diff options
author | Mario Vavti <mario@mariovavti.com> | 2018-06-07 22:45:07 +0200 |
---|---|---|
committer | Mario Vavti <mario@mariovavti.com> | 2018-06-07 22:45:07 +0200 |
commit | b3928f3d2a7c4c77df5ceba6fc29cbfcbe067dff (patch) | |
tree | 8b0c1567ca113c9aad585192959b5020b758010e | |
parent | d3bc50e18d77d0f21b2b34560338c2ded4ae59eb (diff) | |
download | volse-hubzilla-b3928f3d2a7c4c77df5ceba6fc29cbfcbe067dff.tar.gz volse-hubzilla-b3928f3d2a7c4c77df5ceba6fc29cbfcbe067dff.tar.bz2 volse-hubzilla-b3928f3d2a7c4c77df5ceba6fc29cbfcbe067dff.zip |
escape query string
-rw-r--r-- | Zotlabs/Module/Connections.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Directory.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Photos.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Viewconnections.php | 2 | ||||
-rwxr-xr-x | boot.php | 4 |
5 files changed, 7 insertions, 7 deletions
diff --git a/Zotlabs/Module/Connections.php b/Zotlabs/Module/Connections.php index 3bbdbf326..cecada769 100644 --- a/Zotlabs/Module/Connections.php +++ b/Zotlabs/Module/Connections.php @@ -326,7 +326,7 @@ class Connections extends \Zotlabs\Web\Controller { killme(); } else { - $o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; + $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $o .= replace_macros(get_markup_template('connections.tpl'),array( '$header' => t('Connections') . (($head) ? ': ' . $head : ''), '$tabs' => $tabs, diff --git a/Zotlabs/Module/Directory.php b/Zotlabs/Module/Directory.php index f2673fa1a..8a7c6baf6 100644 --- a/Zotlabs/Module/Directory.php +++ b/Zotlabs/Module/Directory.php @@ -395,7 +395,7 @@ class Directory extends \Zotlabs\Web\Controller { $dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory')); - $o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>"; + $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>"; $o .= replace_macros($tpl, array( '$search' => $search, '$desc' => t('Find'), diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php index e21f3025c..489bffc4a 100644 --- a/Zotlabs/Module/Photos.php +++ b/Zotlabs/Module/Photos.php @@ -838,7 +838,7 @@ class Photos extends \Zotlabs\Web\Controller { killme(); } else { - $o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; + $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $tpl = get_markup_template('photo_album.tpl'); $o .= replace_macros($tpl, array( '$photos' => $photos, @@ -1377,7 +1377,7 @@ class Photos extends \Zotlabs\Web\Controller { killme(); } else { - $o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; + $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $tpl = get_markup_template('photos_recent.tpl'); $o .= replace_macros($tpl, array( '$title' => t('Recent Photos'), diff --git a/Zotlabs/Module/Viewconnections.php b/Zotlabs/Module/Viewconnections.php index 8366e1325..0a5e86907 100644 --- a/Zotlabs/Module/Viewconnections.php +++ b/Zotlabs/Module/Viewconnections.php @@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller { killme(); } else { - $o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; + $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $tpl = get_markup_template("viewcontact_template.tpl"); $o .= replace_macros($tpl, array( '$title' => t('View Connections'), @@ -876,13 +876,13 @@ class App { set_include_path("include/self::$hostname" . PATH_SEPARATOR . get_include_path()); if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") { - self::$query_string = substr($_SERVER['QUERY_STRING'], 2); + self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2)); // removing trailing / - maybe a nginx problem if (substr(self::$query_string, 0, 1) == "/") self::$query_string = substr(self::$query_string, 1); } if(x($_GET,'q')) - self::$cmd = trim($_GET['q'],'/\\'); + self::$cmd = escape_tags(trim($_GET['q'],'/\\')); // unix style "homedir" |