summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorErich Eckner <git@eckner.net>2019-03-18 10:55:52 +0100
committerErich Eckner <git@eckner.net>2019-03-18 10:55:52 +0100
commitd5313eb726177e33ed11dae03589da283fca11f6 (patch)
tree40d626f4afa81493b683ee9012cd63ca9ed7adf7
parentcfbe0d71c101b895418a1b6606d8e4352ff30a98 (diff)
downloadarchweb32-d5313eb726177e33ed11dae03589da283fca11f6.tar.xz
init.php: clean up $_GET, $_SERVER["REQUEST_URI"] and $_SERVER["QUERY_STRING"] against xss
-rw-r--r--init.php23
1 files changed, 23 insertions, 0 deletions
diff --git a/init.php b/init.php
index 6c8a8f4..1a978ff 100644
--- a/init.php
+++ b/init.php
@@ -1,2 +1,25 @@
<?php
define("BASE", __DIR__);
+
+$old = '';
+while ($old != $_SERVER['QUERY_STRING']) {
+ $old = $_SERVER['QUERY_STRING'];
+ $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
+}
+$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+
+$old = '';
+while ($old != $_SERVER['REQUEST_URI']) {
+ $old = $_SERVER['REQUEST_URI'];
+ $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
+}
+$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+
+foreach ($_GET as $key => $val) {
+ $old = '';
+ while ($old != $_GET[$key]) {
+ $old = $_GET[$key];
+ $_GET[$key] = urldecode($_GET[$key]);
+ }
+ $_GET[$key] = htmlentities($_GET[$key]);
+}