Replace calls to htmlspecialchars() with sm_encode_html_special_chars().
[squirrelmail.git] / include / init.php
index eb5336537b8b8486fb4cc736edc2817727762792..fd769df75106a8c1db3a897b1613427903d75b7a 100644 (file)
@@ -274,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
  * or
  * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
  * because it doesn't bother with broken tags.
- * htmlspecialchars() is the preferred method.
+ * sm_encode_html_special_chars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
  * Update again: the encoding of ampersands that occurs
- * using htmlspecialchars() corrupts the query strings
+ * using sm_encode_html_special_chars() corrupts the query strings
  * in normal URIs, so we have to let those through.
 FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
  */
 if (isset($_SERVER['REQUEST_URI']))
-    $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+    $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
-    $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+    $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
-    $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
+    $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
 
 $PHP_SELF = php_self();
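Review bot: The first `str_replace` argument on the three new lines is shown as `'&'`, identical to the replacement string, which would make each call a no-op and leave ampersands encoded, contradicting the comment above that says they must be let through; this is most likely the page rendering `'&amp;'` as `'&'`, so confirm the literal in the actual source before merging. The encoder call plus the ampersand revert is repeated verbatim three times, so a small helper such as `function sm_encode_server_var($v) { return str_replace('&amp;', '&', sm_encode_html_special_chars($v)); }` applied to each `$_SERVER` key would keep the three in step and give the revert a single place to be documented. The FIXME asking whether reverting `&amp;` reopens an XSS path is unchanged by this commit, which only swaps the encoder; either resolve it or record on the FIXME line why the revert is considered acceptable for the contexts where these values are emitted. The hunk also relies on `sm_encode_html_special_chars()` already being defined when init.php reaches this point, which is not visible here and should be checked.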