From 20ce345c1dc2905878ec1a9828a75813a63cfbd3 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Tue, 19 Mar 2019 13:57:57 +0100
Subject: init.php: encode less: only specialchars are ancoded + ampersand in QUERY_STRING and REQUEST_URI is /not/ encoded (otherwise parameter separation is broken)
---
 init.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/init.php b/init.php
index 1a978ff..993723e 100644
--- a/init.php
+++ b/init.php
@@ -6,14 +6,20 @@ while ($old != $_SERVER['QUERY_STRING']) {
 $old = $_SERVER['QUERY_STRING'];
 $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
 }
-$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+$_SERVER['QUERY_STRING'] =
+ str_replace('&', '&',
+ htmlspecialchars($_SERVER['QUERY_STRING'])
+ );

 $old = '';
 while ($old != $_SERVER['REQUEST_URI']) {
 $old = $_SERVER['REQUEST_URI'];
 $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
 }
-$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+$_SERVER['REQUEST_URI'] =
+ str_replace('&', '&',
+ htmlspecialchars($_SERVER['REQUEST_URI'])
+ );

 foreach ($_GET as $key => $val) {
 $old = '';
@@ -21,5 +27,5 @@ foreach ($_GET as $key => $val) {
 $old = $_GET[$key];
 $_GET[$key] = urldecode($_GET[$key]);
 }
- $_GET[$key] = htmlentities($_GET[$key]);
+ $_GET[$key] = htmlspecialchars($_GET[$key]);
 }
--
cgit v1.2.3-70-g09d2
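Review bot: After the first hunk, `$_SERVER['QUERY_STRING']` and `$_SERVER['REQUEST_URI']` are neither the raw request values nor fully HTML-escaped: `htmlspecialchars()` is called without flags, so single quotes stay unescaped on PHP before 8.1, and the `str_replace` that restores the ampersand also lets character references sent in the request through intact. Code that later prints these values into an attribute or script context can no longer treat them as safe. I would leave the superglobals untouched here and escape at the point of output, e.g. `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. As rendered on this page the call reads `str_replace('&', '&', …)`, which is a no-op; presumably the search string was `'&amp;'` and the page decoded it, which is worth confirming against the repository.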
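Review bot: The added `htmlspecialchars($_GET[$key])` in the second hunk assumes every `$_GET` value is a string, but PHP turns parameters written as `name[]=…` into arrays, and both `urldecode()` and `htmlspecialchars()` reject an array argument (warnings on PHP 7, a `TypeError` on PHP 8). A guard at the top of the loop body, `if (!is_string($val)) { unset($_GET[$key]); continue; }`, would restrict the loop to string values; the `foreach` and the inner `while` begin outside this hunk. The call also omits `ENT_QUOTES`, and the keys of `$_GET` are left unencoded, so any later code that prints `$key` needs its own escaping.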