mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-31 05:50:42 +02:00
Code Issues Releases Wiki Activity

[ticket/13280] Output escaping for the symfony request object

Browse Source 
PHPBB3-13280
This commit is contained in:
Tristan Darricau
2014-11-12 11:44:56 +01:00
parent 526a97db7c
commit 0dfe1d0d8b
12 changed files with 116 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
phpBB/phpbb/path_helper.php
View File

@@ -154,6 +154,7 @@ class path_helper
return $this->web_root_path;
}
// We do not need to escape $path_info, $request_uri and $script_name because we can not find their content in the result.
// Path info (e.g. /foo/bar)
$path_info = $this->filesystem->clean_path($this->symfony_request->getPathInfo());
@@ -203,9 +204,12 @@ class path_helper
*/
if ($this->request->is_ajax() && $this->symfony_request->get('_referer'))
{
// We need to escape $absolute_board_url because it can be partially concatenated to the result.
$absolute_board_url = $this->request->escape($this->symfony_request->getSchemeAndHttpHost() . $this->symfony_request->getBasePath(), true);
$referer_web_root_path = $this->get_web_root_path_from_ajax_referer(
$this->symfony_request->get('_referer'),
$this->symfony_request->getSchemeAndHttpHost() . $this->symfony_request->getBasePath()
$absolute_board_url
);
return $this->web_root_path = $this->phpbb_root_path . $referer_web_root_path;
}