From d5313eb726177e33ed11dae03589da283fca11f6 Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Mon, 18 Mar 2019 10:55:52 +0100
Subject: init.php: clean up $_GET, $_SERVER["REQUEST_URI"] and
 $_SERVER["QUERY_STRING"] against xss

---
 init.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/init.php b/init.php
index 6c8a8f4..1a978ff 100644
--- a/init.php
+++ b/init.php
@@ -1,2 +1,25 @@
 <?php
 define("BASE", __DIR__);
+
+$old = '';
+while ($old != $_SERVER['QUERY_STRING']) {
+  $old = $_SERVER['QUERY_STRING'];
+  $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
+}
+$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+
+$old = '';
+while ($old != $_SERVER['REQUEST_URI']) {
+  $old = $_SERVER['REQUEST_URI'];
+  $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
+}
+$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+
+foreach ($_GET as $key => $val) {
+  $old = '';
+  while ($old != $_GET[$key]) {
+    $old = $_GET[$key];
+    $_GET[$key] = urldecode($_GET[$key]);
+  }
+  $_GET[$key] = htmlentities($_GET[$key]);
+}
-- 
cgit v1.2.3