Diffstat (limited to 'linden/indra/newview/llpaneldirfind.cpp')
-rw-r--r-- | linden/indra/newview/llpaneldirfind.cpp | 35 |
1 files changed, 24 insertions, 11 deletions
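--- a/linden/indra/newview/llpaneldirfind.cpp
+++ b/linden/indra/newview/llpaneldirfind.cpp
@@ -182,23 +182,36 @@ void LLPanelDirFindAll::search(const std::string& search_text)
 // Replace spaces with "+" for use by Google search appliance
 // Yes, this actually works for double-spaces
 // " foo bar" becomes "+foo++bar" and works fine. JC
-std::string query = search_text;
-std::string::iterator it = query.begin();
-for ( ; it != query.end(); ++it )
+
+// Since we are already iterating over the query,
+// do our own custom escaping here.
+
+// Our own special set of allowed chars (RFC1738 http://www.ietf.org/rfc/rfc1738.txt)
+const char* allowed =
+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+"0123456789"
+"-._~$+!*'()";
+
+std::string query;
+std::string::const_iterator it = search_text.begin();
+for ( ; it != search_text.end(); ++it )
 {
 if ( std::isspace( *it ) )
 {
-*it = '+';
+query += '+';
+}
+else if(strchr(allowed,*it))
+{
+// The character is in the allowed set, just copy it
+query += *it;
+}
+else
+{
+// Do escaping
+query += llformat("%%%02X", *it);
 }
 }
 
-// If user types "%" into search, it builds a bogus URL.
-// Try to work around that. It's not a security problem
-// as far as I can tell -- we MySQL escape database queries
-// on the server. Do this after "+" substitution because
-// "+" is an allowed character.
-query = LLURI::escape(query);
-
 std::string url = gSavedSettings.getString("SearchURLQuery");
 std::string substring = "[QUERY]";
 url.replace(url.find(substring), substring.length(), query);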
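Review bot: In the final `else` branch, `*it` is a plain `char` passed to `llformat("%%%02X", *it)`; where `char` is signed, any byte at or above 0x80 (every non-ASCII UTF-8 search term) is promoted to a negative int and, assuming llformat is printf-style, comes out as `%FFFFFFxx` instead of a two-digit escape, so the query reaches the server malformed. Convert first: `query += llformat("%%%02X", static_cast<unsigned char>(*it));`, and apply the same conversion in the `std::isspace( *it )` call on the context line above, which is undefined for negative values. Separately, `+` is in the `allowed` set, so a literal plus typed by the user is indistinguishable from an encoded space; dropping it from `allowed` would let it be sent as `%2B`. search() begins and ends outside this hunk.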