From 20ce345c1dc2905878ec1a9828a75813a63cfbd3 Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Tue, 19 Mar 2019 13:57:57 +0100
Subject: init.php: encode less: only specialchars are ancoded + ampersand in
 QUERY_STRING and REQUEST_URI is /not/ encoded (otherwise parameter separation
 is broken)

---
 init.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'init.php')

diff --git a/init.php b/init.php
index 1a978ff..993723e 100644
--- a/init.php
+++ b/init.php
@@ -6,14 +6,20 @@ while ($old != $_SERVER['QUERY_STRING']) {
   $old = $_SERVER['QUERY_STRING'];
   $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
 }
-$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+$_SERVER['QUERY_STRING'] =
+  str_replace('&amp;', '&',
+    htmlspecialchars($_SERVER['QUERY_STRING'])
+  );
 
 $old = '';
 while ($old != $_SERVER['REQUEST_URI']) {
   $old = $_SERVER['REQUEST_URI'];
   $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
 }
-$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+$_SERVER['REQUEST_URI'] =
+  str_replace('&amp;', '&',
+    htmlspecialchars($_SERVER['REQUEST_URI'])
+  );
 
 foreach ($_GET as $key => $val) {
   $old = '';
@@ -21,5 +27,5 @@ foreach ($_GET as $key => $val) {
     $old = $_GET[$key];
     $_GET[$key] = urldecode($_GET[$key]);
   }
-  $_GET[$key] = htmlentities($_GET[$key]);
+  $_GET[$key] = htmlspecialchars($_GET[$key]);
 }
-- 
cgit v1.2.3