mirror of
https://github.com/phpbb/phpbb.git
synced 2025-07-31 05:50:42 +02:00
[ticket/13280] Output escaping for the symfony request object
PHPBB3-13280
This commit is contained in:
@@ -31,10 +31,11 @@ class session
|
||||
var $update_session_page = true;
|
||||
|
||||
/**
|
||||
* Extract current session page
|
||||
*
|
||||
* @param string $root_path current root path (phpbb_root_path)
|
||||
*/
|
||||
* Extract current session page
|
||||
*
|
||||
* @param string $root_path current root path (phpbb_root_path)
|
||||
* @return array
|
||||
*/
|
||||
static function extract_current_page($root_path)
|
||||
{
|
||||
global $request, $symfony_request, $phpbb_filesystem;
|
||||
@@ -42,8 +43,8 @@ class session
|
||||
$page_array = array();
|
||||
|
||||
// First of all, get the request uri...
|
||||
$script_name = $symfony_request->getScriptName();
|
||||
$args = explode('&', $symfony_request->getQueryString());
|
||||
$script_name = $request->escape($symfony_request->getScriptName(), true);
|
||||
$args = $request->escape(explode('&', $symfony_request->getQueryString()), true);
|
||||
|
||||
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
|
||||
if (!$script_name)
|
||||
@@ -61,8 +62,8 @@ class session
|
||||
|
||||
// Since some browser do not encode correctly we need to do this with some "special" characters...
|
||||
// " -> %22, ' => %27, < -> %3C, > -> %3E
|
||||
$find = array('"', "'", '<', '>');
|
||||
$replace = array('%22', '%27', '%3C', '%3E');
|
||||
$find = array('"', "'", '<', '>', '"', '<', '>');
|
||||
$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E');
|
||||
|
||||
foreach ($args as $key => $argument)
|
||||
{
|
||||
|
Reference in New Issue
Block a user