@@ -77,7 +77,7 @@
                 sprintf(
                     _("A %s using the name or alias %s exists already."),
                     MODES_OPERATOR[$mode],
-                    $alias
+                    htmlspecialchars($alias)
                 ));
             exit;
         }
@@ -226,15 +226,15 @@
 if ($mode == "F" && $iatafilter != "false") {
     $filters[] = "iata NOT IN ('', 'N/A')";
 }
-if (!$offset) {
+if (!$offset || !is_int($offset)) {
     $offset = 0;
 }
 
 $sql = "SELECT * FROM airlines WHERE "  . implode(" AND ", $filters) . " ORDER BY name";
 
 $sth = $dbh->prepare($sql . " LIMIT 10 OFFSET " . $offset);
 if (!$sth->execute($filterParams)) {
-    die('0;' . sprintf(_('Operation %s failed.'), $action));
+    die('0;' . sprintf(_('Operation %s failed.'), htmlspecialchars($action)));
 }
 $sth2 = $dbh->prepare(str_replace("*", "COUNT(*)", $sql));
 $sth2->execute($filterParams);