From 1b2c2666493f6160fe4742370f62d6e1dc73fa84 Mon Sep 17 00:00:00 2001
From: Nathan Kinkade <nath@nkinka.de>
Date: Fri, 14 Mar 2014 23:56:30 +0000
Subject: Fixed some escaping problems which were perhaps insecure and
 definitely causing validation problems.

---
 templates/food_search.tpl | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/templates/food_search.tpl b/templates/food_search.tpl
index e265360..7d8b26d 100644
--- a/templates/food_search.tpl
+++ b/templates/food_search.tpl
@@ -12,7 +12,7 @@
 {if isset($searchResults)}
 			<div style='margin-top: 2ex;'>
 				The following items matched your search.
-				Select one, or <a href='/?{$smarty.server.QUERY_STRING}'>refine your search</a>.
+				Select one, or <a href='/?{$smarty.server.QUERY_STRING|escape:"url"}'>refine your search</a>.
 			</div>
 			<div style='margin-top: 2ex;'>
 	{if $sortType == "Category"}
@@ -21,11 +21,11 @@
 			{foreach from=$foodCat.searchResults item=searchResult}
 				<div>
 				{if $category == "userFood"}
-					<a href='view_food?{$searchResult.food}&description={$searchResult.foodDesc}'>{$searchResult.foodDesc}</a>
+					<a href='view_food?{$searchResult.food|escape:"url"}&amp;description={$searchResult.foodDesc|escape:"url"}'>{$searchResult.foodDesc|escape:"html"}</a>
 				{elseif $category == "userMeal"}
-					<a href='view_meal?meal={$searchResult.food}&description={$searchResult.foodDesc}'>{$searchResult.foodDesc}</a>
+					<a href='view_meal?meal={$searchResult.food|escape:"url"}&amp;description={$searchResult.foodDesc|escape:"url"}'>{$searchResult.foodDesc|escape:"html"}</a>
 				{else}
-					<a href='food_quantity?food={$searchResult.food}'>{$searchResult.foodDesc}</a>
+					<a href='food_quantity?food={$searchResult.food|escape:"url"}'>{$searchResult.foodDesc|escape:"html"}</a>
 				{/if}
 				</div>
 			{/foreach}
@@ -34,11 +34,11 @@
 		{foreach from=$searchResults item=searchResult}
 				<div>	
 			{if $searchResult.category == "userFood"}
-					<a href='view_food?{$searchResult.food}&description={$searchResult.foodDesc|escape:"html"}'>{$searchResult.foodDesc|escape:"html"}</a>
+					<a href='view_food?{$searchResult.food|escape:"url"}&amp;description={$searchResult.foodDesc|escape:"url"}'>{$searchResult.foodDesc|escape:"html"}</a>
 			{elseif $searchResult.category == "userMeal"}
-					<a href='view_meal?meal={$searchResult.food}&description={$searchResult.foodDesc|escape:"html"}'>{$searchResult.foodDesc|escape:"html"}</a>
+					<a href='view_meal?meal={$searchResult.food|escape:"url"}&amp;description={$searchResult.foodDesc|escape:"url"}'>{$searchResult.foodDesc|escape:"html"}</a>
 			{else}
-					<a href='food_quantity?food={$searchResult.food}'>{$searchResult.foodDesc|escape:"html"}</a>
+					<a href='food_quantity?food={$searchResult.food|escape:"url"}'>{$searchResult.foodDesc|escape:"html"}</a>
 			{/if}
 				</div>
 		{/foreach}
-- 
cgit v1.2.3