From 1725561c34479713991b82f7c8b3e13ba69d2521 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 9 Oct 2012 11:42:38 +0200
Subject: [PATCH] Better security fix: Using GETPOST does not fix all cases, also the real bug (missing escaping information when using it) was not fixed.
---
 htdocs/user/group/index.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php
index 5d45e999149..87ac410f07f 100644
--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -34,8 +34,8 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
 $langs->load("users");
-$sall=GETPOST('sall', 'alpha');
-$search_group=GETPOST('search_group','alpha');
+$sall=GETPOST('sall');
+$search_group=GETPOST('search_group');
 $sortfield = GETPOST('sortfield','alpha');
 $sortorder = GETPOST('sortorder','alpha');
@@ -82,7 +82,7 @@ if ($resql)
 $num = $db->num_rows($resql);
 $i = 0;
- $param="search_group=".$search_group."&sall=".$sall;
+ $param="search_group=".urlencode($search_group)."&sall=".urlencode($sall);
 print '';
 print '';
 print_liste_field_titre($langs->trans("Group"),$_SERVER["PHP_SELF"],"g.nom",$param,"","",$sortfield,$sortorder);
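Review bot: Dropping the `'alpha'` check in the first hunk means `$sall` and `$search_group` now hold the raw request value, so every later use needs escaping for its own context, and this commit only covers the URL use in the second hunk. The query built between the two hunks is not visible here; it should pass both values through `$db->escape()` before concatenating them into the SQL string, and if the values are echoed back into the search form they should go through `dol_escape_htmltag()`. A short comment above the two assignments would keep a later maintainer from trusting them: `// Raw search strings: escape per context (SQL, HTML, URL) at each use.`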
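Review bot: `$_SERVER["PHP_SELF"]` is still handed to `print_liste_field_titre()` unescaped on the last line of the second hunk, right next to the `$param` that is now encoded. PHP_SELF includes any path info the client appends after the script name, so it is request-controlled in the same way as `sall` and `search_group`; whether the helper or the bootstrap code already sanitises it is not visible here. If it does not, escape it for the HTML attribute context at the call site, e.g. `dol_escape_htmltag($_SERVER["PHP_SELF"])`. The enclosing `if ($resql)` block starts before and continues past this hunk.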