init.php: clean up $_GET, $_SERVER["REQUEST_URI"] and $_SERVER["QUERY_STRING"] against xss

1 files changed, 23 insertions, 0 deletions

diff --git a/init.php b/init.php
index 6c8a8f4..1a978ff 100644
--- a/init.php
+++ b/init.php
@@ -1,2 +1,25 @@
 <?php
 define("BASE", __DIR__);
+
+$old = '';
+while ($old != $_SERVER['QUERY_STRING']) {
+  $old = $_SERVER['QUERY_STRING'];
+  $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
+}
+$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+
+$old = '';
+while ($old != $_SERVER['REQUEST_URI']) {
+  $old = $_SERVER['REQUEST_URI'];
+  $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
+}
+$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+
+foreach ($_GET as $key => $val) {
+  $old = '';
+  while ($old != $_GET[$key]) {
+    $old = $_GET[$key];
+    $_GET[$key] = urldecode($_GET[$key]);
+  }
+  $_GET[$key] = htmlentities($_GET[$key]);
+}