authorErich Eckner <git@eckner.net>2019-03-19 13:57:57 +0100
committerErich Eckner <git@eckner.net>2019-03-19 13:57:57 +0100
commit20ce345c1dc2905878ec1a9828a75813a63cfbd3 (patch)
tree72666fb056b966653ad70e2d30fb5f986ff3e330
parent748e207978b69f854f7c69c9d4981b4b20b55856 (diff)
init.php: encode less: only specialchars are encoded + ampersand in QUERY_STRING and REQUEST_URI is /not/ encoded (otherwise parameter separation is broken)
-rw-r--r--init.php12
1 files changed, 9 insertions, 3 deletions
diff --git a/init.php b/init.php
index 1a978ff..993723e 100644
--- a/init.php
+++ b/init.php
@@ -6,14 +6,20 @@ while ($old != $_SERVER['QUERY_STRING']) {
$old = $_SERVER['QUERY_STRING'];
$_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
}
-$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+$_SERVER['QUERY_STRING'] =
+ str_replace('&amp;', '&',
+ htmlspecialchars($_SERVER['QUERY_STRING'])
+ );
$old = '';
while ($old != $_SERVER['REQUEST_URI']) {
$old = $_SERVER['REQUEST_URI'];
$_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
}
-$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+$_SERVER['REQUEST_URI'] =
+ str_replace('&amp;', '&',
+ htmlspecialchars($_SERVER['REQUEST_URI'])
+ );
foreach ($_GET as $key => $val) {
$old = '';
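Review bot: The new `htmlspecialchars($_SERVER['QUERY_STRING'])` and `htmlspecialchars($_SERVER['REQUEST_URI'])` calls pass no flags, so on the PHP versions current for this commit the default is `ENT_COMPAT`: single quotes are left unescaped, so a value later dropped into a single-quoted HTML attribute is not protected, and a byte sequence that is not valid UTF-8 makes the call return an empty string, silently blanking the whole `QUERY_STRING`/`REQUEST_URI`. Call it as `htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (same for `REQUEST_URI` here and for `$_GET[$key]` in the second hunk). Separately, after the `str_replace('&amp;', '&', …)` the stored string is no longer uniformly escaped — an input of `&lt;` and an input of `<` both end up as `&lt;` — so a comment on the assignment such as `// ampersands are deliberately kept raw: this string is still split on '&' as parameter separators` would stop a later reader from treating the value as fully HTML-safe. The `while` loop whose body this hunk rewrites is opened on the `@@` context line, outside the hunk.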
@@ -21,5 +27,5 @@ foreach ($_GET as $key => $val) {
$old = $_GET[$key];
$_GET[$key] = urldecode($_GET[$key]);
}
- $_GET[$key] = htmlentities($_GET[$key]);
+ $_GET[$key] = htmlspecialchars($_GET[$key]);
}
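Review bot: `htmlspecialchars($_GET[$key])` on the changed line assumes every query parameter is a string, but PHP builds nested arrays for parameters like `a[]=1` or `a[b]=1`; for those this call (and the `urldecode($_GET[$key])` above it) throws a TypeError on PHP 8 and, on PHP 7, emits a warning and returns null, so the parameter is lost without any error being surfaced. Add `if (!is_string($_GET[$key])) { continue; }` at the top of the loop body, or recurse into array values and escape each leaf. The `foreach` loop this hunk belongs to begins on the `@@` context line, outside the hunk.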