Commit bd12dc86 authored by Carsten  Rose's avatar Carsten Rose

#5030, Manual.rst: Fixed example with XSS vulnerability.

parent 21af30b0
......@@ -3914,11 +3914,11 @@ QFQ content record::
head = <form action='#' method='get'><input type='hidden' name='id' value='{{pageId:T}}'>Search: <input type='text' name='search' value='{{search:CE:all}}'><input type='submit' value='Submit'></form>
}
# SQL statement will find and list all the relevant forms
# SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanatized.
20 {
sql = SELECT CONCAT('?detail&form=form&r=', f.id) AS _Pagee, f.id, f.name, f.title
FROM Form AS f
WHERE f.name LIKE '%{{search:CE:all}}%'
WHERE f.name LIKE '%{{search:CE:alnumx}}%'
head = <table class='table'>
tail = </table>
rbeg = <tr>
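Review bot: The unchanged `head` line at the top of the hunk still renders `{{search:CE:all}}` into the search input's `value` attribute, so — reading the second line of each old/new pair as the new side — the commit narrows the sanitize class only in the SQL `LIKE` pattern while the HTML echo of the same `search` parameter keeps the permissive `all` class, and that attribute is the more direct cross-site-scripting sink in this example. Applying the same class to both occurrences, `value='{{search:CE:alnumx}}'` in the `head` line, would make the example consistent with its own warning; if the HTML echo is meant to stay unrestricted, the comment should say why. The new comment line also misspells "sanitized" as `sanatized`. Since this is documentation that readers will copy verbatim, it is worth stating which occurrences of the parameter the sanitize class protects rather than only that it "needs to be sanitized".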