From bd12dc8684088fcaa8fc4fd3a4044223e39b5820 Mon Sep 17 00:00:00 2001
From: Carsten  Rose <carsten.rose@math.uzh.ch>
Date: Sun, 21 Jan 2018 10:09:17 +0100
Subject: [PATCH] #5030, Manual.rst: Fixed example with XSS vulnerability.

---
 extension/Documentation/Manual.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extension/Documentation/Manual.rst b/extension/Documentation/Manual.rst
index 79970869e..4e6b5c284 100644
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -3914,11 +3914,11 @@ QFQ content record::
     head = <form action='#' method='get'><input type='hidden' name='id' value='{{pageId:T}}'>Search: <input type='text' name='search' value='{{search:CE:all}}'><input type='submit' value='Submit'></form>
   }
 
-  # SQL statement will find and list all the relevant forms
+  # SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanatized.
   20 {
     sql = SELECT CONCAT('?detail&form=form&r=', f.id) AS _Pagee, f.id, f.name, f.title
               FROM Form AS f
-              WHERE f.name LIKE  '%{{search:CE:all}}%'
+              WHERE f.name LIKE  '%{{search:CE:alnumx}}%'
     head = <table class='table'>
     tail = </table>
     rbeg = <tr>
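Review bot: The form snippet on the first context line of the hunk still places `{{search:CE:all}}` unescaped inside the `value` attribute of the search input, so the reflected parameter the new comment warns about is, as far as this hunk shows, still substituted raw into the record's `head` HTML; only the SQL `LIKE` pattern was switched to the `alnumx` sanitize class. If `alnumx` is the intended treatment for this parameter, the same class presumably belongs in the form as well, `... name='search' value='{{search:CE:alnumx}}' ...`, or the comment should say why the raw value is considered safe in that attribute. The added comment also has a typo, `sanatized` should read `sanitized`, and it would help readers to note that the `alnumx` change on the `WHERE` line mainly constrains what reaches the SQL pattern, while the attribute in `head` is the output that the "cross site scripting door" refers to. The enclosing QFQ content record starts before the hunk.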
-- 
GitLab