From 364c0565a28b84c5aae490b9f2d76ad3bd990a41 Mon Sep 17 00:00:00 2001
From: bendem
Date: Fri, 20 Jan 2023 10:08:49 +0100
Subject: [PATCH] don't apply preventXSS on 'filter' parameters in export and search (#168)

fixes #98
---
 htdocs/copy.php | 2 +-
 htdocs/export_form.php | 2 +-
 lib/Query.php | 2 +-
 lib/export_functions.php | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/htdocs/copy.php b/htdocs/copy.php
index fad7d92..507e8b8 100644
--- a/htdocs/copy.php
+++ b/htdocs/copy.php
@@ -41,7 +41,7 @@ $request['recursive'] = (get_request('recursive') == 'on') ? true : false;
 $request['remove'] = (get_request('remove') == 'yes') ? true : false;
 if ($request['recursive']) {
-	$filter = get_request('filter','POST',false,'(objectClass=*)');
+	$filter = get_request('filter','POST',false,'(objectClass=*)',false);
 
 	# Build a tree similar to that of the tree browser to give to r_copy_dn
 	$ldap['tree'] = array();
diff --git a/htdocs/export_form.php b/htdocs/export_form.php
index 64d856f..c18e803 100755
--- a/htdocs/export_form.php
+++ b/htdocs/export_form.php
@@ -17,7 +17,7 @@ $request['dn'] = get_request('dn','GET',false,'');
 $request['format'] = get_request('format','GET',false,get_line_end_format());
 $request['scope'] = get_request('scope','GET',false,'base');
 $request['exporter_id'] = get_request('exporter_id','GET',false,'LDIF');
-$request['filter'] = get_request('filter','GET',false,'(objectClass=*)');
+$request['filter'] = get_request('filter','GET',false,'(objectClass=*)',false);
 $request['attr'] = get_request('attributes','GET',false,'*');
 $request['sys_attr'] = get_request('sys_attr','GET') ? true: false;
 
diff --git a/lib/Query.php b/lib/Query.php
index cc2a4f3..c79940f 100644
--- a/lib/Query.php
+++ b/lib/Query.php
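Review bot: The bare trailing `false` added to the `get_request('filter','POST',...)` line in copy.php is undocumented, and nothing in the hunk says what it switches off; only the commit subject suggests it is the preventXSS escaping, so the next maintainer who greps for unescaped request reads will be tempted to "fix" it back. Put the reason on the line itself, e.g. `# Raw LDAP filter on purpose: HTML-escaping corrupts '&', '<', '>' inside filters (#98); escape at the output sink instead.` If the project targets PHP 8, a named argument for that fifth parameter (whatever get_request calls it — its signature is not visible here) would make the intent self-evident without a comment. The enclosing `if ($request['recursive'])` block continues past the hunk.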
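Review bot: In export_form.php, `$request['filter']` on the changed `GET` line now holds the raw query-string value, and this script exists to render a form, so every place that echoes the filter back into the page (the filter input's `value` attribute, any error text that repeats it) must escape at that sink — a link carrying a filter containing `"><` would otherwise reach the HTML unescaped, which the removed input-side escaping happened to prevent. The rendering code is outside the hunk, so I cannot confirm whether it already escapes; the check to add or verify there is `htmlspecialchars($request['filter'], ENT_QUOTES, 'UTF-8')` (or the project's existing output helper), not a re-escape here. Note that the neighbouring `dn` line still uses the default escaping, so a DN containing `&` or `<` presumably has the same mangling problem as #98; either treat it the same way or document why only the filter is exempt.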
@@ -134,7 +134,7 @@ class Query extends xmlTemplate {
 	# If this is a custom search, we need to populate are paramters
 		if ($this->getID() == 'none') {
 			$bases = get_request('base','REQUEST',false,null);
-			$query['filter'] = get_request('filter','REQUEST',false,'objectClass=*');
+			$query['filter'] = get_request('filter','REQUEST',false,'objectClass=*',false);
 			$query['scope'] = get_request('scope','REQUEST',false,'sub');
 			$attrs = get_request('display_attrs','REQUEST',false,'');
 
diff --git a/lib/export_functions.php b/lib/export_functions.php
index 7f08b87..c7edad7 100644
--- a/lib/export_functions.php
+++ b/lib/export_functions.php
@@ -125,7 +125,7 @@ abstract class Export {
 		$query = array();
 		$base = get_request('dn','REQUEST');
 		$query['baseok'] = true;
-		$query['filter'] = get_request('filter','REQUEST',false,'objectclass=*');
+		$query['filter'] = get_request('filter','REQUEST',false,'objectclass=*',false);
 		$query['scope'] = get_request('scope','REQUEST',false,'base');
 		$query['deref'] = $_SESSION[APPCONFIG]->getValue('deref','export');
 		$query['size_limit'] = 0;
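Review bot: In Query.php the filter is read from `'REQUEST'` without escaping, so it arrives via a GET link as readily as via the search form, and the custom-search results view customarily repeats the filter to the user; each such echo, including the error path when the LDAP server rejects a malformed filter, now has to run through `htmlspecialchars(..., ENT_QUOTES)` itself, and that rendering code is outside this hunk so it needs checking rather than assuming. Sending the raw value to the LDAP search is the intent of the change and is the right layer — HTML escaping never belonged in a filter — but a comment on the changed line such as `# raw LDAP filter (see #98); HTML-escape only where it is displayed` would stop the flag being reverted. Also, the default here is `'objectClass=*'` without parentheses whereas copy.php and export_form.php default to `'(objectClass=*)'`; if the LDAP layer does not normalise that, the defaults diverge and are worth aligning. The enclosing `if ($this->getID() == 'none')` block and its method extend past the hunk.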
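Review bot: In export_functions.php the unescaped `$query['filter']` from `'REQUEST'` now flows into whatever the concrete exporter emits, and if any exporter writes the filter into its output (a header comment in LDIF, an element in DSML, which is XML) the old htmlspecialchars pass was incidentally making that text XML-safe; that emission code is outside the hunk, so verify it escapes per its own format (e.g. `htmlspecialchars($query['filter'], ENT_QUOTES | ENT_XML1)` for DSML) or does not include the filter at all. `$base` two lines up is still read with escaping on, so a DN with `&` in it is presumably still mangled for export the way filters were in #98 — either apply the same change or leave a comment explaining the asymmetry. The default `'objectclass=*'` differs in both case and parentheses from the other three hunks; harmless only if the LDAP layer wraps bare filters, so consider aligning it. The enclosing method of `abstract class Export` continues past the hunk.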