query filter was a bit greedy

author: zotlabs <mike@macgirvin.com> 2018-07-18 17:48:23 -0700
committer: zotlabs <mike@macgirvin.com> 2018-07-18 17:48:23 -0700
commit: a05c8ff66bd8d09f69f6c59bc49b7627792f4109 (patch)
tree: a47e676f511adfdea1fd1924797d5c35f28c94fe /boot.php
parent: 5ce50d0a2e15ae66765a68ba2785a87ecda57f6a (diff)
download: volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.tar.gz
volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.tar.bz2
volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/boot.php b/boot.php
index 3b8347c30..5f833c132 100755
--- a/boot.php
+++ b/boot.php
@@ -874,11 +874,12 @@ class App {
 		}
 
 		if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") {
-			self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2));
+			self::$query_string = str_replace(['<','>'],['&lt;','&gt;'],substr($_SERVER['QUERY_STRING'], 2);
 			// removing trailing / - maybe a nginx problem
 			if (substr(self::$query_string, 0, 1) == "/")
 				self::$query_string = substr(self::$query_string, 1);
 		}
+
 		if(x($_GET,'q'))
 			self::$cmd = escape_tags(trim($_GET['q'],'/\\'));
author	zotlabs <mike@macgirvin.com>	2018-07-18 17:48:23 -0700
committer	zotlabs <mike@macgirvin.com>	2018-07-18 17:48:23 -0700
commit	a05c8ff66bd8d09f69f6c59bc49b7627792f4109 (patch)
tree	a47e676f511adfdea1fd1924797d5c35f28c94fe /boot.php
parent	5ce50d0a2e15ae66765a68ba2785a87ecda57f6a (diff)
download	volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.tar.gz volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.tar.bz2 volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.zip