@@ -35,6 +35,9 @@ sub LocalSearch ($) {
3535 my %params = exists $ArgRef -> {-cgiparams} ? %{$ArgRef -> {-cgiparams}} : ();
3636 my $NoXMLHead = exists $ArgRef -> {-noxmlhead} ? $ArgRef -> {-noxmlhead} : $FALSE ;
3737
38+ use CGI::Untaint;
39+ require " UntaintInput.pm"
40+
3841 require " FSUtilities.pm"
3942 require " WebUtilities.pm"
4043 require " Utilities.pm"
@@ -58,58 +61,61 @@ sub LocalSearch ($) {
5861
5962 # ## Pull info out of params into local variables
6063
61- my $OutFormat = $params {outformat } || " HTML"
62-
63- $InnerLogic = $params {innerlogic } || " OR"
64- $OuterLogic = $params {outerlogic } || " AND"
65-
66- $TitleSearch = $params {titlesearch };
67- $TitleSearchMode = $params {titlesearchmode };
68- $AbstractSearch = $params {abstractsearch };
69- $AbstractSearchMode = $params {abstractsearchmode };
70- $KeywordSearch = $params {keywordsearch };
71- $KeywordSearchMode = $params {keywordsearchmode };
72- $RevisionNoteSearch = $params {revisionnotesearch };
73- $RevisionNoteSearchMode = $params {revisionnotesearchmode };
74- $PubInfoSearch = $params {pubinfosearch };
75- $PubInfoSearchMode = $params {pubinfosearchmode };
76- $FileSearch = $params {filesearch };
77- $FileSearchMode = $params {filesearchmode };
78- $FileDescSearch = $params {filedescsearch };
79- $FileDescSearchMode = $params {filedescsearchmode };
80- $FileContSearch = $params {filecontsearch };
81- $FileContSearchMode = $params {filecontsearchmode };
82-
83- my $AuthorManual = $params {authormanual };
84- @RequesterSearchIDs = split /\0/,$params {requestersearch };
85- @AuthorSearchIDs = split /\0/,$params {authors };
86- @TypeSearchIDs = split /\0/,$params {doctypemulti };
87-
88- my @TopicSearchIDs = split /\0/,$params {topics };
89- my $IncludeSubTopics = $params {includesubtopics };
64+ my $Untaint = CGI::Untaint -> new(%params );
65+
66+ my $OutFormat = $Untaint -> extract(-as_printable => " outformat" " HTML"
67+
68+ $InnerLogic = $Untaint -> extract(-as_printable => " innerlogic" " OR"
69+ $OuterLogic = $Untaint -> extract(-as_printable => " outerlogic" " AND"
70+
71+ $TitleSearch = $Untaint -> extract(-as_printable => " titlesearch"
72+ $TitleSearchMode = $Untaint -> extract(-as_printable => " titlesearchmode"
73+ $AbstractSearch = $Untaint -> extract(-as_printable => " abstractsearch"
74+ $AbstractSearchMode = $Untaint -> extract(-as_printable => " abstractsearchmode"
75+ $KeywordSearch = $Untaint -> extract(-as_printable => " keywordsearch"
76+ $KeywordSearchMode = $Untaint -> extract(-as_printable => " keywordsearchmode"
77+ $RevisionNoteSearch = $Untaint -> extract(-as_printable => " revisionnotesearch"
78+ $RevisionNoteSearchMode = $Untaint -> extract(-as_printable => " revisionnotesearchmode"
79+ $PubInfoSearch = $Untaint -> extract(-as_printable => " pubinfosearch"
80+ $PubInfoSearchMode = $Untaint -> extract(-as_printable => " pubinfosearchmode"
81+ $FileSearch = $Untaint -> extract(-as_printable => " filesearch"
82+ $FileSearchMode = $Untaint -> extract(-as_printable => " filesearchmode"
83+ $FileDescSearch = $Untaint -> extract(-as_printable => " filedescsearch"
84+ $FileDescSearchMode = $Untaint -> extract(-as_printable => " filedescsearchmode"
85+ $FileContSearch = $Untaint -> extract(-as_printable => " filecontsearch"
86+ $FileContSearchMode = $Untaint -> extract(-as_printable => " filecontsearchmode"
87+
88+ my $AuthorManual = $Untaint -> extract(-as_printable => " authormanual"
89+
90+ @RequesterSearchIDs = @{ $Untaint -> extract(-as_listofint => " requestersearch" undef };
91+ @AuthorSearchIDs = @{ $Untaint -> extract(-as_listofint => " authors" undef };
92+ @TypeSearchIDs = @{ $Untaint -> extract(-as_listofint => " doctypemulti" undef };
93+
94+ my @TopicSearchIDs = @{ $Untaint -> extract(-as_listofint => " topics" undef };
95+ my $IncludeSubTopics = $Untaint -> extract(-as_printable => " includesubtopics"
9096 if ($IncludeSubTopics ) {
9197 $IncludeSubTopics = $TRUE ;
9298 }
9399
94100 push @DebugStack ," Searching for topics " join ' , ' @TopicSearchIDs ;
95- my @EventSearchIDs = split /\0/, $params { events };
96- my @EventGroupSearchIDs = split /\0/, $params { eventgroups };
101+ my @EventSearchIDs = @{ $Untaint -> extract(- as_listofint => " events" ) || undef };
102+ my @EventGroupSearchIDs = @{ $Untaint -> extract(- as_listofint => " eventgroups" ) || undef };
97103
98104 # ## Parameters for simple search
99105
100- my $Simple = $params { simple } ;
101- my $SimpleText = $params { simpletext } ;
106+ my $Simple = $Untaint -> extract(- as_integer => " simple" ) ;
107+ my $SimpleText = $Untaint -> extract(- as_printable => " simpletext" ) ;
102108
103109 # ## Purify input (remove punctuation)
104110
105- # $SimpleText =~ s/[^\s\w+-\.]//go;
106- # $TitleSearch =~ s/[^\s\w+-\.]//go;
107- # $AbstractSearch =~ s/[^\s\w+-\.]//go;
108- # $KeywordSearch =~ s/[^\s\w+-\.]//go;
109- # $RevisionNoteSearch =~ s/[^\s\w+-\.]//go;
110- # $PubInfoSearch =~ s/[^\s\w+-\.]//go;
111- # $FileSearch =~ s/[^\s\w+-\.]//go;
112- # $FileDescSearch =~ s/[^\s\w+-\.]//go;
111+ $SimpleText =~ s /\s\w +-\. ]// go
112+ $TitleSearch =~ s /\s\w +-\. ]// go
113+ $AbstractSearch =~ s /\s\w +-\. ]// go
114+ $KeywordSearch =~ s /\s\w +-\. ]// go
115+ $RevisionNoteSearch =~ s /\s\w +-\. ]// go
116+ $PubInfoSearch =~ s /\s\w +-\. ]// go
117+ $FileSearch =~ s /\s\w +-\. ]// go
118+ $FileDescSearch =~ s /\s\w +-\. ]// go
113119 $FileContSearch =~ s /\s\w +-\. ]// go # No idea what they'd do with special characters, best to remove
114120
115121 GetTopics();
@@ -122,7 +128,7 @@ sub LocalSearch ($) {
122128 }
123129 NewXMLOutput();
124130 } else {
125- my @Scripts = (" jquery/jquery-3.0.0 .min" " jquery/jquery.tablesorter.min" " jquery/jquery.tablesorter.widgets"
131+ my @Scripts = (" jquery/jquery-3.5.1.slim .min" " jquery/jquery.tablesorter.min" " jquery/jquery.tablesorter.widgets"
126132 @JQueryElements = (" tablesorter"
127133 push @Scripts ," JQueryReady"
128134
@@ -180,25 +186,25 @@ sub LocalSearch ($) {
180186 }
181187 }
182188
183- $Afterday = $params { afterday } ;
184- $Aftermonth = $params { aftermonth } ;
185- $Afteryear = $params { afteryear } ;
189+ $Afterday = $Untaint -> extract(- as_printable => " afterday" ) ;
190+ $Aftermonth = $Untaint -> extract(- as_printable => " aftermonth" ) ;
191+ $Afteryear = $Untaint -> extract(- as_printable => " afteryear" ) ;
186192 if ($Afteryear && $Afteryear ne " ----"
187193 if ($Aftermonth eq " ---" $Aftermonth = " Jan"
188194 if ($Afterday eq " --" $Afterday = " 1"
189195 $SQLBegin = " $Afteryear -$ReverseAbrvMonth {$Aftermonth }-$Afterday "
190196 }
191197
192- $Beforeday = $params { beforeday } ;
193- $Beforemonth = $params { beforemonth } ;
194- $Beforeyear = $params { beforeyear } ;
198+ $Beforeday = $Untaint -> extract(- as_printable => " beforeday" ) ;
199+ $Beforemonth = $Untaint -> extract(- as_printable => " beforemonth" ) ;
200+ $Beforeyear = $Untaint -> extract(- as_printable => " beforeyear" ) ;
195201 if ($Beforeyear && $Beforeyear ne " ----"
196202 if ($Beforemonth eq " ---" $Beforemonth = " Dec"
197203 if ($Beforeday eq " --" $Beforeday = DaysInMonth($ReverseAbrvMonth {$Beforemonth },$Beforeyear );}
198204 $SQLEnd = " $Beforeyear -$ReverseAbrvMonth {$Beforemonth }-$Beforeday "
199205 }
200206
201- my $Mode = $params { mode } ;
207+ my $Mode = $Untaint -> extract(- as_printable => " mode" ) ;
202208 unless ($Mode eq " date" or $Mode eq " meeting" or $Mode eq " conference" or $Mode eq " title"
203209 $Mode = " date"
204210 }
0 commit comments