query filter was a bit greedy

(cherry picked from commit a05c8ff66bd8d09f69f6c59bc49b7627792f4109)
author: zotlabs <mike@macgirvin.com> 2018-07-18 17:48:23 -0700
committer: Mario <mario@mariovavti.com> 2018-07-19 09:21:14 +0200
commit: 67848c03edf02b8a6d3c2010f08d50d823685e27 (patch)
tree: 6caf1c061d2aa3683ca4c4533be4bb0928769f8c /boot.php
parent: 685d05f98be3cbe991a9427a9fe522c383ad56cd (diff)
download: volse-hubzilla-67848c03edf02b8a6d3c2010f08d50d823685e27.tar.gz
volse-hubzilla-67848c03edf02b8a6d3c2010f08d50d823685e27.tar.bz2
volse-hubzilla-67848c03edf02b8a6d3c2010f08d50d823685e27.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/boot.php b/boot.php
index 04cb7c24c..e4ef33be6 100755
--- a/boot.php
+++ b/boot.php
@@ -874,11 +874,12 @@ class App {
 		}
 
 		if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") {
-			self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2));
+			self::$query_string = str_replace(['<','>'],['&lt;','&gt;'],substr($_SERVER['QUERY_STRING'], 2);
 			// removing trailing / - maybe a nginx problem
 			if (substr(self::$query_string, 0, 1) == "/")
 				self::$query_string = substr(self::$query_string, 1);
 		}
+
 		if(x($_GET,'q'))
 			self::$cmd = escape_tags(trim($_GET['q'],'/\\'));
author	zotlabs <mike@macgirvin.com>	2018-07-18 17:48:23 -0700
committer	Mario <mario@mariovavti.com>	2018-07-19 09:21:14 +0200
commit	67848c03edf02b8a6d3c2010f08d50d823685e27 (patch)
tree	6caf1c061d2aa3683ca4c4533be4bb0928769f8c /boot.php
parent	685d05f98be3cbe991a9427a9fe522c383ad56cd (diff)
download	volse-hubzilla-67848c03edf02b8a6d3c2010f08d50d823685e27.tar.gz volse-hubzilla-67848c03edf02b8a6d3c2010f08d50d823685e27.tar.bz2 volse-hubzilla-67848c03edf02b8a6d3c2010f08d50d823685e27.zip