author | Erich Eckner <git@eckner.net> | 2019-03-18 10:55:52 +0100 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2019-03-18 10:55:52 +0100 |
commit | d5313eb726177e33ed11dae03589da283fca11f6 (patch) | |
tree | 40d626f4afa81493b683ee9012cd63ca9ed7adf7 | |
parent | cfbe0d71c101b895418a1b6606d8e4352ff30a98 (diff) | |
download | archweb32-d5313eb726177e33ed11dae03589da283fca11f6.tar.xz |
init.php: clean up $_GET, $_SERVER["REQUEST_URI"] and $_SERVER["QUERY_STRING"] against xss
-rw-r--r-- | init.php | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -1,2 +1,25 @@
 <?php
 define("BASE", __DIR__);
+
+$old = '';
+while ($old != $_SERVER['QUERY_STRING']) {
+ $old = $_SERVER['QUERY_STRING'];
+ $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
+}
+$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+
+$old = '';
+while ($old != $_SERVER['REQUEST_URI']) {
+ $old = $_SERVER['REQUEST_URI'];
+ $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
+}
+$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+
+foreach ($_GET as $key => $val) {
+ $old = '';
+ while ($old != $_GET[$key]) {
+ $old = $_GET[$key];
+ $_GET[$key] = urldecode($_GET[$key]);
+ }
+ $_GET[$key] = htmlentities($_GET[$key]);
+} |
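Review bot: The `foreach ($_GET as $key => $val)` loop assumes every query value is a string, but PHP populates `$_GET` with arrays for `?key[]=v`, and `urldecode()` on an array emits a warning and yields null on PHP 7 (so the value is silently replaced by `''`) or throws a TypeError on PHP 8, so a single crafted request can break every page that includes init.php. The `htmlentities()` calls also use default flags, which before PHP 8.1 are `ENT_COMPAT` and leave `'` unencoded, so a value echoed inside a single-quoted attribute is still injectable and invalid UTF-8 makes the call return an empty string; use `htmlentities($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. More broadly, encoding at input mutates data for every non-HTML sink (`+` becomes a space after the extra `urldecode()`, `&` becomes `&amp;` in any value later used in SQL, headers or comparisons, and output that is escaped again is double-encoded), so the durable fix is per-context escaping where values are printed; if the input-side step is kept, it should at least recurse into arrays as below.
```php
// Recursively apply decode-until-stable + HTML-encoding so array-valued
// parameters (?key[]=v) are handled instead of warning/throwing.
function archweb32_clean_input($value)
{
    if (is_array($value)) {
        return array_map('archweb32_clean_input', $value);
    }
    $old = '';
    while ($old !== $value) {
        $old = $value;
        $value = urldecode($value);
    }
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$_GET = array_map('archweb32_clean_input', $_GET);
```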