1
0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-30 21:40:43 +02:00

[ticket/13280] Output escaping for the symfony request object

PHPBB3-13280
This commit is contained in:
Tristan Darricau
2014-11-12 11:44:56 +01:00
parent 526a97db7c
commit 0dfe1d0d8b
12 changed files with 116 additions and 56 deletions

View File

@@ -31,10 +31,11 @@ class session
var $update_session_page = true;
/**
* Extract current session page
*
* @param string $root_path current root path (phpbb_root_path)
*/
* Extract current session page
*
* @param string $root_path current root path (phpbb_root_path)
* @return array
*/
static function extract_current_page($root_path)
{
global $request, $symfony_request, $phpbb_filesystem;
@@ -42,8 +43,8 @@ class session
$page_array = array();
// First of all, get the request uri...
$script_name = $symfony_request->getScriptName();
$args = explode('&', $symfony_request->getQueryString());
$script_name = $request->escape($symfony_request->getScriptName(), true);
$args = $request->escape(explode('&', $symfony_request->getQueryString()), true);
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
@@ -61,8 +62,8 @@ class session
// Since some browser do not encode correctly we need to do this with some "special" characters...
// " -> %22, ' => %27, < -> %3C, > -> %3E
$find = array('"', "'", '<', '>');
$replace = array('%22', '%27', '%3C', '%3E');
$find = array('"', "'", '<', '>', '&quot;', '&lt;', '&gt;');
$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E');
foreach ($args as $key => $argument)
{