Fix inversed encoding logic in paramArray (#6800)

* Fix inversed encoding logic in paramArray https://github.com/FreshRSS/FreshRSS/pull/6797#discussion_r1754661634 Also fix the possibility to use `<'&">` in shortcuts, and some minor encoding bugs in user queries * Forgot paramArrayString
2026-04-04 14:43:32 -04:00 · 2024-09-12 11:04:49 +02:00
parent d1f1e42c2b
commit fd1b5e9343
6 changed files with 33 additions and 10 deletions
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -202,7 +202,7 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 		$this->view->list_keys = SHORTCUT_KEYS;

 		if (Minz_Request::isPost()) {
-			$shortcuts = Minz_Request::paramArray('shortcuts');
+			$shortcuts = Minz_Request::paramArray('shortcuts', specialchars: true);
 			if (Minz_Request::paramBoolean('load_default_shortcuts')) {
 				$default = Minz_Configuration::load(FRESHRSS_PATH . '/config-user.default.php');
 				$shortcuts = $default['shortcuts'];
@@ -379,12 +379,13 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 				$name = _t('conf.query.number', $id + 1);
 			}
 			if (!empty($params['get']) && is_string($params['get'])) {
-				$queryParams['get'] = htmlspecialchars_decode($params['get'], ENT_QUOTES);
+				$queryParams['get'] = $params['get'];
 			}
 			if (!empty($params['order']) && is_string($params['order'])) {
-				$queryParams['order'] = htmlspecialchars_decode($params['order'], ENT_QUOTES);
+				$queryParams['order'] = $params['order'];
 			}
 			if (!empty($params['search']) && is_string($params['search'])) {
+				// Search must be as plain text to be XML-encoded or URL-encoded depending on the situation
 				$queryParams['search'] = htmlspecialchars_decode($params['search'], ENT_QUOTES);
 			}
 			if (!empty($params['state']) && is_array($params['state'])) {
@@ -398,7 +399,7 @@ class FreshRSS_configure_Controller extends FreshRSS_ActionController {
 			$queryParams['url'] = Minz_Url::display(['params' => $queryParams]);
 			$queryParams['name'] = $name;
 			if (!empty($params['description']) && is_string($params['description'])) {
-				$queryParams['description'] = htmlspecialchars_decode($params['description'], ENT_QUOTES);
+				$queryParams['description'] = $params['description'];
 			}
 			if (!empty($params['imageUrl']) && is_string($params['imageUrl'])) {
 				$queryParams['imageUrl'] = $params['imageUrl'];