From 9774fd8be92a2cec7d5ac9b30759ad6f87ce2fa5 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 23 Nov 2018 09:53:14 -0500 Subject: [PATCH 1/2] Remove unused parameter $save in HTML::search - Remove unused variables in saved_search() --- mod/network.php | 5 +---- mod/search.php | 2 +- src/Content/Text/HTML.php | 2 +- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/mod/network.php b/mod/network.php index 58f9484250..5bc5913cdb 100644 --- a/mod/network.php +++ b/mod/network.php @@ -170,7 +170,6 @@ function network_init(App $a) function saved_searches($search) { - $a = get_app(); $srchurl = '/network?f=' . ((x($_GET, 'cid')) ? '&cid=' . $_GET['cid'] : '') @@ -183,8 +182,6 @@ function saved_searches($search) . ((x($_GET, 'file')) ? '&file=' . $_GET['file'] : ''); ; - $o = ''; - $terms = DBA::select('search', ['id', 'term'], ['uid' => local_user()]); $saved = []; @@ -202,7 +199,7 @@ function saved_searches($search) $o = Renderer::replaceMacros($tpl, [ '$title' => L10n::t('Saved Searches'), '$add' => L10n::t('add'), - '$searchbox' => HTML::search($search, 'netsearch-box', $srchurl, true), + '$searchbox' => HTML::search($search, 'netsearch-box', $srchurl), '$saved' => $saved, ]); diff --git a/mod/search.php b/mod/search.php index 1ada76a9e6..2810b23b13 100644 --- a/mod/search.php +++ b/mod/search.php @@ -162,7 +162,7 @@ function search_content(App $a) { 'name' => "search-header", '$title' => L10n::t("Search"), '$title_size' => 3, - '$content' => HTML::search($search,'search-box','search',((local_user()) ? true : false), false) + '$content' => HTML::search($search,'search-box','search', false) ]); if (strpos($search,'#') === 0) { diff --git a/src/Content/Text/HTML.php b/src/Content/Text/HTML.php index 544811536b..6451b74faa 100644 --- a/src/Content/Text/HTML.php +++ b/src/Content/Text/HTML.php 
@@ -951,7 +951,7 @@ class HTML * * @return string Formatted HTML. */ - public static function search($s, $id = 'search-box', $url = 'search', $save = false, $aside = true) + public static function search($s, $id = 'search-box', $url = 'search', $aside = true) { $mode = 'text'; From c23d1b27763f6e0a9b45264f85dde23df3f87e13 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 23 Nov 2018 10:02:30 -0500 Subject: [PATCH 2/2] Urlencode /network file parameter --- include/conversation.php | 22 +++++++++++----------- mod/filerm.php | 2 +- mod/network.php | 17 ++++++++--------- 3 files changed, 20 insertions(+), 21 deletions(-) diff --git a/include/conversation.php b/include/conversation.php index 1b7b34e71a..2d613f0f38 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -462,17 +462,17 @@ function conversation(App $a, array $items, Pager $pager, $mode, $update, $previ . "\r\n"; } diff --git a/mod/filerm.php b/mod/filerm.php index 30a7f69df9..d240c2d6a7 100644 --- a/mod/filerm.php +++ b/mod/filerm.php @@ -36,6 +36,6 @@ function filerm_content(App $a) info('Item was not deleted'); } - $a->internalRedirect('/network?f=&file=' . $term); + $a->internalRedirect('/network?f=&file=' . rawurlencode($term)); killme(); } diff --git a/mod/network.php b/mod/network.php index 5bc5913cdb..594a557997 100644 --- a/mod/network.php +++ b/mod/network.php 
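Review bot: Dropping `$save` from the middle of the positional list in `HTML::search()` changes what the fourth argument means, so any call site not touched by this patch that still passes a `$save` value will now silently set `$aside` instead. Only the calls in mod/network.php and mod/search.php are updated here; a search for `HTML::search(` across the tree, and any out-of-tree code that may call it, should confirm nothing else passes four or five arguments. The docblock starts above this hunk, so also check that no `@param` line for `$save` is left behind there.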
@@ -170,16 +170,15 @@ function network_init(App $a) function saved_searches($search) { - $srchurl = '/network?f=' - . ((x($_GET, 'cid')) ? '&cid=' . $_GET['cid'] : '') - . ((x($_GET, 'star')) ? '&star=' . $_GET['star'] : '') - . ((x($_GET, 'bmark')) ? '&bmark=' . $_GET['bmark'] : '') - . ((x($_GET, 'conv')) ? '&conv=' . $_GET['conv'] : '') - . ((x($_GET, 'nets')) ? '&nets=' . $_GET['nets'] : '') - . ((x($_GET, 'cmin')) ? '&cmin=' . $_GET['cmin'] : '') - . ((x($_GET, 'cmax')) ? '&cmax=' . $_GET['cmax'] : '') - . ((x($_GET, 'file')) ? '&file=' . $_GET['file'] : ''); + . ((x($_GET, 'cid')) ? '&cid=' . rawurlencode($_GET['cid']) : '') + . ((x($_GET, 'star')) ? '&star=' . rawurlencode($_GET['star']) : '') + . ((x($_GET, 'bmark')) ? '&bmark=' . rawurlencode($_GET['bmark']) : '') + . ((x($_GET, 'conv')) ? '&conv=' . rawurlencode($_GET['conv']) : '') + . ((x($_GET, 'nets')) ? '&nets=' . rawurlencode($_GET['nets']) : '') + . ((x($_GET, 'cmin')) ? '&cmin=' . rawurlencode($_GET['cmin']) : '') + . ((x($_GET, 'cmax')) ? '&cmax=' . rawurlencode($_GET['cmax']) : '') + . ((x($_GET, 'file')) ? '&file=' . rawurlencode($_GET['file']) : ''); ; $terms = DBA::select('search', ['id', 'term'], ['uid' => local_user()]);
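Review bot: The new `rawurlencode($_GET[...])` calls in `saved_searches()` assume every parameter is a string, but a request such as `?cid[]=1` makes `$_GET['cid']` an array, and `rawurlencode()` then raises a warning or a TypeError depending on the PHP version. Whether `x()` filters arrays out is not visible in this hunk. Guarding each value with `is_string()` closes that gap, and building the URL in a loop over the eight allowed keys keeps the encoding uniform if another filter is added later; the lone `;` after the expression is then no longer needed. `saved_searches()` continues past the end of this hunk, so it is still worth checking in the template how the assembled `$srchurl` is HTML-escaped when `HTML::search()` renders it.

```php
$srchurl = '/network?f=';
foreach (['cid', 'star', 'bmark', 'conv', 'nets', 'cmin', 'cmax', 'file'] as $key) {
	// Forward only string values; array-valued parameters (?key[]=...) are dropped.
	if (x($_GET, $key) && is_string($_GET[$key])) {
		$srchurl .= '&' . $key . '=' . rawurlencode($_GET[$key]);
	}
}
// … unchanged: DBA::select of saved search terms …
```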