From 05ac39a74067724fb5982016f1c9253486d2ceaa Mon Sep 17 00:00:00 2001
From: John Flatness <john@zerocrates.org>
Date: Wed, 17 Mar 2021 17:05:47 -0400
Subject: [PATCH] Fix unescaped query on cross-site search results

(fix #1698)
---
 application/view/common/cross-site-search/item-results.phtml  | 2 +-
 .../view/common/cross-site-search/item-set-results.phtml      | 2 +-
 application/view/common/cross-site-search/results.phtml       | 2 +-
 .../view/common/cross-site-search/site-page-results.phtml     | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/application/view/common/cross-site-search/item-results.phtml b/application/view/common/cross-site-search/item-results.phtml
index 15cceef06e..17e2585253 100644
--- a/application/view/common/cross-site-search/item-results.phtml
+++ b/application/view/common/cross-site-search/item-results.phtml
@@ -5,7 +5,7 @@
     ['class' => 'advanced-search']
 ); ?>
 
-<h2><?php echo sprintf($this->translate('Item results for "%s"'), $fulltextSearch); ?></h2>
+<h2><?php echo sprintf($this->translate('Item results for "%s"'), $this->escapeHtml($fulltextSearch)); ?></h2>
 
 <?php echo $this->pagination(); ?>
 
diff --git a/application/view/common/cross-site-search/item-set-results.phtml b/application/view/common/cross-site-search/item-set-results.phtml
index eaded79edd..d7c5b20ce6 100644
--- a/application/view/common/cross-site-search/item-set-results.phtml
+++ b/application/view/common/cross-site-search/item-set-results.phtml
@@ -5,7 +5,7 @@
     ['class' => 'advanced-search']
 ); ?>
 
-<h2><?php echo sprintf($this->translate('Item set results for "%s"'), $fulltextSearch); ?></h2>
+<h2><?php echo sprintf($this->translate('Item set results for "%s"'), $this->escapeHtml($fulltextSearch)); ?></h2>
 
 <?php echo $this->pagination(); ?>
 
diff --git a/application/view/common/cross-site-search/results.phtml b/application/view/common/cross-site-search/results.phtml
index 2debb46e9b..e6879c341d 100644
--- a/application/view/common/cross-site-search/results.phtml
+++ b/application/view/common/cross-site-search/results.phtml
@@ -3,7 +3,7 @@ $fulltextSearch = $this->params()->fromQuery('fulltext_search');
 $hasResults = false;
 ?>
 
-<h2><?php echo sprintf($this->translate('Search results for “%s”'), $fulltextSearch); ?></h2>
+<h2><?php echo sprintf($this->translate('Search results for “%s”'), $this->escapeHtml($fulltextSearch)); ?></h2>
 
 <?php
 if ($responseSitePages && $responseSitePages->getTotalResults()):
diff --git a/application/view/common/cross-site-search/site-page-results.phtml b/application/view/common/cross-site-search/site-page-results.phtml
index 12212ed850..8aa996e596 100644
--- a/application/view/common/cross-site-search/site-page-results.phtml
+++ b/application/view/common/cross-site-search/site-page-results.phtml
@@ -1,6 +1,6 @@
 <?php $fulltextSearch = $this->params()->fromQuery('fulltext_search'); ?>
 
-<h2><?php echo sprintf($this->translate('Site page results for "%s"'), $fulltextSearch); ?></h2>
+<h2><?php echo sprintf($this->translate('Site page results for "%s"'), $this->escapeHtml($fulltextSearch)); ?></h2>
 
 <div class="site results">
     <ul>
@@ -12,4 +12,4 @@
         </li>
     <?php endforeach; ?>
     </ul>
-</div>
\ No newline at end of file
+</div>