git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13957
7612ce4b-ef26-0410-bec9-
ea0150e637f0
* htmlspecialchars() is the preferred method.
* QUERY_STRING also needs the same treatment since it is
* used in php_self().
* htmlspecialchars() is the preferred method.
* QUERY_STRING also needs the same treatment since it is
* used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
*/
if (isset($_SERVER['REQUEST_URI']))
*/
if (isset($_SERVER['REQUEST_URI']))
- $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']);
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
if (isset($_SERVER['PHP_SELF']))
if (isset($_SERVER['PHP_SELF']))
- $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
if (isset($_SERVER['QUERY_STRING']))
if (isset($_SERVER['QUERY_STRING']))
- $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));