From a0ffd04bfb13207882724c7066832215ac51984b Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Tue, 22 May 2012 12:12:45 +0200
Subject: [PATCH] Fixed Cross site scripting issue of id parameter on admin/searches.php page
---
 src/admin/searches.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/admin/searches.php b/src/admin/searches.php
index ebb4b26..5653fee 100644
--- a/src/admin/searches.php
+++ b/src/admin/searches.php
@@ -120,7 +120,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['SEARCHID'] = DB_RemoveBadChars($_GET['id']);
+ $content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 $sqlquery = "SELECT * " .
 " FROM " . DB_SEARCHES .
@@ -183,7 +183,7 @@ if ( isset($_GET['op']) )
 if ( isset($_GET['id']) )
 {
 //PreInit these values
- $content['SEARCHID'] = DB_RemoveBadChars($_GET['id']);
+ $content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
 // Get UserInfo
 $result = DB_Query("SELECT DisplayName FROM " . DB_SEARCHES . " WHERE ID = " . $content['SEARCHID'] );
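Review bot: strip_tags() on the added `$content['SEARCHID']` line is not an output-encoding step — it removes tags but leaves quotes and entity forms untouched, so an `id` value echoed inside an HTML attribute is still not neutralised; the same applies to the second hunk at `@@ -183,7 +183,7 @@`. The context line below the second change, `$result = DB_Query("SELECT DisplayName FROM " . DB_SEARCHES . " WHERE ID = " . $content['SEARCHID'] );`, concatenates the value unquoted into SQL, which suggests ID is numeric. Casting at the input boundary covers both sinks with one change, `$content['SEARCHID'] = intval($_GET['id']);`, with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` applied at each place the value is rendered rather than relying on sanitisation here. What DB_RemoveBadChars escapes is not visible in this hunk, so whether it alone makes the concatenation safe cannot be confirmed from here; the enclosing `if ( isset($_GET['op']) )` block starts and ends outside both hunks.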